App that can steal money from mobiles uncovered

A smartphone application that is capable of transferring prepaid phone credit without the phone user’s authorisation or knowledge has been discovered by the Network Security Group at the American University of Beirut (AUB).

Once installed, the app, which maquerades as a benign messaging app, starts sending and intercepting SMS messages, causing unauthorised credit transfers to another phone number without being detected. “The potential impact of the app is in the loss of millions of dollars from the accounts of phone subscribers,” said Imad ElHajj, one of the researchers and professor of electrical and computer engineering at AUB. “The vulnerability exists on most smartphone operating systems, and affects many operators in the region, including the two operators in Lebanon who were informed about this vulnerability.”

A prototype application was demonstrated on a Samsung smartphone running the Android 2.3 operating system over both mobile network operators in Lebanon. The malware was not detected by any virus detection tools, and could be published on Google’s Play Store. This vulnerability was discovered by the group as part of a research project funded by TELUS Corporation, Canada. (Itp.net)