Smartphone security put on test By Mark Ward

Technology correspondent, BBC News Published duration 9 August 2010

media caption How the stolen data was sent to an e-mail inbox set up to receive it

BBC News has shown how straightforward it is to create a malicious application for a smartphone.

Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset.

The application was built using standard parts from the software toolkits that developers use to create programs for handsets.

This makes malicious applications hard to spot, say experts, because useful programs will use the same functions.

While the vast majority of malicious programs are designed to attack Windows PCs, there is evidence that some hi-tech criminals are starting to turn their attention to smartphones.

Booby-trapped applications for smartphones have been found online and in recent weeks Apple and Google have removed applications from their online stores over fears that they were malicious.

Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999.

At that time malicious programs were a nuisance. A decade on and they are big business, he said, with gangs of criminals churning out malware that tries to steal saleable information.

Mobiles, he said, offered a potentially more tempting target to those criminals.

"Mobile phones are really personal devices," said Mr Wysopal. "You might have one computer for a family but every family member has a personal device and it is with them all the time."

Simeon Coney, a spokesman for mobile security firm AdaptiveMobile, said criminals were focused on handsets for one simple reason: money.

"In the PC domain the only way a criminal can generally take money from a user is by having them click on a web link, go to a website, purchase a product and enter their credit card details," said Mr Coney.

"In a mobile network the device is intrinsically linked to a payment plan, to a user's credit," he said. Nothing happens on a mobile network, no call is made or text is sent, without money changing hands.

Criminals have tapped into that revenue stream by getting phone owners to dial or contact premium rate numbers. Now they are turning their attention to applications and the lucrative information they scoop up.

The App Genome project by mobile security firm Lookout was set up to map what applications produced for smartphones do. It tried to find out if they do everything they claim and if they do more than expected.

The project has looked at 300,000 smartphone applications and mapped the internal functions of one-third of them.

It found that about one-third of applications it has studied seek to get at a user's location and about 10% try to get at contact and address lists. The study also found that a significant proportion of applications included code copied and pasted from other programs.

Code creator

To get a better understanding of the barriers to creating malicious programs the BBC downloaded a widely used application development kit, learned the basics of programming in Java and gathered some snippets of code already released on the net.

It was possible in a few weeks to put together a crude game that also, out of sight, gathered contacts, copied text messages, logged the phone's location and sent it to a specially set up e-mail address.

The spyware took up about 250 lines of the 1500 making up the entire program. The code was downloaded to a single handset but was not put on an application store.

All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.

"That's kind of the scary thing," said Mr Wysopal from Veracode.

"The face of the application, be it a game or a simple application that is for fun, can have behaviour that is not visible at the surface."

"There's been cases of spyware being detected on the internet, downloaded even from application stores or from other websites. We've detected it out there," said Mr Wysopal. "On the personal side there are cases of jilted lovers cyber-stalking their ex-boyfriend or ex-girlfriend through their phone."

The big application stores offering programs to mobile owners do police the software they are offering.

Apple vets applications and rejects those that fail its commercial and coding tests. Google said that applications for Android must declare all the information they will gather when they are downloaded. Blackberry maker RIM and Google use a code-signing system so they can turn off applications that prove to be malicious.

However, it can be difficult to separate malicious programs from legitimate ones because the connectedness of a mobile means many applications need access to contact lists and location data.

For example, gamers might want to brag to their friends about achievements, post high scores to Facebook or play with a friend if they are close by. All of which would need legitimate access to those sensitive details.

Safety steps

Ilya Laurs, founder of independent application site GetJar, said it was "very hard" for application stores to separate programs using personal information legitimately from those with a malicious intent.

Many handset hackers would likely copy existing applications and add-in malicious code, said Mr Laurs.

image caption Large phone bills can be a sign that something is amiss

"It's way less effort to hack into someone else's application, as you do not have to write it yourself," he said.

Many would do that, said Mr Laurs, to ensure they hit plenty of victims.

"What's most important for hackers is how do they get scale," he said. "If they write their own application, such as a game, they may only get 200 downloads."

By contrast, he said, stealing a popular application, packing it with booby-trapped code and offering it for free can reap rewards.

Some application makers have found that 97% of the people using their software are doing so via pirated versions.

Application stores are making efforts to police the programs they offer. So far the number of booby-trapped applications remains low. But many feel the threat is only likely to grow.

Users can take a few simple steps to stay safe.

"Ask which developer an application is coming from, not just the site or carrier because that's only half of the story," said Mr Laurs. "Ask who they are and do you trust them."

Phone owners should also back up data on their handsets to a PC or net-based service to guard against problems.

Nigel Stanley, a security analyst at Bloor Research, said there were telltale signs that revealed if people had been caught out.

"A very obvious tell-tale sign on the phone is all of a sudden your battery life is deteriorating," he said. "You wake up one morning and your battery has been drained then that might indicate that some of the data has been taken off your phone overnight."

Smartphone owners should also keep an eye on their bill.