
BBC creates ‘spy’ app to highlight smartphone security issues

by Sarah Griffiths on 10 August 2010, 13:19


Malicious apps hard to spot

The BBC discovered that making a malicious app was surprisingly easy. It reportedly downloaded a popular app development kit, gathered bits of code already on the web and learnt the basics of Java to program the app.

"It was possible in a few weeks to put together a crude game that also, out of sight, gathered contacts, copied text messages, logged the phone's location and sent it to a specially set up e-mail address," the BBC said.

The broadcaster said the app, in which 250 of the 1,500 lines of code were spyware, was only downloaded onto handsets and not made available on any app stores, even though all the info-nabbing parts are legitimate functions, here used for less admirable purposes.

Wysopal reportedly said: "That's kind of the scary thing, the face of the application, be it a game or a simple application that is for fun, can have behaviour that is not visible at the surface."

He told the BBC that spyware-ridden apps have been downloaded from app stores, but that the large stores do try to police the software they offer.

Apple's strict rules on apps may be frowned upon by open-source fans, but it reportedly scrutinises and rejects apps that fail its coding and commercial tests, while Google insists all its Android apps make it clear what information they intend to gather. In fact, Google and RIM have the power to switch off any Android or BlackBerry apps that seem malicious.

Experts warn it can be tricky to spot booby-trapped apps, as plenty of legitimate ones use location data and contact lists too. Worryingly, some which link to Facebook can open up even more info for apps to steal.

They also reportedly predict the number of booby-trapped apps will grow, as it is much more time-effective for hackers to steal or adapt popular free apps that attract large numbers of people than to build their own from scratch.

App makers reportedly said over 95 percent of software users choose pirated versions, increasing their chances of catching spyware.

UPDATE - 16.00, 10 August 2010

Norton issued a statement in response to the BBC's experiment, penned by one of its security experts:

"Smartphones do pose a greater risk for the potential exploitation and invasion of an individual and their identity. The smartphone is a truly personal device. The fact that it also has a camera and a microphone provides two new vectors for hackers to exploit people. There is an explosion in applications (apps) and Android is growing really fast, but who is vetting these apps? If you install an app on an Android device you are confronted with a number of screens pointing out that the app will have access to your smartphone. People do not understand what is going on and, for the moment, they don't really care."

 - Con Mallon


