BBC experiments with mobile spyware as it creates and tests a malicious application

The deliberate development of a malicious smartphone application by the BBC has demonstrated how easy it is to spy and steal from owners.

A report by the BBC said that it had built an application using standard parts from the software toolkits that developers use to create programs for handsets. With application stores revealed to have been hosting suspicious apps, it was claimed that the use of standard toolkits is making malicious applications hard to spot, as programs will use the same functions.

BBC News technology correspondent Mark Ward explained that he re-worked some existing code to develop a ‘program that does not look great but gets the job done'. The results were a crude game of noughts and crosses that gathered contacts, copied text messages, logged the phone's location and sent it to a specially set up email address.

Chris Wysopal, CTO of Veracode, helped the BBC with its project. He has previously warned that applications can be used maliciously and recently called for application stores to be clearer on whether they are testing for security flaws or not.

Talking to SC Magazine, Wysopal said that Veracode had created spyware as part of its research with developer Tyler Shields who was preparing a presentation on the subject, and the BBC reporter said that he was interested in creating some spyware.

Wysopal said: “We pointed him to some public resources and some sample AIMs and SDKs but we did not write it, the biggest input we had was helping him write code in Java. This was only put on one phone; I don't think it is ethical to put it out for other people on the web.”

In this instance, the spyware took up about 250 lines of 1,500 making up the entire program. The code was downloaded to a single handset but was not put on an application store. All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.

Last year the BBC's technology programme Click was criticised over its decision to acquire a botnet to send out spam to two specific test email addresses. Many security vendors and researchers were critical of this action; among them was Graham Cluley, senior technology consultant at Sophos.

Asked if this experiment would warrant such a backlash, Cluley said: “As far as I can tell they haven't done anything ‘wrong' as such. In other words, they haven't broken into people's computers without their permission, or put the public at risk through their behaviour.

“As far as I can tell, this was a ‘laboratory' experiment done as a proof-of-concept.  Of course, it didn't prove anything that we didn't already know - but there's no denying that it will have helped raise awareness amongst some people that such things are possible.”

Asked if the use of available software would make similar malicious applications harder to detect, Wysopal said: “It is a real challenge to spot the difference between a legitimate application and a malicious application. It can look legitimate as it looks like a real application and does not use any other APIs.”

The journalist in this instance was not a code writing expert, asked if this represented how easy Java was to use for a novice, Wysopal said that Java is pretty easy to figure out for anyone who has done any programming at all, and anyone can create an application.

Asked if ultimately research like this could raise awareness, Wysopal said: “Yes I think it does, one of the things about it is that it is so easy and I think that this proves that you don't need to be a head of state or be government sponsored to create spyware and I hope it does raise some eyebrows.”

Sign up to our newsletters