Attackers are turning to mobile platforms, researcher saysDate: Jul 28, 2010
In this interview, Mikko Hypponen, chief research officer at F-Secure Corp., talks about what he
sees as the coming mobile security threats. He says money-making malware is already infecting some
smartphones, but all platforms are at risk. As he notes, "There are more phones on the planet than
computers. And it's easier to steal money from phones."
At his Black Hat presentation, "You will be billed $90,000 for this Call," Hypponen will explain why attackers are turning to mobile platforms and how they are finding ways to route money without leaving a trail for law enforcement.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact email@example.com.
Attackers are turning to mobile platforms, researcher says
Interviewer: Mikko, thank you very much for joining us, I
Mikko Hypponen: Thank you.
Interviewer: Let us talk a little bit about your Black Hat Turbo Talk you have
coming up. It seems like mobile application issues, mobile
vulnerabilities is where it is at, at this particular Black Hat
Conference, or that is what we are predicting, at least.
Mikko Hypponen: It seems there is quite a bit of interest into mobile issues, and no
wonder. You just look around at how big of a revolution we have see
over the last years with mobile devices. Yet we really have not seen
much real-world attacks. For example, we still have not seen more than
500 mobile phone viruses; everybody is expecting something to happen.
That is probably one of the reasons why there are so many talks and so
much attention into smartphone and mobile issues in this Black Hat.
Interviewer: In your opinion, what platforms are at risk? Do you think the iPhone,
Apple OS, or the Google Android phones are just as at risk as some of
the other platforms out there, like Linux or Symbian?
Mikko Hypponen: I think the three main platforms for near-future attacks will be the
iPhone, Android, and Symbian. I do not think we will be seeing much
activity on Blackberries or Windows Phone. iPhone is important because
it is such a sexy gadget; everybody has it. There has been tons of
research into vulnerabilities in there, and that is why I am guessing
it is going to be one of the target platforms. Android, because it is
so open, it is the most popular open source mobile smartphone platform
out there and there has been, again, a lot of interest in there.
Symbian, because it still is the gorilla, it still has 40% of the
market share of smartphones all over the world. Most of those are
outside the USA, but nevertheless, if you look at where most of the
attacks have been coming so far, they have been coming from Russia,
South America, and many parts of Asia and China, and these are the
areas where Symbian is absolutely the king of the smartphone operating
system. iPhone, Android, Symbian, that is where the interest seems to
be right now.
Interviewer: Is it too early to predict what happens to Microsoft? They got the
new OS that is going to be coming out.
Mikko Hypponen: I was playing around with a prototype Windows Phone 7 a couple weeks
ago, and it actually looks pretty neat. They are obviously trying very
hard to fight back, and it has not really been easy for Microsoft for
their mobile platform. They have had Windows CE, Windows Mobile,
Windows Phone for 10 years, and they have never managed to get more
than around 10% market share, tops, it has been a failure for them.
They obviously would like to get the same market share as they have on
the PC side, and now they seem to be trying really hard with Windows
Phone 7, and it is pretty slick. Then there are some weird things, for
example, if you look at what is happening with iPhone and iOS 4, they
have now introduced multitasking. Then you look at Windows mobile and
Windows Phone 7, they are actually getting rid of multitasking in the
new Windows Phone 7 for various reasons. There is a bit of a conflict,
but it remains to be seen. They will very seriously try to make it a
player again, and we will see how it works out.
Interviewer: Is it going to be the same kind of attack factors that we have seen
in the past? You had attacks via SMS. Are there commonalities between
some of these platforms that would make an attack lucrative for
somebody since the market is so fragmented right now?
Mikko Hypponen: I think the main thing to understand about mobile attacks today, is
that we are not seeing exploits being used. If you look at how the
average computer gets infected today, your average Windows box, it
gets exploited through a vulnerability. You surfing and you hit a
website which has an exploit for Flash, Java, or Adobe Reader plugin,
something like that, and you get owned; that is how it works. That is
on the way it works on your phones. We have not seen as single case
where somebody would have been owned on their phone through a
vulnerability. All the cases we have seen so far have more or less
been social engineering, so users have been tricked into clicking on
links, accepting a Bluetooth Beam file transfer, or downloading games
which have Trojans inside of them, so there are no exploits. This will
change, and when that happens, all the bets are off, and we might very
easily see a situation where a mobile smartphone worm infects your
phone while you are sleeping through an exploit, and spreads further
from your phone to everybody listed in your address book and infect
their phone automatically. A worm like that would go around the world
in a couple of minutes. Sooner or later that will happen.
Interviewer: How about making money though? Have you been able to figure out a way
that an attacker could make money without having a money trail?
Mikko Hypponen: The topic of my talk here in Black Hat this year is, 'You Will Be
billed $90,000 For This Call.' That is exactly what I am talking
about; how to monetize and how we are seeing attempts to monetize
mobile phone Trojans. The main difference in monetizing an infected
device, between an infected PC and an infected phone, is that when you
infect somebody's PC, there is no built-in money transfer mechanism on
computers, but there is a built-in money transfer mechanism on phones,
that is called the phone bill, because every phone call is a money
transaction. If you just call a normal number, it costs you something,
especially if you call a premium number, a 1-900 number, it is going
to cost you something more, and that is the main difference. You
cannot do that on your computer, because we do not have modems on our
computers anymore, but you can do that with your smartphone. During
the last couple of months we have been analyzing several attempts to
do exactly this. We are seeing, possibly now, the rate of smartphone
dialers, which are issuing expensive calls from your phone as long as
they are infected.
Interviewer: You call them smartphone dialers, what does that mean?
Mikko Hypponen: It means that they secretly issue phone calls. For example, we saw
this game called 3D Anti-Terrorist Action, which is basically a
shooting game. The real story behind it turned out to be that somebody
took the actual game, which was made by a Chinese company, hacked the
game, removed the copy protection, then added a Trojanized part, which
issues a number of phone calls while you are playing the game, and
these phone calls go to expensive numbers. The real trick here is not
really to Trojanize a game and have it make expensive phone calls, the
real trick is to avoid detection. If you just have a phone call 1-900
numbers here in the USA and charge $9 a minute, sure, you can do that,
but you most likely will not get money out of it, because there are
systems in place to prevent fraudulent use of premium-rate numbers. If
you buy a 1-900 number here in the USA, you have to give out your real-
world credentials; your name, your addresses. You will not get the
money right away, there is a delay of 30 or 45 days until you get the
money to prevent fraud.
What these guys are doing is that they are using far away
international call truncations. For example, issue calls to North
Korea, to Sierra Leone in Africa, to Antarctica, the South Pole. Then
these numbers are special numbers which call, a technique called loan-
lining, which means the phone call actually does not go to Antarctica,
but it will bill you as if you called Antarctica, which obviously, is
very expensive. The actual call might end up in Canada, or Austria,
somewhere much cheaper, but you will be billed the whole bill, and the
difference goes to the actual guy behind it, and that is exactly what
the 3D Anti-Terrorist Trojan did earlier this year. It issued calls to
Antarctica, and many other countries, and they were these special
truncating lines, which paid the money back to the virus writer who did
Interviewer: It seems like when you travel in different parts of the globe, the
cellular networks are obviously much different. The way you pay for
your bills in the United States, for example, is much different than
the way you pay for service in Europe. Does that insulate the US
somewhat, and where do you think attacks like this will be most
Mikko Hypponen: There are big differences in how people pay their phone bills. For
example, prepaid phone cards are very popular in big parts of Europe,
and monthly bills elsewhere, and so on. However, there is always a
phone bill, you always pay for the calls, and you can almost always
make international calls, which means it does not actually matter how
you pay for your bills, as long as there is a payment mechanism like
the one used in these Trojans. The main difference might be that if
you have a prepaid card on your phone, you might actually run out of
credits much sooner than you actually realize that there is a problem
because it is going to be a big bill. Again, these guys are trying to
avoid creating too large bills. For example, the 3D Anti-Terrorist
Trojan issues eight phone calls, then it sleeps for 31 days, then it
issues them again. The logic here is that if you have a monthly bill,
you will only get a small add-on to your monthly bill, but they will
be able to make money out of that, and these are a global problem. We
have been tracking infections with, for example, the 3D Anti-Terrorist
Trojan in 20 different countries, including USA, most European
countries Japan, and elsewhere.
Interviewer: It could happen anywhere?
Mikko Hypponen: Yes. Right now it could happen anywhere. Of course, the big
difference is not really the payment mechanism, it is the platform. 3D
Anti-Terrorist Trojan was a game running on Window mobile, so where
Windows mobile phones are popular, that is where the most infections
Interviewer: Your prediction is that we are going to be seeing much more of this
moving forward, because people are using their smartphones more often
and the phones are obviously getting more powerful?
Mikko Hypponen: My main thesis on why we have not seen more activity on the mobile
side is that it is so easy right now for the online criminals to make
money with the existing acts on existing platforms, mainly Windows
computers, not just Windows computers, specifically Windows XP
computers. Windows XP still has around 43% market share of all the
computer operating systems worldwide, so most of the computers on this
planet run Windows XP, which is obviously a very easy target for an
online attacker. Why on earth would they start looking at targeting
any other platform? Not just Windows 7, but Mac, or mobile platforms.
Why on earth would they even consider targeting those when they have it so easy
on the most common operating system, which is Windows XP? When Windows
XP will slowly disappear from the radar, say two years in the future,
when Windows XP is no longer the most common operating system, that is
when the attackers, the masses of attackers will start to look around.
Some of them will smell the coffee and realize that we actually should
not be targeting computers, because there are more phones on the
planet than computers, and it is easier to steal money by infecting
phones than by infecting computers.