BBC Creates Data-Stealing Smartphone App

A reporter at the BBC has created a smartphone application which spies on the owner of the device, in an attempt to prove how straightforward it is to create malicious software for mobiles.

Reporter Mark Ward designed a simple noughts and crosses game using a popular smartphone application toolkit. However, the crude game was a cover for a piece of malware, which hid under the hood gathering contacts, copying text messages, logging the phone’s location and sending it to a specially set up email address.

According to BBC News, the spyware takes up about 250 lines of the 1500 making up the entire program, but is hard to detect because all of the information-stealing elements use the same functions as legitimate smartphone applications.

Smartphone security

Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, told the news agency that smartphones are now at the point the PC was in 1999. “At that time malicious programs were a nuisance. A decade on and they are big business, he said, with gangs of criminals churning out malware that tries to steal saleable information.”

The security of mobile devices is becoming a growing concern, with many security companies now investing in specialised software to protect smartphones. In July, for example, McAfee announced plans to acquire mobile security vendor TenCube – its second mobile security acquisition in two months.

Awareness Technologies also recently bought LegiTime Technology, a provider of smartphone authentication and management solutions; Juniper Networks has acquired SMobile Systems, a provider of security solutions for smartphones and tablets; and Symantec last month released a beta of Norton Smartphone Security for Android, an app for remote device lockout, anti-malware protection and call blocking.

It is undeniable that, as device manufacturers continue to add processing power and storage capacity, and platform vendors provide more applications for generating and consuming data, the greater the security threat to these devices will become. However, as eWEEK reporter Larry Walsh suggests, if future smartphone security is to succeed it will require new thinking, business models and training on the part of the network and mobility channels.

BBC botnet project

The BBC made a point of stating in its report that the malware code was downloaded to a single phone, and was not put on an application store. This follows criticism of the Corporation last year, after it bought a botnet and used it to control and modify other people’s computers, in order to demonstrate what botnets can do.

The BBC claimed at the time that no laws were broken, but some commentators cited the Computer Misuse Act, which states that unauthorised actions on a computer (like sending emails from it or changing the wallpaper) are violations.

“Malware researchers routinely deal with botnets for analysis purposes. It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for “testing” purposes,” said Alex Eckelberry, CEO of Sunbelt Software. “And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don’t know what accidental harm you may cause. You also don’t really know what’s on the user’s system that will simply restart the whole process.”