Forgot your password?
typodupeerror
Cellphones Security The Media

BBC Builds Smartphone Malware For Testing Purposes 60

Posted by Soulskill
from the mainstream-security-research dept.
siliconbits writes "BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset. The application was built using standard parts from the software toolkits that developers use to create programs for handsets. This makes malicious applications hard to spot, say experts, because useful programs will use the same functions."
This discussion has been archived. No new comments can be posted.

BBC Builds Smartphone Malware For Testing Purposes

Comments Filter:
  • by Anonymous Coward on Tuesday August 10, 2010 @02:20PM (#33206968)

    Same thing that happens on a regular desktop computer.... BUT ON A PHONE! So it's new news!

  • by 0123456 (636235) on Tuesday August 10, 2010 @02:40PM (#33207236)

    Someone should have patented installing a trojan... ON A PHONE... and then they could sue anyone else who did so.

  • No defense (Score:5, Insightful)

    by Caerdwyn (829058) on Tuesday August 10, 2010 @02:45PM (#33207298) Journal

    What's the difference between "malicious" and "beneficial", when it comes to software?

    Just about every "malicious" action that malware takes is not "malicious" for what it actually does (set cookies, record passwords, send data in response to user actions, create accounts, encrypt things). All of these things are also functions you sometimes want software to do. The maliciousness is in who data gets sent to, whether it does one thing when it presented another thing in the UI, or if it's not announced. Therefore, how can you programmatically tell malware from not-malware? You can't. And therefore, if the user has the ability to install software, all you have to do to get malware onto a device is lie about it.

    Malware isn't defined by what it does. It's defined by deception and lack of consent, and only by deception and lack of consent.

    And if you want widespread adoption of your malware? Just wait. Make the "trojan" part of the malware (the game, app, etc.) useful, and do ONLY that part, for a while. Don't start stealing passwords until 6 months later. Include the encryption-extortware in the 3.2 update. Cache the keystrokes and send them only when you embed a keyphrase in your product website, and upload them during an "expected" transaction such as an upgrade or content download. Build the reputation for trust and the block of reviews saying "it's never caused me trouble", then cash it in all at once.

    Short of human review of the software in question prior to general availability, you're screwed. (Even then you might be, as human review isn't infallable, but it's certainly not useless) With this in mind, whether you agree that it's worth the hassle/restrictions or not, isn't Apple's AppStore strategy just a little more understandable from an objective point of view?

    Maybe it's not ALL about moustache-twirling and staking out new liver donors. Maybe, just maybe, at least part of Apple's "walled garden" motives are benevolent. Maybe it's not a simple question, but a complex one, requiring not simple answers, but complex and rigorous thought. And maybe it's not black-and-white, but shades of gray with the weighting different for every user.

  • by yttrstein (891553) on Tuesday August 10, 2010 @03:04PM (#33207494) Homepage
    When someone's been to Blackhat recently. There were at least half a dozen step-by-step presentations about every aspect of cellphone malware.
  • The threat model (Score:3, Insightful)

    by tepples (727027) <tepples AT gmail DOT com> on Tuesday August 10, 2010 @03:04PM (#33207504) Homepage Journal

    What's the difference between "malicious" and "beneficial", when it comes to software?

    From the user's point of view, the threats are modeled rawther well on the Bitfrost page [laptop.org]. But from a platform owner's (e.g. Apple, Microsoft, Sony, Nintendo) point of view, the threats are anything that would either tarnish the brand or compete with the platform owner.

  • by Jahava (946858) on Tuesday August 10, 2010 @03:13PM (#33207616)

    I'll open with a disclaimer: most of my smartphone experience and awareness is centered around Android phones. That said, this article is yet another with a standard theme: "Remember, you stupid public, that smartphones are still computers". This is another in the a set of articles about people who write phone applications requesting a smorgasbord [wikipedia.org] of permissions, receiving them from the user, and using them maliciously. Put simply, this is another in the formulaic series:

    Mystique of Computers * Fear of Malware * Novelty of Phones = Profit

    Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999.

    No offense, but Chris Wysopal is an idiot. Modern smartphones run every application in a sandboxed per-application environment with fine-grained permission controls that are, to some degree, opaque to the user. These applications, by a well-defined default, must exist in a central repository managed by a powerful authority and receive realtime user reviews. This is nothing like PCs in 1999 (remember, that was Windows 98). Then again, he's certainly quite biased, as his company [veracode.com] makes a living certifying applications.

    All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.

    Yes, of course they were. BBC didn't actually do anything innovative, like find an exploitation or break out of the sandbox. They just abused the OS's granted privileges to the fullest extent. Is this actually a problem? Given any set of privileges and any degree of fine-grained control, you can still abuse whatever you're given to the fullest extent.

    At least one fundamental thing failed here: the user installed a phone game that requested privileges [android.com] such as:

    • SEND_SMS: Allows an application to send SMS messages.
    • INTERNET: Allows applications to open network sockets.
    • READ_CONTACTS: Allows an application to read the user's contacts data.
    • READ_OWNER_DATA: Allows an application to read the owner's data.
    • ... to name a few

    As the owner and user of the device, it is ultimately your responsibility to determine what software you install on your phone. If you are downloading a single-player game that asks for these kinds of permissions, you had damned well better check out the source of that game. If it's not a company that you are comfortable trusting and you still install it, then you are (frankly) stupid. BBC does, of course, presume that its users are stupid.

    But that's the problem ... no amount of protection will allow stupid people have free access to a computer and remain protected. You have to strip away something from one of these factors ... either whittle down free access or reduce the base of stupid users. Better design models only serve to decrease the thresholds required for either.

    Is there an inherent issue with those kinds of permissions being available and grantable? Sure, there is! Applications, especially closed-source ones, are effectively black boxes. The permissions that I am presented with at installation-time are, in fact, my only real insight as to what the application is capable of doing. Arguing for a finer grain of control is pointless, though. Regardless of what permissions are grantable, you will never circumvent the fundamental problem that stupid users will blindly install applications. Presenting them with more information will not change that fact.

    It is the job of the OS vendor (Apple, Google, RIM, etc.) to declare a set of permissions that reasonably mitigates the dangers of overly-gener

  • Malware, eh? (Score:3, Insightful)

    by mujadaddy (1238164) on Tuesday August 10, 2010 @03:23PM (#33207774)
    Does it send an SMS to a premium number in Russia [slashdot.org]?
  • How it is news (Score:3, Insightful)

    by SuperKendall (25149) on Tuesday August 10, 2010 @04:24PM (#33208646)

    Same thing that happens on a regular desktop computer.... BUT ON A PHONE! So it's new news!

    The news is that phone OS'es are being shipped in 2010 that aren't preventing the common security problems we've seen on desktops for the past few decades.

An optimist believes we live in the best world possible; a pessimist fears this is true.

Working...