March 21, 2013 at 5:35 AM ET
Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.
Not for long.
Criminals have been probing the systems that protect U.S. smartphone users for years, searching for the right combination of programming tricks and social engineering that would allow them to sneak onto users' phones. Recently, one hacker group hit the jackpot.
They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list. Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.
Tim Strazzere, Lookout’s lead research and response engineer, said the sudden "staggering increase" in detection of the of the NotCompatible, which initially appeared one year ago, shows that the marriage of spam and mobile malware might be a recipe for real trouble.
"This Android malware is unique," he said. "It's exactly the same scheme and end game as before, but it's just being circulated through different means. And it's working."
U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either. That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.
Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.
But Strazzere warns that the criminals behind NotCompatible have found a way to make U.S. users almost as vulnerable as those in Asia – a direct email invitation from a friend to install what turns out to be a bogus app.
Those who might dismiss this scenario should beware: Last month, when a report by Mandiant Corp. alleged that hundreds of U.S. companies had been hacked by an arm of the Chinese military, the initial method of attack was almost the same -- a "spear-phishing" email that appears to come from a co-worker or friend, sent to entice the recipient into clicking on a virus-laden link.
Smartphone users might fear that a criminal with access to their devices might destroy all their data, "brick" the phone or prank call all their contacts. But the real nightmare from a hacked phone is much more subtle, and can be much more expensive, than having to replace a phone.
Vikram Thakur, a researcher at Symantec Corp., studied one mobile phone hacker who turned compromised devices into an estimated $1 million annually.
“We found a mobile phone botnet, which had … maybe 200,000 cellphones which were compromised and in control of just this one person," he said. "(He) was able to send text messages, make these phones view videos, which were in turn giving him money; and he was doing so about 25,000 times a day."
Cellphone hackers don't do anything to call attention to themselves. Instead, their programs are designed to run in complete silence, in the background. And they cover their tracks. There's no log of calls placed to dicey overseas numbers, no evidence of text messages sent that can run up a monthly bill.
“Your phone bill might have extra data usage toward the end of the month,” Strazzere said. "That might be the only way you'd know."
Hackers around the world have clearly trained their attention on the fertile ground of phone hacking. Kaspersky Labs, another security firm, says there has been "explosive growth," and offers numbers to back that up. In January 2011, it counted only eight new malicious mobile malware programs. At the end of 2012, it counted 6,300 such programs monthly.
Nearly all of that activity has until now targeted overseas users, sometimes with devastating results. A program aptly named "BillShocker" by researchers infected 620,000 users earlier this year, mostly in China, and ran up hefty bills through premium text message services.
Mobile malware writers are also developing hybrid threats designed to counterattack online banking security systems. In one sophisticated attack, criminals hacked both a victim's computer and cellphone, then lurked until an online banking transaction was initiated on the PC. When the bank sent a so-called "out of band" text message as a security confirmation, the criminals intercepted them and approved the transactions. A malicious program named Eurograbber is blamed for stealing $47 million from 30,000 bank accounts this way, according to a report by security firm F-Secure.
Those victims were in Europe, but now there are other indications that mobile hackers are circling the waters, aggressively looking for more ways into the U.S. market.
Computer security expert Brian Krebs reported earlier this month on his blog that criminals are selling authorized Google Play developer accounts on underground bulletin boards. A developer account would theoretically give a criminal the ability to post rogue software onto the Google Play store.
NotCompatible is a little less ambitious. Its main goal is to control a smartphone and turn it into a "proxy" device for overseas criminals, so they could pretend they were ordering expensive merchandise from within the U.S. Because many online sellers use geographic location to filter out fraud, and many trust cellphone location information, a hacked phone can be a perfect tool for foiling fraud-fighting software.
"Companies block transactions when someone in Romania is trying to buy concert tickets in the U.S., for example," said Strazzere. "NotCompatible allows them to hide where they are coming from ... gives them a little more mobility based on where they want to come from. With a hacked cell phone, they will look like they are where the endpoint is."
Strazzere sees the blended threat – part virus, part spam – as ushering a new style of cellphone attacks, just as such blended threats gave hackers the upper hand in the personal computer world during the last decade.
“This shows the progression of malware authors and what they are doing to experiment,” he said. It also shows impressive coordination in attacks. “It’s still a new space for them. But they are figuring things out.”
More from Red Tape Chronicles: