The computer emergency response team (CERT) of one of Poland’s leading mobile operators, Orange, has written a blog about malware on a phone they recently examined.
What was the malware doing on victims’ devices? It waited for a moment when the phone was put down for a longer period (usually simply overnight) and made the paid calls described above. If the user happened to have the phone in hand at that moment, they would have seen it suddenly start dialling abroad without any interaction! Why did they not see this in the morning? Because the calls were not in the call log. The application could have removed them from it, but it could also have used its own overlay to make the calls. At most, the victim could see them on the bill, once they realised something was wrong. By then, however, part of what they had to pay was already landing in the criminals’ accounts.
The malware would typically make calls to expensive destinations outside of Europe. Evidently the goal is to generate criminal profits from international revenue share fraud (IRSF). Mobile phones that are vulnerable to this malware rely on older versions of Android, from version 4.4 to 8.1. Orange listed 22 models of mobile phone that are at risk, plus nine kinds of television or set-top box.
Orange is clearly worried about customers becoming irate when they receive sky-high bills for calls that actually occurred but which customers know nothing about. The use of mobile malware to make calls from consumer phones to expensive destinations could be considered an evolution of hacking corporate PBXs. Both tend to be exploited when it is least likely that anyone would notice, either during the night or across a weekend.
One obvious mitigation for this kind of fraud is to update software and harden security on the devices that would otherwise be used to make IRSF calls. This might also have the advantage of increasing handset sales! However, Orange could take responsibility for identifying anomalous traffic and interrupting it. Some operators state they have greatly reduced fraud by playing warning messages in advance of connecting calls to expensive destinations, and asking the customer to confirm they wish to place the call by pressing a button on their handset. It was fascinating to see that various members of the public, commenting on Orange’s blog, proposed similar mitigations that would spare customers the need to keep buying newer handsets. This generated a refreshingly honest response: these countermeasures had not occurred to Orange’s cybersecurity specialists.
The comms industry is undergoing a convergence of security and anti-fraud activities, but sometimes a mindset that focuses on the technology of security will not be oriented towards the best and cheapest way to reduce crime. Knowing a little bit about the way humans behave can also help to prevent fraud. People do not make calls when they are sleeping; analytics can be used to spot calls which are expensive and suspicious. Writing a blog may lead to a very small number of customers changing their handset; automatically interrupting the most expensive calls will protect many more. Sometimes we just need to ensure fellow professionals are told about common sense fraud mitigations that have proven effective elsewhere. And everyone can take the time to learn about the anti-fraud methods used by their peers. Perhaps the cybersecurity boffins at Orange Poland just need to spend more time reading Commsrisk…
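The two network-side mitigations described above, a confirmation prompt before expensive calls are connected and analytics that treat expensive calls placed while subscribers are normally asleep as suspicious, can be expressed as a small screening rule over call records. The following is an added example written for this article; it is not code from Orange or from the original post. The rate table, the quiet-hours window, the thresholds and the sample call records are all constructed for illustration and are not real tariffs or real traffic.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed per-minute rates in arbitrary currency units (not real tariffs).
# Keys are dialling prefixes; the longest matching prefix wins.
RATE_TABLE = {
    "+48": 0.00,   # hypothetical home network, domestic calls
    "+44": 0.10,   # cheap international destination
    "+881": 4.50,  # example high-cost range (satellite services)
    "+882": 3.20,  # example high-cost range (international networks)
}
HIGH_COST_THRESHOLD = 1.00               # per-minute rate at or above which a call is "expensive"
QUIET_HOURS = (time(0, 0), time(6, 0))   # local hours in which subscribers rarely dial by hand
MAX_UNCONFIRMED_PER_NIGHT = 1            # a second expensive quiet-hours call from one line escalates


@dataclass
class Verdict:
    subscriber: str
    destination: str
    rate: float
    action: str   # "allow", "confirm" (play warning, require keypress) or "hold" (refer to fraud team)
    reason: str


def rate_for(number: str) -> float:
    """Longest-prefix lookup; an unknown destination is treated as expensive, not as free."""
    best = ""
    for prefix in RATE_TABLE:
        if number.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return RATE_TABLE.get(best, HIGH_COST_THRESHOLD)


def in_quiet_hours(ts: datetime) -> bool:
    start, end = QUIET_HOURS
    return start <= ts.time() < end


def parse_cdr(line: str):
    """Constructed record format: ISO timestamp, calling number, called number."""
    ts, a_number, b_number = line.strip().split(",")
    return datetime.fromisoformat(ts), a_number, b_number


def screen_calls(cdr_lines):
    """Return one Verdict per call attempt, in order, applying the expensive/quiet-hours rule."""
    night_counts = {}   # (subscriber, date) -> expensive quiet-hours attempts seen so far
    verdicts = []
    for line in cdr_lines:
        ts, a_number, b_number = parse_cdr(line)
        rate = rate_for(b_number)
        if rate < HIGH_COST_THRESHOLD:
            verdicts.append(Verdict(a_number, b_number, rate, "allow",
                                    "destination below cost threshold"))
            continue
        if not in_quiet_hours(ts):
            verdicts.append(Verdict(a_number, b_number, rate, "confirm",
                                    "expensive destination: warn and require keypress"))
            continue
        key = (a_number, ts.date())
        night_counts[key] = night_counts.get(key, 0) + 1
        if night_counts[key] > MAX_UNCONFIRMED_PER_NIGHT:
            verdicts.append(Verdict(a_number, b_number, rate, "hold",
                                    "repeated expensive calls during quiet hours"))
        else:
            verdicts.append(Verdict(a_number, b_number, rate, "confirm",
                                    "expensive destination during quiet hours"))
    return verdicts


# Constructed sample records: a daytime subscriber and one whose line dials abroad at night.
SAMPLE_CDRS = [
    "2024-03-02T14:05:00,+48500000001,+442012345678",  # daytime, cheap destination
    "2024-03-02T15:10:00,+48500000001,+88216000001",   # daytime, expensive destination
    "2024-03-03T02:11:07,+48500000002,+88163000001",   # 02:11, expensive destination
    "2024-03-03T02:14:40,+48500000002,+88163000002",   # 02:14, expensive again, same line
    "2024-03-03T02:20:00,+48500000002,+48500000009",   # 02:20, domestic call
]

if __name__ == "__main__":
    for v in screen_calls(SAMPLE_CDRS):
        print(f"{v.subscriber} -> {v.destination} ({v.rate:.2f}/min): {v.action} [{v.reason}]")
```

The rule is deliberately conservative: a daytime call to an expensive destination is still connected once the customer presses the confirmation key, while a second expensive call from the same line in the quiet-hours window is held for review, which is the pattern the article attributes to compromised handsets that dial out overnight. Real deployments would key the quiet-hours window to the subscriber's time zone and tune the thresholds to actual tariffs and traffic.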
CERT Orange Poland blogged about Android phones being used for IRSF here.