After taking a long hiatus, trojan dialers that can rack up thousands of dollars in charges are back by popular demand. According to researchers at CA Security's malware analysis lab, a new wave of malicious dialers is hitting users of mobile phones. The trojans are built on the Java 2 Micro Edition programming language and …
It was inevitable, wasn't it?
As soon as mobile phones were designed to access the internet, and send and receive emails, it was only a matter of time before this happened. I use my mobile phone as a mobile phone, and my computer for accessing the internet. Makes sense to me.
Dumb phones smarter than smartphones?
My six-year-old Samsung makes and receives voice phone calls and text messages. That's it. Every time I see another one of these stories about how smartphone users are being pwned, hacked, or screwed over by providers or surveillance tech, it makes me that much gladder that I own a dumbphone.
One thing worries me, though: both of the mobile phone accounts at our house are in my wife's name. We'd held out for a long time, but she decided after 9/11 that having a mobile phone might not be such a bad idea after all. Our first "mobes" were good old-fashioned Nokia candy bars; after a couple of years she moved us up to our current Samsung models. I'm scared to death that she's going to see some goddamn' TV commercial and get all ga-ga eyed and move us up to smartphones.
Just a Phone? - Nah! Not here mate!
Couple of years ago, when switching from a company mobile to a personal phone, I went into Carphone Warehouse and asked for a phone that made calls, sent texts and didn't have a camera.
Poor Salesperson - You could hear their synapses pop from 20 feet away :-)
"But why would you want that?"
Oh how I miss the old Nokias - days of standby, made calls, received calls. What more could you ask for?
It seems obvious then...
... that you should get the contract in your name instead?
Take control man!
re: Just a Phone? - Nah! Not here mate!
You can get those if you look for them. My old mother recently got a fancy Nokia, didn't like the complexity and its too-small size for an old person's fingers, and replaced it with a Doro model, which is much like the phones of the days of yore. See http://www.handleeasy.com/ for examples.
Any ideas on names or places where they are picked up?
Would like to warn our users who travel to US but can't find a "standard" app or whatever they should be looking out for.
Of course they shouldn't be doing but we all know that argument doesn't hold much sway with gadgeteer salesmen!
I assume the creators have genuine certificates...
... with which to sign the midlets which contain these SMSers (is that the equivalent of dialler?), or are they relying on users just hitting "yes" every time the SMSer wants to send an SMS?
Stupid is as...
May seem a dumb thing to you, but even folk who wouldn't fall for it at the desktop [and I'm not entirely convinced that isn't a minority] have a whole different view of security when it comes to their mobile habits.
just maybe Apple's control isn't such a bad thing. Sometimes. Just a little.
I for one welcome my nanny state
As my eyes drifted down to this post I was thinking the exact same thing.
Makes it much harder for 3rd parties to patch up holes while you wait a few months for Apple to get round to it though.
wouldn't help really
... last time I checked you didn't need to submit source code to Apple.
If you put some malicious code into a normal looking app and had it only send messages out on a certain date in the future then you could in theory do this type of attack... not sure Apple have ever used their ban list for removing apps from phones and iTunes either... but I'm guessing it could take a few days for them to get it off people's phones.
Didn't somebody do this hidden feature trick with an app on iPhones once, got told not to do nudies in their app, so instead just hid the nudies from users but they were unlockable so Apple pulled the app again....? Sure it was in the latter half of last year.
Next up on Android - 3rd party firewalls, virus checkers, and "trusted developer" application status where they submit code for review to Google??
Next up on iPhone - submitting all code to Apple for all applications. Meaning longer approval times, larger dev licensing costs, and remote delete being enabled by Apple.
Fun times. :)
Why don't the people who have been hit with this malware do two things: number 1, get independent confirmation that they were hit with this malware that caused the fees, then 2, sue the operator who runs the premium numbers to give over the details of the people who received the money and sue them after filing criminal charges, and if the details are incorrect sue the operators of the premium service for aiding and abetting criminals.
Start a class action suit even.
Should not be hard to track and find these people.
sounds like a lot of hassle
They're more likely to learn from the mistake and let it slide. Indeed how would you prove the premium service [which probs has genuine willing victims] is involved - it would be a neat way of attempting to discredit a rival service were you so inclined.
"Should not be hard to track and find these people."
I speak as someone involved in the past in detecting this kind of thing.
Unfortunately, the text/call is probably going to go to a suitably unpoliced country, where the cash is collected by someone in another country who then passes it on to the guy in Russia writing the malware, someone who will be paying the right people to be protected. And who is probably doing it for a few weeks before changing every link in the chain. It's really not as easy as it sounds.
More positively, ten years ago I was involved in developing systems to detect suspicious behaviour and stop the calls/texts almost immediately. If telcos aren't using such systems ten years on then customers should be up in arms.
Here we go again....
...good luck, so you sue your operator (you could just ask first, but hey, guess you're American, so sue first, ask later).
Next, when they tell you it's registered to the Cayman Islands, Ivory Coast, Nigeria. Feel free to travel there, track them down, take them to court and win your money back...
"Should not be hard to track and find these people."
That's right, that's why there are hundreds and thousands of people in Nigeria for running scams
With the new smart phones and the graphical capabilities.
Man you can really see porn like never before.
You can carry around Gigabytes of porn.
Megabytes of pornographic photos.
The new smart phones have really advanced porn, for the good.
Darrin, does this also mean that what we thought was 'silver lining' in clouds is really rather ikky old stains?
Man oh man
If you're happy viewing porn on a 2" screen, I guarantee you'll be overjoyed when you view your porn on a 22" one.
You might want to try it one day, but beware, after you do, you'll never go back.
Dialers were stopped in their tracks with one simple technique.
If the carrier tries to make you pay, point out to them that the use of a hidden dialer is a felony (in most states.) If they attempt to collect the money, the carrier is an accessory.
As soon as I suggested this technique to my customers, the porn dialer industry shut down almost instantly. Same should work for texting.
Buttnote: Be sure to lubricate grenade thoroughly before inserting in scammer.
Wow Disco Legend
I think we should nominate you for a Nobel prize or something !
You single handedly stop a multinational racket in its tracks.
And there was silly me thinking it was the mass uptake of broadband, combined with AV software plus tougher regulations that helped phase it out.
How dumb am I !
"You single handedly stop a multinational racket in its tracks."
Well it was certainly not single handedly, we worked with the Arizona AG to make dialers a felony. And it was our customers that stopped paying the phone company.
In a conversation with someone previously in the stealth dialer industry I was told, "It was a great business, but we had to stop when the phone companies quit paying us."
No Nobel prize required, just PayPal me some money.
OK, so many people...
...have overlooked the fact that their "phones" are in fact nothing but portable computers. Many times more powerful than the "high-performance" XTs and ATs I started to work on in the mid-1980s. Still, in my experience the major reason for the success of malware of any kind is the sheer idiocy of the users who will cheerfully and without even stopping for a moment download stuff and start it up, without any verification of its origin.
As Mark65 has pointed out, a secured marketplace does have its advantages for those who unquestioningly double-tap on files/attachments named "pornviewer.exe" or similar. The problem is not the device, it's the gullibility of the user. Which (unfortunately) cannot be stamped out. Spam would be a thing of the past if people would only stop reacting to it -- spammers only turn a profit if they generate sales. The same goes for dialer trojans (or, for that matter, all trojans). One may point out that the standard settings for the Windows Explorer -- to hide "known" filename extensions -- further this behaviour, and I agree with that. And, for a quote, "few things are as uncommon as common sense" (though I don't remember by whom that quote is; I have read it in literature dating back to the 1950s).
Particular to the dialing trojan "problem", in a sense, the telecommunication companies are partially at fault; a very few have already introduced cost-controlling measures such as an easy-to-enable option to allow only a certain amount of charges per month when dialling a selectable range of numbers, after which all other attempts will be cut off. And the customers of those companies are usually not being told that the option even exists. I have enabled the option for my contract; my bills have remained the same, though.
As with email spam, the widespread use of such measures would kill off dialing trojans, IMHO.
Batten down the hatches. My best guess is that most people impacted by malware are not the type who are reading el Reg, but as a professional IT consultant, I will give you the completely free advice to review your security settings, from firewall through AV all the way to the way you handle downloads, mail attachments, and other people's data sticks. With some self-discipline and proper OS settings, I have so far found that most AV software is basically superfluous (really!).
Not a very convincing post from CA
Firstly, the CA author shows a poor understanding of J2ME MIDP.
"The JAD application however is packaged with a data file (load.bin) that has a list of high-cost destination numbers."
Erm - JAD application? The JAD is the descriptor - it is not the app. itself.
Secondly, even if the user downloads and runs the associated JAR, every MIDP phone I have ever seen prompts the user before sending an SMS - irrespective of whether the app is signed or not.
Finally, does it really matter that the list of premium numbers is read via a call to getResourceAsStream(...)?
As a general comment, smartphones present a much greater risk for this style of attack. Symbian Signed apps can run in the background and can send SMS messages without any user interaction. Android has similar capabilities. iPhone apps are extremely limited in this regard - I believe all an app can do is open an SMS link in the browser - the user must actually send the message.
Finally, if memory serves, the Series60 based SX1 shipped with an augmented reality game called Mozzies. The word was going around that if the game were run on a non Siemens based terminal, it automatically generated a premium SMS. This may be apocryphal - I had an SX1 but never saw the brilliant Mozzies running on any other handset.
It is fair to say that the real worry in premium SMS trojans is that it only takes one SMS to subscribe to a tide of reverse billed content.
Black Helicopter because it looks vaguely like a mozzie...
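An added example for the JAD/JAR distinction drawn in the comment above (not code from CA or from any commenter): because the JAD is only a text descriptor, a defender can read which SMS permissions it declares and whether it carries signature attributes, then list the data files bundled in the JAR. The sample JAD, the stand-in JAR, the function names and the URL are constructed for illustration; the attribute and permission names are the standard MIDP 2.0 / WMA ones.

```python
import io
import zipfile

# WMA permission names that let a MIDlet open an sms:// connection and send.
SMS_PERMISSIONS = {"javax.microedition.io.Connector.sms",
                   "javax.wireless.messaging.sms.send"}

# Constructed descriptor for illustration; not taken from the CA report.
SAMPLE_JAD = """\
MIDlet-Name: ExampleViewer
MIDlet-Jar-URL: http://downloads.example/ExampleViewer.jar
MIDlet-Permissions: javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
"""

def parse_jad(text):
    """A JAD is plain 'Name: value' lines; split on the first colon only."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def triage_jad(text):
    attrs = parse_jad(text)
    declared = set()
    for key in ("MIDlet-Permissions", "MIDlet-Permissions-Opt"):
        declared.update(p.strip() for p in attrs.get(key, "").split(",") if p.strip())
    return {
        "jar_url": attrs.get("MIDlet-Jar-URL"),
        "signed": "MIDlet-Jar-RSA-SHA1" in attrs
                  and any(k.startswith("MIDlet-Certificate-") for k in attrs),
        # An unsigned suite may declare nothing, so an empty list is not a clearance.
        "sms_permissions": sorted(declared & SMS_PERMISSIONS),
    }

def jar_resources(jar_bytes):
    """List bundled data files (what getResourceAsStream can read), skipping code."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist()
                      if not n.endswith((".class", "/")) and not n.startswith("META-INF/"))

def build_sample_jar():
    # Constructed stand-in JAR: a manifest, one class stub and one data file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("load.bin", b"constructed placeholder data")
    return buf.getvalue()
```
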
The telco should require verbal authorisation
The simple answer to all this dial premium service malware is for the telco to provide premium services as an option, if the mobile owner has to speak to a human before any premium lines can be called then problem disappears for most owners. In the real world the telco does not care if the owner has been defrauded as it isn't their problem, they still get paid. The idea of suggesting that the telco is acting as an accessory to fraud wouldn't wash in the UK I think without a very expensive court case. When you telephone a premium line in the UK they are required to confirm age of caller and if they are the bill payer, this I understand has to be a human operator at both ends. With overseas premium services these rules don't apply and the local telco is not required to give an option to disable all overseas premium services.
Back in the days of phone dialers, the companies getting the money were in Belarus - and the phone companies had to forward the money to them, because of international treaties. Since the government of Belarus failed to act against those 900 numbers, I'm surprised the treaties weren't renegotiated - with telephone service to Belarus cut off until they joined the new treaty. Our governments need to be tougher when it comes to protecting their citizens.
What does a user have to do ...
in order to be hit by this Trojan? Let's step through it, shall we?
1. The user has to find this MIDlet on the web, click through ALL of the "yes. Download this. No, really" dialogs until the thing finally gets installed on his phone
2. Start the MIDlet (which won't happen automatically)
3. Click "Yes" every time the MIDlet wants to send an SMS.
Even if the MIDlet writer has somehow got hold of signing certificates and has signed the damn thing, the user must still click through all sorts of dialogs in order to permit it to do its dirty work. Any user who does this deserves his high phone-bills.
BTW, the picture on the CA website is of the PC-based Wireless Toolkit, and not a real phone. Sun doesn't make phones (or much else, either). Which begs the question, why would CA want to publish such drivel?
Paris, because maybe her cell number is buried somewhere in that application ...
Same rule applies as ever....
Don't install software you don't trust and don't browse dodgy sites. Works for me.
In my experience...
the types of people who have wankphones are posers, fashion victims, wannabees and gadget magpies. The genuine hardcore techie types are still using phones from 4 years back because, as a tool for making phone calls, they're still great. No-one's ever needed to figure out how to make a better hammer, have they?
Raises an interesting question though. Back when, Apple machines were considered pretty virus-free because there were so few of them it wasn't worth writing malware for them. Now they're in a dominant position in the smart-phone market, I hope some people over there are taking time out from drawing pretty white cases to think about some of this stuff.
I use PAYG
It may not stop the diallers, but it will limit your risk exposure to your current balance.
I never use "premium" rate telephone services as they are never good value.
So why can't I tell my carrier to block them all from my phone?
It's just hype
... to get the masses to buy their products.
I note that the CA page shows an image of an emulator used for designing mobile software, and as such most likely has the ability to disable the prompts before sending an SMS (if I'm wrong please correct me).
I also wonder if CA show the emulator rather than a compromised phone because they are trying to develop the virus in the first place (it would be in the best interest of their business model if there was a problem needing their solution I guess).
Lastly I have not even overheard ANYONE in the real world having a problem with a virus on any mobile device.... has anyone else?
let's have more