Showing posts with label Telecom Fraud.

Sunday, February 22, 2015

Android malware can make calls even after switching your phone off

AVG has recently warned that some third-party app stores carry apps containing an Android Trojan that pretends to shut off your phone when you press the power button.

The Hacker News has a nice article about it, "Android Malware Can Spy On You Even When Your Mobile Is Off", or you can read the original AVG post, "Malware Is Still Spying On You Even When Your Mobile Is Off".
As the AVG blog explains:
The malware affects versions of Android older than v.5 (Lollipop) and requires root permission to hijack the shut down process.
After pressing the power button, the phone displays an authentic shutdown animation, and the phone appears off. Although the screen is black, it is still on.
While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying you.
But beyond the obvious problems with malware spying on you, recording you, and sending your data to Chinese servers, it can be sending premium-rate SMS messages or making premium-rate calls without your knowing it.

The Hacker News article points this out:
PowerOffHijack malware has ability to silently send lots of premium-rate text messages, make calls to expensive overseas numbers, take photos and perform many other tasks even if the phone is supposedly switched off.
The article also has good options for removing PowerOffHijack and preventing it from getting on your phone.

Wednesday, February 12, 2014

Replacing Flappybird with Premium Number Fraud

Much to the dismay of millions of players, the creator of the Flappybird mobile game took it down from Google Play and Apple iTunes app stores.


There has been much speculation as to why someone would take down a game that was earning him $50,000 a day in advertising revenue. The various reasons have been stated as:


But regardless of what the real reason is, people have come in to feed your Flappybird addiction with replacements, or by selling phones with it installed on eBay (which you cannot do anymore).

But you should be wary of FlappyBird replacements. According to a report by Trend Micro:
All of the fake versions we’ve seen so far are Premium Service Abusers — apps that send messages to premium numbers, thus causing unwanted charges to victims’ phone billing statements.


As the TrendMicro article advises:
We advise Android users (especially those who are keen to download the now “extinct” Flappy Bird app) to be careful when installing apps. Cybercriminals are constantly cashing in on popular games (like Candy Crush, Angry Birds Space, Temple Run 2, Bad Piggies) to unleash mobile threats. Our past entry, Checking the Legitimacy of Android Apps, enumerates some tips on how to avoid suspicious or malicious apps. Users may also opt to install a security app (such as Trend Micro Mobile Security) to be able to check apps even before installation.
Always remember in cases like this: TANSTAAFL. Be careful, because there are those out there looking to take advantage of you.

Wednesday, March 27, 2013

Nice article on effects of Toll Fraud

Thanks to Mark Collier's VoIP Security Blog, I point you to this article: "Toll fraud can put SMEs out of business in minutes".

Unfortunately the premise and conclusions are correct. If you think of the example from the 2011 Astricon where a company was hit for $400,000 in fraud over 2 days, then it is easy to see how this kind of hit could cost a small business everything in almost no time.

Real-time monitoring and proper security checks are needed to help prevent this kind of fraud. I will keep posting details on how you can protect your company, or you can contact me directly for more information about real-time monitoring or VoIP Security Audits.

Wednesday, January 23, 2013

Interesting Article on the Challenges and Prevention in a VoIP Environment

As I have been writing here, VoIP service has become more common and thus a more attractive target for fraud attacks.

Jim Murphy, President of Phone Power, has a nicely written article on TMCNet titled "Toll Fraud Challenges and Prevention in a VoIP Environment".

He discusses the fact that there are always new targets to attack and that many PBXs use default or easy-to-crack passwords (1234).

But to me the most worrying thing he mentions is how much this can cost a company:
The risks of toll fraud within a VoIP network are severe. Some hackers are able to hijack systems and push through charges that can total $2,000 an hour or more.
Now we have seen companies hit in a few days with $25,000 - $50,000 in fraud, or even 1 case for $400,000 over 2 days, so this number of $2,000 per hour sounds quite plausible to me.

This is why I moved to Greenfield Technologies and am specializing in doing Security Audits for Asterisk based VoIP PBXs.

After performing audits on more than 35 PBXs, we have found that the most common policy issues are:

  • Incomplete, non-existent, or unenforced password policies
      • Many had identical default SIP passwords for all phones that were never changed
      • Many had identical default voice-mail passwords for all extensions that were never changed
  • Server / PBX passwords
      • Multiple PBXs using the same password
      • Root access and web client interface using the same password (if any)
  • No update policy
      • Server OS
      • PBX software
      • Phone firmware
  • No mailbox policies
      • Who gets voice-mail
      • When to close them
  • No policy to monitor phone usage / activity
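The shared and default SIP password finding is easy to check mechanically. The following is an added example, not code from the original post or from any audit tool it mentions: it reads a constructed sample in Asterisk `sip.conf` syntax, resolves secrets inherited from templates, and reports each peer whose secret is shared, guessable, short or missing. The weak-password list and the 12-character minimum are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Asterisk sip.conf syntax (not from a real PBX).
SAMPLE_SIP_CONF = """\
[general]
[phones](!)        ; template inherited by the handsets below
secret=1234
[101](phones)
[102](phones)
[103](phones)
secret=Vq7#rT2m!xLp9sKd
[104]
secret=104
"""

WEAK = {"1234", "0000", "password", "admin", "secret"}   # illustrative list
SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse_peers(text):
    """Return {peer: secret}, resolving secrets inherited from templates."""
    sections, options, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            # "(!)" marks a template, "(name)" names a parent template
            options[current] = [o.strip() for o in (m.group(2) or "").split(",")]
        elif current and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    peers = {}
    for name, opts in sections.items():
        if name != "general" and "!" not in options[name]:
            chain = [opts] + [sections.get(p, {}) for p in options[name]]
            peers[name] = next((s["secret"] for s in chain if "secret" in s), None)
    return peers

def audit(peers, min_len=12):
    """Map each peer to its sorted password-policy findings."""
    users = defaultdict(list)
    for peer, secret in peers.items():
        users[secret].append(peer)
    findings = {}
    for peer, secret in peers.items():
        has = bool(secret)
        checks = {"no-secret": not has,
                  "shared": has and len(users[secret]) > 1,
                  "guessable": has and (secret.lower() in WEAK or secret == peer),
                  "short": has and len(secret) < min_len}
        if any(checks.values()):
            findings[peer] = sorted(k for k, v in checks.items() if v)
    return findings
```

Running `audit(parse_peers(...))` on the sample flags 101, 102 and 104 and leaves 103, which overrides the template secret with a long unique one, out of the report.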

Friday, August 3, 2012

Infographic: Fraudulent Calls Up 29 Percent in 2012

Threat Post, the Kaspersky Labs Security News Service, has a nice article about the status of fraudulent calls in 2012 titled "Report: Fraudulent Calls Up 29 Percent in 2012" that starts:
On average, there were almost five fraudulent phone calls every minute earlier this year according to a report released today from security firm Pindrop Security. The Atlanta-based company found phone fraud was up 29 percent January to June this year from the last half of 2011 after it analyzed 1.3 million different instances as part of its 2012 State of Phone Fraud Report.
The accompanying graphic, which shows how things are already looking in 2012, speaks loudly as to why companies need to be proactive in their approach to telecom fraud.


Tuesday, February 21, 2012

Term Tuesday - Industry Standards Organizations That are involved in Fighting

There are 2 primary organizations that I would like to mention in terms of Telecom Fraud: the CFCA and the TM Forum.


Taking the about sections from each:


CFCA
The idea for the Communications Fraud Control Association began in February 1985 with a group of concerned communications security professionals from several different long distance carriers. Intent upon finding a more effective way to combat the growing problem of communications fraud, representatives from AT&T, ITT, MCI, Network One, Satellite Business Systems and Sprint met to lay the groundwork for the Communications Fraud Control Association (CFCA). These representatives left their first meeting assured that a cooperative effort through an Association of security professionals was a realistic and appropriate response to the identified need.
Through the years, membership categories have expanded to include a world-wide network of: carriers, PBX /PABX owners, ISPs, cable and satellite providers, corporate end-users, operator service providers, fraud system developers, prosecutors, members of law enforcement agencies, communications consultants and companies that provide revenue assurance solutions for wireless, wireline, IP, NGN, etc., systems.
TM Forum 
TM Forum is a global, non-profit industry association focused on simplifying the complexity of running a service provider’s business. As an established industry thought-leader, the Forum serves as a unifying force, enabling more than 800 companies across 195 countries to solve critical business issues through access to a wealth of knowledge, intellectual capital and standards. 
The Forum provides a unique, fair and safe environment for the entire value-chain to collaborate on pressing industry issues, helping companies of all sizes gain a competitive edge and the flexibility and speed they need to underpin future growth.

Sunday, February 19, 2012

Does IT make it too easy for fraudsters?


I was just reading an interesting article by Steven Cotton of the TM Forum entitled "Fraudsters Will Be Fraudsters, But How Does Provider Indifference Help?" In it he describes a recent phishing attempt that came to his in-box and how the service provider’s support group did not know if they had a security or fraud department and could not be bothered to care.

Now if you look at most of the recent stories labeled as telecom fraud, they are frequently about people being defrauded using the phone rather than fraud hitting the PBX. In these cases it is usually someone tricked by phone or email into going down to Western Union and sending money to someone they know who is in some sort of “trouble.” The cases and causes of the trouble are varied (bail, hospital charges, fees to get a car fixed, etc.) but the common item is that they always want the money sent via Western Union – who has no verification, tracking or roll-back options once the cash is taken.

Now Steve ended his blog entry with this line:
I'd suggest that the industry should at least set a basic goal of making the fraudsters at least break a sweat as they perpetrate their nasty business.
I suspect that this is exactly the case, and if there was a way to force Western Union to verify the identity of the person claiming the money, say the way that a person-to-person call works, it would cut down more than half of this kind of fraud.

The same is true in PBX-related fraud: keeping default passwords, leaving the system ports open, not watching your phone bill, and not proactively protecting your system makes it just as easy to defraud you as those who are preying on phone scam victims.

Tuesday, February 14, 2012

Term Tuesday: Sweepstakes or Premium Fraud explained

In our ongoing series explaining how Telecom Fraud works and how to protect yourself and your company, here is an example of how Sweepstakes or Premium Fraud occurs.

Not all Telecom Fraud requires that the fraudster hack your phone system or take any real risk. In many cases fraudsters try to trick you into making calls or into staying on the line a long time, thus defrauding yourself. These are easier than hacking your system and can be much more profitable.

Some examples of how they get you to call can be:
  • Message to your cell phone
  • Voice message (automatic return the call option)
  • Missed call
  • Email or fax offers
In most of these cases you will be asked to call a number, they then want to keep you on the line as long as possible, and if they can do it they want to encourage you to call over and over again by offering you chances to win. I came across one example recently that explains this clearly:
Thank you for calling dial to win applications, where you can win fabulous prizes every week, the longer you hold the line the bigger is your chance to be the winner, for every minute you hold you collect one lucky hit, the more lucky hits you collect the bigger your chances, now get ready we will generate you unique code 322123179325.
Well done, you have collected you first lucky hit for this call, please continue to hold etc...
What they don't tell you is that you are not calling a toll-free number and in fact can be paying more than $5 per minute, and there have been cases of over $20 per minute.

Be wary of these scams.

To read more about this type of fraud see:


Tuesday, January 17, 2012

Term Tuesdays - Types of Solutions for Telecom Fraud Prevention

Over the next few weeks I will be discussing different solution types for preventing Telecom Fraud. These will include but are not limited to:

  • Cloud based
  • Premises based
  • Carrier Based 
More coming next week.

Wednesday, December 28, 2011

First Telecom Hacking

  • Claims that communication technology is 100% secure
  • Hacking a network with cheap common tools to show that those security claims are faulty
  • Patent claims challenged as too broad
  • Existing companies upset with new technologies breaking their business model

Sounds like the ongoing fights between Apple and Samsung or Oracle vs. Google.

“A century ago, one of the world’s first hackers used Morse code insults to disrupt a public demo of Marconi's wireless telegraph”

As explained in the New Scientist article Dot-dash-diss: The gentleman hacker's 1903 lulz  by Paul Marks, a 39-year-old British music hall magician named Nevil Maskelyne was able to thwart Guglielmo Marconi’s demonstration to the Royal Institution.

It seems that Marconi had made promises of a secure wireless network connection only to have it hacked as they set up the demonstration, and then again while he was selling ship-to-shore services. In both cases Maskelyne was able to do it with inexpensive readily available tools.

The article is a good read, and tells how even as wireless communication was starting out the seeds of telecom fraud and patent fights were being sown.


And here I thought that the first fraud being Alexander Bell was surprising.

Tuesday, December 27, 2011

Term Tuesdays - Call Sell PBX Fraud

Online or offline call wholesalers hack into PBXs in order to sell calls to their customers without incurring any of the charges themselves; the more expensive the destination the better; the more calls the wholesaler can route out of a Call Center simultaneously the better. 


Destinations may be satellite phones that cost $8/minute to call, or countries that cost upwards of $2/minute to call. Obviously, the more lines the fraudster uses to perpetrate the attack, the more profound the financial loss.

Wednesday, December 21, 2011

Term Tuesdays - Off Hour Calls


Off Hour Call
Calls originating from an organization’s PBX may be the result of Internal Employee Fraud, unauthorized visitors, or remote hackers accessing the system. Most significant telecom fraud attacks are perpetrated when the enterprise is unmanned over weekends, bank holidays, religious holidays, etc.

Your telecom provider cannot identify these as they do not know your business. You need to be able to monitor and prevent calls at times when your business is closed.

We have seen cases of $25,000 - $400,000 in Telecom Fraud happening over a holiday weekend.
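A minimal off-hour call monitor, as an added example that is not from the original post or any product it mentions: it reads call detail records, keeps the answered calls placed while the business is closed, and reports extensions whose off-hour international talk time passes a threshold. The CSV columns, the Monday to Friday 08:00-18:00 schedule, the `00`/`011` prefixes and the 30-minute threshold are assumptions, and the records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call detail records (simplified columns, not a real PBX export).
SAMPLE_CDR = """\
start,src,dst,billsec
2011-12-23 10:15:00,201,5551234,180
2011-12-23 17:40:00,202,0099900000001,240
2011-12-24 02:10:00,203,0099900000001,3500
2011-12-24 02:11:00,203,0099900000002,3400
2011-12-25 03:30:00,203,0099900000003,3600
2011-12-25 14:00:00,204,5559876,60
"""

OPEN_DAYS = {0, 1, 2, 3, 4}      # Monday-Friday (assumed schedule)
OPEN_HOUR, CLOSE_HOUR = 8, 18    # 08:00-18:00 local time (assumed)
HOLIDAYS = set()                 # add datetime.date values for closures
INTL_PREFIXES = ("00", "011")    # assumed international dialing prefixes

def is_off_hours(ts):
    """True when the business is closed at timestamp ts."""
    if ts.date() in HOLIDAYS or ts.weekday() not in OPEN_DAYS:
        return True
    return not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)

def off_hour_calls(cdr_text):
    """Yield (timestamp, src, dst, seconds) for answered off-hour calls."""
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        seconds = int(row["billsec"])
        if seconds > 0 and is_off_hours(ts):
            yield ts, row["src"], row["dst"], seconds

def alerts(cdr_text, max_intl_minutes=30):
    """Return {src: minutes} for extensions whose off-hour international
    talk time exceeds max_intl_minutes."""
    minutes = defaultdict(float)
    for _, src, dst, seconds in off_hour_calls(cdr_text):
        if dst.startswith(INTL_PREFIXES):
            minutes[src] += seconds / 60
    return {s: round(m, 1) for s, m in minutes.items() if m > max_intl_minutes}
```

On the sample, extension 203 is reported with 175 minutes of weekend international calls, while the Friday afternoon international call from 202 and the local Sunday call from 204 are not.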

Thursday, December 15, 2011

ComReg warns firms to be on guard against PBX fraud

Telecoms watchdog ComReg has warned there has been a rise in the number of PBX fraud incidents where firms’ telephone systems have been hacked into and large bills generated over their lines.


Tuesday, December 13, 2011

Term Tuesdays - Internal Misconduct


Telecom fraudsters are not always outside the confines of the organization. 

Internal Employee Fraud is a significant contributor to fraud affecting enterprises. The CFCA 2011 Telecom Fraud Survey found that Internal/Employee Theft totaled $1.44 billion out of the over $40 billion of Telecom Fraud each year.

Employees may use company phones to make premium number, personal, and long distance calls. In the worst-case scenario, employees may actively enable toll fraud.

Without detailed per call reporting it can be hard to identify who is making these calls or to implement policies to prevent these calls. 

Tuesday, December 6, 2011

Guest blogging on Peer-to-Peer blog: 2011's Biggest Frauds and Phreaks


I have another Guest Blog published on Channel Partners Magazine’s Peer-to-Peer blog

2011's Biggest Frauds and Phreaks 

It reviews the many news stories about Telecom Fraud that occurred during the year.

Thursday, December 1, 2011

Shssshhhhhh!!!! Al-Qaeda Phreaking!


Humbug Telecom Lab’s Eric Klein will be making a guest appearance on VoIP Users Conference weekly discussion:

Topic: As shown by the recent arrest in the case of terrorists who were hacking AT&T business customers to fund Al-Qaeda, Telecom Fraud has come a long way from Captain Crunch and Steve Jobs phreaking Ma Bell for fun and glory. It is now big business aimed at stealing from you via your PBX. Let’s discuss actual cases and some things you can do to make sure your PBX is not funding terror.

Friday, December 2nd at 12 Noon Eastern Time (9AM Pacific)

Tuesday, November 29, 2011

Term Tuesdays - Premium Rate Fraud


Premium Rate Fraud
By tricking a person into calling a telephone number that charges more than expected, a fraudster is able to get some sort of revenue from each call.

These attacks come in various forms, but they all have 2 parts:
1. They have acquired a Premium Rate number that enables them to “revenue share” with the terminating operator.
2. They trick people into calling the number or use a hacked PBX to dial it themselves.

Part one is easy: they can get numbers from most phone companies who offer them to legitimate businesses. These can include pay per call customer support services, sex lines, satellite lines, etc. In the USA these are usually associated with 1-900 numbers. But with the explosion of mobile virtual network operators (MVNO) it is easy for what looks like a regular number to actually charge more for the termination of the phone call than is expected (more on this when I cover arbitrage fraud).


Fraud – From Fun Phreak to Terrorism

Cross posted to Humbug Telecom Labs Blog

In today’s news there are headlines showing the darkest side of Telecom Fraud:

Although the titles are different, the source and the story are all the same. The Philippine National Police – Criminal Investigation and Detection Group (CIDG) put out a press release explaining how “joint operatives from the CIDG and the United States Federal Bureau of Investigation (FBI) have busted a group of Filipino hackers whose operation is allegedly being financed by a Saudi-based terrorist group”.

This operation was in response to a complaint filed by AT&T about the hacking of AT&T customers’ PBXs.