Possible security hole for Dialers/troyan horses

Todd W trwww at sbcglobal.net
Thu Mar 1 19:38:37 CET 2007

From: Bartlomiej Zdanowski AutoGuard Ltd.

> While thinking of antythieft protection we came to some ideas about
> sending smses with stolen phone GPS coords. There were some
> ideas about silent voice calls with message that the phone is stolen.
> (for details see thread Itch3: Anti-lost/theft protection). But at this
> point we came to a serious problem of open phones. Sooner or later
> someone will write a Troyan Horse or some king of dialer (like for
> PC) looking like a solitaire or sth. When you will be enjoying free
> game it will send a bunch of smses for paid numbers or make expensive
> calls. THAT IS THE PROBLEM. Bigger than phone theft.

That's the problem with malware in general. You can't engineer stupidity out 
of your users. If you send your credit card number to shoddy looking web 
storefronts, you'll eventually have your identity and money stolen. If you 
open every email attachment sent to you from Timbuktu, expect that you are 
sharing your computer with every 419 scammer on the face of the earth.

> ...That's why commercial phone manufacturers don't allow to access
>  all the phone for java apps. To disallow hidden calls and smses.

I don't understand why people think this. I haven't ran in to a phone yet 
that I couldn't run my own apps on. A particular account may not have the 
proper level of network access, but that has nothing to do with the 
capabilities of the phone. Please stop spreading FUD.

> I suppose that access to calling, smses and gprs data cannot be disabled
> but at least we can add menu entry with summaries and statistics which
> application made calls and sent smses. Openmoko kernel should log any
> transmissions with it's length and cost (if such data is available).

Every phone I have seen keeps a log of calls made and messages sent. Web 
based account manager apps provide the same data. The monthly bill does 
also. I'm not understanding what else you would need?

> What do you think?

I think you are making a mountain out of a molehill. 

More information about the community mailing list