Windows Mobile Security News is still, well...News!
Meet the so-called "trojan" WinCE/InfoJack...
If a trojan aimed at WM fails in the wild, is it still a trojan? Yep, it is, if that's what really happened. That part is still not exactly clear, at least to me. Last week, Pocket PC Thoughts reported on a Windows Mobile malware sample discovered in China that appears to have acted like a trojan: it disabled Windows Mobile's installation security (the code-signing check) and exfiltrated device information to the author of the code. The program's author claims to have needed the info to determine which mobile platforms were accessing the vendor's website...uh-huh, whatever... The trojan was bundled in amongst apps like Google Maps, which is a little scary, and I commend Paul Martin at Thoughts for having the temerity to report it (even if a bit tongue-in-cheek). The subject of protecting WM from a viral attack is considered by many in the industry to be a somewhat quixotic pursuit. The comments and follow-up blogging on Thoughts even point an accusatory finger at McAfee's Avert Labs for either drumming it up, or at least hyping it. I asked Seth Fogie, one of the guys at Airscanner, what he thought about all this. Airscanner is one of the few Windows Mobile security vendors out there still on patrol. He now has me more worried about using the free remote control program "MyMobiler" than about downloading a trojan. Maybe it was better to stay ignorant...
WinCE/InfoJack installs an autorun on your SD card...yikes!
OK, so the internet sky isn't falling, nor are the seas boiling with mobile bots and worms ready to fry our handhelds alive and burn our eyes out of our skulls in the process, but that's not to say that a major Windows Mobile infection with a destructive payload is not possible. It is possible, just apparently not that attractive (yet). There are more devious things that can be done on a mobile platform, though, if you stop to consider it: spying, for instance. A cell phone usually has a GPS, camera, microphone, etc., and is designed almost totally around the concept of quick messaging. I asked Seth if Airscanner's protection suites could have stopped the InfoJack trojan behavior, and about WM security in general. See Seth's eye-opening responses below:
"This is a tricky one. It is real, but was it malicious?

The software really didn't do anything malicious in nature. It did make some changes that turn off code signing, but for what would seem to be a valid reason. Autorun is long known about. However, the post fails to mention that when the autorun executes, the system the card was inserted into will still have code signing enabled, which will cause the device to toss up the code signing prompt with a warning that a potential piece of malicious code is running...

While our software would not have detected this, simply because it wasn't really a threat, we are taking the prudent approach and adding a check for any exe that messes with the specific registry settings that control code signing.

Ironically, there are much bigger and more realistic threats out there. For example, MyMobiler...a free download that allows remote control of a device includes an undocumented FTP server with a static user/pass of admin. While the software is not malicious, it could be exploited to be so...

So, in short - InfoJack, while irresponsible, is probably not malicious."
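The autorun vector Seth refers to is worth being able to check for yourself. Windows CE and Windows Mobile run `\<card>\<processor-type>\autorun.exe` when a storage card is inserted, and `2577` is the processor-type directory for the ARM/XScale devices practically every WM handset uses. The script below is an added example for this post (not Airscanner's code and not derived from the InfoJack sample): it scans a card, or a directory copied from one, for autorun executables in numeric processor-type directories and prints their size and SHA-256 so you can compare against a known-good install. The `build_sample_card` helper constructs a fake card layout with a placeholder `autorun.exe` so the script runs offline; it is not a real dump.

```python
"""Scan a storage card (or a directory image of one) for Windows CE autorun
executables.  Added illustration for this post, not Airscanner's code and not
derived from the InfoJack sample.

Windows CE / Windows Mobile runs \\<card>\\<processor-type>\\autorun.exe when a
card is inserted; 2577 is the processor-type directory for ARM/XScale devices.
"""
import hashlib
import os
import tempfile

# Processor-type directory names the OS looks in.  Only the ARM value is
# listed; any other numeric directory is reported as "unknown" rather than
# guessed at.
KNOWN_PROCESSOR_DIRS = {"2577": "ARM/XScale"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_autoruns(card_root):
    """Return one record per <digits>/autorun.exe found directly under card_root."""
    hits = []
    for name in sorted(os.listdir(card_root)):
        sub = os.path.join(card_root, name)
        # Only all-digit directory names are candidate processor-type folders.
        if not (name.isdigit() and os.path.isdir(sub)):
            continue
        for entry in os.listdir(sub):
            if entry.lower() == "autorun.exe":  # FAT cards are case-insensitive
                path = os.path.join(sub, entry)
                hits.append({
                    "dir": name,
                    "processor": KNOWN_PROCESSOR_DIRS.get(name, "unknown"),
                    "path": path,
                    "size": os.path.getsize(path),
                    "sha256": sha256_of(path),
                })
    return hits


def build_sample_card():
    """Constructed sample card layout (not a real InfoJack dump): an ARM
    autorun stub plus an ordinary photo folder that must not be reported."""
    root = tempfile.mkdtemp(prefix="card_")
    os.makedirs(os.path.join(root, "2577"))
    with open(os.path.join(root, "2577", "autorun.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # fake 64-byte PE stub, constructed
    os.makedirs(os.path.join(root, "DCIM"))
    with open(os.path.join(root, "DCIM", "img001.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # JPEG magic only, constructed
    return root


if __name__ == "__main__":
    root = build_sample_card()
    for hit in find_autoruns(root):
        print(f"{hit['path']}  ({hit['processor']}, {hit['size']} bytes)  "
              f"sha256={hit['sha256']}")
```

Point it at a mounted card (`find_autoruns("/media/card")` or the drive letter under Windows) instead of the sample; a hit is not proof of malice, since legitimate installers use the same mechanism, but an `autorun.exe` you did not put there is exactly what the InfoJack story is about, and the hash lets you check it against a copy you trust.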
In addition to being one of the few vendors in the WM software space to develop their own brand of mobile security products (Anti-Virus, Sniffer, Encryption, etc.; also an SP&PPC Mag 2007 Best Software Award winner), Airscanner's experts have a trove of security-related articles available at their site. Seth also shared a few nuggets of an upcoming report on a mobile application called FlexiSPY (and its vulnerabilities to being exploited). The app offers remote mobile monitoring as a feature (which I could see law enforcement growing interested in), but could easily be hijacked to allow malicious activity and the injection of false information into the backend logs of the e-mail, chats, and messaging that the app monitors. Now that's scary. The full report is not yet releasable, but when I get the green light, I promise to post back and share some excerpts. What do you think about the state of WM security? Is it really as safe as we think, or are we coming to the end of the quiet years?
- Nate Adcock's blog