The Insidiousness of Cellphone Malware

Hackers and cyber criminals continue to get more sophisticated, especially when it comes to fooling people via less traditional attack vectors. For example, I got an interesting text on my work cell phone earlier this week …

“heyy liveurpic.com that’s what I was telling you you should join.

The message came from a local Twin Cities telephone number that I didn’t recognize. So, being the suspicious type that I am, I “Googled” the phone number and found that the same number was spamming local numbers here in the Twin Cities and that there are several complaints about it already.

Taking this a step further, I fired up a clean VM with antivirus on it that goes through our Sophos WS1000 web security appliance and pulled up the URL in Google Chrome.  Sure enough, the site was blocked and classified as “High Risk” and that “Mal/HTMLGen-A” has been found on the site.

Sophos warning

Sophos classifies malware by its behavior, and Mal/HTMLGen-A happens to be a very commonly used browser payload delivery mechanism that affects Windows, Mac OS X, and Linux.

After doing a little more digging, I found that the URL that was sent resolves to 46.102.246.15, which has some really interesting history to it. This particular IP range was in Volgograd, Russia back in 2010, and is now owned by a Romanian internet hosting company parked in Schiphol, Netherlands.

A few companies I’ve worked at in the past IP block Romania at the firewall since there is a high amount of fraud and scam traffic that originates from there, so it makes sense that they would host from another country to get around geo location-based IP blocking.

And finally, we arrive at the nature of the attack itself.

Cell based text messaging. Both my phones run a variant of Linux, one being Apple iOS (work cell) and the other Android (personal cell). If an attack is highly sophisticated, it will include some sort of detection routine so it knows which payload to push onto the phone such as iOS JailBreak code or Android rooting scripts/programs – something that will allow the attacker to access your dialer without you knowing about it to make premium calls or text messages. Sure, you’ll figure it out once you get your next phone bill, but by then it’ll be too late.

If the attack is low-tech, then it may be as simple as trying to get you to share you URLs (like Chrome does) with a far more vulnerable Windows OS and use some canned Blackhole Exploit Kit scripts that were purchased to farm some bank info.

I’d love to take the time to pull the payload code apart to see what it’s trying to do, but from the poor English used in the text message itself, I’m betting its low tech.  If the attacker can’t be bothered to try to make the message look legit, you can more than likely bet they bought their malware off the shelf.

Moral of the story: your cellphone is as at as much risk as your computer. Be wary, be vigilant.