Sophos

Archive for the ‘Mobile’ Category

Mobile malware sends premium rate SMS messages


The world of mobile malware isn’t completely dormant.

Although we have been waiting almost ten years now for the dire predictions of some security companies to come true about the tidal wave of mobile malware waiting for us “real soon now”, there are still the occasional sightings of new malicious code which affects mobile phones.

These new mobile phone viruses are treated as something of a curiosity inside our labs, and analysts who normally spend all day examining mostly Windows-related malware may view them as a nice distraction from the run-of-the-mill malicious code.

The latest example to arrive in SophosLabs is Troj/Konov-A, a Trojan horse that doles out SMS text messages to premium rate numbers (thus, apparently generating revenue for the perpetrators).

That means that the Trojan, which appears to originate from Russia, also costs the user money of course.

It’s apparent that Konov isn’t the first piece of malware to try such a trick. For instance, in March 2006 the Redbrow Trojan horse attempted to perpetrate a similar ruse. But according to our friends at Moscow-based security company Kaspersky, Konov is also being spread via social networking websites like Vkontakte (a Russian Facebook-lookalike).

By the way, there is a significant security problem on mobile phones - but it isn’t primarily the malware issue. Although phone users (especially smartphone owners) should exercise caution over which programs they install, and what links they click on, from their device, the main security issue with phones is that users lose them. They leave them on trains, they slip down the back of cinema seats, or they get stolen while you’re in Starbucks.

If your phone is carrying information that might be useful to a criminal (and more and more of them do exactly that) then you had best make sure that the information is properly secured behind a password and strong encryption, or potentially face the consequences.


China swamped by mobile phone spam


If you have a mobile phone you may from time to time have been irritated by an unsolicited SMS text message offering you a free ringtone, or some other nonsense. I receive probably a couple of these every year. Not a big problem - I just press ‘delete’.

But in China, it seems, it’s a different story.

According to statistics from the Internet Society of China (ISC), an astonishing 353.8 billion spam text messages are sent each year. This is apparently a rise of 92.7% year on year.

So, what does that mean for the typical Chinese cellphone user? Well, there are approximately 574 million mobile phone owners in China - so that works out as (clunk.. whirr..) over 600 spam messages per user every year. Ouch!

That’s why the ISC has formed an alliance of more than 30 companies, agreeing to follow best practice and to stamp out spam text messages. And not before time. In June, the ISC received a mind-boggling 438,668 complaints about spam sent to mobile phones. Under the new guidelines, message senders are obliged to get the recipient’s consent before sending commercial messages in future.

Will this impact on the torrent of SMS spam in the country? Only time will tell.


Mobile phone monkey business strikes at another zoo

# The monkeys stand for honesty, giraffes are insincere, and the elephants are kindly but they’re dumb  #

First it was Dublin, then Houston, and I’ve heard rumours about Milwaukee too. Now, a zoo in Brownsville, Texas, has been on the wrong end of a bizarre mobile phone spam campaign that has resulted in hundreds of people flooding its switchboard.

The Gladys Porter Zoo was reported to have been thrown into chaos last week after cryptic SMS text messages were sent to thousands of people saying things like

  • Call now someone is looking for you.
  • Call now and we will settle this.

and telling them to call a number.. the number of the Gladys Porter Zoo switchboard.

It sounds funny at first hearing - but pity poor Rachel, Gladys Porter Zoo’s receptionist, who has to answer all the calls and weed out the general inquirers from the curious mobile phone owners.  Is this just mischief-making or does someone have a grudge against these zoos?

For your interest, Gladys Porter Zoo is said to be the first zoo to have successfully bred the vulnerable Jentink’s Duiker. No, I didn’t know what it was either. Other animals they exhibit include the greater kudu, bontebok and bongo.

How marvellous it must be to have the job of naming animal species.  Forget the malware taxonomy the guys at SophosLabs have to do, anyone who can come up with a name for an animal like the bontebok or bongo is having real fun.

* Image source: wedding_planner04’s Flickr photostream (Creative Commons 2.0)


Chain letters evolve, spread via SMS text message

Bahrain telecoms company Batelco has issued a press release warning cellphone users not to forward an SMS text message that has been doing the rounds in the kingdom.

“Today is BATELCO Wireless 50th Anniversary Celebration Ceremony. Transfer this SMS to 10 Batelco Customers & get BD 5 Talk time free.”

Sound familiar?  It should do, because this is simply a variant of a myriad of email chain letters we have seen over the years offering Applebees gift certificates, a share of Bill Gates’ fortune, a free Ericsson mobile phone or free flights with British Airways.

Batelco have confirmed that the campaign is fake, and that users will not receive any free talk time for forwarding the message. According to Batelco spokesperson Ahmed Al Janahi, Batelco’s engineers have now blocked the message from being sent via their network. “We wanted to notify customers who have [already] received it that it is spam,” he said.

With so many call plans today including hundreds of free SMS texts bundled in with the price, many people may feel that even if the offer sounds potentially bogus that it is still worth forwarding “just in case.”  A large proportion of people probably wouldn’t even consider that the offer sounds unlikely.

What makes this hoax chain letter unusual is that it has spread via mobile phones rather than email.  Maybe this is a foretaste of things to come?

Aside from chain letters and hoaxes being spread via cellphones, we are also seeing the phenomenon extend into the world of Web 2.0.  Anyone who has ventured onto Facebook, for instance, is likely to find that their “Funwall” has been jammed with bogus warnings from well-meaning friends alongside the avalanche of Panda sneezing videos.

Of course, just like email hoaxes and chain letters, a fake SMS campaign like this and Facebook chain letters waste time and bandwidth.  Best to nip it in the bud by deleting the message upon its arrival in your inbox, before you embarrass yourself in front of your friends and family by forwarding it on.


Zoowatch continues

# Orang-utans are skeptical of changes in their cages, and the zookeeper is very fond of rum #

Yesterday, I told you about the shenanigans that have been troubling the lovely people at Houston Zoo.  They have been bombarded with phone calls after a nuisance text message was sent to thousands of people telling them to call their main switchboard.

I’m indebted, therefore, to veteran security commentator Steve Gold who has been in touch to tell me that Houston is not the only zoological park to have been on the receiving end of such a prank.

According to the Irish Independent, the switchboard of Dublin Zoo similarly reached thermal death point in late April after at least 5000 people were spammed an SMS text message to their mobile phones telling them to ring a number urgently and ask for a fictitious person.  The number was, of course, that of the main phoneline to Dublin Zoo and the fake names all animal-related (Rory Lion, Anna Conda, C Lion or G Raffe according to the news reports).

Amongst all the intrigue it’s important to remember that there is a serious point here.  Spamming a lot of people via text message appears to be an effective way of generating a flash-flood denial-of-service attack against the telephone system of someone you don’t like.  As mobile operators give more and more “free texts per month” as part of their calling-plans maybe we’ll see more spammers using SMS to clog up phonelines.

Regardless of the motive, it all seems rather bizarre - surely the Dublin and Houston Zoo incidents can’t be unrelated?  What is odd is that zoos appear to be the focus of attacks so far.  Could it be that the Nigerian 419 scammers have given up trying to send us $1.5 million inheritances and are now being paid by sub-Saharan safari parks to put European zoos out of business?  If you have any ideas then please let me know.

Readers who have a love of flightless birds with comedy walks will be pleased to hear that you can adopt a penguin via the Dublin Zoo website.

* Image source: MmMmMmMatt’s Flickr photostream (Creative Commons 2.0)


Cellphone spam clogs up phone lines at Houston Zoo

# Someone told me it’s all happening at the zoo.. #

File this one under “bizarre”.  Officials at Houston Zoo have called in the FBI, after a bizarre spam of SMS text messages caused their phone switchboard to be swamped.

According to a report in the Houston Chronicle, the zoo’s main switchboard has been bombarded with calls since late April.  Receiving ten times the normal number of calls is no fun, particularly when the phone callers are not asking about zoo opening hours, or wondering how to adopt a penguin, but instead following up an unsolicited text message they have received.

The tidal wave of phone calls has been prompted by a cryptic SMS message that cellphone owners have received. The following messages are reported to have been sent:

  • “Somebody talking down on you,  look for them”
  • “Hey y is someone calln me and lookn for u n askn me where r u at n where u live heres tha # tell then to stop calln me”

The message is followed by Houston Zoo’s main switchboard number (which, as I’m feeling kind, I’ll choose not to reproduce here).

Brian Hill, a spokesperson for the zoo (How do you get to be a spokesperson for a zoo? What kind of fantastic job is that? In a bizarre reversal on Dr Dolittle you would be actually talking for the animals! Anyway, I digress..), has called on people who receive the mysterious text message not to call the number.

At the moment it is unclear what the motivation behind the sending of the messages could be.  It’s possible someone has a vendetta against the zoo (I have visions of a parakeet who failed the entrance audition), and has decided to initiate what is effectively a denial-of-service attack against the zoo’s phone system.

Similar tactics have caused problems for organizations in the past. Long-term readers of the Sophos website may remember the case of an email claiming that the recipient had had their credit card debited for an Apple iPod, only to find that the phone number to query the order was for the Cambridgeshire Police Force.

* Image source: B&M Photography’s Flickr photostream (Creative Commons 2.0)