BBC Builds Smartphone Malware For Testing Purposes

siliconbits writes "BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset. The application was built using standard parts from the software toolkits that developers use to create programs for handsets. This makes malicious applications hard to spot, say experts, because useful programs will use the same functions."

"Please turn on JavaScript...

[The+MAZZTer]

Please turn on JavaScript. Media requires JavaScript to play.

OK I'll just....

...heeeey wait a minute. You almost had me there, but you'll have to try harder than that!

Not iPhone or Android

[LinuxIsGarbage]

We know it's impossible for Apple or Linux to get malware, so clearly it was only done for Windows Mobile.

I didn't see them mention it, but I think it's actually a blackberry?

Re:Is this going to be the new trend?

[0123456]

Someone should have patented installing a trojan... ON A PHONE... and then they could sue anyone else who did so.

No defense

[Caerdwyn]

What's the difference between "malicious" and "beneficial", when it comes to software?

Just about every "malicious" action that malware takes is not "malicious" for what it actually does (set cookies, record passwords, send data in response to user actions, create accounts, encrypt things). All of these things are also functions you sometimes want software to do. The maliciousness is in who data gets sent to, whether it does one thing when it presented another thing in the UI, or if it's not announced. Therefore, how can you programmatically tell malware from not-malware? You can't. And therefore, if the user has the ability to install software, all you have to do to get malware onto a device is lie about it.

Malware isn't defined by what it does. It's defined by deception and lack of consent, and only by deception and lack of consent.

And if you want widespread adoption of your malware? Just wait. Make the "trojan" part of the malware (the game, app, etc.) useful, and do ONLY that part, for a while. Don't start stealing passwords until 6 months later. Include the encryption-extortware in the 3.2 update. Cache the keystrokes and send them only when you embed a keyphrase in your product website, and upload them during an "expected" transaction such as an upgrade or content download. Build the reputation for trust and the block of reviews saying "it's never caused me trouble", then cash it in all at once.

Short of human review of the software in question prior to general availability, you're screwed. (Even then you might be, as human review isn't infallable, but it's certainly not useless) With this in mind, whether you agree that it's worth the hassle/restrictions or not, isn't Apple's AppStore strategy just a little more understandable from an objective point of view?

Maybe it's not ALL about moustache-twirling and staking out new liver donors. Maybe, just maybe, at least part of Apple's "walled garden" motives are benevolent. Maybe it's not a simple question, but a complex one, requiring not simple answers, but complex and rigorous thought. And maybe it's not black-and-white, but shades of gray with the weighting different for every user.

Re:No defense

Apple's walled garden does nothing to prevent the kind of malware you described. They don't actually inspect an app's code, they just run it (in an emulator presumably) and see if it does anything they don't like. Getting hidden malicious functionality through the approval process would be a cinch.

Re:No defense

[erroneus]

Why does this remind me of Bonzi buddy?

I gave my sons their own computer when they were in elementary school. At the time, it was somewhat rare and they were excited by it. They had internet access which I vaguely watched... (meaning checking for porn) and all seemed well.

Keep in mind that I had NEVER had problems with pop-ups and malware or any of that before simply because I instinctively knew better as do many people here on slashdot. (Not many of us had to learn the hard way... we pretty much already knew... what? install this program to see the video? WE don't fall for that one... but many do!) So it didn't occur to me that my sons were not yet as skeptical as I.

So yeah... Bonzi buddy. They found this cute thing and installed it and it was fun for them to play with. It told jokes and they could type things in for it to say. Before long, the computer was doing things they didn't tell it to do. I remember the first time my younger son rushed downstairs to tell on his older brother for having naked pictures on the computer screen! The older followed behind closely and explained that they just started appearing out of nowhere! (Pop-ups! I had HEARD about them but never saw them before at the time!)

So I reloaded the machine, let them install Bonzi buddy again and before long it was happening again. Didn't take me long to realize what Bonzi buddy was up to. Sad part was that Bonzi buddy attracted kids and exploited them with along with the adults.

In short, there's nothing new or revolutionary in your idea. It has been done a lot already.

In fact, Microsoft did that too. They could have secured their OSes from being copied from the very beginning. Instead, they used piracy (free copying) as a means of distribution to choke out the competition. Then, once they achieved the "critical mass" their revealed secret documents spoke of, they started locking their software down more and more. It's not like free copying wasn't a problem from the beginning... it's just that it was also useful in the beginning and stopped being useful once their ends were achieved.

Re:No defense

[VortexCortex]

Apple's walled garden does nothing to prevent the kind of malware you described.
Getting hidden malicious functionality through the approval process would be a cinch.

Yep, even teenagers can get trojan apps past Apple's approval process.

Re:No defense

[scamper_22]

How about requiring all software be written and approved and digitally signed by licensed engineers with legal responsibility.

That way, if malware gets in, you have someone to blame.

Pardon me for combining job protection with societal benefit :P... you know... like how doctors and lawyers do.
Sure it stifles open access... but at the benefit of quality and job protection...

Fearmongering Bullshit...

[Jahava]

I'll open with a disclaimer: most of my smartphone experience and awareness is centered around Android phones. That said, this article is yet another with a standard theme: "Remember, you stupid public, that smartphones are still computers". This is another in the a set of articles about people who write phone applications requesting a smorgasbord of permissions, receiving them from the user, and using them maliciously. Put simply, this is another in the formulaic series:

Mystique of Computers * Fear of Malware * Novelty of Phones = Profit

Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999.

No offense, but Chris Wysopal is an idiot. Modern smartphones run every application in a sandboxed per-application environment with fine-grained permission controls that are, to some degree, opaque to the user. These applications, by a well-defined default, must exist in a central repository managed by a powerful authority and receive realtime user reviews. This is nothing like PCs in 1999 (remember, that was Windows 98). Then again, he's certainly quite biased, as his company makes a living certifying applications.

All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.

Yes, of course they were. BBC didn't actually do anything innovative, like find an exploitation or break out of the sandbox. They just abused the OS's granted privileges to the fullest extent. Is this actually a problem? Given any set of privileges and any degree of fine-grained control, you can still abuse whatever you're given to the fullest extent.

At least one fundamental thing failed here: the user installed a phone game that requested privileges such as:

• SEND_SMS: Allows an application to send SMS messages.
• INTERNET: Allows applications to open network sockets.
• READ_CONTACTS: Allows an application to read the user's contacts data.
• READ_OWNER_DATA: Allows an application to read the owner's data.
• ... to name a few

As the owner and user of the device, it is ultimately your responsibility to determine what software you install on your phone. If you are downloading a single-player game that asks for these kinds of permissions, you had damned well better check out the source of that game. If it's not a company that you are comfortable trusting and you still install it, then you are (frankly) stupid. BBC does, of course, presume that its users are stupid.

But that's the problem ... no amount of protection will allow stupid people have free access to a computer and remain protected. You have to strip away something from one of these factors ... either whittle down free access or reduce the base of stupid users. Better design models only serve to decrease the thresholds required for either.

Is there an inherent issue with those kinds of permissions being available and grantable? Sure, there is! Applications, especially closed-source ones, are effectively black boxes. The permissions that I am presented with at installation-time are, in fact, my only real insight as to what the application is capable of doing. Arguing for a finer grain of control is pointless, though. Regardless of what permissions are grantable, you will never circumvent the fundamental problem that stupid users will blindly install applications. Presenting them with more information will not change that fact.

It is the job of the OS vendor (Apple, Google, RIM, etc.) to declare a set of permissions that reasonably mitigates the dangers of overly-gener

Re:How it is news

[BasilBrush]

In many ways mobile phones are more secure than desktops. Sandboxes for apps, strong permissions schemes, app certification etc. But to counterbalance that, they have new facilities as standard that are more dangerous if compromised. Mobile phone charges, SMS, GPS, microphone, camera etc.