Darlene Storm

Mobile malware: You will be billed $90,000 for this call

August 05, 2010 4:44 PM EDT

Be it business or pleasure, most of us have our cell phones handy at all times. Those phones are full of vulnerabilities which are ripe for viruses. Some people change apps faster than their underwear; some of those apps act as a Trojan Horse carrying malicious code. Although some software security experts expect smartphones to be a tempting new target for hackers, F-Secure reported there haven't been more than 500 mobile phone viruses so far. What do we have to thank for staving off the upcoming smartphone attacks? Windows XP.

"There are more phones on the planet than computers. And it's easier to steal money from phones," stated Mikko Hypponen, chief research officer at security firm F-Secure Corp. In a video interview, Hypponen explained that there haven't been more mobile phone attacks because Windows XP computers are still the "easiest" and most exploitable target. Even though Microsoft discontinued support, Windows XP is still widely used throughout the world. It's currently "very easy" for online criminals to make money off of XP. As XP disappears, attackers will start to look around for another easy and popular target. Then online criminals will set their sights on smartphones, which all have a built-in payment mechanism in the form of a monthly bill.

According to the above video, any mobile platform could be targeted. However, Hypponen guesses that the three main platforms for smartphone attacks will be iPhone, Android and Symbian. Most phone attacks are coming from Russia, South America, parts of Asia, and China where Symbian is king of the smartphones. Hypponen explained in the interview that so far all the attacks on smartphones have been, more or less, due to social engineering and tricking users into clicking on a link.

At his Black Hat presentation, Hypponen explained why attackers are starting to eye mobile platforms as targets. Criminals are finding ways to route money without leaving a trail for law enforcement. His talk was entitled, "You will be billed $90,000 for this call."

We would be quick to report such an outlandish charge on our bill. If the calls totaled $12, however, how many people would notice, admit to being scammed, and take the time to report it?

Hypponen told a tale of a hacker removing the copy protection from a 3D anti-terrorist shooting game before offering the cracked version as a free app via a copycat site. Also free in the download was mobile malware. When users played the Trojanized game, their phones would secretly issue eight expensive international calls to places such as North Korea, Africa, and Antarctica. These special premium international numbers didn't actually connect to the South Pole; instead the call might end up routed to Canada while still billing the full premium international rate for the South Pole. The billing difference between the premium international destination (South Pole) and the less expensive real destination (Canada) goes to the virus writer.

To avoid detection after its $12 payload was triggered, the malware-laced app would behave only as a game while the virus slept for 31 days. Then the virus would awaken and issue eight premium international calls again.
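A defender-side illustration of the pattern above, added here and not taken from the article or from F-Secure: a small sliding-window check over constructed call records that flags bursts of outbound international calls and reports the gap between repeat bursts. The home country code, the time window, the call threshold and the sample numbers are all assumed values.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
HOME_CC = "+1"  # assumed home country code of the subscriber


def _burst(start, numbers, gap_s=45):
    """Build a constructed run of short calls, one every gap_s seconds."""
    t0 = datetime.strptime(start, FMT)
    return [((t0 + timedelta(seconds=i * gap_s)).strftime(FMT), n, 40)
            for i, n in enumerate(numbers)]

# Constructed sample call-detail records: (timestamp, dialed number, seconds).
# The +850 (North Korea) and +672 (Antarctic bases) prefixes echo the article's
# destinations; the numbers themselves are invented.
PREMIUM = ["+85021000001", "+85021000002", "+67210000001", "+67210000002",
           "+85021000003", "+67210000003", "+85021000004", "+67210000004"]
SAMPLE_CDR = (
    [("2010-07-01 09:12:00", "+15555550101", 120)]      # ordinary domestic call
    + _burst("2010-07-01 13:40:00", PREMIUM)             # eight calls in ~5 minutes
    + [("2010-07-10 18:00:00", "+442055550199", 600)]    # one legitimate UK call
    + _burst("2010-08-01 13:40:00", PREMIUM)             # same pattern 31 days later
)


def find_call_bursts(cdrs, home_cc=HOME_CC, window=timedelta(minutes=10), min_calls=4):
    """Flag groups of at least min_calls outbound international calls inside `window`.

    One international call is normal; eight within a few minutes is the signature
    described in the article. Returns a list of dicts with start, count and prefixes.
    """
    intl = sorted((datetime.strptime(ts, FMT), num) for ts, num, _ in cdrs
                  if not num.startswith(home_cc))
    bursts, i = [], 0
    while i < len(intl):
        j = i
        while j + 1 < len(intl) and intl[j + 1][0] - intl[i][0] <= window:
            j += 1
        if j - i + 1 >= min_calls:
            prefixes = sorted({num[:4] for _, num in intl[i:j + 1]})  # rough country prefix
            bursts.append({"start": intl[i][0], "count": j - i + 1, "prefixes": prefixes})
            i = j + 1
        else:
            i += 1
    return bursts


def burst_intervals_days(bursts):
    """Days between consecutive bursts; a steady ~monthly gap suggests a sleep timer."""
    starts = [b["start"] for b in bursts]
    return [(b - a).days for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    found = find_call_bursts(SAMPLE_CDR)
    for b in found:
        print(b["start"], b["count"], "calls to", b["prefixes"])
    print("days between bursts:", burst_intervals_days(found))
```

On real carrier exports the same check works on the billing CSV once the columns are mapped to (timestamp, number, duration).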

"Eventually, virus writers will realize it is easier to make money by infecting phones than it is by infecting computers," Hypponen tweeted. According to the video, he expects to eventually see smartphone worms that spread automatically to everyone listed in a phone's address book. When this happens, a worm could spread infection around the world in only a couple of minutes.

He advises cell phone owners to be wary of apps, install anti-virus software on their phones, and set strong passwords.