The Last Watchdog

on Internet security by Byron Acohido

Smartphone Web apps turning malicious

Posted on August 2, 2010

Global smartphone shipments topped 54 million in the first three months of this year, a 57% jump from a year ago, according to research firm IDC.

The cyber-underground took notice. Hackers have begun adapting tried-and-true computer infections to work on Internet-enabled smartphones that are all the rage with consumers.

Download the wrong wallpaper app for your Google Android phone and you could get one that will harvest the phone and voicemail numbers, and data that can be used to disclose your location. Mobile security firm Lookout discovered 80 such Android Web apps last week, which have since been taken down by Google, says John Hering, Lookout’s CEO.

The information was being transmitted to a website based in China. The wallpapers, showing ponies, basketball scenes and other innocuous images, were downloaded more than a million times. Hering and other security experts attending the Black Hat and DefCon cybersecurity conferences here last week say such hacks underscore the potential for spreading malicious Web apps on Android handsets, iPhones, BlackBerries and Windows Mobile phones.

“Smartphone usage is going mainstream,” Hering says. “And so the bad guys are looking at web browsing and the downloading of Web apps as two primary attack vectors.”

In a more pernicious attack, a scammer has pioneered a way to trigger premium-rate phone calls from infected Windows smartphones. The attack, discovered by Mikko Hyppönen, senior researcher at Finnish antivirus firm F-Secure, begins by spreading infections via a popular 3D anti-terrorist shooting game delivered as a Web app.

Infected smartphones initiate expensive calls to far-off locales, such as Antarctica, Somalia or the Democratic Republic of São Tomé and Príncipe, obscure islands in the Gulf of Guinea. Hyppönen gave an eye-opening presentation last week at the Black Hat cybersecurity convention in Las Vegas, provocatively titled: "You will be billed $90,000 for this cell phone call."

The infected phone makes the calls late at night, after the user has presumably gone to bed. The full fee for one minute of call time is registered as soon as the phone in the remote locale rings, but the caller hangs up before the call is answered. The crook uses a system set up to collect most of the charge for the call.

This appears to be a slick variant of premium-rate call-back scams, in which the trickery involves getting the victim to dial back to someone who has hung up after a few rings, Hyppönen says.
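The "ring and hang up" pattern described above has a recognisable shape in a carrier's or enterprise's call-detail records: night-time calls, to high-cost international destinations, dropped before anyone answers. The following is an added detection example, not code from the post or from F-Secure; the destination prefixes, the night-time window, the CDR line format and the sample records are all constructed for illustration (a real deployment would use the operator's tariff table rather than a hard-coded prefix list).

```python
"""Heuristic detector for the premium-rate 'ring and hang up' pattern,
run over constructed call-detail records (CDRs).

Added example; thresholds, prefixes and record format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed high-cost destination country codes (constructed list for the
# example: +239 Sao Tome and Principe, +252 Somalia, +672 Australian
# external territories, which includes Antarctic research stations).
HIGH_COST_PREFIXES = {"+239", "+252", "+672"}

NIGHT_START, NIGHT_END = 1, 5    # assumed local hours, start inclusive, end exclusive
MAX_UNANSWERED_SECONDS = 10      # an attempt that was dropped before pick-up


@dataclass
class CallRecord:
    started: datetime
    number: str
    duration_s: int   # seconds connected; 0 means the callee never picked up
    answered: bool


def parse_cdr(line: str) -> CallRecord:
    """Parse one constructed CDR line: 'ISO-timestamp,number,duration_s,answered(0/1)'."""
    ts, number, dur, ans = (field.strip() for field in line.split(","))
    return CallRecord(datetime.fromisoformat(ts), number, int(dur), ans == "1")


def is_suspicious(call: CallRecord) -> bool:
    """True when a call matches all three traits of the described scam:
    placed at night, to a high-cost destination, and dropped before answer."""
    at_night = NIGHT_START <= call.started.hour < NIGHT_END
    high_cost = any(call.number.startswith(p) for p in HIGH_COST_PREFIXES)
    dropped = (not call.answered) and call.duration_s <= MAX_UNANSWERED_SECONDS
    return at_night and high_cost and dropped


def scan(lines) -> list:
    """Return the CallRecords from an iterable of CDR lines that look suspicious."""
    records = (parse_cdr(line) for line in lines if line.strip())
    return [call for call in records if is_suspicious(call)]


def summarize(flagged) -> dict:
    """Count flagged calls per destination country code (first four characters)."""
    counts = {}
    for call in flagged:
        key = call.number[:4]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: two scam-shaped calls, one daytime call, one domestic
# night call, and one answered long night call that should not be flagged.
SAMPLE_CDR = """\
2010-07-28T02:13:05,+2399001234,0,0
2010-07-28T02:14:40,+2529001234,3,0
2010-07-28T14:02:11,+2399001234,0,0
2010-07-28T02:20:00,+15551234567,0,0
2010-07-28T03:05:30,+6721234,120,1
"""

if __name__ == "__main__":
    flagged = scan(SAMPLE_CDR.splitlines())
    for call in flagged:
        print(f"suspicious: {call.started.isoformat()} -> {call.number}")
    print("per destination:", summarize(flagged))
```

Run against the sample, the first two records are flagged and the others are not; on a real feed the interesting signal is the per-destination count climbing from a single handset overnight, which is what the operator would alert on before the bill arrives.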

Hyppönen says smartphone Web app infections are rare compared to the deluge of malicious programs designed to compromise Windows PCs.

“From the criminal’s point of view, the low-hanging fruit is elsewhere, so we only have a handful of these problems,” Hyppönen says.

The richest target for cybercrooks remains consumer and commercial banking and other accounts that run on Windows XP computers, which remain the most widely used device to access the Internet. There are some 40 million known malicious programs for Internet-connected computers vs. less than 600 for smartphones, Hyppönen says.

However, as much more secure Windows 7 PCs begin to replace older XP machines and hacks become more difficult, cybercriminals inevitably will turn their attention to smartphones and mobile devices like the iPad. “It will happen sooner or later,” Hyppönen says.

By Byron Acohido
