Mobile Game Trojan Calls the South Pole

UgLyPuNk writes with an excerpt from Gamepron.com: "Freeware games can actually cost you more money than their pay-to-play cousins, as mobile gamers in the UK have learned. A 'booby-trapped' version of a popular Windows Mobile game has been sneakily spending their money while they sleep – by dialing phone numbers in the Antarctic behind their backs."

yikes

[iwannasexwithyourmom]

aw man, that's pretty cold.

Re:yikes

[PDX]

What next downloading penguin porn? That would be appropriate for a Linux virus.

Re:yikes

[PinkyGigglebrain]

No, that would be perfect for a Windows virus.

Adds insult to injury, with a dash of salt.

Did penguins answer ?

[Arvisp]

and what did they say ?

OS name appropriate - WinCE

[zooblethorpe]

I always thought Microsoft made a bit of a branding error when it came to naming their mobile OS. "WinCE" just invites all kinds of negative associations, and stories like this one just add to the painful image.

Cheers,

Re:OS name appropriate - WinCE

[phantomfive]

On the other hand, having programmed for windows CE, it may actually be the most descriptive name the could find.

Re:OS name appropriate - WinCE

[splutty]

As we all know, 6 months of programming in Windows makes you want to jump out of one (YMMV)

Let's play a game...

[_Sprocket_]

....how about a nice game of Ice Station Zebra?

One really has to wonder...

[Lord+Artemis]

...how they even *found* numbers in the Antarctic. It's not like you can set up a phone line down there, and I can't imagine many people would have occasion to call the Antarctic.

Re:One really has to wonder...

[JWSmythe]

    You know, I was curious about this too. I found this page which shows there to be no phones (land lines nor cell) in the Antarctic. Wikipedia has a reference to calls being relayed over HAM radio only. They also mention that Scott Base does have a satellite relay for telephone calls. It seems they do have a country code assigned (672), so I'd suspect that someone got a number assigned, regardless of the fact that they aren't really there.

    What I don't exactly see is how they're profiting off the number. I know some long distance calls act as premium rate numbers (like dialing a 900 number in the US), where a profit can be had from the initial connection and the minutes on the maintained connection. It should be a simple matter to follow the money back to the source of the problem, and prosecute them accordingly. It's becoming rare that pranks like this are done just as pranks. There's usually a financial interest in it.

Re:One really has to wonder...

[Lumbre]

...how they even *found* numbers in the Antarctic. It's not like you can set up a phone line down there, and I can't imagine many people would have occasion to call the Antarctic.

I don't see how you can't imagine phones in Antarctica. It's not like there aren't dozens are hundreds of researchers down there. It doesn't have to be a physical wired connection. It could be a phone connecting to a satellite. As another example of advanced technology in Antarctica, you can find an ATM down there. It's pretty much a normal ATM which they service every couple years. Think abstractly my fellow /.er

Re:One really has to wonder...

[DarthBart]

+672 is not just for Antarctica, though. It is shared with Norfolk Island (a sort-of part of the commonwealth of Australia).

Re:One really has to wonder...

[stonertom]

Wholesale phone minutes is a sleazy business. If you have a good route to an obscure country making loads of calls to it would probably pay off.

Re:One really has to wonder...

+88234 is allocated to our company Global Networks Switzerland AG who operates a GSM network in Antarctica. The +88234 allocation is published by the ITU in the E.164 standard somewhere around 2003. As Antarctica is not considered a country according to the united nation but international territories, the +88234 allocation is out of the shared country codes block which is where you also find the satellite networks such as GlobalStar, Thuraya etc and also networks operating on Cruise Ships and similar. This is the main reason why operators charge a fortune. They don't differentiate +88234 in pricing from other networks in +882xx or +881xx which means you get charged sattelite connections even though our connection is much cheaper (and they make a hell of a lot of money off you). The connectivity to Antarctica goes over satellite to the edge of Antarctica to a research station (you can't reach the center over satellite). There is a second allocation +672 for antarctica for the australian Scott's base which is basically some kind of areacode of Australia. We have nothing to do with that network.

About the abuse of the number for so called auto-dialers, malware in games etc, please be aware that we are not involved in this. People somewhere in the middle do break out those calls and terminate it illegally on their equipment charging termination fees and making money of it. Those calls do not end up on our switch where they would supposed to go. The numbers used in the dialers are not in use in our network so calling them would result in a "unallocated number" error and you would not have been charged.

If you get charged for calls to +88234-8.... complain to the operator as it clearly points to shortstopping by a 3rd party.
Our legitimate users use mainly +88234-7xxx xx xx with a few allocations in +88234-4... and +88234-5...

Regards

Andreas Fink
CEO
Global Networks Switzerland AG
afink at gsm.aq

Re:LOL

[vivian]

Crappy brain dead design strikes again.
Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specificaly made user authorization?

Surely that should be something that has to be done on a per-application basis, and only after the user has allowed it by entering an authorization password to allow the app to access those parts of the phone!?
There should also be a way to limit the number or costs of calls (per application) that is built in at the lowest possible level too.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Could someone please post the phone number

[DarthBart]

+88234-86-7-53-0-9

Re:LOL

[FearForWings]

The simple answer is that the phone companies hope you'll be to embarrass to contest the charges.

Simmilar examples can be found in:

1.) Back in the good old days of dial-up, there were adult sites that would give "free" access assuming you (stupidly/unknowingly) dialed into a south-pacific island nation number that had a north American prefix, with your unlimited long distance account.*
2.) All the cell joke and ring tone numbers you can "get for free" that are/were advertised on TV.

*my brother found out about this the hard way

Re:no phone numbers in antartic

[pookemon]

I originally modded you up - and then I did a search of my own.

http://countrycode.org/antarctica

Seems Wikipedia is not right about everything - go figure.

What to the hackers gain?

[Michael+Woodhams]

I saw this on the BBC website too, but neither article tells me how it is to the advantage of the hackers to give random people big telephone bills. Do the hackers own some little phone company which the calls are going through? Do they have some overpriced premium number connecting to a computer in Scott Base which recites astrology readings in a synthetic voice?

More seriously: why should the phone OS allow a game to initiate phone calls? (I really hope the answer is 'the OS has a bug' rather than 'that's how they designed it.')

Re:What to the hackers gain?

[LingNoi]

but neither article tells me how it is to the advantage of the hackers to give random people big telephone bills.

Maybe they get lonely down there.

Re:What to the hackers gain?

[thegarbz]

This is almost triggering nostalgia. I remember the good old days where viruses were actually malicious to the system they were installed on. None of this run silently in the background bot zombie we'll use your resources if we need it to further our own gain crap.

In the good old days a virus just wasn't a virus if it didn't format your C: on some arbitrary birthday of the writer, or nuke your master boot record, or even copy itself to the master boot record so that when you started up the computer said Suck It! Rather than displaying the Windows 3.11 loading screen. Man it sucked re-installing dos and windows from floppies.

Re:What to the hackers gain?

[fuzzyfuzzyfungus]

Frankly, the kiddie vandal stuff was way less dangerous than the pro-level sneaky botnet crap we put up with now. Yeah, it sucked for the target(whereas, with a sufficiently powerful machine, your modern malware victim can limp along for months); but diseases virulent enough to kill their hosts swiftly don't spread as well, and don't have time to spam.

It would be ugly, for a while; but if more modern viruses nuked their hosts, as opposed to quietly lurking and spamming, the internet would be a safer, cleaner, place today.

Re:LOL

the problem is that a secure design would show a popup like:

do you want to call this 00431341424345 number with your modem (yes/no/always allow this number) every time the modem driver engage

instead windows 7/vista shows us a popup like:

the application solitaire.exe requires you authorization to continue (yes/no)

and that popup is so common that users click trough it without a second thought.

Re:LOL

[profplump]

And decent phones do. On a BlackBerry, for example, you have to specifically authorize each application to access to the voice radio, IP connections (as a whole or per-domain), GPS, address book, etc. It's easy to use and provides great protection, not to mention the instant insight into what a program is actually doing (i.e. "Why does this free calculator want to connect to warez.ru"). Why WindowsCE doesn't do such things is a complete mystery.

Re:no phone numbers in antartic

[AK+Marc]

That country code is for Australia (they have one code for Australia proper, and one for external territories, which includes the Antarctic station). Most countries use their own country code for their Antarctic territories, but Australia is the exception. The only people you'll get with that country code are Australians, and none of the other research stations, so I'm not sure I'd say that Antarctica has its own country code.

To install or not install

[krischik]

One of the problems with mobile apps is the "allow and install" vs "deny and not install". You read the list of privileged operations and you are left with a tough decision and no middle ground - which would be "deny and still install". If I read the list of requested privileged applications I often get a shiver.

Re:LOL

[zullnero]

It's how .NET CF's telephony API works. You call a function, send it a number as a parameter, and it dials it. As long as I can remember, that's pretty much been how you call that particular .NET CF function. At least, that's how it worked in 2005 with .NET CF 1.0. So basically, that particular hole has been there for probably about 5 years. Since most mobile phones run a slightly older than latest version of .NET CF, I'd imagine that quite a few phones would be vulnerable to that. That said, the main reason it doesn't prompt for verification is because a lot of big companies, carriers, major third party dev houses, etc. most likely demanded that they be able to "phone home" seamlessly and quietly for various reasons or they wouldn't support their platform.

I know, you're probably thinking "what reasons"? Well, from some of the vendors I've worked with, it ranges from location based information to cell phone recovery tracking to remote programming. None of it is absolutely necessary given current available technology and that you can do all that stuff over the data network, but when Windows CE was originally designed, data networks weren't quite as useful.

Re:Could someone please post the phone number

[VShael]

Well that's helpful. I tried googling the phone number to see what I could find.

Google told me the answer was 88,079.

Thanks Google.

Still Think Apple Moderates Too Harshly? ;)

[Udigs]

Running any application on your phone from untrusted sources produces unexpected results. Clip at 11.

Profiting is the easy part

[chrb]

What I don't exactly see is how they're profiting off the number.

There are plenty of providers of international premium rate numbers that will ask no questions about the callers and deposit a percentage of the call termination fees into a bank account at the end of the month - the article mentions they used Somalia ($0.14/min), Dominica (€0.45/min), Antarctica (€0.46/min). The provider I linked to was the top of Google's search - you can probably find others offering higher rates.

It should be a simple matter to follow the money back to the source of the problem

Not really. These crimes cross multiple legal jurisdictions, and there is no evidence to tie the trojan writer to the person profiting from the calls. Authorities in, say, Switzerland, will not break the banking secrecy of an individual just because they profited from running a premium rate phone number.

I remember hearing a story back in the early 90s about a French guy who had over 30 land lines installed in his house, and had set up an automated blueboxing dialler to call international premium rate numbers 24/7. Allegedly, he was earning $1.50/min from each call, and he quickly became a millionaire.

Re:Profiting is the easy part

[DNS-and-BIND]

Funny, back when I used to work in toll fraud at one of the Big Three, we regularly had overseas calls in the $3-4 range per minute. A popular destination was Vanuatu along with some other Pacific islands, easily the most expensive of them all. I never really understood porn over voice. Any time I saw the country codes for Pacific islands, I blocked them immediately. Another popular destination for toll fraud was 809, which was part of NANPA but still counted as overseas (Caribbean islands) and thus ran up big charges quickly. The most expensive fee per minute I ever saw was a puzzling destination of INMARSAT. What kind of country is that, I thought to myself as I dialed the number to check what it was. Seaman Mumble picked up the call, it was the bridge of a Navy destroyer! INMARSAT was/is a satellite communications provider for ships at sea. $5.50 per minute, the highest I ever saw.

The point of this rambling post is that toll fraud seems much cheaper these days. Fifty cents a minute to Antarctica seems like nothing compared to rates back in the day.

Diego Garcia

[ei4anb]

The island of Diego Garcia used to be a favourite for such phone scams. Phone companies have international agreements to tranfer money, a portion of what they bill for international calls. In the case of the scam calls to Diego Garcia the money could be siphoned off by middlemen because Diego Garcia did not have agreements with all phone companies (bad credit rating?) and the money was routed indrectly. Something similar is happening here. The Irish Communications Regulator blocked direct dial calls to a list of countries to cut down on such fraud http://news.cnet.com/Ireland-launches-phone-fraud-crackdown/2100-1036_3-5377387.html

Re:LOL

[jimthehorsegod]

... software bug ....

Oh I hardly think that likely...

Why attack freeware?

This isn't freeware. It was a shareware version of a "pay" game that was cracked and injected with malware. Why does the summary make it look like freeware is more dangerous than pay-to-play? This is just another case where warez is more dangerous than legitimate software.

Re:Android permissions

[mlts]

Android's permissions are either all or nothing when it comes to Internet access. And some apps just ask for that permission for no real reason.

Best way to deal with that is to have a rooted phone and Droidwall. However, this won't protect against an app that was installed that was given capabilities of dialing and sending/receiving SMS/MMS items.

Another item to have is an app called autostarts. You would be surprised on what apps want to hook where.

Time to investigate.

[dadelbunts]

It seems the developer was a little. *puts on sunglassses* cold blooded. YEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH