Three years ago I wrote about the pending birth of Premium Rate Service (PRS) rogue mobile apps for Hakin9 security magazine, and I remember I never saw any media coverage. Some people (security companies included) asked me why I was writing about mobile malware, so I explained that PRS fraud, in one guise or another, has been around for some years.
Today media coverage moves faster (social media, for example), and hardly a day seems to pass without Android Market featuring an SMS PRS malicious or data-stealing app. Android isn’t the only platform that will be a target: expect Windows Phone 7 to be targeted too, especially if Nokia and Microsoft can make inroads into the consumer market this year.
So how does an SMS PRS Trojan app generally work?
The SMS PRS rogue (including malware) infection route normally starts with a user downloading an apparently genuine app from an app store (in this instance Android Market). Some of these apps include well-written legal terms which even highlight that the app may charge the user. How many people actually read these terms? Next to no one, in my opinion. So you can see why malware writers regard developing these rogue apps as ‘easy money’.
Having researched rogue mobile app development over the years, it’s not hard to see that malware writers will focus their efforts on Android apps (open source, or is that ‘open season’?) and look to exploit the permission settings. Most readers will already know this. Here is some top-level research I did at the back end of last year on an SMS PRS Trojan app. It’s high level and brief, but it should give my readers an idea of what is happening.
Firstly, a malware writer will acquire a genuine app and then attempt to re-engineer its source code so that the app tampers with the default SMSC setting on the device (an app can work out which country it was downloaded in from the ISO country code) and exploits the permission settings, with the aim of sending SMS messages containing a string of digits to PRS number(s). It’s an easy bit of coding, I can tell you.
The next step involves ‘data extraction’. The rogue Trojan app again does this, using the GPS location (GPS tracking data can also be illuminating, for obvious reasons 🙂) sent via HTTP, and opening ports to connect to malicious URLs. Remember that mobile browsers more often than not don’t show the URL string, as mobile screens are generally too small and most of us want a clean UI experience. This connection also allows remote access to the compromised device, which for me is the really interesting part.
This allows the remote attacker to collect the IMEI and IMSI numbers from the mobile and to send copies of sent and received SMS messages to a remote user (bot server), along with your calendar, contact and email data. Remember, there isn’t anything graphical here; it’s all text based, so large amounts of data can be transmitted without you ever knowing or ever noticing any bandwidth issues. The only time you might see your data is if it is published on sites such as Pastebin. 🙁
This leads me to my final point: app validation. Validating Android apps is rather more difficult; iOS and BlackBerry do this part very well. You can check the developer profile, rating and comments/feedback from users, or you could use an anti-virus product which manages the permissions for you. I’d suggest you do both, without forgetting to add your own comments/feedback to the app stores, so other users don’t end up being victims.
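As an added example (not code from the original post), here is the kind of permission check an anti-virus product, or you yourself with a decoded manifest, could run: it maps the behaviours described above (premium-rate SMS, copying SMS, IMEI/IMSI and GPS collection over HTTP, contact and calendar harvesting) to the Android permissions each one needs, and flags an app that declares them. The two manifests and the package names are constructed for illustration.

```python
"""Triage check on a decoded AndroidManifest.xml (as apktool produces) for the
permission combinations behind the behaviours described above: premium-rate SMS
sending, SMS copying, IMEI/IMSI and GPS collection, contact/calendar harvesting."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# One rule per behaviour; it fires only when every permission in the set is declared.
RULES = {
    "premium-rate SMS billing":       {P + "SEND_SMS"},
    "copying received SMS":           {P + "RECEIVE_SMS"},
    "IMEI/IMSI collection over HTTP": {P + "READ_PHONE_STATE", P + "INTERNET"},
    "GPS tracking over HTTP":         {P + "ACCESS_FINE_LOCATION", P + "INTERNET"},
    "contact harvesting over HTTP":   {P + "READ_CONTACTS", P + "INTERNET"},
    "calendar harvesting over HTTP":  {P + "READ_CALENDAR", P + "INTERNET"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission android:name=...> values declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)  # tolerate a malformed entry with no name attribute
    return names

def flag_prs_indicators(manifest_xml: str) -> list:
    """Return the label of every rule whose whole permission set is declared."""
    perms = declared_permissions(manifest_xml)
    return [label for label, needed in RULES.items() if needed <= perms]

# Constructed manifests for illustration only; not taken from any real app.
WALLPAPER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
CALCULATOR_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("wallpaper", WALLPAPER_APP), ("calculator", CALCULATOR_APP)):
        print(name, "->", flag_prs_indicators(xml) or "no PRS indicators")
```

A legitimate messaging app declares SEND_SMS too, so a hit is a reason to read the developer profile and user feedback before installing, not a verdict on its own.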
Safe surfing folks!