Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Expensive malware appears for Microsoft's Windows Mobile

Malware embedded into legitimate-looking games designed for Windows Mobile has appeared, automatically dialing up foreign telephone services to ring up hundreds of dollars in illicit charges for users behind their backs.

The discovery, reported by John Hering of the Lookout security firm, was covered in a report by Reuters, which inaccurately described the malware a "virus" and misleadingly referred to the exploit as being orchestrated by "hackers."

In reality, the malware was simply the product of malicious mobile software developers who misrepresented their work as safe, and distributed it through "sites that provide legitimate software for mobile devices."

No malware for iPhone, despite its market share

The fraudulent mobile software for Microsoft's smartphone platform punctuates the warnings Apple has been sounding about security-free software distribution, and underlines why the company has maintained a strict policy that forces iPhone mobile developers to get their work approved by and cryptographically signed for distribution by Apple itself.

Critics have chafed at Apple's secure software signing model and have praised Google's alternative Android model, which enables users to download software from any source, without any security model in place, at their own risk.

The appearance of malware on Windows Mobile is particularly interesting because the motivation of this assault was entirely financial. That being the case, the fact that the malicious developers targeted Windows Mobile, which is almost entirely limited to the US and now trails Symbian (42%), RIM (21%), and Apple's iPhone OS (15%) in market share (9% over the last year), throws decades of Windows-based punditry on its head because "malicious hackers" supposedly only target the largest platform.

Mobile security evolving

Symbian, long the global leader in smartphones, was actually targeted by Cabir, one of the first real viruses to spread among smartphones. However, that discovery lead to a stronger push for platform security, which resulted in support for mandatory code signing in the Symbian OS 9.

RIM also includes code signing in its BlackBerry SDK, a model Apple followed and expanded upon with a much less expensive code signing program and app approval process than those that were in place at Symbian and RIM when the iPhone 2.0 SDK and iTunes App Store debuted two years ago.

Like Android, Windows Mobile offers some optional code signing capabilities but does not enforce these, enabling users to find and install software without any proof of its security or legitimacy. Both also therefore have no mechanism for killing an app that goes rogue after it has been distributed.

So far, Apple has never revoked a developer's certificate or killed an active app installed by users, even for apps it has retroactively removed from the App Store for reasons other than being malware. Apple has pulled apps from iTunes that have violated its privacy policies in invasive but not malicious ways until the developer addressed the issues.

iPhone security features deter malware

Just the fact that Apple has a real security policy in place for iPhone mobile software in its iTunes App Store serves as a strong deterrent for rogue developers from even attempting to distribute malicious iPhone OS software like the tainted games discovered for Windows Mobile.

Jim Finkle, writing for Reuters, claimed that "hackers are increasingly targeting smartphone users as sales of the sophisticated mobile devices have soared with the success of Apple Inc's iPhone and Google Inc's Android operating system," but in reality, any attacks aimed at iPhone users are not software based expressly because of Apple's strict security policy, and must be limited to social engineering exploits that prey upon people directly, rather than infecting their devices with malware.

Android users (just like Mac and Windows users) have no similar security protection in place, and should be very careful about downloading software, even from legitimate appearing websites. Unlike desktop malware, which is somewhat limited in the scope of damage it can cause, mobile malware has the ability to rapidly run up very expensive mobile bills for weeks before the user is likely to even notice a problem.



92 Comments

technohermit 18 Years · 563 comments

Yet another reason I'm looking for Little Snitch for iPhone OS. I'd like to know what is being sent out; I will determine if it should go through, thank you.

stevetim 16 Years · 482 comments

when i get windows mobile 7 should i install norton, mccafee or avg anti-virus on my phone?

planet blue 14 Years · 53 comments

What a crappy article. Should we have Apple tell us what we can and cannot put on our Macs too, so we never get a virus? This article just reeks of desperate justification for Apple’s policies.

I love Apple as much as the next guy, but damn, I just cannot handle when people claim censorship and gate-keeping are positive things.

"They who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” - Benjamin Franklin

Can’t the solution be to let us check a box to install unauthorized apps, a la Android? Seems like the best of both worlds. Apple stops taking heat, and it would be the users liability if stuff like this happened. At the same time, it would allow for some of the amazing Cydia apps to get a broader audience.

anantksundaram 18 Years · 20391 comments

Quote:
Originally Posted by Planet Blue

What a crappy article. Should we have Apple tell us what we can and cannot put on our Macs too, so we never get a virus? This article just reeks of desperate justification for Apple?s policies.

I love Apple as much as the next guy, but damn, I just cannot handle when people claim censorship and gate-keeping are positive things.

"They who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.? - Benjamin Franklin

Can?t the solution be to let us check a box to install unauthorized apps (*cough* Android *cough*)? Seems like the best of both worlds. Apple stops taking heat, and its the users liability if stuff like this happened. At the same time, it would allow for some of the amazing Cydia apps to get a broader audience.

There are lots of 'uncensored' choices out there for people like you, and you should go there for your smartphone experience. I am (and millions like me are) perfectly happy with my (our) experience.

And, there is no need for drama-queen quotes over something as trivial as this.

As for Android, their similar problems are just beginning. See this report from today's Wall street Journal: http://online.wsj.com/article/SB1000...ses+phone+apps

Good luck.

market_player 14 Years · 138 comments

Quote:
Originally Posted by Planet Blue

What a crappy article. Should we have Apple tell us what we can and cannot put on our Macs too, so we never get a virus? This article just reeks of desperate justification for Apple?s policies.

I love Apple as much as the next guy, but damn, I just cannot handle when people claim censorship and gate-keeping are positive things.

"They who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.? - Benjamin Franklin

Can?t the solution be to let us check a box to install unauthorized apps, a la Android? Seems like the best of both worlds. Apple stops taking heat, and it would be the users liability if stuff like this happened. At the same time, it would allow for some of the amazing Cydia apps to get a broader audience.

Apple's act is a very simple one for you to make a decision on then mate, don't buy an iPhone.

Problem solved.