Programs for BlackBerrys, iPhones and Android devices may be secretly accessing sensitive data.
By Andy Greenberg
As smart phones start resembling full-fledged computers, cybersecurity researchers say it’s only a matter of time until digital criminals redirect their spyware schemes from PCs to the moving targets in our pockets. When that assault begins, those researchers say it may come in through the front door: the app store.
At two recent cybersecurity conferences, researchers demonstrated applications designed to show just how much personal data a rogue smart phone app could access. Though companies like Apple, RIM and Google say they filter those programs for spam and malware, researchers argue it may be all too easy to slip a data collection function into an otherwise innocent-seeming app.
At the Black Hat conference in early February, Nicolas Seriot, a cybersecurity researcher at the Swiss University of Applied Sciences, showed off a proof-of-concept app that probes how much personal information an application on Apple’s iPhone can reach. His program, called Spyphone, can pick up the user’s contact list, phone numbers and e-mail addresses, as well as the phone’s location derived from nearby wi-fi networks and GPS, functions that he says could easily be tucked behind a game or another innocuous facade.
“You don’t want to use a device where the Breakout game you’re playing is secretly accessing and modifying your address book,” says Seriot.
Days later at the Shmoocon security conference, Veracode security researcher Tyler Shields showed off a similar trick for a BlackBerry, using an app he’d written called TXSBBSpy that can monitor calls, text messages, Web browsing history and even activate the device’s microphone. “Imagine a free voice recorder app,” says Shields. “If they’ve implemented the microphone function, they can listen to whatever they want and exfiltrate the audio data.”
There’s no doubt, Shields says, that phones are still much safer from spying software than PCs, which allow software to be installed from any source, often invisibly, as in the case of “drive-by downloads” by infected Web pages or booby-trapped e-mail attachments. But the wide privileges given to phone apps still create exploitable vulnerabilities in devices, says Shields.
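The data the two demos went after (contacts, location, microphone, text messages, call history) is exactly what a platform's permission system governs, and on Android an app must declare each of those privileges in its manifest before the system will grant them. The article does not discuss that mechanism; the script below is an added example, not code from the article or from either researcher, showing the check a reviewer can run on a decoded AndroidManifest.xml: list what the app asks for, flag the permissions that reach sensitive data, and note whether it also holds the INTERNET permission that would let it send the data off the device. It assumes the manifest has already been decoded from the APK's binary XML into text (a tool such as apktool does that); the two "Breakout" manifests are constructed for the example.

```python
"""Audit a decoded AndroidManifest.xml for permissions that reach the kinds of
data the SpyPhone and TXSBBSpy demos collected, plus the network permission an
app would need to exfiltrate what it gathered.

Added example; not the article's or either researcher's code. Assumes the
manifest is already plain text (decoded from the APK, e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # android:name, namespace-qualified
INTERNET = "android.permission.INTERNET"

# Real Android permission names -> our own label for the data each unlocks.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts (read)",
    "android.permission.WRITE_CONTACTS": "contacts (modify)",
    "android.permission.ACCESS_FINE_LOCATION": "location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (cell/wi-fi)",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.PROCESS_OUTGOING_CALLS": "outgoing calls",
    "android.permission.READ_PHONE_STATE": "phone number and device identifiers",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)]


def audit_manifest(manifest_xml):
    """Map requested permissions to data categories and check for a network path.

    'collects_and_exfiltrates' is True only when the app can both read some
    sensitive category and reach the network; either alone is not a finding.
    """
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p]
                 for p in requested if p in SENSITIVE_PERMISSIONS}
    return {
        "package": root.get("package"),
        "requested": requested,
        "sensitive": sensitive,
        "categories": sorted(set(sensitive.values())),
        "can_exfiltrate": INTERNET in requested,
        "collects_and_exfiltrates": bool(sensitive) and INTERNET in requested,
    }


# Constructed manifests: a "Breakout" game asking for far more than a game
# needs, and the same game asking only for what it needs.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.breakout">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Breakout"/>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.breakout">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Breakout"/>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(text)
        print(report["package"], "->",
              report["categories"] or "nothing sensitive",
              "| network:", report["can_exfiltrate"],
              "| collects and exfiltrates:", report["collects_and_exfiltrates"])
```

The manifest is an upper bound, not proof of behaviour: an app that declares READ_CONTACTS may never touch the address book, and one that does not declare it cannot read contacts through the official API. A game that declares contacts, location and network access is the mismatch to look for; confirming what the code actually does with those privileges still takes a look at the binary or at its traffic.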
As the app store model spreads beyond phones to devices like Apple’s iPad, surreptitious data collection techniques could start to creep into some apps. “There’s really no transparency and a false sense of security,” says Shields.
The threat of spying app store programs is mostly theoretical, but researchers cite a few early instances of the scheme. In September of last year iPhone users told French blog Mac4Ever that a traffic-monitoring application called MogoRoad surreptitiously grabbed their phone numbers and called the user to try and persuade them to upgrade the free software to a paid version. Just two months later, iPhone users filed a class-action lawsuit against game developer Storm8, whose software was collecting their phone numbers. Storm8 later claimed that it had only taken the numbers to identify specific devices, and it removed the feature.