Slashdot Mirror
Mobile Game Trojan Calls the South Pole
UgLyPuNk writes with an excerpt from Gamepron.com: "Freeware games can actually cost you more money than their pay-to-play cousins, as mobile gamers in the UK have learned. A 'booby-trapped' version of a popular Windows Mobile game has been sneakily spending their money while they sleep – by dialing phone numbers in the Antarctic behind their backs."
aw man, that's pretty cold.
and what did they say ?
I always thought Microsoft made a bit of a branding error when it came to naming their mobile OS. "WinCE" just invites all kinds of negative associations, and stories like this one just add to the painful image.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
....how about a nice game of Ice Station Zebra?
...how they even *found* numbers in the Antarctic. It's not like you can set up a phone line down there, and I can't imagine many people would have occasion to call the Antarctic.
Air is just like fog, but it's not gray.
Crappy brain dead design strikes again.
Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specificaly made user authorization?
Surely that should be something that has to be done on a per-application basis, and only after the user has allowed it by entering an authorization password to allow the app to access those parts of the phone!?
There should also be a way to limit the number or costs of calls (per application) that is built in at the lowest possible level too.
Comment removed based on user account deletion
>Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specificaly made user authorization?
For the record, when a Symbian app tries to make a call or connect to the internet the user is presented with a dialog asking whether to allow the app to connect/make a call. No idea why Microsoft decided this is not needed.
Apple has "Mac vs PC", Microsoft has "Laptop Hunters", Linux has recession
+88234-86-7-53-0-9
Simmilar examples can be found in:
1.) Back in the good old days of dial-up, there were adult sites that would give "free" access assuming you (stupidly/unknowingly) dialed into a south-pacific island nation number that had a north American prefix, with your unlimited long distance account.*
2.) All the cell joke and ring tone numbers you can "get for free" that are/were advertised on TV.
*my brother found out about this the hard way
I don't know about angles, but it's fear that gives men wings. -Max Payne
Might be using some software bug to circumvent the prompt but yeah.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
I originally modded you up - and then I did a search of my own.
http://countrycode.org/antarctica
Seems Wikipedia is not right about everything - go figure.
dnuof eruc rof aixelsid
I saw this on the BBC website too, but neither article tells me how it is to the advantage of the hackers to give random people big telephone bills. Do the hackers own some little phone company which the calls are going through? Do they have some overpriced premium number connecting to a computer in Scott Base which recites astrology readings in a synthetic voice?
More seriously: why should the phone OS allow a game to initiate phone calls? (I really hope the answer is 'the OS has a bug' rather than 'that's how they designed it.')
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
the problem is that a secure design would show a popup like:
do you want to call this 00431341424345 number with your modem (yes/no/always allow this number) every time the modem driver engage
instead windows 7/vista shows us a popup like:
the application solitaire.exe requires you authorization to continue (yes/no)
and that popup is so common that users click trough it without a second thought.
And decent phones do. On a BlackBerry, for example, you have to specifically authorize each application to access to the voice radio, IP connections (as a whole or per-domain), GPS, address book, etc. It's easy to use and provides great protection, not to mention the instant insight into what a program is actually doing (i.e. "Why does this free calculator want to connect to warez.ru"). Why WindowsCE doesn't do such things is a complete mystery.
That country code is for Australia (they have one code for Australia proper, and one for external territories, which includes the Antarctic station). Most countries use their own country code for their Antarctic territories, but Australia is the exception. The only people you'll get with that country code are Australians, and none of the other research stations, so I'm not sure I'd say that Antarctica has its own country code.
Learn to love Alaska
One of the problems with mobile apps is the "allow and install" vs "deny and not install". You read the list of privileged operations and you are left with a tough decision and no middle ground - which would be "deny and still install". If I read the list of requested privileged applications I often get a shiver.
It's how .NET CF's telephony API works. You call a function, send it a number as a parameter, and it dials it. As long as I can remember, that's pretty much been how you call that particular .NET CF function. At least, that's how it worked in 2005 with .NET CF 1.0. So basically, that particular hole has been there for probably about 5 years. Since most mobile phones run a slightly older than latest version of .NET CF, I'd imagine that quite a few phones would be vulnerable to that. That said, the main reason it doesn't prompt for verification is because a lot of big companies, carriers, major third party dev houses, etc. most likely demanded that they be able to "phone home" seamlessly and quietly for various reasons or they wouldn't support their platform.
I know, you're probably thinking "what reasons"? Well, from some of the vendors I've worked with, it ranges from location based information to cell phone recovery tracking to remote programming. None of it is absolutely necessary given current available technology and that you can do all that stuff over the data network, but when Windows CE was originally designed, data networks weren't quite as useful.
Well that's helpful. I tried googling the phone number to see what I could find.
Google told me the answer was 88,079.
Thanks Google.
Running any application on your phone from untrusted sources produces unexpected results. Clip at 11.
What I don't exactly see is how they're profiting off the number.
There are plenty of providers of international premium rate numbers that will ask no questions about the callers and deposit a percentage of the call termination fees into a bank account at the end of the month - the article mentions they used Somalia ($0.14/min), Dominica (€0.45/min), Antarctica (€0.46/min). The provider I linked to was the top of Google's search - you can probably find others offering higher rates.
It should be a simple matter to follow the money back to the source of the problem
Not really. These crimes cross multiple legal jurisdictions, and there is no evidence to tie the trojan writer to the person profiting from the calls. Authorities in, say, Switzerland, will not break the banking secrecy of an individual just because they profited from running a premium rate phone number.
I remember hearing a story back in the early 90s about a French guy who had over 30 land lines installed in his house, and had set up an automated blueboxing dialler to call international premium rate numbers 24/7. Allegedly, he was earning $1.50/min from each call, and he quickly became a millionaire.
The island of Diego Garcia used to be a favourite for such phone scams. Phone companies have international agreements to tranfer money, a portion of what they bill for international calls. In the case of the scam calls to Diego Garcia the money could be siphoned off by middlemen because Diego Garcia did not have agreements with all phone companies (bad credit rating?) and the money was routed indrectly. Something similar is happening here. The Irish Communications Regulator blocked direct dial calls to a list of countries to cut down on such fraud http://news.cnet.com/Ireland-launches-phone-fraud-crackdown/2100-1036_3-5377387.html
... software bug ....
Oh I hardly think that likely...
You are aware that Apple don't review code before it is added to the shop right?
And the rest of the world have already solved this problem for mobile phones. An application don't have access to do anything that can interfere with other applications/the operation system without explicit user accept.
And this access is handled by the operation system not the application. The application ask the operation system, and the operation system ask the user, so the application don't have any way to trick the user into doing something by lying to the user.
I guess that whole "Is your refrigerator running" crank would be sort of un-funny given the circumstances....
All of the 3rd party code in the App store is reviewed and no code is placed into the App store until review is complete. This sort of hack, which would have to use non-standard API's to accomplish this, is exactly what such reviews would find. Love it or hate it, it is an effective tool in finding such malware. It is not a catch all, but is an important piece.
"You are aware that Apple don't review code before it is added to the shop right?"
This isn't freeware. It was a shareware version of a "pay" game that was cracked and injected with malware. Why does the summary make it look like freeware is more dangerous than pay-to-play? This is just another case where warez is more dangerous than legitimate software.
Android's permissions are either all or nothing when it comes to Internet access. And some apps just ask for that permission for no real reason.
Best way to deal with that is to have a rooted phone and Droidwall. However, this won't protect against an app that was installed that was given capabilities of dialing and sending/receiving SMS/MMS items.
Another item to have is an app called autostarts. You would be surprised on what apps want to hook where.
I have that problem with Motorolla Karma/QA1. Signed google maps can access the network all it wants after selecting "yes always". But the unsigned gmail cannot "yes ask every time" is the only allow network option for gmail and all unsigned apps. I've always assumed it's something that AT&T did to intentionally cripple the phone to not use the network as much as it's not a "smart phone" (read as cheaper data plan), but it's still quite capable so they had to make it stupider. [sic]
I'm sure they do but it's obviously not worth much. It's partly why they won't allow an interpreted language - to make the check possible at all - and they still couldn't possibly check one app thoroughly, let alone all the thousands.
Such a check is less than worthless - like WEP - a false sense of security. Sure, it'll catch some trivial malware that's written by someone who didn't expect the examination but such a check will miss any of the code submitted to the Underhanded C Contest.
The only worthwhile security to implement here is capabilities. Very precisely, what can this app do? That way whatever code does sneak by onto the system it's still only going to be able to do what an untrusted app should be able to do.
Not that Apple doesn't also do that, but that code reviews for security are fundamentally flawed and therefore ultimately harmful.
I am actually a bit miffed at MS for taking the easy way out and doing this. Why couldn't they make a permission/security system that would both work with legacy programs, but still provide protection against rogue apps on legacy systems? There are already third party firewall programs for WM, it wouldn't be hard for Microsoft to integrate that functionality in and have apps either request permission on install (like Android), or before use (like Blackberries).
What made Windows Mobile so attractive for a platform pre-7 is the fact that I could run almost anything on my WM device, including onboard E-mail that supported client certificates. Since WM 7 is another walled garden, it means that if I want custom apps, I have to look elsewhere.
Android isn't perfect either. I wish Google would come out with an ADP3 that is already rooted, has a quality fastboot and recovery mode, and would support custom ROMs out of the box without needing a "gold card" exploit. Android developers are not the ones pirating apps [1], and someone who buys a phone from the Android Store is clued enough to know the ramifications of the "#" prompt, fastboot, and custom ROM issues. The N1 comes close, but it still requires an exploit to get rooted, and the warranty on the phone is voided as soon as one does that. I'd love to see a slider with a hardware keyboard, but that's just my personal taste.
[1]: As a modder, I have nothing but contempt for app pirates. Apps are not expensive. Pirates are one of the reasons that make phone makers and cellular carriers put more and more roadblocks to make custom ROMs, much less even root their devices. The only excuse/justification of this would be that an app might be available on one country and not in another.
It seems the developer was a little. *puts on sunglassses* cold blooded. YEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH