Late last year, AT&T, Sprint and T-Mobile together announced that they will no longer offer or support Premium SMS services (with Verizon following shortly after). Premium SMS supports things like ordering ring-tones, checking horoscopes and all sorts of other things I have never done. It also supports legions of spammers, shady SMS aggregators and 3rd parties who try to bill people a few dollars here and there and hope they get away with it. This service has been around for a long time and carriers love(d) it because they received a cut of each transaction. Lookout did a great blog post on how the whole process works (https://blog.lookout.com/blog/2012/10/03/avoid-premium-sms-scams/).
In November the carriers said they were going to put an end to the madness, probably because of the volume of complaints and the general obsolescence of SMS in the eyes of the average consumer. This is interesting for a number of reasons, but the most significant is related to mobile malware. Juniper reported last year (http://www.juniper.net/us/en/local/pdf/additional-resources/3rd-jnpr-mobile-threats-report-exec-summary.pdf) that 73% of approximately 200k known mobile malware samples use premium SMS as their primary attack. That means almost all the malware out there (and almost all of that is for Android) was sending SMS messages that would later show up on a consumer’s bill. It would be up to the consumer to contest those charges and get a refund.
Hackers, malware authors and bad guys in general will always take the path of least resistance – which to date has been Premium SMS. Mobile malware is a hot topic in the infosec and anti-fraud community. Advanced malware has demonstrated the ability to backdoor devices, log keystrokes, turn on microphones, redirect SMS (to bypass step-up authentication) and even function as botnets. However, today, the malware zoo contains very few of these creatures.
That is about to change. The easy money is gone, which will drive further innovation in the mobile malware space.