A few days ago, independent security researcher Bogdan Alecu claimed to have identified a serious issue that affected avast! Mobile Security. Apparently, the app sent out SMSs without the users’ knowledge, inflating their phone bills.
The researcher identified the issue while testing the application. He found that the app would send out an SMS message to a number from the Czech Republic, most likely belonging to the company.
“I was checking my balance on the phone and noticed that 0.12 EUR were missing. Hmm, maybe I have sent a message to some of my Roaming SIM cards,” he explained.
“I logged on to my account to check why I have been billed. I noticed that indeed a message was sent to a number outside my country, but after checking the number I realized this number was not mine.”
Digging a little deeper, Alecu found that he wasn’t the only one who noticed such activity after installing the app; some users had been reporting such occurrences since late August.
Many were unhappy that the application sent SMSs without their knowledge and thought that it was some sort of secret mechanism implemented by the security firm.
However, what at first appeared to be a serious issue turned out to be a bug that affected only a limited number of users, because it was triggered only when certain tasks were performed in a particular order.
First of all, the fact that avast! Mobile Security sends out an SMS is actually a security feature.
“Notification to the user that a new SIM card has been inserted into his phone is a security feature to allow the user [of a stolen device] to know what new number is being used on his phone (and therefore give him the contact to the thief),” Milos Korenko, marketing director at avast!, told Softpedia.
“And the user gets a very simple and very visible notification that this will happen when the SIM card is changed,” he explained.
The fact that an SMS is being sent out when certain tasks are performed is a bug that the company will address with an update that will be released soon (possibly even today). The update has already been tested by Alecu and he claims that it works properly.
“The update we'll provide also fixes one more thing: there are some people who might have several SIM cards and do wish to exchange them. In such a case, we do cache the info on our servers and hence each new SIM is reported only once,” Korenko said.
“Overall, I'm glad the misunderstanding was properly explained and fixed. Indeed AVAST doesn’t do anything 'behind the users' backs' and the security feature is actually an important addition to prevent users' phones from being lost,” he concluded.
Alecu applauded the company for the fast response and for the interest it showed in fixing the problem.