Mobile Game Trojan Calls the South Pole

UgLyPuNk writes with an excerpt from Gamepron.com: "Freeware games can actually cost you more money than their pay-to-play cousins, as mobile gamers in the UK have learned. A 'booby-trapped' version of a popular Windows Mobile game has been sneakily spending their money while they sleep – by dialing phone numbers in the Antarctic behind their backs."

yikes

[iwannasexwithyourmom]

aw man, that's pretty cold.

Re:yikes

Mod parent up--brrrrr!

Re:yikes

[PDX]

What next downloading penguin porn? That would be appropriate for a Linux virus.

Re:yikes

[PinkyGigglebrain]

No, that would be perfect for a Windows virus.

Adds insult to injury, with a dash of salt.

Re:yikes

[magpie]

But aren't viruses meant to do bad things...that would be more of a self installing enhancement.

Re:yikes

[Pharmboy]

See, Bill Gates was right! Free Software *does* cost more than proprietary software!

(ducks)

Re:yikes

[ps2os2]

Well, I want to know what the country code is for Antarctica.

LOL

[wulfmans]

Windows virus writers strike again.

Re:LOL

[vivian]

Crappy brain dead design strikes again.
Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specificaly made user authorization?

Surely that should be something that has to be done on a per-application basis, and only after the user has allowed it by entering an authorization password to allow the app to access those parts of the phone!?
There should also be a way to limit the number or costs of calls (per application) that is built in at the lowest possible level too.

Re:LOL

[LingNoi]

Thats way too complicated IMO. All that should be allowed is sending a number to the dialer program. Then the user can decide to call that number or not.

Re:LOL

[eugene2k]

>Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specificaly made user authorization?
For the record, when a Symbian app tries to make a call or connect to the internet the user is presented with a dialog asking whether to allow the app to connect/make a call. No idea why Microsoft decided this is not needed.

Re:LOL

ATDT

Terminal, still the best app :)

Re:LOL

[FearForWings]

The simple answer is that the phone companies hope you'll be to embarrass to contest the charges.

Simmilar examples can be found in:

1.) Back in the good old days of dial-up, there were adult sites that would give "free" access assuming you (stupidly/unknowingly) dialed into a south-pacific island nation number that had a north American prefix, with your unlimited long distance account.*
2.) All the cell joke and ring tone numbers you can "get for free" that are/were advertised on TV.

*my brother found out about this the hard way

Re:LOL

[Peach+Rings]

Well the phone networks would probably be more inclined to promote Microsoft's phones if their users spend $900/mo more on average than everyone else :P

Re:LOL

[KDR_11k]

Might be using some software bug to circumvent the prompt but yeah.

Re:LOL

[erroneus]

No doubt. My blackberry asks if I want to allow software to access the internet, bluetooth, gps and dial the phone each and every time (unless I mark that software safe to do so on its own). So if I am playing a game and it wants to dial my phone, I'm going to deny it and then wonder "wtf?!" Then I'd probably remove it. Not saying that RIM are especially insightful in their creating the OS that way. I'm saying it's plain obvious that it should be exactly like that and that it is unimaginably stupid for Windows Mobile devices to behave in that manner. And if it happened because the security was circumvented? Once again, sucks to be a Windows user, but that is par for the course with Windows. Stop using it! When I see a "cool new Windows mobile phone" I stop seeing it as cool in pretty much the same way I react when I see a cute little black and white animal and realize it's a skunk... back away...back away...

Re:LOL

the problem is that a secure design would show a popup like:

do you want to call this 00431341424345 number with your modem (yes/no/always allow this number) every time the modem driver engage

instead windows 7/vista shows us a popup like:

the application solitaire.exe requires you authorization to continue (yes/no)

and that popup is so common that users click trough it without a second thought.

Re:LOL

[profplump]

And decent phones do. On a BlackBerry, for example, you have to specifically authorize each application to access to the voice radio, IP connections (as a whole or per-domain), GPS, address book, etc. It's easy to use and provides great protection, not to mention the instant insight into what a program is actually doing (i.e. "Why does this free calculator want to connect to warez.ru"). Why WindowsCE doesn't do such things is a complete mystery.

Re:LOL

[PinkyGigglebrain]

Hammer, meet nail head.

You are dead on with that. As much fun as it is for the /. community to say "oh look, another WINDOWS VIRUS!" and start bashing MS this is a screw up at the application level, not the OS.

Looks like I'm going to have to save my MS bashing comments for another day, bummer.

Re:LOL

[zullnero]

It's how .NET CF's telephony API works. You call a function, send it a number as a parameter, and it dials it. As long as I can remember, that's pretty much been how you call that particular .NET CF function. At least, that's how it worked in 2005 with .NET CF 1.0. So basically, that particular hole has been there for probably about 5 years. Since most mobile phones run a slightly older than latest version of .NET CF, I'd imagine that quite a few phones would be vulnerable to that. That said, the main reason it doesn't prompt for verification is because a lot of big companies, carriers, major third party dev houses, etc. most likely demanded that they be able to "phone home" seamlessly and quietly for various reasons or they wouldn't support their platform.

I know, you're probably thinking "what reasons"? Well, from some of the vendors I've worked with, it ranges from location based information to cell phone recovery tracking to remote programming. None of it is absolutely necessary given current available technology and that you can do all that stuff over the data network, but when Windows CE was originally designed, data networks weren't quite as useful.

Re:LOL

[zullnero]

Whoops, meant to say "when .NET CF for Windows CE was originally designed", not just Windows CE. It's a difference of about 5 or 6 years. 2 pint mugs of White Russians can do that to a guy.

Re:LOL

[promythyus]

but it does stop phones from dialing without *ANY* user interaction (besides installing the program), which is what this program is doing... It's your own damn fault if you let a call go through because you pressed "yes" without thinking, but it's hardly one's fault for installing a seemingly innocent program, then finding it has racked up a massive bill on your -once monthly!- statement.

Re:LOL

[ArsenneLupin]

No idea why Microsoft decided this is not needed.

User frienliness

In any case, the victims "deserve" what they got. Don't they have any geek friends, and didn't any of these warn them about Windows Mobile?

Re:LOL

I think you missed his point entirely. Security permissions should be handled on a per-application basis BY THE OS. How is a random application going to enforce security on itself to prevent itself from abusing the system?

As other's have pointed out, RIM's BlackBerry does that in a great and simple way. When you install the app, it tells you what permissions the app is requesting and you can allow all of it, some of it, or none of it, depending on what you want.

This is absolutely a Microsoft screw-up, and even with their history I still have a hard time believeing their phones don't work in a similar manner to my BlackBerry.

Re:LOL

[Bugamn]

Why WindowsCE doesn't do such things is a complete mystery.

Are you sure it is a mistery?

Re:LOL

[kasimbaba]

We're talking about Windows Mobile, not Windows 7/Vista.

Re:LOL

There's no mystery. Windows CE is crap.

Re:LOL

[kasimbaba]

There's no screw up at the application level. The trojan app is doing what it's designed to do, which is screw the users out of their money. It should be up to the OS to ensure that the user is protected from said app.

Re:LOL

A lot of phones have the opposite problem (from game developers view): every time you access the network, every time you use camera, every time you use the filesystem, it will pop up a confirmation. EVERY time as is 25 times per second (if you could dismiss the stuff fast enough, that is) if you're trying to do realtime stuff. Unless your application is signed with the proper permissions, of course, in which case anything goes and the user doesn't even need to know about it.

The security model is just completely fucktarded.

Re:LOL

[makomk]

All the cell joke and ring tone numbers you can "get for free" that are/were advertised on TV.

That's generally known as false advertising and fraud, at least in countries with sensible regulatory systems. Our cellphone/ring tone scams here in the UK are all rather more advanced for this reason...

Re:LOL

[DrXym]

Android also has finegrained security permissions and does stick up a warning before installation of what the app is permitted to do. But I think it would be very easy for people to click through these. I think certain permissions are more dangerous that others, especially in combination and I would like to see phones more prominently warn upfront and also when the app tries to invoke them.

Re:LOL

[jimthehorsegod]

... software bug ....

Oh I hardly think that likely...

Re:LOL

[machine321]

Almost all BB apps I've tried will grab whatever perms they want during the install (via innocuous OS prompt, something like "Do you want to set permissions for this app?").

With that said, the BB perms are pretty granular. If you don't set the perms, when you run it you'll get prompts like "Allow [program] to access maliciousad.doubleclick.net?" and you can "deny always".

Re:LOL

WinMo probably does have a similar setting. The problem is that many programs you install on Blackberries prompt you to change their security settings, much like many Linux things you install prompt you for root access. When it becomes commonplace people just click OK or enter their password without thinking - it's only the security-conscious who pay attention to those things.

Re:LOL

[davidbrit2]

Why WindowsCE doesn't do such things is a complete mystery.

It's built from a codebase that's from around 1995, when such concerns barely existed yet. And instead of building up something like UAC and privilege control, it looks like MS is just taking the easy way out and locking down the OS, which is kind of sad, considering extreme flexibility and relative open access is/was one of WM's (only?) major strengths.

Re:LOL

[abigsmurf]

You're running a piece of code. Your phone is already compromised.

You could give the user an option to give an application permission to use the phone functions but in all likelihood, the application could quite easily authorise itself, trick the user ("submit your high score?") or just disable the checks.

Even if you put in a permissions system modelled after Unix or Windows 7, there's still plenty of damage malware can do (how about changing every number in your phone book to a premium rate number?).

The only thing to protect against malware is Apple style code reviews and signed apps or high levels of sand boxing (which break all sorts of handy functionality).

Re:LOL

[TheSunborn]

You are aware that Apple don't review code before it is added to the shop right?

And the rest of the world have already solved this problem for mobile phones. An application don't have access to do anything that can interfere with other applications/the operation system without explicit user accept.

And this access is handled by the operation system not the application. The application ask the operation system, and the operation system ask the user, so the application don't have any way to trick the user into doing something by lying to the user.

Re:LOL

[hattig]

It's simple - apps that are preinstalled by the carrier are already pre-approved to access the telephony APIs (for non-international, non-roaming calls).

The security levels to access telephony APIs are (at least);

1) No Access (default)
2) Access to call national numbers (whilst not roaming) with user confirmation
3) Access to call national numbers (whilst not roaming) without confirmation
4) Access to call all numbers with confirmation
5) Access to call all numbers.

I don't see why there should be a feature to auto-dial, without confirmation, an international number, unless you've rewritten the dialer application. I guess that a dialer application could be written with a trojan caller inside it - but such an application probably shouldn't be running as a service style app. So (5) could be restricted to foreground (visible) applications only.

Re:LOL

[Lumpy]

iPhone and Android makes you press a button on screen to dial a number from a webpage. Why is this not the case for the WM OS? there should be no possible way to initiate a dialing. Push the number to the phone interface, but it can not dial until the user presses the dial GUI button.

Re:LOL

[PopeRatzo]

at least in countries with sensible regulatory systems.

Xanadu?

Re:LOL

[DJRumpy]

All of the 3rd party code in the App store is reviewed and no code is placed into the App store until review is complete. This sort of hack, which would have to use non-standard API's to accomplish this, is exactly what such reviews would find. Love it or hate it, it is an effective tool in finding such malware. It is not a catch all, but is an important piece.

"You are aware that Apple don't review code before it is added to the shop right?"

Re:LOL

[Dan+East]

Note that this differs between signed and unsigned apps. Unsigned apps result in more notifications to the user, and RIM doesn't actually approve applications like Apple does. So anyone can sign unlimited apps for $50.

Re:LOL

[pinkushun]

A non-related security feature of Window 98, involved canceling the login dialog to get Administrative access. Microsoft is just sticking to proven security practices :)

Re:LOL

[doug141]

>Why WindowsCE doesn't do such things is a complete mystery. Perhaps because they get panned when they do the same thing, like in Vista UAC?

Re:LOL

[Hurricane78]

J2ME (Java) is an example of how to do it properly. For every action that could be abused, there is a security rule. That rule is by default disabled. Then e.g. when the program tries to make a call, the JVM itself asks if you want to allow it [Never] [No] [This time] [Always]. (Something like this.)

But hey: Windows is brain dead because it has to fits its users. ^^
They would complain if it were different, for being “too complicated to use”. (With is another way for them to say that they are just too damn lazy and feel entitled to 10 miles of soft retard padding.)

Re:LOL

[Sebilrazen]

Shhh, you aren't supposed to find arguments in favor of a review process like Apple's, this is /. after all.

Re:LOL

[QBasicer]

It's frustrating on my windows mobile phone that if you turn off data, for example if you're roaming in the US, and some app is like "OH I NEED TO CHECK FOR UPDATES RIGHT NOW", that WinMo will just say "Oh I see data is turned off. Let me turn that on for you.".

Re:LOL

[gid]

I have that problem with Motorolla Karma/QA1. Signed google maps can access the network all it wants after selecting "yes always". But the unsigned gmail cannot "yes ask every time" is the only allow network option for gmail and all unsigned apps. I've always assumed it's something that AT&T did to intentionally cripple the phone to not use the network as much as it's not a "smart phone" (read as cheaper data plan), but it's still quite capable so they had to make it stupider. [sic]

Re:LOL

what?

Re:LOL

[Joe+U]

Actually, most vendors have security turned on, you can only installed signed apps, and unsigned ones don't get access to the phone or the web.

The first thing the average XDA user does is disable that.

Re:LOL

I can only assume that was why he was modded insightful claiming they don't review the code before it's put into the App Store. /. has become so politicized anymore that they are willing to toss fact out the window to justify their hate of Apple. Basically if you slam Apple, regardless of what the facts say, you get a + Insightful or +Informative.

Re:LOL

[GNUALMAFUERTE]

Actually, it was even worse. There was no security model in win98, FAT doesn't have permissions, and all users are the same. The login dialog allowed you to login onto a network, and to load a custom wallpaper and some other user-based preferences.

When m$ migrated everything to NT-based systems, they did introduce file permissions and user-based auth, but it's still totally insecure and easily bypassed.

Did you really think m$ was going to do better on the mobile version of their os?

Re:LOL

[WNight]

I'm sure they do but it's obviously not worth much. It's partly why they won't allow an interpreted language - to make the check possible at all - and they still couldn't possibly check one app thoroughly, let alone all the thousands.

Such a check is less than worthless - like WEP - a false sense of security. Sure, it'll catch some trivial malware that's written by someone who didn't expect the examination but such a check will miss any of the code submitted to the Underhanded C Contest.

The only worthwhile security to implement here is capabilities. Very precisely, what can this app do? That way whatever code does sneak by onto the system it's still only going to be able to do what an untrusted app should be able to do.

Not that Apple doesn't also do that, but that code reviews for security are fundamentally flawed and therefore ultimately harmful.

Re:LOL

[mlts]

I am actually a bit miffed at MS for taking the easy way out and doing this. Why couldn't they make a permission/security system that would both work with legacy programs, but still provide protection against rogue apps on legacy systems? There are already third party firewall programs for WM, it wouldn't be hard for Microsoft to integrate that functionality in and have apps either request permission on install (like Android), or before use (like Blackberries).

What made Windows Mobile so attractive for a platform pre-7 is the fact that I could run almost anything on my WM device, including onboard E-mail that supported client certificates. Since WM 7 is another walled garden, it means that if I want custom apps, I have to look elsewhere.

Android isn't perfect either. I wish Google would come out with an ADP3 that is already rooted, has a quality fastboot and recovery mode, and would support custom ROMs out of the box without needing a "gold card" exploit. Android developers are not the ones pirating apps [1], and someone who buys a phone from the Android Store is clued enough to know the ramifications of the "#" prompt, fastboot, and custom ROM issues. The N1 comes close, but it still requires an exploit to get rooted, and the warranty on the phone is voided as soon as one does that. I'd love to see a slider with a hardware keyboard, but that's just my personal taste.

[1]: As a modder, I have nothing but contempt for app pirates. Apps are not expensive. Pirates are one of the reasons that make phone makers and cellular carriers put more and more roadblocks to make custom ROMs, much less even root their devices. The only excuse/justification of this would be that an app might be available on one country and not in another.

Re:LOL

[John+Hasler]

> That's generally known as false advertising and fraud, at least in countries
> with sensible regulatory systems.

It's also illegal in countries with simple basic criminal laws against fraud. No need for "regulatory systems".

Re:LOL

[toadlife]

Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specificaly made user authorization?

I'm pretty sure that they aren't allowed by default. I used to have an app that would dial my voice mail. I would get a prompt to confirm the dialing. This was with Windows Mobile 6.1, which almost identical under the hood compared to 6.5. During the install process some policy must have been changed to allows the automatic dialing.

Completely removing the ability of the program to do such things would make the platform inferior IMO. Some sort of better framework (I've seen something like that with Android and Blackberry) that notifies the user exactly what programs want to do via some sort of manifest is a much better solution.

Re:LOL

[mlts]

This is the classic dancing bunnies problem. Clued users would know what to do. Joe Sixpack will click "deny", find that his app doesn't work, so will just click "allow all" so he can see the dancing bunnies, just as he clicks "install" on his Windows box, then wonders why his WoW account's password got changed.

Of course, the most idiot-resistant way is Apple's method. I'm sure one of the reasons that MS is going with the walled garden approach is that they are tired of getting the blame when people install Windows, don't follow any basic security principles (like not installing random .EXE files pushed on them from pr0n sites), and MS gets a black eye for their failure to zip their fly in public. For Joe Sixpack, taking away the decision of allow or denying by rights may be a very good one, just like (obligatory car analogy) not everyone is allowed to drive unless they at least take a test to know the rules of the road.

This is why install-time asking of privs is probably the best compromise out there between complete lockdown and no protection against malware. If an app needs to do something that it doesn't have current ability to do with security settings, the developer can push out an update that will have the added permissions required in the manifest. This way, a user that sees a game ask for contact access, phone access, SMS access, access to network, and access to read/write other app files would likely at least start wondering, if not actually not install the app in the first place.

I do wish for finer grained access controls with Android. It would be nice to have apps be able to list in their manifest if they just communicate with one site (say a game that uploads high scores), multiple sites (a MMO), or anywhere on the Internet (a Web browser.) This way, a game can be locked down to not be useful as a botnet client. Of course, if the dev needs more servers, it is easy to push another update to the Android Market that would specify the new server array in the manifest.

Re:LOL

[PinkyGigglebrain]

Upon reflection you do have a point, better security at the OS level may have prevented this. But as vivian pointed out the code in the application that actually makes the calls to the communication APIs of the OS should have had better security as well to prevent an app from making a call in the first place.

Unless the trojan contained the code to invoke the OS APIs directly (a possibility) it seems like there is grounds for both MS bashing, some choice comments about the inept mobile app coders and end users who install programs from questionable sources.

Re:LOL

[xOneca]

Don't mind. We have to blame Windows.

Re:LOL

[xOneca]

Yes, they're often hard to find...

Re:LOL

[Kru)(fen]

> *my brother found out about this the hard way

Your *wink* brother *wink wink*

yeah, right :)

Re:LOL

[jc42]

It's also illegal in countries with simple basic criminal laws against fraud. No need for "regulatory systems".

Illegal if the victim has the funding to challenge a megacorporation in court, and pay for the decade or more of delaying courtroom tactics, after which (if they get the right judge) they can collect damages.

For the rest of the population, those who would be bankrupted by any attempt to prosecute a megacorporation, a "regulatory system" works a whole lot better. When it works at all, of course.

Re:LOL

[V+for+Vendetta]

There were plenty of those in Win9x

Why even boot up to the login prompt? Press Shift+F5 = boot to plain DOS. cd windows, del *.sam, all users gone.

A PW protected screensaver? Hit CTRL+ALT+DEL, kill screensaver task and you're in.

Re:LOL

> No idea why Microsoft decided this is not needed.

Really not a single clue? You realize that the monocrop argument is one heck of a fallacy spread around by paid MS astroturfers right? Or do you really believe that all OSes are created equal with regards to security?

I know why MS decided this was not needed: nobody in that company, not a single person, understand what "security" means. It is simply not part of their culture. All they can produce are software that have more holes than swiss cheese. And it has already fired back on them. And it shall continue to do so.

Windows for mobile is in huge trouble: it's a mobile Un*x world out there (both OS X and Linux) and the trend will just accelerate. Good riddance.

Re:LOL

[makomk]

It's also illegal in countries with simple basic criminal laws against fraud. No need for "regulatory systems".

That assumes the police care. Generally they don't, which is why it's handled by separate regulatory bodies or not at all. About the only time anything seems to happen in the US is when a particularly crusading attorney general is in power in that state, and their careers are generally cut rather short.

Re:LOL

[pinkushun]

Good ones! And my old favorite, the con-con BSOD :)

Re:LOL

[Scoth]

It was mainly intended for network login, or per-user customization. It wasn't intended for real security, per se, just customization profiles. It actually mostly worked for a family with different preferences for font sizes and such.

Did penguins answer ?

[Arvisp]

and what did they say ?

Re:Did penguins answer ?

They're not sure, all they heard was: "Tekeli-li! Tekeli-li!"

Re:Did penguins answer ?

[vbotka]

The answer is pretty clear. How can you be sure the program is save ? You have to check the source code ! Generally the open source program is safer than the proprietary one, because the source code is available and thousands eyes observe it. Freeware does not necessarily provide the source code. Freeware only tells you that you do not have to pay. The main goal of this article is to mix open source and freeware and spread fierce uncertainty and doubt (FUD). Actually nothing new.

Re:Did penguins answer ?

[DreadPirateShawn]

"Never gonna give you up, never gonna let you down, never gonna run around and desert you..."

Re:Did penguins answer ?

[Sulphur]

That guy with the whistle is calling again.

Re:Did penguins answer ?

[laejoh]

No penguins answered. The only sound they heard was Tekeli-li! Tekeli-li!

Re:Did penguins answer ?

[EnsilZah]

Probably something along the lines of "Nope, not seeing any bees around here either".

Re:Did penguins answer ?

Doo Bee - Doo Bee Doooooooooooo.

Re:Did penguins answer ?

"and what did they say ?"

Umm, "awk" by any chance?

Mod this reply troll, flamebait, trollbait, whatever....it richly deserves it, but I just couldn't resist.

Re:Did penguins answer ?

[sexconker]

Generally, when pulling a scam such as this, open source is the way to go. If you go closed source you've got one point of creation, distribution, and collection (of $ stolen). If you go open source, there's an amorphous blob of contributors and reviewers and distributors making it orders of magnitude more difficult to litigate.

From a user's perspective, freeware is the same as open source. A typical user will .N E V E R. read source code. A typical user will .N E V E R. understand what a repository is. A user will .A L W A Y S. download shitware if it promises them 5 minutes of entertainment.

The article is correctly advising users to be wary of free (open source or not) programs. The alternative is explaining to the user that there are safe places to get free things and there are dangerous places to get free things, and then teaching them how to distinguish between the two, and how to actually access the safe repositories. If you believe this is possible, then you have never dealt with a typical user.

From a user's perspective, code from MS or Apple or even Adobe is "safe". From a user's perspective, code from sourceforge is unsafe. From a user's perspective, Linux is unsafe.

Linux zealots have been trying to lead the masses to their side of the pasture for what, a billion years now? The problem is they do very little to educate people. Support? "Ask on the forums." "Sorry, your chipset is only partially supported."
Liability? "Linux is provided and maintained for free. If shit goes wrong, oops!"

The masses want dead simple shit.
Ubuntu is the dead simple version Linux for retards.
But for your fancy FOSS there's no dead simple support line where they can talk to a robot.
There's no dead simple interactive help tutorials.
There's no dead simple corporate entity to bitch at, or if need be, sue.

Saying open source code is safer because others can review it is about as horse shitty of a claim as peer review making academia better or that Wikipedia is a legitimate source of information.

To an outside observer who knows nothing about the code and can't review it themselves, they have to trust the repository. To an outside observer who knows nothing about the review process, there is little to no difference between the review process at your FOSS repository vs. the review process at Download.com . They make similar claims - free software, claims that it does what they want, assurances that it's safe, etc.

The fucking trick to all of this is that 99% of Linux fanboys are outside observers. They can't review the code themselves, and they don't know the details of the review process. Even if they are programmers they simply don't have the time to review every line of code and every included library. Unless they're a reviewer themselves they don't any knowledge of the actual (vs. claimed, see academia and Wikipedia) process, who is involved, and who is accountable.

So yes, in the end, FOSS is as potentially dangerous freeware. It obviously isn't 99.99% of the time, but when educating users on what to do and what not to do, you've got to dumb it down.

Re:Did penguins answer ?

[wwphx]

No penguins answered. The only sound they heard was Tekeli-li! Tekeli-li!

If I had any mod points, you would definitely get ++Funny!

Stop Calling Me, Damnit

It sucks enough here with the cold, now I have the phones ringing off the hook!!

OS name appropriate - WinCE

[zooblethorpe]

I always thought Microsoft made a bit of a branding error when it came to naming their mobile OS. "WinCE" just invites all kinds of negative associations, and stories like this one just add to the painful image.

Cheers,

Re:OS name appropriate - WinCE

[phantomfive]

On the other hand, having programmed for windows CE, it may actually be the most descriptive name the could find.

Re:OS name appropriate - WinCE

[pipedwho]

I've been writing for Windows CE for so long, I've got a permanent furrow on my brow.

Re:OS name appropriate - WinCE

[Arancaytar]

*winces at the pun*

Re:OS name appropriate - WinCE

[zullnero]

Dude. That was funny 10 YEARS AGO.

Re:OS name appropriate - WinCE

[splutty]

As we all know, 6 months of programming in Windows makes you want to jump out of one (YMMV)

Re:OS name appropriate - WinCE

Nerds can enjoy the same joke over and over for periods much longer than 10 years. It means we don't need to spend a lot of money on entertainment, assuming of course that we actually did spend money on entertainment instead of pirating it. Did I mention that peg legs and eye patches ARRR still funny, too?

Re:OS name appropriate - WinCE

[PitaBred]

September 19th!

Re:OS name appropriate - WinCE

[DinDaddy]

They should have rolled it all into one system with Windows ME and NT.

Windows CEMENT!

Re:OS name appropriate - WinCE

[Blakey+Rat]

Yeah, they should have called it something like "GIMP." That's much better.

Re:OS name appropriate - WinCE

[mcgrew]

Well, they named their Windows Media Player WiMP. I think both names are fitting.

In fairness, though, WinCE is a better browser than OpenWave, and I say that without even using WinCE; it couldn't possibly be worse than OpenWave.

Let's play a game...

[_Sprocket_]

....how about a nice game of Ice Station Zebra?

Cost of the calls

Just like to point out that as the UK is not part of the eurozone euros are not the currency of the UK; the cost is roughly £4 per minute (which equates to roughly 5 euro or roughly 6 US dollars).

One really has to wonder...

[Lord+Artemis]

...how they even *found* numbers in the Antarctic. It's not like you can set up a phone line down there, and I can't imagine many people would have occasion to call the Antarctic.

Re:One really has to wonder...

Yeah that's silly, we all know Santa's in the north pole!

Re:One really has to wonder...

[DarthBart]

There's enough phone numbers down there it has its country code for mobiles, and that's supposedly what this malware does. It dials +88234 numbers. It probably just wardials numbers in certain blocks.

I don't know how UK mobile providers do it, but I had to call my cell provider (Sprint) to enable international dialing before I could dial past +1.

Still it is a hell of a lot cheaper than wardialing +870 (Inmarsat) numbers. Last I heard, those were going for 10Euro/min on the wholesale market.

Re:One really has to wonder...

[DarthBart]

I stand corrected. 88234 is not just for mobiles in Antarctica. It is a country code assigned "Global Networks Switzerland".

Re:One really has to wonder...

[MichaelSmith]

I don't know how UK mobile providers do it, but I had to call my cell provider (Sprint) to enable international dialing before I could dial past +1.

My bet is that this is a US specific thing. Certainly in Australia new SIM cards can by default dial any number on Earth (and for all I know, some not on Earth). International roaming OTH is not always enabled by default and I have been bitten by this a few times.

Re:One really has to wonder...

[JWSmythe]

    You know, I was curious about this too. I found this page which shows there to be no phones (land lines nor cell) in the Antarctic. Wikipedia has a reference to calls being relayed over HAM radio only. They also mention that Scott Base does have a satellite relay for telephone calls. It seems they do have a country code assigned (672), so I'd suspect that someone got a number assigned, regardless of the fact that they aren't really there.

    What I don't exactly see is how they're profiting off the number. I know some long distance calls act as premium rate numbers (like dialing a 900 number in the US), where a profit can be had from the initial connection and the minutes on the maintained connection. It should be a simple matter to follow the money back to the source of the problem, and prosecute them accordingly. It's becoming rare that pranks like this are done just as pranks. There's usually a financial interest in it.

Re:One really has to wonder...

[MichaelSmith]

What I don't exactly see is how they're profiting off the number

Probably doing it for the lulz.

Re:One really has to wonder...

[Lumbre]

...how they even *found* numbers in the Antarctic. It's not like you can set up a phone line down there, and I can't imagine many people would have occasion to call the Antarctic.

I don't see how you can't imagine phones in Antarctica. It's not like there aren't dozens are hundreds of researchers down there. It doesn't have to be a physical wired connection. It could be a phone connecting to a satellite. As another example of advanced technology in Antarctica, you can find an ATM down there. It's pretty much a normal ATM which they service every couple years. Think abstractly my fellow /.er

Re:One really has to wonder...

[DarthBart]

+672 is not just for Antarctica, though. It is shared with Norfolk Island (a sort-of part of the commonwealth of Australia).

Re:One really has to wonder...

[jonbryce]

There will be satellite phones from networks with a polar orbit, such as Iridium, but not networks like Inmarsat which has a geostationary orbit. That's why it is so expensive.

Re:One really has to wonder...

[stonertom]

Wholesale phone minutes is a sleazy business. If you have a good route to an obscure country making loads of calls to it would probably pay off.

Re:One really has to wonder...

[Adult+film+producer]

absolutely... who really knows what the phone numbers to the antarctic are? The writers of this torjan likely didn't so they sat around for a few nights investigating it... likely chatting to each other on irc describing their angst in finding the numbers... and then after a few successful prank calls to the south pole confirmed, all hell commenced :-) Laugh...

Re:One really has to wonder...

+88234 is allocated to our company Global Networks Switzerland AG who operates a GSM network in Antarctica. The +88234 allocation is published by the ITU in the E.164 standard somewhere around 2003. As Antarctica is not considered a country according to the united nation but international territories, the +88234 allocation is out of the shared country codes block which is where you also find the satellite networks such as GlobalStar, Thuraya etc and also networks operating on Cruise Ships and similar. This is the main reason why operators charge a fortune. They don't differentiate +88234 in pricing from other networks in +882xx or +881xx which means you get charged sattelite connections even though our connection is much cheaper (and they make a hell of a lot of money off you). The connectivity to Antarctica goes over satellite to the edge of Antarctica to a research station (you can't reach the center over satellite). There is a second allocation +672 for antarctica for the australian Scott's base which is basically some kind of areacode of Australia. We have nothing to do with that network.

About the abuse of the number for so called auto-dialers, malware in games etc, please be aware that we are not involved in this. People somewhere in the middle do break out those calls and terminate it illegally on their equipment charging termination fees and making money of it. Those calls do not end up on our switch where they would supposed to go. The numbers used in the dialers are not in use in our network so calling them would result in a "unallocated number" error and you would not have been charged.

If you get charged for calls to +88234-8.... complain to the operator as it clearly points to shortstopping by a 3rd party.
Our legitimate users use mainly +88234-7xxx xx xx with a few allocations in +88234-4... and +88234-5...

Regards

Andreas Fink
CEO
Global Networks Switzerland AG
afink at gsm.aq

Re:One really has to wonder...

[machine321]

Assuming you're who you say you are (and I have no reason to believe otherwise), that's about the most informative thing I've ever read on Slashdot, including the summaries. Thanks.

Re:One really has to wonder...

It could be a phone connecting to a satellite.

no it cant. there is a sat station on the edge of the continent that actually has some big dishes to try and get the signal because it's really freaking hard to get sat coverage from a geostationary bird that far south. Plus there is no phone connections only data. All the phone service down there is either radio or VoIP.

Re:One really has to wonder...

There is a second allocation +672 for antarctica for the australian Scott's base which is basically some kind of areacode of Australia.

Scott Base is actually a New Zealand station. I believe the NZ phone system in Antarctica uses the +64 dialing code with an extension.

Re:One really has to wonder...

Aren't beliefs wonderful? I believe steamed nutmeg is used to create the illusion that the NZ phone system exists.

Re:One really has to wonder...

[fireylord]

and I can't imagine many people would have occasion to call the Antarctic.

i dunno, you may get a sudden urge to check if it's snowing there?

Re:One really has to wonder...

[Hurricane78]

+88234-7xxx xx xx

Hey, I had to try that. But it seems nobody was at home right now. :/

Re:One really has to wonder...

[York+the+Mysterious]

Note: I worked at McMurdo Station last year so I know what I'm talking about There's tons of phones down in Antarctica, but I'm not sure if any country is actually using the Antarctica country code. The US runs phone calls over the NPOESS sat system and trunks them back to Colorado where Raytheon Polar Systems is located. You can call anywhere in the US from the station with an extension to get an outside line, and the calls just look like some local number in the Colorado. Scott has has the same thing (they use the same US Sats). The South pole does similar things when there Sats in the horizon and during other times they use Iridium phones. There's an enormous number of Iridium phones in Antarctica, but again they all have US numbers.

Re:One really has to wonder...

[York+the+Mysterious]

It's all goes digital at some point, but not VOIP. McMurdo Station, population 1000, has old analog phones or the crappy beige variety. There's several hundred of them (400 maybe) with a Microwave uplink to Black Island, 22 miles North of McMurdo. From Black Island the signal is uplinked via the NPOESS satellite system to Centennial Colorado, where it's dropped on the public phone system. No VOIP anywhere in there. The South Pole station, however is VOIP fed by several ancient satellites that peak low enough to be seen at the bottom of the earth.

Re:One really has to wonder...

[York+the+Mysterious]

Iridium is the only Sat phone used the NSF in Antarctica. They own hundreds of them and a bank of Iridium phones provide a very slow data uplink to sync the South Pole stations Exchange servers with the US

Re:One really has to wonder...

[dglo]

While much of the satellite coverage is from geostationary satellites which have drifted out of their normal orbit and thus give partial coverage for a small window each day, the Iridium satellites provide 24 hour coverage. The Iridium links are pretty low-bandwidth, so they're not useful for shipping large amounts of data, but they're useable for phone calls.

I write software for a physics experiment based at the South Pole, and I got a call from there to my home phone just a few days ago, regarding some problems the winter-overs were having. I was a bit confused when I picked up, because the call showed up on caller ID as something like "U.S. Government (Hawaii)".

Re:One really has to wonder...

[JWSmythe]

    Ahh, the difference between speculation and experience. :) Thanks for the insight into it.

Re:One really has to wonder...

[York+the+Mysterious]

The US government runs an Iridium uplink (downlink?) in Hawaii so NSF Iridium phones show up as Hawaii calls

Those pesky penguins

I guess this is their revenge for Happy Feet

Comment removed

[account_deleted]

Comment removed based on user account deletion

Could someone please post the phone number

[harrytuttle777]

I seriously want to call this number. My guess is that the would not have a transoceanic sea line, so it would have to be an Iridium phone that picked up on the other end.
Anyone have details?

If the penguins could get a pay phone set up in Antarctica they could make a killing calling 1-800 numbers all day.

Re:Could someone please post the phone number

[DarthBart]

+88234-86-7-53-0-9

Re:Could someone please post the phone number

[DarthBart]

Oh, and you're correct about the lack of undersea cable. Everything that goes down there has to be transported on satellite, and even that gets iffy at times, especially at places south of McMurdo. Connection to the Amundsen-Scott has been done by a combination of geosynchronous birds in inclined orbits and by medium-earth-orbit birds in highly eccentric Molinya-type orbits.

Re:Could someone please post the phone number

you inconsiderate bastard...
we were trying to get some sleep down here

Re:Could someone please post the phone number

[MichaelSmith]

I assume thats the only way to stay warm at this time of year. So how is the hibernation going?

Re:Could someone please post the phone number

[VShael]

Well that's helpful. I tried googling the phone number to see what I could find.

Google told me the answer was 88,079.

Thanks Google.

Re:Could someone please post the phone number

[jaavaaguru]

http://en.wikipedia.org/wiki/867-5309/Jenny

Re:Could someone please post the phone number

[andrea.sartori]

Sometimes Google is just unreliable. Everybody knows the answer is 42.

no phone numbers in antartic

[spectrokid]

According to Wikipedia, there is no international dial code for the antartic

Re:no phone numbers in antartic

[DrugCheese]

According to Wikipedia, there is no international dial code for the antartic

That's because Antarctica has no nations to be international with. There are however plenty of research stations there with people who like to talk to mom n dad on the holidays.

Re:no phone numbers in antartic

You are retarded. That article says "In Antarctica dialing is dependent on the parent country of each base:", ie: there is no main country code for Antarctica, but there are phone numbers, the country code used depends on the research base.

Re:no phone numbers in antartic

[pookemon]

I originally modded you up - and then I did a search of my own.

http://countrycode.org/antarctica

Seems Wikipedia is not right about everything - go figure.

Re:no phone numbers in antartic

O'rly?
http://www.gsm.aq/

And apparently they are not happy at all that someone abused their range:
http://whocallsme.com/Phone-Number.aspx/8823462479 - second message from the bottom.

But that all can't be because wp doesn't list them...

Re:no phone numbers in antartic

IDD (International Direct Dialing) is not the same as the country code. I think the gp assumed that IDD was the country code and that the malware authors chose Antarctica because it would not have an obvious international code at the beginning. However, IDD is the prefix used to designate the country you are calling FROM, not TO... for the USA the IDD is 011, however, the country code is 1.

Anyway, Wikipedia actually gets it right, see:

http://en.wikipedia.org/wiki/Telecommunications_in_Antarctica
and
http://en.wikipedia.org/wiki/List_of_country_calling_codes (see section "Locations with no country code")

Re:no phone numbers in antartic

[AK+Marc]

That country code is for Australia (they have one code for Australia proper, and one for external territories, which includes the Antarctic station). Most countries use their own country code for their Antarctic territories, but Australia is the exception. The only people you'll get with that country code are Australians, and none of the other research stations, so I'm not sure I'd say that Antarctica has its own country code.

Re:Wait I'm confused

[EvanED]

So I've been reading Slashdot for a couple of years now and I'm thoroughly confused about how we decide which stories deserve the community's notice.

What happens is kwadson looks at the story, and if it's anti-MS, he posts it. (This is not a complete description of the process.)

(And to be fair, this story is much less flamebait than some of the FUD that he's put on the front page.)

as General Disarray says,

Simpsons did it.

UgLyPuNk

[UgLyPuNk]

http://www.wtng.info/wtng-672-au.html Base Old format New format Casey +672 12 8xx +672 12 8xxx Davis +672 10 6xx +672 10 6xxx Macquarie Island +672 13 9xx +672 13 9xxx Mawson +672 11 7xx +672 11 7xxx

What to the hackers gain?

[Michael+Woodhams]

I saw this on the BBC website too, but neither article tells me how it is to the advantage of the hackers to give random people big telephone bills. Do the hackers own some little phone company which the calls are going through? Do they have some overpriced premium number connecting to a computer in Scott Base which recites astrology readings in a synthetic voice?

More seriously: why should the phone OS allow a game to initiate phone calls? (I really hope the answer is 'the OS has a bug' rather than 'that's how they designed it.')

Re:What to the hackers gain?

[LingNoi]

but neither article tells me how it is to the advantage of the hackers to give random people big telephone bills.

Maybe they get lonely down there.

Re:What to the hackers gain?

[thegarbz]

This is almost triggering nostalgia. I remember the good old days where viruses were actually malicious to the system they were installed on. None of this run silently in the background bot zombie we'll use your resources if we need it to further our own gain crap.

In the good old days a virus just wasn't a virus if it didn't format your C: on some arbitrary birthday of the writer, or nuke your master boot record, or even copy itself to the master boot record so that when you started up the computer said Suck It! Rather than displaying the Windows 3.11 loading screen. Man it sucked re-installing dos and windows from floppies.

Re:What to the hackers gain?

[chrb]

neither article tells me how it is to the advantage of the hackers to give random people big telephone bills

International premium rate numbers are big business, see my other reply. Here's another provider offering 1+ euro a minute. The lines usually cost a couple of hundred Euros to set up, so it's easy to make the money back if you can get people to call them.

Re:What to the hackers gain?

[Sockatume]

From the sounds of things, the hackers cracked what was originally a shareware app. Putting in a money-wasting dialler may just be their way of saying "if you want to pirate games with the assistance of hackers, get ready for some serious bullshit".

Re:What to the hackers gain?

Right On! Virusin' Old Skool! 1337 Vandalism because you can!

Ah, the good old days.

If I think calmly, odds probably go on it being some establishment drone trying to put fear in the hearts of those who consider using freeware, but it's somehow more heartening to think it's some high school anarchist trying to stick it to the man.

Re:What to the hackers gain?

Man it sucked re-installing dos and windows from floppies.

At least when you were done with the process you were actually done. Nowadays you re-install Windows from DVD and then have to run Windows Update and reboot repeatedly for the next few hours.

Re:What to the hackers gain?

[fuzzyfuzzyfungus]

Frankly, the kiddie vandal stuff was way less dangerous than the pro-level sneaky botnet crap we put up with now. Yeah, it sucked for the target(whereas, with a sufficiently powerful machine, your modern malware victim can limp along for months); but diseases virulent enough to kill their hosts swiftly don't spread as well, and don't have time to spam.

It would be ugly, for a while; but if more modern viruses nuked their hosts, as opposed to quietly lurking and spamming, the internet would be a safer, cleaner, place today.

Re:What to the hackers gain?

I'm not a fan of malicious software, but the one thing malicious viruses did is get people to tighten up their home security. These days, I encounter people who shrug off any semblance of maintaining a machine with excuses as "it will get hacked anyway, who cares", "I have an antivirus program I pay $100 a year for. I don't need to worry about security", or the most annying, "Geek Squad can fix anything".

If software started formatting drives or zeroing out flash BIOSes on a common scale so that some acquaintance in someone's chain gets stung, it wouldn't be good, but it would get people to actually think twice before running that executable that claims to be needed to view free pr0n.

Even dialers which used to be a threat in the earlier part of the 2000s are not an issue anymore. So someone who gets compromised may not really know or care for a good long while.

Re:What to the hackers gain?

AMEN Brother, I once fought a polymorphic stealth monkey virus. Damn thing hid itself by jumping from the floppy to the MBR and I swear I caught it trying to get into the BIOS once.

Re:What to the hackers gain?

[JustOK]

virulution

Re:What to the hackers gain?

as to why the phone lets applications issue phonecalls:

it allows you to have handy things like a facebook app that allows you to dial or send a text message to any of your friends straight from the app, no copying or pasting. clicking on phone numbers in opera & outlook also allows you to dial. finally, it allows you to use 3rd party messaging and dialer (as in a different touch screen phone keyboard) apps. There's no reason for a game to be able to make a call, but no reason not to allow other apps to.

Re:What to the hackers gain?

[internewt]

Man it sucked re-installing dos and windows from floppies.

This bit of info might be a little late, but IIRC you could copy the contents of the 3.11 floppies to the HDD, and run setup from there. The install process would go much quicker, and the overall install time was quicker to manually do the copying first. Plus no having to watch the install process, and put disks in when it asked.

Re:What to the hackers gain?

[GrumpySteen]

This is a new variation on the old 809 scam. Basically the call goes to a pay-per-call service (like 1-900 number). The phone company gets part of the money and the person who set up the scam gets the rest.

Re:What to the hackers gain?

[izomiac]

I'm wondering whether it'd be white hat or black hat to write an MBR nuker in this day and age. Sure, you deny someone the use of their computer, but if it caught your worm/virus then it almost certainly has others. A nuked MBR is easy enough to fix by a knowledgeable person, said person will clean out the malware and secure the PC, no data loss occurs, and the owner gets a lesson in not being stupid. It's Machiavellian, but just a couple of these viruses would probably eliminate the botnets that don't secure their hosts. And you prevent someone's credit card from getting stolen by the rootkit that their computer was already infected with.

OTOH, nowadays you could probably overwrite the firmware in most portable devices, routers, harddrives, optical drives, network cards, motherboards, and probably a few other components. Now that would be mean!

Hacked by penguins

[kaoshin]

Hernk the planet squaaack!

Permissions

Symbian phones at least require you to explicitly give discrete permissions to the programs you put on them. Do you want to allow access to the gprs? do you want to allow read acess to personal data? to memory stick? write access? sms? calls? stupid for windows phone to let them randomly allow or stupid for people to give a game those permissions.

old news is old?

http://www.theregister.co.uk/2010/04/09/windows_mobile_trojan/
Yes that was on ElReg 2 months ago.

To install or not install

[krischik]

One of the problems with mobile apps is the "allow and install" vs "deny and not install". You read the list of privileged operations and you are left with a tough decision and no middle ground - which would be "deny and still install". If I read the list of requested privileged applications I often get a shiver.

Considering how often links get slashdotted

[VShael]

You'd think SOMEONE would actually tell us the name of the game responsible?
Seems like that should have been in the headline or story.
("3D Anti Terrorist Action" by the way)

But no, I suppose it's more important to emphasise that it's Windows.

Slashdot. Old school journalism at its finest.

("There's a chemical in your home which may kill you. We'll tell you what it is, after these important messages")

Coriolis Effect

[Torrance]

Which way do your toilets flush down there? Clockwise or anti-clockwise?

Re:Coriolis Effect

Directly at you, where all shit belongs.

Still Think Apple Moderates Too Harshly? ;)

[Udigs]

Running any application on your phone from untrusted sources produces unexpected results. Clip at 11.

Re:Still Think Apple Moderates Too Harshly? ;)

[alfredos]

My thought exactly!

Re:Still Think Apple Moderates Too Harshly? ;)

[Hurricane78]

Protip: COMMON FUCKING SENSE!

When we treat people like idiots, the BECOME idiots. And my theory is, that that is the reason most people are idiots nowadays.
Because they CAN. And still live a pretty nice life. It’s just a (short-sighted) question of efficiency.

All those people in those companies that put people in miles of padding, should go to jail for crimes against humanity, until they have undone the damage.

Re:Still Think Apple Moderates Too Harshly? ;)

[noidentity]

Agreed; with the iPhone, I am assured a predictable drain on my wallet, rather than like this with unexpected spikes. Much easier to budget for the iPhone.

Profiting is the easy part

[chrb]

What I don't exactly see is how they're profiting off the number.

There are plenty of providers of international premium rate numbers that will ask no questions about the callers and deposit a percentage of the call termination fees into a bank account at the end of the month - the article mentions they used Somalia ($0.14/min), Dominica (€0.45/min), Antarctica (€0.46/min). The provider I linked to was the top of Google's search - you can probably find others offering higher rates.

It should be a simple matter to follow the money back to the source of the problem

Not really. These crimes cross multiple legal jurisdictions, and there is no evidence to tie the trojan writer to the person profiting from the calls. Authorities in, say, Switzerland, will not break the banking secrecy of an individual just because they profited from running a premium rate phone number.

I remember hearing a story back in the early 90s about a French guy who had over 30 land lines installed in his house, and had set up an automated blueboxing dialler to call international premium rate numbers 24/7. Allegedly, he was earning $1.50/min from each call, and he quickly became a millionaire.

Re:Profiting is the easy part

[DNS-and-BIND]

Funny, back when I used to work in toll fraud at one of the Big Three, we regularly had overseas calls in the $3-4 range per minute. A popular destination was Vanuatu along with some other Pacific islands, easily the most expensive of them all. I never really understood porn over voice. Any time I saw the country codes for Pacific islands, I blocked them immediately. Another popular destination for toll fraud was 809, which was part of NANPA but still counted as overseas (Caribbean islands) and thus ran up big charges quickly. The most expensive fee per minute I ever saw was a puzzling destination of INMARSAT. What kind of country is that, I thought to myself as I dialed the number to check what it was. Seaman Mumble picked up the call, it was the bridge of a Navy destroyer! INMARSAT was/is a satellite communications provider for ships at sea. $5.50 per minute, the highest I ever saw.

The point of this rambling post is that toll fraud seems much cheaper these days. Fifty cents a minute to Antarctica seems like nothing compared to rates back in the day.

Re:Profiting is the easy part

[Alioth]

Big Three what? The only "Big Three" I know of are Ford/GM/Chrysler - and it seems odd they'd have a toll fraud department...

On high per-minute charges, the highest I've seen is the seat back phones on Continental Airlines transatlantic flights a few years ago, it was around $10/minute!

Diego Garcia

[ei4anb]

The island of Diego Garcia used to be a favourite for such phone scams. Phone companies have international agreements to tranfer money, a portion of what they bill for international calls. In the case of the scam calls to Diego Garcia the money could be siphoned off by middlemen because Diego Garcia did not have agreements with all phone companies (bad credit rating?) and the money was routed indrectly. Something similar is happening here. The Irish Communications Regulator blocked direct dial calls to a list of countries to cut down on such fraud http://news.cnet.com/Ireland-launches-phone-fraud-crackdown/2100-1036_3-5377387.html

Windows Mobile Fail

Why would you allow an app access to the dialing functions on your phone?

Oh, wait, Windows Mobile. I hope that they've ring-fenced / sandboxed these functions on Windows Phone 7, like Android has.

Misnomer

[RenHoek]

This article is mistagged as a 'worm', it should be tagged as a 'logic bomb'.

A worm is a piece of software that is able to propagate itself without interaction from a user. A logic bomb is a piece of software or a function in a piece of software that activates when certain conditions are met.

Hmmm...

[rindeee]

I guess that whole "Is your refrigerator running" crank would be sort of un-funny given the circumstances....

Most interesting thing about this story

[alphax45]

I find that there actually exists a "popular Windows Mobile game" the most interesting part of this story!

Re:Android permissions

[just+fiddling+around]

The permissions on Android are OK, but for IP access are too vague. Since I pay per Kb, I'd like to have a per-domain permission or a per-access notification.

Moreover, all the programs I downloaded triggered "network access" warning on install so I would not be surprised if "whoopieCalc" did so. Security breach by desensitivation FTL.

Pranks

[Bigbutt]

Somewhere on McMurdo Station

Bob: ZzzzZZZzz
Phone: *ring* *ring*
Bob: Zz*wha* hello?
Phone: *ScreeEEeeeEee*
Bob: Hey, HEY THIS ISN'T A FAX! PICK UP! PICK UP! *slam* morons

[John]

Get an iPhone!

Apple's "totally controlling the users" method pays off in cases like this. If you had an iPhone, it would have been impossible for something like this to happen. Even a jailbroken iPhone (which allows you to play unofficial apps) is safe from this kind of thing because the jailbreak hack doesn't remove Apple's security from the iPhone OS. If an app wanted to place a call, the OS displays a pop-up saying "CALL 1-555-1212" and you must press OK to call it. Similarly, no application can gain access to your GPS location without asking you the first couple times you open it.

So, apps that track your location without you knowing it, or make calls without you knowing it are impossible on the iPhone. Apple isn't totally crazy after all.

Re:Get an iPhone!

Ahhh, forgot to mention that the iPhone will also not let an app take pictures without the user's knowledge. An app can open the OS's little standard picture-taking screen which will only snap the photo when the user presses the little camera icon. Then, control is transferred from the OS back to the app and the app may do what it wants with the image data. My hat's off to Apple! It's scary to think there are "smart phones" out there that could silently take photos of you and your surroundings, track your movement and relay the LAT/LON to a server on the Internet, or call the South Pole without your knowledge.

Any of these features should be controlled by the operating system, as Apple does!

Why attack freeware?

This isn't freeware. It was a shareware version of a "pay" game that was cracked and injected with malware. Why does the summary make it look like freeware is more dangerous than pay-to-play? This is just another case where warez is more dangerous than legitimate software.

The real question is...

[Braedley]

Who is using Windows Mobile? Release this for iPhone or Android and then you can make some money.

root for a reason

[fireylord]

The reason installing applications on linux takes root priv is because the installation requires modifications within non user filesystem space (/usr/bin, /usr/local, /usr/share), typically installing applications in *nix requires installation in far more than just a user's &home directory, not least because the ability to execute applications from a user's home dir may be disabled without root privs. I believe this is called having a decent security model.

iPhone and Droid apps can

[phorm]

There are iPhone and Droid apps both that can dial out. On either platform, my VOIP apps have access to my phonebook, and can dial out through the phone itself rather than just VOIP. The trick is though that in the "store" they do tell you what an app is capable of doing, although sometimes the info is a bit broad.

For apps that want root access, you must authorize them on the Droid (iPhone is supposed to be no-root in general, droid needs to be cracked fist).

For work I have an old blackberry, and when you launch an app it asks for permission to run or be whitelisted. I haven't found one that does dialing, but from what I've seen of the security layers it might need special permission for that.

When it comes to smartphones, the iPhones is still dominating entertainment, the Droid is growing quickly and becoming more versatile, but the blackberry really does seem to have started out-of-the-gate with a greater focus on security.

stoned.empire.monkey

[phorm]

Anybody remember this one? I don't know that it actually *DID* anything to the computer, but it got around faster than crabs on a $5 hooker.

Infected disk put in machine = infected machine.

Clean disk put in infected machine = infected disk

Back in high school, that thing was rampant until they get a decent TSR antivirus. It slowed the computer down a lot, but it did manage to spank the monkey before it infected the PC's.

900 Numbers in the Antarctic ?

[mbone]

There is no civil society in Antarctica - none. I do not believe that there is as much as a convenience store in the entire continent. So who, pray tell, is getting the money from these calls ? The National Science Foundation ? Now, that would be an interesting way to expand the science budget...

Re:Android permissions

[mlts]

Android's permissions are either all or nothing when it comes to Internet access. And some apps just ask for that permission for no real reason.

Best way to deal with that is to have a rooted phone and Droidwall. However, this won't protect against an app that was installed that was given capabilities of dialing and sending/receiving SMS/MMS items.

Another item to have is an app called autostarts. You would be surprised on what apps want to hook where.

"a popular Windows Mobile game"

I understand all those words individually, but put together in a sentence like that, they don't make any sense!

Re:Android permissions

[spyingwind]

I 3 you for showing my the light of Autostarts

Re:Android permissions

[kalirion]

You moon him? < is your friend.

Time to investigate.

[dadelbunts]

It seems the developer was a little. *puts on sunglassses* cold blooded. YEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH

Every downloader is an app store police

[Ilgaz]

No, Symbian and J2ME seriously warns when it tries to do a crazy thing like "dialling a phone number", I cancel, warn the site which I downloaded. So, I am (as well as 1b potential users) a "app store" guy myself.

What I wonder is: Doesn't Windows mobile have such mechanisms? I heard it does.

Re:Every downloader is an app store police

[Udigs]

The FDA approves drugs. The FCC approves electronics. Point is that widespread utilities like this should go through some sort of validation process. I'm not saying it should be apple, but it should be SOMEONE.

Calling Antarctica

There isn't really a 'code' for dialing Antarctica... I worked IT at the Amundsen-Scott South Pole Station for the United States Antarctic Program. The US stations employ a satellite link to the Denver headquarters, and from there it's just connected to the network. Dialing "The South Pole" is actually just a Denver number.

So, it is end user

[Ilgaz]

Besides all sane download sites should really have at least 3 antiviruses installed and running to check all binary files, it is the architecture of J2ME and Symbian which will seriously alert user with a blocking prompt for _each_ phone attempt done by 3rd party unsigned application.

One must be really stupid to ignore that alert and allow (there is no OK pre-selected) a phone call from game.

What I find hard to believe is: Windows Mobile doesn't have such mechanism?