Smartphone security put on test

How the stolen data was sent to an e-mail inbox set up to receive it


BBC News has shown how straightforward it is to create a malicious application for a smartphone.

Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset.

The application was built using standard parts from the software toolkits that developers use to create programs for handsets.

This makes malicious applications hard to spot, say experts, because useful programs will use the same functions.

While the vast majority of malicious programs are designed to attack Windows PCs, there is evidence that some hi-tech criminals are starting to turn their attention to smartphones.

Booby-trapped applications for smartphones have been found online and in recent weeks Apple and Google have removed applications from their online stores over fears that they were malicious.

Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999.

At that time malicious programs were a nuisance. A decade on and they are big business, he said, with gangs of criminals churning out malware that tries to steal saleable information.

How we did it

Before starting this project, the last time I had anything serious to do with programming was in my teens.

At that time home computers in the form of the BBC Micro, Vic 20 and Sinclair ZX machines were in vogue. The proud owner of a Vic 20, I spent hours laboriously copying line after line of code out of magazines to get games running.

I approached this project more diligently. I bought textbooks, read online tutorials, pored over tips, tricks and sample code put on the web by developers to aid people like me.

My thought was to learn programming first, then get started on building a malicious application. Then I had an epiphany. Just as people don't have to be fluent in a foreign language to make themselves understood abroad, I didn't have to know everything before getting started.

It struck me too that the bad guys do not share my lofty aims. They are interested in results, the quicker the better. I realised it would be better to re-work existing code rather than start from scratch.

So I did. That decision sped up the creation of the spyware, as did the guidance of senior developer Tyler Shields from Veracode who helped to get it working.

The end result was a program that does not look great but gets the job done. The process has educated me about modern programming and put me on my guard about what goes on my phone.

Mobiles, he said, offered a potentially more tempting target to those criminals.

"Mobile phones are really personal devices," said Mr Wysopal. "You might have one computer for a family but every family member has a personal device and it is with them all the time."

Simeon Coney, a spokesman for mobile security firm AdaptiveMobile, said criminals were focused on handsets for one simple reason: money.

"In the PC domain the only way a criminal can generally take money from a user is by having them click on a web link, go to a website, purchase a product and enter their credit card details," said Mr Coney.

"In a mobile network the device is intrinsically linked to a payment plan, to a user's credit," he said. Nothing happens on a mobile network, no call is made or text is sent, without money changing hands.

Criminals have tapped into that revenue stream by getting phone owners to dial or contact premium rate numbers. Now they are turning their attention to applications and the lucrative information they scoop up.

The App Genome project by mobile security firm Lookout was set up to map what applications produced for smartphones do. It tried to find out if they do everything they claim and if they do more than expected.

The project has looked at 300,000 smartphone applications and mapped the internal functions of one-third of them.

It found that about one-third of applications it has studied seek to get at a user's location and about 10% try to get at contact and address lists. The study also found that a significant proportion of applications included code copied and pasted from other programs.

Code creator

To get a better understanding of the barriers to creating malicious programs the BBC downloaded a widely used application development kit, learned the basics of programming in Java and gathered some snippets of code already released on the net.

It was possible in a few weeks to put together a crude game that also, out of sight, gathered contacts, copied text messages, logged the phone's location and sent it to a specially set up e-mail address.

The spyware took up about 250 lines of the 1500 making up the entire program. The code was downloaded to a single handset but was not put on an application store.

All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.

"That's kind of the scary thing," said Mr Wysopal from Veracode.

"The face of the application, be it a game or a simple application that is for fun, can have behaviour that is not visible at the surface."


"There's been cases of spyware being detected on the internet, downloaded even from application stores or from other websites. We've detected it out there," said Mr Wysopal. "On the personal side there are cases of jilted lovers cyber-stalking their ex-boyfriend or ex-girlfriend through their phone."

The big application stores offering programs to mobile owners do police the software they are offering.

Apple vets applications and rejects those that fail its commercial and coding tests. Google said that applications for Android must declare all the information they will gather when they are downloaded. BlackBerry maker RIM and Google use a code-signing system so they can turn off applications that prove to be malicious.

However, it can be difficult to separate malicious programs from legitimate ones because the connectedness of a mobile means many applications need access to contact lists and location data.

For example, gamers might want to brag to their friends about achievements, post high scores to Facebook or play with a friend if they are close by. All of which would need legitimate access to those sensitive details.
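The declared-permission model described above is what a store reviewer or a cautious user has to work with, so as an added illustration (example code, not from the BBC or Veracode project) here is a small Python triage script: it reads the permissions an Android manifest declares and flags the data categories the article's spyware collected, unless the app's stated purpose accounts for them. The sample manifest, the category groupings and the `expected_categories` parameter are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for a "game" that declares far more access than a game needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.crudegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# ElementTree exposes the namespaced android:name attribute as "{uri}name".
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Groupings are this example's own: the three kinds of data the article's spyware
# gathered (contacts, text messages, location) and the routes for sending them off-device.
SENSITIVE = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
EGRESS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}


def triage(manifest_xml, expected_categories=()):
    """Return (unexplained_categories, can_exfiltrate).

    unexplained_categories: sensitive data the app can reach that its stated purpose
    (expected_categories, e.g. ("location",) for a play-with-nearby-friends game) does
    not account for.  can_exfiltrate: whether it also holds a permission to send data out.
    """
    perms = declared_permissions(manifest_xml)
    reachable = {cat for cat, names in SENSITIVE.items() if perms & names}
    unexplained = sorted(reachable - set(expected_categories))
    return unexplained, bool(perms & EGRESS)


if __name__ == "__main__":
    flagged, egress = triage(SAMPLE_MANIFEST, expected_categories=("location",))
    print("unexplained access:", flagged, "| can send data off device:", egress)
```

A hit here is only a reason to look closer, since, as the article notes, a legitimate social game may well need the same permissions.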

Safety steps

Ilya Laurs, founder of independent application site GetJar, said it was "very hard" for application stores to separate programs using personal information legitimately from those with a malicious intent.

Many handset hackers would likely copy existing applications and add in malicious code, said Mr Laurs.

[Image: credit card and mobile phone (Thinkstock). Caption: Large phone bills can be a sign that something is amiss]

"It's way less effort to hack into someone else's application, as you do not have to write it yourself," he said.

Many would do that, said Mr Laurs, to ensure they hit plenty of victims.

"What's most important for hackers is how do they get scale," he said. "If they write their own application, such as a game, they may only get 200 downloads."

By contrast, he said, stealing a popular application, packing it with booby-trapped code and offering it for free can reap rewards.

Some application makers have found that 97% of the people using their software are doing so via pirated versions.

Application stores are making efforts to police the programs they offer. So far the number of booby-trapped applications remains low. But many feel the threat is only likely to grow.

Users can take a few simple steps to stay safe.

"Ask which developer an application is coming from, not just the site or carrier because that's only half of the story," said Mr Laurs. "Ask who they are and do you trust them."

Phone owners should also back up data on their handsets to a PC or net-based service to guard against problems.

Nigel Stanley, a security analyst at Bloor Research, said there were telltale signs that revealed if people had been caught out.

"A very obvious tell-tale sign on the phone is all of a sudden your battery life is deteriorating," he said. "You wake up one morning and your battery has been drained, then that might indicate that some of the data has been taken off your phone overnight."

Smartphone owners should also keep an eye on their bill.

"Look at your billing information every month and if there are strange numbers appearing on your phone bill that might indicate that there is some software on there that is dialling out to premium-rate lines, billing you for a service that you have not authorised," he said.
