A security precaution skipped in mobile applications such as Facebook’s Messenger could be abused to make an expensive phone call at a victim’s expense, a developer contends.