Android premium rate SMS Trojans (aka toll fraud) is nothing new in Russia but typically it is distributed via fake Android marketplaces or unofficial app stores. In conjunction with one of our carriers customers we investigated malware that was promoted via SMS. In this attack spammers were targeting Russian consumers with a social engineering campaign that sent out tens of thousands of SMS with links to a website hosting mobile malware.

Distribution

This threat was promoted via SMS instead of Google Play or the fake Android markets that have been seen before in Russia. Since Google increased the security of Google Play scammers have gone off market looking for other channels to distribute and promote their apps to a wide audience.

The SMS tell the recipients they have received an MMS message with the text “I love you” and a link to view the MMS. 

"Vam prishlo MMS s tekstom "Anastasiya, ya tebya lublu!". Prosmotr: hxxp://mmsget.org/9560.htm"

The name in the SMS varies but is usually a woman’s name. It is an interesting use of social engineering to entice people to click on the link.

If the link is clicked on using an Android phone it downloads an SMS Trojan app that sends out 5 premium SMS without notifying the user. The malware is a variant of the FakePlayer family. If a phone that supports J2ME is used it downloads a variant of the J2ME.OpFake family.

Infection

The app is downloaded through a “drive-by download” technique. When a subscriber clicks on the link hxxp://mmsget.org/9560.html using an Android browser the malware app is downloaded automatically without user intervention. The malware authors achieve this by configuring the server to send a HTTP 302 response to the browser that links to the malicious apk. This causes the browser to issue a GET request for the apk that is downloaded to the phone’s file system without the user’s consent.

The app is a variant of the FakePlayer family that was first seen in August 2010. If a non-Android phone is used a J2ME file, mms9560.jar, is downloaded. This is a J2ME.Opfake variant.

Several URLs have been identified as serving up malware from Russian servers:

 hxxp://mmsget.org/9560.html ->  hxxp://mmsget.org/mms9560.apk 
 hxxp://mmsrus.ru/9560.html  ->  hxxp://mmsrus.ru/mms9560.apk  
 hxxp://mmscom.ru/9560.html  ->  hxxp://mmscom.ru/mms9560.apk  

The URL names are similar to ones use by Russian operators and have been chosen so the user thinks they are going to a legitimate website to view a new MMS that was sent to them.

When the download starts, the phone shows a notification.

After the app has downloaded the user has to click on it to start the install - it does not install automatically without user intervention. The app puts an ‘MMS’ icon on the desktop.

The app starts a background receiver to intercept any SMS replies from the short codes so that the user does not know that they have been charged as the SMS will not show up in the Inbox.

  
When the app is opened it immediately sends out 5 SMS to premium short codes while showing a loading screen. The SMS numbers and contents are read from a configuration file inside the apk package.

The text may be related to the original FakePlayer app and left in by the author.

 app_text1 Данное видео содержит эротические материалыrn Продолжить? 
 app_text2 Идет буферизайия видеоrnНажимайте ОК для продолжения      

The app_id value is not used in the app, the '9510' value may refer to an earlier version of the threat that used a different URL such as

 hxxp://mts-mmsru.ru/9510.html 
 hxxp://91.202.244.25/9510.apk 
 hxxp://mtsport.ru/9510.html   

Sending premium SMS

As the SMS are sent, they can be seen in the debug log.

 

After sending out the SMS, the app displays the fake MMS to the user in a webview that loads content from the website ‘hxxp://baash.ru/’.

The 3 lines of the MMS says: 

Message: You won't believe where I am now! Look at the 2 photos I sent you.

I can't believe I am here.

This is a new nudist beach

Premium SMS

The 5 short codes used by the malware will only affect Russian subscribers as they are only valid in Russia. 

 3698 costs 300 roubles per SMS sent 
 3652 costs 200 roubles per SMS sent 
 7019 costs  80 roubles per SMS sent 
 7015 costs  35 roubles per SMS sent 
 1231 costs   4 roubles per SMS sent 

The 5 SMS sent by the app will cost the subscriber approximately 619 roubles (15 Euros / 13 GBP /  20 USD). The exact cost may vary per network. 

Source of SMS

The app does not attempt to promote itself via SMS so this malware is not the source of the fake MMS notification sent to Russian subscribers. There is evidence of SMS being sent from multiple countries into Russia, as well from Russian mobile numbers.

+673 Brunei
+84 Vietnam
+230 Mauritius
+995 Georgia
+249 Sudan
+628 Indonesia
+234 Nigeria

At this moment it is unclear what is sending the SMS – they could be sent by malware from infected phones or by scammers sending an SMS spam campaign.

History

There is evidence to suggest that there may have been earlier versions of this scam, using different URLs. Note that the URLs are designed to look like legitimate URLs used by Russian operators.

 hxxp://mmscom.ru/9503.html           
 hxxp://mms4you.ru/9540.html          
 hxxp://mts-mmsru.ru/9510.html        
 hxxp://mtsport.ru/9510.html          
 hxxp://mtsport.ru/9510.jar           
 hxxp://www.megafon-mms-portal.ru/9511
 hxxp://mmsportal-mts.ru/9511.apk     
 hxxp://mmsportal-mts.ru/9512.html    
 hxxp://beelineportal-mms.ru/9509.html

Some of the URLs served up both J2ME and Android premium SMS Trojans.

It is unclear exactly how many phones were infected in this the "9560" campaign, most likely in the low thousands, but it and it's predecessors were successful enough for the authors to start working on new variations which we'll cover in a follow up posting.

Summary

Your phone was respectfully chosen as Apple's Over Stock iwinner! GoTo [**REDACTED**] & enter code 2255 to receive your Free Gift-Card now!

The URLs contained in the message redirected through several links to eventually redirect to an online auction website.
We have covered in our last GSIM report the ecosystem that is present in the United States, making it very attractive to SMS Spammers, sending both nationally and internationally, and this certainly attack fits into that pattern. However, while the scale of this attack was very large, we also recorded something unique about this attack. : the first ever SMS spam in the Irish language:

Ta do uimhir a rinne an lae inniu buaiteoir sheasur saoire! Cliceail ar [**REDACTED**] a eileamh do thairge saor in aisce!

While this text is grammatically poor as Gaeilge, the example is interesting, as not only is it the first recorded , wide-scale,  SMS spam in Irish - it has come at a much earlier stage in SMS spam’s life-cycle, than the equivalent email spam. While email spams in Irish exists, they have been very rare. Some interesting early examples are here, with a more widescale attack occurring at the start of 2012. 

The use of this language at an earlier stage makes sense for a few reasons. Emails, if anything, are written more in the language of the office, but SMSs are more typically a personal communication – making it more logical to attempt to use the language one would expect to elicit a response in. And in addition, it is much easier to tell what language a receiver of spam is more likely to speak from a phone number, than an email address. This makes a localisation language much easier to guess for the spammers.

At least that’s the theory, in this case, there have may been too much emphasis on Country information factbooks. It is true that Irish is one of the two official languages in Ireland, along with English, and the last census of Irish language knowledge in 2011 showed 1.77 million saying that they can speak Irish (around 41%),  but in reality the language is probably used as an everyday medium by a much smaller number –less than 100k, making the prospective response pool smaller. However on the other hand, within Ireland, Irish is used in all official communications, making the use of the language a more ‘prestige’ form of communication, and this may also have been what the spammers have tried to exploit, as was postulated in the Irish language email cases  

Incidentally if any of our New Zealand readers has received a SMS Spam in Māori, let us know!, and in the interim, i would like to say : Athbhliain faoi mhaise daoibh!

In conjunction with its Awareness Day the IWF has published a study which found that 88% of self-generated, sexually explicit online images and videos of young people are taken from their original location and uploaded onto other websites. As this research shows, increasing smartphone ownership amongst young people has made taking and sharing explicit photos and videos online very easy. As the availability of web-enabled devices increases, so too does the need for education and support on how to deal with this undoubtedly difficult issue.

The work of the IWF is vital. They have worked for over fifteen years to virtually eliminate online child sexual abuse content in the UK. Since 2003, less than one per cent of child abuse content has been hosted in the UK, which is down from 18 per cent in 1996. Parents and children, communities and mobile phone operators must join together with the IWF to encourage safe usage of smartphones. Similarly, operators need to filter explicit content to provide a safe web experience to the public.

The IWF relies on the public for reports of online child sexual abuse and the more people who know where to turn, the more that can be done. You can get involved on Twitter by using the #IWFAwarenessDay tag to spread the news; alternatively please donate a Facebook status on the IWF page so that your friends can help spread the word too.

However in some online discussions of this exploit there has been a range of debate on who is responsible, and the possible implications. Contrary to some comments, such as this article from Dark Reading here, this is not a network issue, this is a handset issue, and specifically an issue within the SMS client used by the iPhone handset. The GSM network is based on the 3GPP specifications, and in this case 3GPP 23.040, which clearly outlines the danger of using this parameter:

3GPP 23.040-530, 9.2.3.24.10.1.15 Reply Address Element:

Despite the fact that MMI aspects of the ME are out of the scope of the present document, it must be mentioned that this mechanism might open the door to potential abuse. It is desirable that the user is made aware in some way that the reply address of the incoming message is different from the originator’s one, and that the user is presented with the original TP-OA address to identify the sender of the SM.

However for most devices the Reply-Address doesn't matter. Why? - we've tested this parameter on a range of Android, Windows Mobile, Blackberry and Symbian devices, and so far the vast majority simply ignore the Reply-Address or not display it - or if they do - like the BlackBerry version shown, they display both addresses, as the specification outlines. If this was indeed a network issue, then all devices, receiving the same message must be similarly affected, and they're not. Any device, be it the iPhone or some other device, that displays the Reply-Address is opening itself up to malicious use, as the Specification clearly outlines.

Screenshot of Blackberry displaying both Originating Number and Reply Address (Callback Number).

The next question is, what is the impact of this? For this question, we agree with many of the comments made by others, i.e. it only affects iPhone devices, unless other devices which also don't heed the warnings of the spec are identified, and opens them up to an increased chance of phishing attacks. Apple are aware of this issue, however if this reported statement by Engadget is correct, then they're going about mitigating the problems it presents in an unusual way, by using iMessage. Obviously iMessage is only supported on iPhones, and so does nothing to address SMS sent from non-iPhones with this parameter.

Incidentally the use of the Reply-Address is exceptionally rare in mobile networks now. It is not used due to the fact that it's not supported by many devices and the original scenario that it was addressing never really materialised - it is one of the many extended SMS function fields that didn't get much traction (see the original Change Request adding this here, 3GPP spec fans). This makes the identification and blocking of messages that contain this parameter by mobile operators easier to perform. Mobile Operators already perform this task in blocking other types of message which are spoofed at the signalling level or sent via less than reputable companies who provide access to these fields to bulk SMS senders. The question is though, should operators have to filter this parameter? If you care to read the Change Request, it clearly states that the reasoning for this Reply-Address is that:

3GPP 23.040-520, CR047 (3GPP TSG-T2#16 T2-020230):

it is desirable to set a return address different of the one used to send the SMS

This negates the argument made by online commentators, that the operator should be inspecting the Reply-Address, if they did what would they compare it against - if designed to be different from the sending address, how should it be validated? This is why the authors of the Change Request added in the proviso that it could be maliciously abused and both addresses should be displayed. So operators could filter and look for this parameter, but in this particular case, filtering of the Reply-Address parameter would be a secondary fix.

We work with operators every day to help them identify and remedy the threat posed by mobile malware, spam, and other security issues, but they shouldn't be blamed for this one.

It seems that every week – and sometimes every day – we hear of new schemes and scams that cause us to question our confidence in the data that enters and (specifically) exits our devices without our knowledge. With this uncertainty, how likely are we to adopt the new wave of Near-Field Communications (NFC) technology that will allow us to use apps that provide instantaneous access to - and debit from - our personal bank accounts?

Operators too struggle with this question. In a landscape where (almost) every operator offers near identical service, a new differentiator is emerging. Pretty much all operators offer devices that provide access to the web, Facebook, Twitter and thousands of popular applications such as ‘Angry Birds’ and ‘Words with Friends’. They all offer texting/SMS, Picture Messaging/MMS and even an oft forgotten ‘app’ called Voice Calling. They all have similar pricing bundles, nationwide coverage and - despite aggressive marketing to the contrary – download speeds that are often negligible to the human eye. They all offer the same range of operating systems and many have identical devices: phones, tablets, phablets and WiFi hotspot doohickeys.

So what is this emerging differentiator? The answer is simple - trust.

If the next ‘killer app’ is built around mobile payments via technologies such as NFC, then subscribers will flood towards operators that are built around trust. It’s the last bastion of what has become an increasingly level-playing field despite light-speed advances in network and device capabilities.

While some operators may elect to employ smoke and mirror tactics, trust is more than a marketing campaign. Trust is earned and is built from proactive measures to limit malicious data from traversing a network. Trust is being able to use your device, safe in the knowledge that your operator has filtered any and all malware, spam and rogue applications to ensure your phone is clean.

In this context, trust is an assured reliance on the character, ability and/or strength of the operator we rely on and cannot be earned by throwing subscribers another free ‘security app’. These apps may be great at finding the phone you left in the back of a cab but let’s face it, in the world of mobile payments it’s like throwing a Band-Aid to a swimmer in a bay of sharks.

"We welcome this consultation - it’s critical that parents have more control over what their children are seeing online. However, there is a very real need for mobile devices to be considered - over half of parents believe that smartphones – rather than the desktop, laptop or gaming device – are the real badlands for harmful content such as online porn, according to our Global Security Insights in Mobile report.

"17% of 8-15 year olds own a smartphone today and this activity frequently goes under the radar, compared to home desktops or laptops, which are shared between all family members. This represents a clear opportunity for mobile operators to help families by offering services and support which goes above and beyond what is required by any legislation put in place. “

"As with so many parenting challenges, a ‘one size fits all’ technology approach is unlikely to work - 68% of UK parents want controls they can adapt as their children mature, with the convenience of filtering websites from their own handset one of the ways that technology can be more successful at combatting this problem."

M2M is an exciting area for operators. Not only does it allow them to expand subscriber numbers in developed markets, but it offers operators the chance to expand their offering into something other than simply handling people’s communications. If done correctly, it allows them to move into areas such as connected healthcare and transportation which will be of critical importance to the society of tomorrow.

And that’s where the need for security comes in. As the importance of these communications is greater for certain devices, then the requirement for security is greater as well.  Recent reports of wirelessly hacking medical devices, and our own illustration of the vulnerability of a mobile controlled front door controller shows the type of effects that the lack of security can have.  

M2M security cannot be approached light-heartedly. Some may point to the use of private dedicated APNs for M2M devices as providing all that is required for M2M security. However that ignores the fact that many M2M devices will never have a private APN dedicated to them, and that many M2M devices today communicate via the same network that people use. A further complication is that these networks often rely of people forming a critical part of the security, another re-conception that needs to change to implement M2M security..

We need to make sure then that security is designed from the offset, for as Sinisha Patkovic of RIM memorably described at the recent AdaptiveMobile–sponsored MWC Mobile Security Forum, “security is like eggs within your cake. It’s a lot easier to add the eggs when you bake the cake, than try to add the eggs after the cake is done.”  Lets get the ingredients for M2M right from the start!

AdaptiveMobile’s Network Protection Platform has been shortlisted in the category of “Best Technology Product or Solution for Safeguarding and Empowering Customers”. This is a new category added to the awards line-up this year and further demonstrates the importance of mobile security in today’s environment. Mobile threats are growing in size and sophistication and Adaptivemobile is leading the way in ensuring that subscribers and operators remain protected. This year saw the highest level of entries to the awards and therefore we are even more thrilled to have been nominated. It is great to be recognised for our hard work and continuous innovation in mobile security.

The winners of the awards will be presented during the GSMA Global Mobile Awards Ceremony at MWC in Barcelona on the afternoon of Tuesday, 28 February – just two weeks away!

With smartphones and applications making services instantaneous, persistent and location-conscious, we have to be aware that our identity and personal data is more vulnerable than ever.  The thrill of trying out a hot new app or staying up to date on social networking sites leads the majority of users to ignore the annoying requests for permissions. But the majority of apps don’t need to access your location or your information, and many apps are not what they seem.  Whether these are grey-market versions of legitimate applications that have added in Trojan features to capture user data; or ad-funded games where the location information is used to improve advertising effectiveness; users rarely understand when information is being passed from their phone, and who may eventually end up with this data.

Add to this the ease with which your character can be poisoned within your social networks – through apps consistently spamming your contacts highlighting how cheap you are to have taken an illegitimate unlicensed app rather than paying the £1 for the real version; or acting as a spam bot to promote malware sites through your twitter account – and the potential downside of social media and location-based services becomes clear. 

The reality is that whilst users express outrage when they believe their data may not be secure, many are unwilling to protect themselves. AdaptiveMobile’s recent research showed that whilst two thirds of consumers hate apps leaking their data, 75% may be giving away their physical location when downloading them, with mostexpecting mobile operators to look after their security and personal data. Mobile operators have been very careful in defining how location data is used and have standards on location tracking, however the top Internet players aren’t as stringent. Therefore consumers need to be extra vigilant when allowing apps to access location information. With mobile threats becoming increasingly sophisticated and the increasing use of smartphones for social and location services, mobile operators need to realise that the traditional security practices are no longer sufficient.

Please note that you will require an Exhibition Visitor Pass to gain access to the Forum and as a gold sponsor we are able to offer a limited number of complimentary Exhibition Visitor Passes. Spaces are limited and require prior authorisation.

If you would like to meet with the AdaptiveMobile team at Mobile World Congress 2012 (or a suitable date and location) to discuss the very latest mobile security solutions, please confirm your availability here.

We look forward to seeing you in Barcelona.