
Even a CHILD can make a Trojan to pillage Windows Phone 8

A teenager has crafted prototype malware for Windows Phone 8 just weeks after the official unveiling of the smartphone platform. The proof-of-concept code is due to be demonstrated by Shantanu Gawde at the International Malware Conference (MalCon) in New Delhi, India on 24 November. Gawde, who is a member of the Indian …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

So what he has done is written a program that uses the standard APIs to get data and send it off?

The point is that an application needs to go through the approval process before going to the store. So while anyone can write malware, getting it out into the wild is more difficult now.

There are all manner of sneaky tricks you can do to get around such checks, your app could have a logic bomb in there so the negative effects only take effect after a time.

4
2
FAIL

Details are thin so it's unclear whether the malware exploits a vulnerability in Windows Phone 8 or it simply tricks users into doing something daft,

Whilst it's quite possible that's what he's done, by no means is it clear that that's what he has done. It remains possible that he's found a vuln and exploited it.

No cause for panic, certainly, but given the sparse info I wouldn't go as far as to disregard it (yet) either.

Once he's revealed it at MalCon we'll know, but for the moment Windows Phone is Schroedinger's Cat

4
0
Gold badge
Coat

but for the moment Windows Phone is Schroedinger's Cat

You mean the way it's both dead and alive at the same time, depending on who you speak to?

16
0
Silver badge
Trollface

"The point is that an application needs to go through the approval process before going to the store. So while anyone can write malware, getting it out into the wild is more difficult now."

Furthermore, when you install something from the store, you can see the permissions list for what it can access. So if you're installing a game and it says it wants to access your People hub, you can ask why it would need that and say no. And if something does make it through, when MS pull it, you will know about it.

This is a really shoddy and sensationalistic article. No details other than those which suggest it's just a regular program relying on user authorisation. They just wanted to try and force a headline about A CHILD CAN CRACK WP8!

Trollface for the Reg hack that wrote this article. No wonder I'm getting more of my news from The Verge these days (much like The Reg is ;)

3
2
Bronze badge
Mushroom

Quite - unless he has bypassed application signing and the App Store completely then it's a non event.

2
1

You mean the way it's both dead and alive at the same time, depending on who you speak to?

</thread>

0
0
Holmes

Information is indeed so thin that this should not be news. Any registered app can do that.

2
1
Silver badge

That's why I both like and hate the Android scheme

When you download an app you can see what permissions it wants and check if that matches what you think it does.

Which is great.

However, you can't tell it "No, Farcebook, you may not have access to my contacts", which is crap.

However, in iOS and Windows Phone, you have no way of knowing what a given app does - once on board it is permitted to do anything at all to things like contacts etc in the "shared storage" areas, and you have no way of knowing beforehand that it even could.

So you are completely reliant on the curation of their app stores.

2
0
Bronze badge

Re: That's why I both like and hate the Android scheme

Yes - and many useful apps ask for many more permissions than you think they probably need.

Much like clickwrap licence agreements, the temptation is just to click "OK" without actually thinking about it.

2
0
Silver badge

> Any registered app can do that.

Which is why we need more specific controls on what apps can do.

"internet access" is rubbish as a control, we need, "wants to access http://appsite.com/*"

How about, "wants to access contacts - create unique myapp view of addressbook?"

Perhaps the OS could then run through the possible results at installation time: "this app can read contacts from your addressbook and transfer data to/from http://mysite.com"

I install very little on my phone - I must be old - there's very little out there that I feel I need.

0
0
Bronze badge

Re: That's why I both like and hate the Android scheme

@Richard 12

Can't speak for WP8 but iOS apps request permissions which can be later reviewed and/or revoked in Settings > Privacy.

Same caveats apply, if you deny a mapping app access to location services, a camera app access to the camera or a social app access to your contacts they probably won't work as intended or possibly at all.

One difference seems to be that Android asks for all 'required' permissions at install while iOS asks for permissions individually, as features that require them are used.

0
0
Bronze badge

Re: That's why I both like and hate the Android scheme

Not true, Windows Phone does show you what permissions are required by an application before you install it (and for particularly sensitive ones like location pops up an allow/deny box when you first run the app too).

1
0
Bronze badge

Re: > Any registered app can do that.

Perhaps the OS could then run through the possible results at installation time: "this app can read contacts from your addressbook and transfer data to/from http://mysite.com"

It's a nice theory, but utterly unworkable in practice. Even assuming you could constrain an app in that fashion, you'd end up providing a massive list of requirements to end users which nobody would read (resulting ultimately in malware finding it easier to request permissions and get away with it). Similarly the experience for devs would be pretty horrific if they had to cope with every possible combination of users picking and choosing permissions that can be granted. Ultimately it's better for all to encourage devs to request the minimum permissions necessary and for users to avoid apps that want more than seems reasonable.

0
0
Anonymous Coward

Whatever he has found - if it's an actual vulnerability then it likely won't be a concern for long. WP8 can update over the air with no carrier involvement if necessary.

1
0
Silver badge

Re: > Any registered app can do that.

"It's a nice theory, but utterly unworkable in practice. Even assuming you could constrain an app in that fashion..."

It's not apps generally, but the new system of web-plugins for MS Office 2013 actually *does* do this. Sort of. There's a deployment system for them, written in XML, that defines what they may do right down to whitelists of websites or servers if you want. It's not a general app thing, but if you're running a corporate environment and you want to use a plugin for Office and know that it is only capable of communicating with server X or can only affect particular files on the system or what have you, then you can check the deployment code for the plugin and know that (vulnerabilities notwithstanding), it can't do anything else.

Far better than a pile of VB code.

0
0
Anonymous Coward

Re: That's why I both like and hate the Android scheme

Dalvik is a VM, right? Would be cool if it virtualised access to protected data.

0
0
Joke

THAT'S the Windows we all know and love!!! I knew it'd still be there under all that Metro UI

5
3

Don't panic, Don't panic (sorry couldn't resist a little homage to the late Clive Dunn)

But since there are very few Windows Phone 8 users it's hardly a problem at the moment

5
0
Anonymous Coward

A Use At Last

Come on be generous, at last someone has found a use for Windows Phone, even if it is only trying to write malicious software for the darned thing!

0
0
Silver badge
WTF?

15?

Infected by Hollywood's Über-Kids expectations, are we?

0
0
Joke

Wonder whose code he stole

Usually it's either an incredibly exceptional 15 year old with some form of 'communicative' disorder, or he's used portions of others' code / APIs...

It's incredible how much code is available. I wonder if it involves Bluetooth or... Device specific vulnerabilities?

There are heuristics available for Windows Mobile devices, not that most people would believe that even Android and Blackberry require protection (notice the absence of iOS, just like every other Apple technology... "it MUST be unhackable" LOL)

0
0
Coat

"it's unclear whether [it] simply tricks users into doing something daft"

Arguably that mission was already accomplished by the salesperson... when they convinced the punter to buy the WinMoPho in the first place.

Boom boom!

Yes, yes I'm leaving...

5
0

I suppose

That at least he has proved you can write an application on Windows that can get the data you need. A much bigger challenge would be to go through the pain and misery involved in writing either an iPhone or Linux application.

1
2

This post has been deleted by a moderator

Bronze badge
Mushroom

Re: I suppose

I hope that's a joke. IOS has over 300 known vulnerabilities, versus 1 known DoS issue via SMS for Windows Phone, and 1 known vulnerability for all versions of Windows Mobile.

And as to Linux - that's about as bad as it gets. For instance SUSE 10, over 3,500 known vulnerabilities. Hence why internet facing Linux servers are much more likely to be exploited than Windows servers.

To put that in perspective, even Windows XP - which is 10 years old - only has about 450 known vulnerabilities....

See Secunia.org.

1
5

Re: I suppose

Hence why internet facing Linux servers are much more likely to be exploited than Windows servers.

OK, I'm deliberately ignoring the rest of what you wrote here, but - To use the old Windows fanboy argument "Could that be because no-one uses Windows Servers for anything serious?"

Vulnerability counts are useless without severity ratings. If those 3500 vulns are all low-risk (potential DoS maybe?) that's still a lot better than having 1 critical vulnerability. I can't be arsed to look it up, but I suspect there may be an element of that (though some of those 3500 should, statistically, be high-risk).

I'll finish by pointing out that I'd fully expect something that's had 10 years of security fixes to have a low vulnerability count.

But you go back to your FUD spreading, I've other things to be doing

3
1
Silver badge

Re: I suppose

"iPhone and Linux are secure, real devs program for those environments."

Now I know that you're an idiot. Having spent a merry month last September sorting out vulnerabilities in some code written and running on a Linux platform, I can tell you that there are good and bad programmers everywhere.

1
1
Silver badge

Re: I suppose

@RICHTO. I'm not sure that what you post really makes much difference (I haven't checked your figures). There certainly are vulnerabilities for both Linux distributions and Windows Server. A competent cracker will be running through all the latest ones if they're targeting your servers. Whilst number of vulnerabilities is obviously relevant, the far more significant factor is actually how quickly they are updated and how rigorous the sysadmins are in both applying those updates and in configuring things right in the first place.

I use Linux servers for the time being (I have one Windows Server I was asked to set up for a colleague) but I would take a Linux server managed by someone who knew what they were doing and wasn't overworked, over a Windows server managed by a different person, and vice versa any day of the week.

Show me stats not on numbers of vulnerabilities, but on how quickly they are made available to the users, and you might start to convince me. But other than that, Sysadmin competency is the first weakness, ime.

(Caveat: I am a programmer and a project manager, not a sysadmin. But I've known enough).

1
1

This post has been deleted by a moderator

Anonymous Coward

Re: I suppose

@Eadon: The second sign of someone who doesn't know what they're talking about on security is when they say things like:

"iPhone and Linux are secure, real devs program for those environments."

When you live in a glass house, don't throw stones, OK?

1
1

This post has been deleted by a moderator

Silver badge

Re: I suppose

"Hiding behind AC RICTHO?"

I doubt it. You made the argument that if someone is a Linux developer they are a good developer and if they are a Windows developer they are a bad developer. That is so laughably stupid that anyone might point it out.

But as a Linux developer, I thank you for the compliment. (Idiot)

1
1
Facepalm

Re: I suppose

"And as to Linux - that's about as bad as it gets. For instance SUSE 10, over 3,500 known vulnerabilities. Hence why internet facing Linux servers are much more likely to be exploited than Windows servers."

If you know anything about Linux distributions then you would know that most distributions maintain a repository of thousands of non-core OS programs - only a fraction of which are needed to be installed to function as an "internet facing Linux server".

Your homework is to work out which programs are required in an "internet facing Linux server" and tally up the corresponding vulnerabilities and come back with a figure much lower than "over 3,500".

1
0
Bronze badge
Mushroom

Re: I suppose

Jeff Jones already did that analysis several times. Linux has more vulnerabilities that are on average more critical and take longer to get fixed (more days at risk) than Windows. Even with a 'package adjusted' Linux distribution that matches the functionality that Windows Server has in the box this is still the case.

0
2
Bronze badge
Mushroom

Re: I suppose

Here you go: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-02-77-29-91/vista_2D00_one_2D00_year_2D00_vuln_2D00_report.pdf

0
2
Silver badge

Common problem of App-Stores

If they don't select, you'll have malware. If they do select, it's usually seen as unfair and/or censorship.

The problem is that the selection is done by an outside central organization you have to trust.

Linux distributions like Ubuntu and Debian do it differently. They select packages for you, and you can get involved in that, if you want. If you don't trust a certain distribution or repository, you can simply go to another one, or even use multiple repositories at the same time.

1
0
Bronze badge
Mushroom

Re: Common problem of App-Stores

Select packages for you - so that would be selecting like Google, Apple and Microsoft then (with various levels of control)

Use multiple Repositories - like unlocking an Android handset you mean?

So basically they do it exactly the same, except they seem to be better at blocking crapware than Google...

1
4

Re: Common problem of App-Stores

It's the control that makes the difference.

None of the App-Stores actually 'select' in truth, apps are submitted and they are either approved or rejected (in the case of Google, simply the former).

Using multiple repos isn't that dissimilar to allowing an Android handset to install from external sources (don't know why you said unlock, have you ever actually used one?), but it's also not exactly the same. It's vaguely similar to installing a different App-Store, I guess, though it still doesn't quite translate.

0
0
Joke

That's the great thing about Windows Phone

The rapid development abilities for malware writers - one of their biggest developer groups!

1
0
Holmes

Due to be demonstrated on 24 November

But no point in waiting until it actually is news, I suppose?

Just another eleven days, and there may be a story, instead of some guesses.

1
0