April 9, 2010

From Russia With Love: New Mobile Malware Hides in a Game and Makes Charges to your Phone Bill


The Threat: There is a new family of mobile malware currently in the wild that forces infected phones to periodically dial premium-rate international phone numbers. The malware is a repackaged version of a legitimate 3D game and was being distributed on multiple mobile download sites. The game, “3D Anti-Terrorist Action”, is from a Chinese company named Huike, but the malware author appears to be Russian. Only Windows Mobile devices are affected by this specific malware, although similar malware exists for other platforms.

How it Works: When a device becomes infected, the malware stays dormant for approximately 3 days then wakes up and dials between four and six premium-rate international numbers, depending on which version of the malware was installed on the device.  After the first round of dialing, the malware stays dormant for one month, then dials the same numbers again, repeating the process every month afterward.

By waiting several days before waking up, the malware isn’t apparent to a user: if your phone started making strange-looking calls immediately after installing a game, you’d know exactly why. Because the game is functional, a user is also unlikely to uninstall it. The only evidence of malicious behavior is strange international numbers on a user’s phone bill or in their call history. Reports of $10 and $20 monthly charges resulting from this malware have surfaced on developer forums. More sophisticated malware could hide its tracks by removing entries from the call history.

Phones it Affects: All phones running Windows Mobile 5.0 or above

How to tell if you’re infected:

  1. Check your call history for any strange-looking international numbers
  2. Review your phone bill for unauthorized charges
  3. If you’re comfortable with it, open your “File Explorer”, then navigate to “/Windows” and look for a file named “smart32” (smart32.exe). If you see this file, be sure to install security software to remove it.

How to stay safe:

  1. Run good security software on your phone (we’re partial to Lookout)
  2. Only download applications from trustworthy sources

All Lookout users on Windows Mobile will receive updated protection the next time their device checks in to the server.  If you want to manually connect and receive the update, you can do so by simply initiating a backup.

There are multiple versions of the malware in the wild, dialing between 4 and 6 international phone numbers.

When a user first installs the infected CAB (Windows Mobile installer archive), the legitimate game’s files and two additional malware files are unpacked (“reg.exe” and “1.dll”). Reg.exe is the heart of the malware and 1.dll is a software library which allows the malware to use the phone dialer.

CAB installers support a feature called a “Setup DLL”, which is a special library that will be run at certain points during the installation process. The malware installer includes a Setup DLL which runs code after the install is finished, starting reg.exe and moving 1.dll to “\Windows\Microsoft.WindowsMobile.Telephony.dll”. The first time reg.exe runs, it copies itself to “\Windows\smart32.exe” and registers to be launched again in about 3 days using the CeRunAppAtTime function provided by Windows Mobile.

When the malware runs 3 days later, it will dial each of the premium international numbers, waiting 50 seconds between each to allow the call to go through.  Next, it uses the CeRunAppAtTime function to run again in 1 month.  The same process of dialing and registering for 1 month in the future is repeated indefinitely.
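The dialing pattern described above (a burst of 4–6 outbound international calls about 50 seconds apart, repeated roughly monthly) is exactly what a call-history review should look for. The following is an added example, not code from Lookout or the original post: it scans a constructed call log for such bursts and checks whether the same numbers recur a month later. It assumes a home country code of +1 and a simple (timestamp, number, direction) log format; the +999 country code is unassigned, so those numbers are placeholders rather than real premium-rate targets.

```python
from datetime import datetime
# Constructed sample call history (not real data). The +999 country code is
# unassigned, so these numbers are placeholders for the premium-rate targets.
SAMPLE_CALL_LOG = [
    ("2010-04-02 09:12:00", "+15550100", "out"),        # ordinary domestic call
    ("2010-04-05 03:00:00", "+999000000001", "out"),    # first burst, ~50 s apart
    ("2010-04-05 03:00:52", "+999000000002", "out"),
    ("2010-04-05 03:01:44", "+999000000003", "out"),
    ("2010-04-05 03:02:35", "+999000000004", "out"),
    ("2010-04-06 18:30:00", "+15550199", "in"),
    ("2010-05-05 03:00:00", "+999000000001", "out"),    # same numbers, one month later
    ("2010-05-05 03:00:51", "+999000000002", "out"),
    ("2010-05-05 03:01:43", "+999000000003", "out"),
    ("2010-05-05 03:02:34", "+999000000004", "out"),
]

def parse(entry):
    ts, number, direction = entry
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), number, direction

def find_dial_bursts(calls, home_prefix="+1", min_calls=4, min_gap=40, max_gap=70):
    """Runs of >= min_calls outbound calls to foreign numbers, each placed
    40-70 s after the previous one (the ~50 s dialing cadence described above)."""
    bursts, run = [], []
    for ts, number, direction in sorted(parse(c) for c in calls):
        foreign_out = direction == "out" and not number.startswith(home_prefix)
        if foreign_out and run and min_gap <= (ts - run[-1][0]).total_seconds() <= max_gap:
            run.append((ts, number))
            continue
        if len(run) >= min_calls:          # the run just ended; keep it if long enough
            bursts.append(run)
        run = [(ts, number)] if foreign_out else []
    if len(run) >= min_calls:
        bursts.append(run)
    return bursts

def repeats_monthly(bursts, tolerance_days=3):
    """True if two bursts dial the same set of numbers about 30 days apart."""
    for i, a in enumerate(bursts):
        for b in bursts[i + 1:]:
            same_numbers = {n for _, n in a} == {n for _, n in b}
            days_apart = abs((b[0][0] - a[0][0]).days)
            if same_numbers and abs(days_apart - 30) <= tolerance_days:
                return True
    return False

if __name__ == "__main__":
    found = find_dial_bursts(SAMPLE_CALL_LOG)
    print(len(found), "burst(s); monthly repeat:", repeats_monthly(found))
```

On the constructed log this reports two bursts of the same four numbers, 30 days apart; a real review would additionally compare the numbers against the user’s contacts and the carrier bill.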

Remember, if you see anything suspicious on your phone, be sure to contact security /at/ lookout /dot/ com and we’ll be there to help.
