Watch That App!

Researchers at the American University of Beirut (AUB) have succeeded in creating a mobile application that is capable of transferring prepaid phone credits without the phone user’s authorization or knowledge.

The vulnerability was discovered by AUB’s Network Security Group as part of a research project funded by TELUS Corporation of Canada. A team led by Imad ElHajj, lead researcher and professor of electrical and computer engineering at AUB, created the app, which masquerades as a benign messaging app. Once installed, it starts sending and intercepting SMS messages, causing unauthorized credit transfers to another phone number without being detected.

“The potential impact of the app is in the loss of millions of dollars from the accounts of phone subscribers,” says Professor ElHajj. “The vulnerability exists on most smartphone operating systems, and affects many operators in the region, including the two operators in Lebanon who were informed about this vulnerability.”

A prototype app was demoed on a Samsung smartphone running Android 2.3 on the networks of both Lebanese mobile network operators. The malware was not detected by any virus detection tools, and could be published on Google’s Play Store.