You will be billed $90,000 for this hacked cell phone call

Among the scary talks at the Black Hat security conference yesterday was one entitled “You will be billed $90,000 for this call.” That title was an exaggeration, but it certainly highlighted the risks facing users with unprotected mobile phones.

The talk by security expert Mikko Hypponen of security firm F-Secure showed how a compromised cell phone could make surreptitious long-distance calls that could cost you lots of money. It was one of a number of talks about the subject of hacking smartphones, which are vulnerable because they have the same capabilities and networking technology as computers. (See our roundup of all Black Hat and Defcon stories).

Hypponen, chief resource officer at F-Secure, followed the trail of hackers who hid malicious code in an anti-terrorist shooting game for smartphones. A hacker, apparently from Russia, hacked a legitimate game and planted a virus in it. The hacker then offered the tainted app for free on a copycat website.

“It is actually a very good game that suddenly was free,” the security researcher said. “Download sites thought it was the real deal.”

The malware was clever. The game software was modified to wait a while before its payload was triggered. The program hidden within it triggered eight phone calls that charged premium rates and billed the calls to the smartphone owner’s monthly bill. The malware stopped at just $12 per month worth of phone calls, so that it could escape notice. Hypponen said there were perhaps 500 pieces of malicious code targeting cell phones, far smaller than the number targeting PCs. But the number is growing.