John Hering of Lookout has reported that a number of apps for smartphones running Windows Mobile that look like legitimate games and utilities also have autodialling functionality. According to Elinor Mills' article at http://news.cnet.com/8301-27080_3-20006882-245.html, they call up premium rate phone services in Somalia and elsewhere (Italy and the South Pole have been mentioned), and include apps like:

  • 3D Anti-Terrorist game
  • PDA Poker Art
  • Codec pack for Windows Mobile 1.0

They are reported as being distributed on a number of legitimate download sites, including DoDownload, GearDownload, and Software112. Reuters have also picked up the story, and Apple Insider picked up in turn on that. That post objects to the use here and there of the description of the attack as "a virus" (fair enough - I haven't seen any indication of self-replication), and also describes it as "the product of malicious mobile software developers who misrepresented their work as safe": that's kind of interesting, as other reports talk about legitimate apps having been Trojanized, which from the CNET article seems to have been Hering's original suggestion.

However, Apple Insider have chosen to present the issue as an "it couldn't happen to the iPhone" fest, and I have to take issue with some of those points.

Given how little Windows Mobile malware there actually is, the statement that this case "throws decades of Windows-based punditry on its head because 'malicious hackers' supposedly only target the largest platform" is more than a little overstated. At best, it seems to assume that the iPhone model of application whitelisting/codesigning is pretty close to perfect.

While I'd agree that Lookout's lumping in iPhones with Androids is a bit - well, Apples and Oranges - I think it's as well to remember that there has been a significant targeting of jailbroken and unlocked iPhones. The standard response to this inconvenient fact from Apple and its fans tends to be that in that case, it's the victim's own fault. Not a position I'd be very comfortable with, frankly, but tenable if you can guarantee that security breaches that affect jailbroken iPhones will never have any effect on users of unbroken/locked iPhones.

But can we assume that apart from the tens of thousands of iPhone users who've chosen to jailbreak, there is no risk to anyone who uses one of the things? Actually, no.

  • Nicolas Seriot recently demonstrated a rogue app at Black Hat that can access personal data "in spite of AppStore tight reviews" and has discussed the many ways in which a rogue app might be slipped past AppStore vetting.
  • The iPhone exploit developed by Vincenzo Iozzo and Ralf-Philipp Weinmann with help from Halvar Flake for CanSecWest 2010 used return-oriented programming to evade the iPhone’s code-signing mechanism and build a web page that enables the attacker to steal the iPhone’s SMS database. No jailbreaking necessary.

Security based on restricted privilege can fail dramatically where there's an incentive to bypass it (social engineering is one source of such an incentive). You also need to allow for the ingenuity of hobby hackers, professional vulnerability hunters, and career criminals. To say nothing of a potential conjunction of social engineering and technical vulnerability.

I'm not into scaremongering. But sometimes you have to take your head out of the sand and check that you're not missing anything that won't miss you...

David Harley FBCS CITP CISSP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.com
http://smallbluegreenblog.wordpress.com/