Final part of Tam Hanna’s presentation outlines his investigation into RenRen phishing, WAP scams, HTC Bluetooth FTP issue, and the future of mobile threats.
The next thing we have is a few exploits that are typical to Germany. Germany is a strong area for the church of iPhone, and so many attackers focus on the land where the believers are. And there is a thing called RenRen. Very little is known about RenRen except that it has popped up on users’ accounts, charged them 80 EUR – and that was it. And they said: “We didn’t even download anything”, many didn’t even have an iPhone. So this is relatively strange. Nobody knows anything about RenRen.

As I have already said, there are two ways: either it can be social engineering to get the password or it can be an exploit in iOS. But me not being paid, I decided to do some research on my own. And the first thing I did was I figured out this thing – an article in ‘Spiegel’ (see screenshot). The ‘Spiegel’ is a German newspaper. It is not particularly reliable, but on tech they are one magnitude better than the New York Times, and so one can believe them to some extent. And they gave us some good information. First of all, non-iOS owners get attacked also. So the article in ‘Spiegel’ tells us it could be phishing, and secondarily they gave us this string in Chinese. It’s the name of the app. And the name of the app is: ‘The world has difficult times ahead of itself.’ I googled it, and I saw this – a company called ‘RenRen’ is peddling the application. And the manufacturer string was only given partly by the ‘Spiegel’: ‘Beijing Quianxiang Wangji.’ When I googled this, it brought me to this poor fellow (see image). I sent him an email asking him: “My dear friend, could you tell me more?” And he thought: “This guy is Sha Gua”, which means as much as ‘f..king idiot’, the only word I learned in Chinese. So he has probably nothing to do with it. It is similar to another malware some time ago, which contained the string: ‘Mikko cut your hair.’ They meant a security expert from F-Secure who has got long hair, and he should cut his hair.
But the next thing was much more interesting. RenRen is a huge Chinese company. They are said to be the Chinese Facebook. And the really funny string was this: “The company believes it will be increasingly shifting toward third-party licensed games in order to leverage the platform effect of renren.com.”
And so, what do we know? RenRen operates an Internet website. And stock announcement about RenRen is that they are sitting on over one billion USD in cash and no debt. This is not like some American company which is worth ten billion but has fifteen billion of debt. These people actually have money.
And so I decided I am going to get in touch with them. I sent an email to their press department – I have a press ID so I thought I should send an email to them. I asked them just friendlily: “Please forgive me for getting in touch, bla, bla, bla…I would like to ask if the iPhone game (Chinese name) was in-house developed, or is it a third-party product?” The response came very, very fast, and it CC’d the chief of investor relations, for a normal peaceful question. And now comes the unusual thing: there was no actual info, and instead she wanted to know more from me.
People who have basic understanding of PR know that usually if a journalist is asking something short – you just answer this question because it costs you nothing. If somebody asked my company: “Mr. Hanna, how often do you shave?”, I send him back: “Every day in the morning”. Because if I send him back: “Where are you working?” – he might get angry, he might say: “He doesn’t know me, what an asshole, I will dig something out and write bad about his company”. So this was really, really strange.
But me be me, I sent them another friendly email, telling them I am working for a magazine where I really do work, and I want to tell them that this made quite a splash in Germany recently due to creative use of app purchases. I didn’t mention anywhere that criminal stuff or anything. And the effect was I never heard from them again. I am not a lawyer, so I can’t say what this means, but I can tell if something smells like phish, and I really smell the phish.
That brings us to another thing – the WAP scams. Today, especially with Nokia, people don’t buy apps, they want everything for free. And these apps are monetized via ad banners. If I click on such an ad on the cell phone, the web browser opens a WAP URL. And when a WAP URL is opened, you get the so-called MSISDN¹ number. This number is worth gold because if I have your MSISDN number, I can charge you money by your carrier, and I get the money deducted off your phone bill.

And this brings us a pretty complex economy of crime (see scheme). On the top, we have the scammer. The scammer pays the ad house to run an ad and in addition contracts the carrier to get the right to bill from MSISDN. The ad house then gets in contact with the developer who shows the ads of the ad house in his app. The user uses the app of the app developer who gets the ad from the ad house, clicks on the ad, the carrier charges the money, and the scammer gets paid. So we’ve got a total of five parties involved, and only one of them is acting criminally. Only the scammer is acting criminally. The developer doesn’t know anything, he is powerless. The ad house doesn’t really know much either. The victim gets owned due to stupidity and unawareness, and the carrier charges the money.
So again, the user clicks the ad, the WAP request is sent, the MSISDN is transmitted, and the carrier charges. And this is where the point gets hairy because the carrier has to pay the MSISDN charge within less than 24 hours. So by the time you get the bill and you complain, if I am the scammer I am already sitting in Panama with six girls, so I am long disappeared.

It’s time now to look at the staff who are working in the mobile industry. First of all, most mobile programmers are still completely unaware of security. There is no secure chain, and this means there is a huge amount of unfound and exploitable errors in the operating systems currently. An example of this was the HTC Bluetooth FTP. It is a ‘bonus gift’ to smartphone users, which is given out from HTC. It allows you to access files in an outbox folder of the phone. And a well-mannered client sees he is in the outbox folder, so he is not allowed to go up anymore. An evil client sends the dot-dot command in the root folder, and then he can access /Windows. And the moment he can access /Windows on a classic Windows Mobile device, the device is down.
But why HTC Bluetooth FTP didn’t become too much of a problem was because Bluetooth FTP requires pairing. And if I would today pair with anyone of you, would you accept the pairing process? No. The average user wouldn’t even understand what it means ‘to pair’. So the practical risk was relatively low.
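The HTC Bluetooth FTP issue above is a plain path-traversal bug: the server trusted the client to stay inside the exported outbox and never checked the dot-dot segments itself. The following is an added example, not HTC’s code or anything from the talk, showing the check a file-serving component should perform on the server side: every client-supplied path is mapped onto the exported folder, normalised, and refused if the result would land outside it. The root name ‘/Outbox’ and the sample requests are constructed for the example; backslashes are treated as separators because the devices in question ran Windows Mobile (an assumption made here).

```python
import posixpath
from typing import List, Optional, Tuple


def resolve_in_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto the exported folder.

    Returns the confined path (always equal to or under ``root``), or None
    when the request would escape the exported folder. The check is purely
    lexical: it runs before any file system access, so the decision does not
    depend on what exists on the device.
    """
    # Windows Mobile accepts backslashes as separators; normalise them first
    # so "..\\Windows" is caught exactly like "../Windows" (assumption).
    rel = requested.replace("\\", "/")
    # Strip leading slashes: an "absolute" request is treated as relative to
    # the export root instead of being allowed to address the real root.
    rel = rel.lstrip("/")
    # Collapse "." and ".." segments lexically.
    root_norm = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root_norm, rel))
    # The result must be the export root itself or strictly inside it.
    # The trailing "/" in the prefix test keeps "/Outboxes" from matching "/Outbox".
    if joined != root_norm and not joined.startswith(root_norm.rstrip("/") + "/"):
        return None
    return joined


def audit_requests(root: str, requests: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Run a batch of constructed client requests through the check.

    Each entry is (request, resolved_path_or_None); None means "refused".
    Useful for reviewing what a server would have served for a given session.
    """
    return [(req, resolve_in_root(root, req)) for req in requests]


if __name__ == "__main__":
    # Constructed sample session: a benign listing, a well-formed sub-path,
    # and the dot-dot style requests described in the talk.
    sample = ["photo.jpg", "sub/../note.txt", "..", "../Windows", "..\\Windows\\foo.dll"]
    for req, result in audit_requests("/Outbox", sample):
        print(f"{req!r:28} -> {'REFUSED' if result is None else result}")
```

The important design point is that the decision is made on the normalised path, not on the raw string: a naive `".." in requested` test misses encodings and separator variants, while a naive `startswith(root)` test without the trailing separator would accept a sibling folder whose name merely begins with the root’s name.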
And we’ve got another benefit. The attackers currently are not particularly smart. Every mobile computing programmer can create a cutting edge mobile virus today. I develop mobile applications to make money with them, for sale, and I could replicate any of the Android viruses currently on the market with ease. Even my pupil who is in training could replicate most of them with ease. So we are not seeing any kind of really advanced malware just yet. But the attackers are socially smart because they need to get the people to accept the installation request.
And secondarily, the attackers are greedy. There are no viruses like the infamous ‘Den Zuk’ which brought you the nice pictures, the beautifully rendered graphics. And there are no viruses like ‘I Love You’ which is basically a worm, and which only causes havoc.
The attackers today are greedy, and they do no technical development unless it is needed to make money. And as they can currently make good money with social engineering, why should they take more effort?
And finally, I have got a spring of new ideas for all those of you who are looking for new ways to create a better mobile virus. The last time I had such a set of slides, it was at Confidence 2010, and I told the people how to bypass the quality assurance for iPhone, Android, and Ovi Store. Two months later, the first attacks were surfacing using my vector. Manufacturers were not always as reactive.
The first idea which I suggest is mobile ransomware. Already today, there are products like FlexiSPY: I install FlexiSPY on my wife’s phone, and then I can read her SMS and see her phone calls. And I suggest in the future data theft that attacks the credit card numbers and similar sensitive data on the phone to do identity theft and other ‘funny’ things.

The next thing is there are tons of exploits still open, the question is who finds one first. And then there is something which I personally expect to see after talking about this definitely. It’s an attack which bridges from the phone to the PC. In the past, the PC and the phone were synced, hot synced, active synced and so on. Today, it is easier because this phone can act as a USB drive. And if I connect it to my PC, the autostart mechanism of Windows starts the application. So all I would have to do as a virus is I would have to place an autostart application in the right folder – and profit.
And finally, another very funny thing I want to suggest is the mobile scam (see image). Essentially, you send the person one or another kind of email, and he then responds, and you either scam him off or you send him an SMS, and he responds to a premium-rate number. I predict a lot of new things like this will come up soon.
1 – MSISDN (Mobile Subscriber Integrated Services Digital Network Number) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network.