• Smartphone hacking comes of age, hitting US victims

    Security researchers at Symantec warn that the next target for hackers will be your mobile device. NBC News' Bob Sullivan gets a demonstration of just how easy it is to hack a phone.

    By Bob Sullivan, Columnist, NBC News

    Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.

    Not for long. 

    Criminals have been probing the systems that protect U.S. smartphone users for years, searching for the right combination of programming tricks and social engineering that would allow them to sneak onto users' phones. Recently, one hacker group hit the jackpot.

    They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list.  Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

    Tim Strazzere, Lookout’s lead research and response engineer, said the sudden "staggering increase" in detection of the of the NotCompatible, which initially appeared one year ago, shows that the marriage of spam and mobile malware might be a recipe for real trouble.

    "This Android malware is unique," he said. "It's exactly the same scheme and end game as before, but it's just being circulated through different means. And it's working."

    U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either.  That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.

    Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

    But Strazzere warns that the criminals behind NotCompatible have found a way to make U.S. users almost as vulnerable as those in Asia – a direct email invitation from a friend to install what turns out to be a bogus app.

    Those who might dismiss this scenario should beware: Last month, when a report by Mandiant Corp. alleged that hundreds of U.S. companies had been hacked by an arm of the Chinese military, the initial method of attack was almost the same -- a "spear-phishing" email that appears to come from a co-worker or friend, sent to entice the recipient into clicking on a virus-laden link.

    Smartphone users might fear that a criminal with access to their devices might destroy all their data, "brick" the phone or prank call all their contacts. But the real nightmare from a hacked phone is much more subtle, and can be much more expensive, than having to replace a phone.

    While the threat from foreign hackers is grabbing headlines, some security experts look ahead to networked devices and wonder whether your refigerator might be more vulnerable than your PC.

    Vikram Thakur, a researcher at Symantec Corp., studied one mobile phone hacker who turned compromised devices into an estimated $1 million annually.

    “We found a mobile phone botnet, which had … maybe 200,000 cellphones which were compromised and in control of just this one person," he said. "(He) was able to send text messages, make these phones view videos, which were in turn giving him money; and he was doing so about 25,000 times a day."

    Cellphone hackers don't do anything to call attention to themselves. Instead, their programs are designed to run in complete silence, in the background.  And they cover their tracks. There's no log of calls placed to dicey overseas numbers, no evidence of text messages sent that can run up a monthly bill.

    “Your phone bill might have extra data usage toward the end of the month,” Strazzere said.  "That might be the only way you'd know."

    Hackers around the world have clearly trained their attention on the fertile ground of phone hacking. Kaspersky Labs, another security firm, says there has been "explosive growth," and offers numbers to back that up. In January 2011, it counted only eight new malicious mobile malware programs. At the end of 2012, it counted 6,300 such programs monthly.

    Nearly all of that activity has until now targeted overseas users, sometimes with devastating results. A program aptly named "BillShocker" by researchers infected 620,000 users earlier this year, mostly in China, and ran up hefty bills through premium text message services.

    Mobile malware writers are also developing hybrid threats designed to counterattack online banking security systems.  In one sophisticated attack, criminals hacked both a victim's computer and cellphone, then lurked until an online banking transaction was initiated on the PC. When the bank sent a so-called "out of band" text message as a security confirmation, the criminals intercepted them and approved the transactions. A malicious program named Eurograbber is blamed for stealing $47 million from 30,000 bank accounts this way, according to a report by security firm F-Secure.

    Those victims were in Europe, but now there are other indications that mobile hackers are circling the waters, aggressively looking for more ways into the U.S. market.  

    Computer security expert Brian Krebs reported earlier this month on his blog that criminals are selling authorized Google Play developer accounts on underground bulletin boards.  A developer account would theoretically give a criminal the ability to post rogue software onto the Google Play store.

    NotCompatible is a little less ambitious. Its main goal is to control a smartphone and turn it into a "proxy" device for overseas criminals, so they could pretend they were ordering expensive merchandise from within the U.S.  Because many online sellers use geographic location to filter out fraud, and many trust cellphone location information, a hacked phone can be a perfect tool for foiling fraud-fighting software.

    "Companies block transactions when someone in Romania is trying to buy concert tickets in the U.S., for example," said Strazzere.  "NotCompatible allows them to hide where they are coming from ... gives them a little more mobility based on where they want to come from. With a hacked cell phone, they will look like they are where the endpoint is."

    Strazzere sees the blended threat – part virus, part spam – as ushering a new style of cellphone attacks, just as such blended threats gave hackers the upper hand in the personal computer world during the last decade.

    “This shows the progression of malware authors and what they are doing to experiment,” he said.  It also shows impressive coordination in attacks. “It’s still a new space for them. But they are figuring things out.”

    Follow Bob Sullivan on Facebook or Twitter

    More from Red Tape Chronicles:

    Comment

    Show more
    Explore related topics: , , , , ,

  • Why smart phones threaten would-be censors

    Google vs. China.  Facebook vs. Pakistan.  YouTube vs. Turkey.  Blackberry vs., well, half the world. If it seems like the Internet is under siege lately, that's because it is.  The cat-and-mouse game between government censors and communications technology is a lot like life along the San Andreas Fault. There are low level rumblings all the time, but every once in a while there's a tectonic shift. 

    But why so many tremors and earthquakes lately? And is it a good idea for multinational, for-profit companies to be the standard-bearers for basic human rights like free speech?  Here are some answers.

    It's been true since the beginning of organized society: Governments hate secrets. By nature, they cannot allow citizens or enemies to communicate in secrecy. That means every new communications technology is a potential threat. Chat rooms, e-mail, encryption, the Web, Twitter -- all have, one by one, come under assault from haters of secrets.

    Now that smart phones have reached the masses, governments around the world are panicky. It's one thing to control citizens' use of e-mail from their bedrooms or cubicles -- in a place like Iran, there are only a few Internet pipes in and out of the country, so it's not hard to shut down the pipes or scan the data flowing through it for offensive or illegal content.  But Blackberry gadgets work differently. They let citizens walk around anywhere with tiny computers that can give users unfiltered access to everything on the Web and enable them to transmit their data with surveillance-busting encryption. If your job is to monitor citizens and keep order, this is an earthquake.

    "We do think that the mobile Internet is where the cat-and-mouse game will play out over the next few years, with the rise of smart phones and ubiquitous 3G connectivity," said Jim Cowie, chief technology officer of Renesys, a firm that analyses Web traffic. "That's especially true in emerging economies like the (United Arab Emirates), where mobile Internet growth is really exploding -- in many cases mobile Internet providers have leapfrogged fixed-line Internet providers."

    Blackberry maker Research in Motion is in the cross-hairs now. On Monday, a ban in Saudi Arabia went into effect, though Blackberry's Messenger service appeared to continue to operate normally. Other bans are threatened in the U.A.E., Algeria, Lebanon, Indonesia and India. But censorship experts expect the battle eventually will affect all mobile Internet devices. That expected escalation alarms Clothilde Le Coz, U.S. director of free speech advocacy group Reporters Without Borders.

    "Mobiles devices such as the Blackberry ones are one way to get … news, share news and comment on it. If even these devices are getting controlled and monitored by the governments, it is a bad sign for freedom of speech," Le Coz said.

    On Thursday, Blackberry CEO Mike Lazaridis threw down the gauntlet, indicating he plans to pick a fight with Arab nations who try to limit his company's service.

    "Everything on the Internet is encrypted," he told the Wall Street Journal. "This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."

    But privately, the company appears to be in active negotiations with governments in the region. Some of the compromises that have been floated would sound alarming to any free speech advocate's ears. A report in The Economic Times in India said Research in Motion offered to let the Indian government access user e-mail and promised to create a system that would allow monitoring of chats within six to eight months.

    From an architecture standpoint, there's even more to be concerned about. While hand-held smart phones seem to imply great freedom of movement, they may ultimately be easier to control, Cowie said. Countries tend to have far fewer mobile providers than Internet service providers, as the wireless spectrum is highly regulated. That gives governments a lot of leverage in any censorship debate.

    "This might make it a lot easier for governments to censor -- or to implement community-appropriate filtering -- depending on your spin," Cowie said. "There are typically fewer mobile providers in a given national Internet market because of licensing requirements. They have more tightly integrated control over the end user Internet experience."

    Harvard Professor Jonathan Zittrain, who runs the censorship-fighting Web site Herdict.org, takes that argument one step farther. Now that Web users seem to be clustering around a few Web sites and service providers, censors' jobs are getting easier, he thinks. It's hard for governments to censor e-mails flowing in an out of from hundreds of Web mail services. It's much easier to censor all traffic in and out of Facebook.com.

    "(It) could be a game changer, the re-emergence of more centralized umbrellas for activities on the Internet," he said.

    Cell users are rebels
    On the other hand, Cowie thinks mobile Internet users have already shown a disdain for control that will ultimately be the undoing of any attempts at censorship. Smart phone users, for example, have demonstrated their tendency toward rebellion.

    "There was a time when mobile providers thought that they could create a 'walled garden' mobile Internet," he said. "They believed that users would be satisfied with a few kinds of well-tended content on their phones, served up from the provider's own online kiosks.  If the story had ended there, it would have been a government censor's dream -- complete integration of hardware, software, delivery infrastructure and content, in one manageable package.

    'We're all geeks now'
     "However, mobile consumers have pretty clearly indicated that they reject that model. They want access to the entire Internet on their smart phone -- not just a small corner of it, but all their familiar sites and services. They want to be able to jailbreak their smart phones, have carrier choice … and generally have the same freedom to tinker that they have on their desktop. This was a somewhat unexpected outcome, but the masses have spoken. We're all geeks now." 

    If Middle Eastern nations stick to their Blackberry bans, their motivations will remain hazy. Few observers take the claim of national security at face value, and it's possible the ban is aimed as much at halting teen-aged flirting as it is to preventing terrorism attacks. (Thanks, World Blog.)

    What the United Arab Emirates has asked for isn't, on its face, much different from what the U.S. government regularly asks for, said Mark Rasch, former head of the U.S. Department of Justice computer crime unit. 

    During the Clinton years, the federal government engaged in a protracted (and failed) battle to prevent the widespread use of encryption by Internet users. But federal investigators armed with court orders still use wiretaps and other technologies to regularly inspect e-mail, Web and mobile communications. And European nations have saddled Internet service providers with data retention requirements for the purpose of law enforcement investigations.

    There is an important distinction, however, said Rasch, now a consultant with Secure IT Experts.

    "What the UAE is asking for is not fundamentally different from what the U.S. government sometimes asks for," he said. "But while it may not be an unreasonable request, it may be an unreasonable government that is requesting it."

    There are plenty of reasons not to trust foreign nations with the keys to inspect smart phone traffic. However flawed U.S. due process might be, most U.S. citizens would be considerably more uncomfortable with the idea that governments in the United Arab Emirates or India could read their Blackberry messages in real time, or months after they were sent.

    Tala Dowlatshah, another spokeswoman for Reporters Without Borders, said it's important for consumers to realize that countries like the UAE are trying to have it both ways.

    "In recent years, the UAE has implemented a  Draconian  policy toward its citizens concerning the free flow of information," she said. "Clearly the UAE believes in democracy and free markets when it comes to doing big business deals with the West. But when it comes to empowering its own citizens, that's when the country demonstrates how small minded it really is."

    Google's lesson
    But while human rights groups can call attention to the problem, at the moment, the job of fighting on the front lines of the censorship battle has really been left to companies like Google. The firm's well-publicized spat with China earlier this year set the standard for company vs. state censorship battles. Google had happily provided China with a scaled-down Web experience designed to prevent citizens from finding Web sites on controversial topics such as the Falun Gung or the Dalai Lama. But when a scandal erupted that suggested hackers sponsored by the Chinese government had raided Google's servers, the company flipped a switch and began sending Chinese users to its unfiltered Hong Kong site. China, in turn, threatened to kick Google out, a potential body blow to the company's Asian aspirations.

    In the end, Google blinked, but only slightly. It went back to the filtered Chinese site, but added a link to the free Hong Kong site. That earthquake was over, even if the fault line along the China-Google border remains active.

    Zittrain, who praised Google for confronting China, encourages tech companies to think about the big picture -- instead of next quarter's profits -- during censorship fights.

    "It's helpful for corporations to realize they are representing interests and issues that go beyond their customers," he said. Standing up to censorship is the thing to do, he stressed, but it's also good business.

    "In a place like China, if there is a regime change in 15 or 20 years, how might you be greeted if you stood up on principles? Or if you didn't?"

    Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.