Last summer, an enterprising app developer named Nick Lee created Handy Light, an iPhone flashlight app — one of many that simply turns the phone’s display into a bright light.
However, Lee, who was 15 years old at the time, added a hidden function to the app, which sold for 99 cents.
If the user adjusted a few settings and tapped a special color-coded sequence, Handy Light would secretly allow users to share the iPhone’s wireless Internet connection with other devices – a feature called “ tethering,” for which cellular carriers normally charge an extra $20 per month. Apple quickly pulled Handy Light from the App Store.
For the past several months, users of Android phones in China have been plagued by malware embedded in pirated apps found on third-party websites. Security experts have advised Android owners to download apps only from Google’s official Android Market.
That advice was good until last Tuesday (March 1), when no fewer than 50 infected apps were found in the Android Market itself. All secretly carried a nasty form of malware called DroidDream, and the Android Market now looks no safer than a back-alley electronics stall in Shanghai.
Under the radar
George Kurtz, chief technology officer with security software vendor McAfee, said it’s really quite easy to slip deceptive or malicious code into software, and then have it approved and made available in authorized app stores.
To prove his point, Kurtz took to the stage at a recent security conference to demonstrate a second flashlight app, this one created as a “proof of concept” by McAfee developers.
“We thought, ‘If someone could get a flashlight through the approval process that had wireless modem capabilities, what could the bad guys do?’” Kurtz said.
McAfee’s demonstration app searched Twitter for a specific hashtag. If it got it, the app would then go to a website to grab scripting language — used typically for games — supported by both Android and Apple’s iOS, which runs iPhones, iPads and iPod Touches.
“Once that script was downloaded, it turned the flashlight into a bot,” Kurtz said.
The phone was now able to be controlled remotely, in the same way that an infected “zombie” PC is controlled by a human “bot herder” and can become part of a “botnet.”
McAfee’s demonstration app was never intended for public release, but Kurtz thinks if it had been, it would have easily been approved by Apple’s App Store.
“I am confident it would have gone through,” he said, “because the code wasn’t part of the app until it was actually installed and loaded new script.”
(Unlike the App Store, Google’s Android Market does not pre-screen apps and instead relies on consumers to report problems.)
The ability to add malicious code after an installation that clears antivirus checks is one reason Kurtz thinks smartphone and tablet apps are where we’ll see the next big wave of malware.
DroidDream, the Trojan found in the Android Market this week, does just that. Some experts think it’s just a downloading shell, ready to remotely install any kind of malware on Android phones.
But even with the best app-vetting process — and especially with the explosion of growth in app development for different platforms — it’s difficult to catch every nuance in each new app submitted.
Privacy protections
Turning phones into bots isn’t the only issue to be concerned about, Kurtz adds.
“There are many apps that have privacy concerns, and people are wondering, “What information is that app exposing?’” he said. “If you have apps that interact with your contacts or e-mail or Twitter account, what information can the app creator get from your phone? It’s not just about security, but also about privacy.”
Apple’s App Store has a tight approval system, and iOS has the advantage of being a partly proprietary operating system. Apple tests submitted apps before release to make sure they don’t misbehave; Handy Light likely got through because the hidden feature’s activation was so complicated.
Apple’s review guidelines discuss a long list of regulations new apps must follow (they must not be offensive; they need to work across the iOS platform). But the guidelines say nothing about checking each app’s source code, which might have caught Handy Light (if not Kurtz’s code-altering proof-of-concept).
Research In Motion’s BlackBerry App World also uses a proprietary operating system and a strict approval process for apps.
Android, however, is an entirely open-source platform that already has seen numerous issues involving malicious code. And unlike BlackBerrys and iOS devices, which are tied to their authorized stores, Android devices allow the installation of apps from anywhere.
In the rapidly evolving smartphone field, security is often sacrificed for the sake of convenience. Phone manufacturers, wireless service providers, platform and app developers and retail stores are all trying to make as appealing an experience as possible, and in many cases the burden of security is placed on the least knowledgeable party: the consumer.
“I don’t think it is any secret that we’re going to see more malware introduced into the marketplace,” Kurtz said. ”Frankly, the bad guys are going to get better.”
- Android Malware Spreads From China to the U.S.
- Security and Privacy Software Review
- Track Your Cheating Spouse With New Phone Spying Software