The application disguises itself as a benign messaging app that sends and intercepts text messages, resulting in unauthorized and undetected credit transfers to another phone number.
“The potential impact of the app is in the loss of millions of dollars from the accounts of phone subscribers. The vulnerability exists on most smartphone operating systems, and affects many operators in the region, including the two operators in Lebanon who were informed about this vulnerability”, said Imad ElHajj, one of the AUB researchers who developed the app.
A prototype application was demonstrated on a Samsung smartphone running the Android 2.3 operating system over both Lebanese mobile network operators – mtc touch and Alfa. The malware was not detected by any virus detection tools and could be published on Google’s Play Store, the researchers explained.
Other AUB researchers involved in the project include Ayman Kayssi, Ali Chehab, and Khodor Hamandi. The research was funded by Canada’s TELUS.