Does Google Aid Crime by Selling Spoof SMS Apps?

If you search Google Play, the store for Android apps and other content, you will find plenty of apps that allow users to send spoof SMS messages which will appear to come from a different CLI to that of the user. But should Google sell these apps, and are they encouraging crime by doing so? That was the question recently brought to my attention by Wilfred Sonny Gomez Jr, who works in the IT & Product Security team at Maxis, the Malaysian operator.

These are examples of the functionality boasted by some of the apps available on Google Play:

XXXX is a cool app for sending International SMS messages on low rates. XXXX can easily spoof the SMS message sender’s number and if the receiver has the number stored in his phone book, the contact name will be the one that appears on his screen.

Send 100% Anonymous SMS Messages to ANY mobile number in the world! Set the Sender’s Name or Number to anything you want – pretend to be someone else.

XXXX has the ability to change your Caller ID while text messaging friends and family. It will Spoof the ID of any number you wish and be able to send text messages to any number using the ID you have Spoofed. XXXX makes it easy to fake a message. Be able to trick friends and enemies at any time with this super awesome app!

Though the apps are generally promoted as a way to play jokes on people, there is obviously a risk that individuals will use them for more sinister purposes. They could be used to swindle money from unsuspecting recipients; the spoof messages might entice them to dial an expensive PRS number. There is also the risk of bullying and other harassment. People can be nasty if they think they will not be caught. Another risk is that the spoof app user might send an unpleasant message that appears to come from the real number of an innocent person, in order to cast blame upon them.

It is good that Wilfred has identified this issue, but the makers of these apps will say they are offering a legitimate product. Making the argument against them will depend on evidence that the apps are misused in practice. That may not be so easy, not least because many of the apps receive plenty of negative reviews saying they do not work properly.

Though the apps may be legal, a privately-run market like Google Play also imposes its own conditions. I checked the Google Play Developer Policy, and found it lacked a criterion that could be used to ban apps like these. The most helpful section states:

Deceptive Behavior

We don’t allow apps that attempt to deceive users. Apps must provide accurate disclosure of their functionality and should perform as reasonably expected by the user. Apps must not attempt to mimic functionality or warnings from the operating system or other apps. Any changes to device settings must be made with the user’s knowledge and consent and be easily reversible by the user.

When Google refers to the user, they are thinking of the person who owns the phone and buys the app. But if it is necessary to protect the app users from deception, is there not a similar argument to protect other phone users from deception too? Phones are used for communication between people. Can Google really justify a moral stance which says the person who sends the message must know the truth, but the app can be designed to intentionally mislead the person on the receiving end?

I am grateful to Wilfred for highlighting the potential problem with spoofing apps. Now my worry is that there may be a serious problem but we will collectively fail to address it because everybody thinks the responsibility lies elsewhere. I would be happy to collate information which shows these apps pose a threat, and use it to put pressure on Google to update the policies for Google Play. But that depends on what information I receive. Or perhaps there is an organization already focused on this concern, and we should be supporting their existing efforts. If you think there is a danger, if you have relevant information, if you know of a campaign to ban spoofing apps, or if you know somebody who has been deceived, then I encourage you to share the experience. And if you are concerned about the risk, then please share this article with others, so they can lend their support.

This industry needs to work together if we want to deal with issues like this. If we do not tackle deception at its root, we will inevitably suffer later on.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.