Possible security hole for Dialers/troyan horses

[Krzysztof Kajkowski]

2007/3/1, Bartlomiej Zdanowski AutoGuard Ltd. <b.zdanowski at autoguard.pl>:

>  THAT IS THE PROBLEM. Bigger than phone theft. That's why commercial phone
> manufacturers don't allow to access all the phone for java apps. To disallow
> hidden calls and smses.

IMHO this is not main reason why commercial manufacturers don't allow
access all phone for java apps but this is not the point. We have
similiar situation in Linux - we can download software from net,
install it (even on user account) and run it without knowing that it
makes some nasty stuff in the background (for example sending spams).
Such trojan are not so popular, why? I think it's because openess of
Linux and it's apps and that they are not spreading automaticly. As
for the first reason - most of us don't bother to download closed
source apps for linux. If we do, we download it from big vendors such
as Sun, VMware etc. I doubt if anyone would be stupid enough to run
binary from unknown source. Second reason if that trojan which
requires human to spread are not likely to emerge in big numbers
(epidemic).

I think that such appilcations (dialers etc) are not likely to wide
spread. Main source for applications for OpenMoko will be official
repositories and GSM providers. For first source we would have source
code to review. On the other hand GSM operators and other software
vendors should not add malware to its apps - it would kill them in the
long run. However there might be such attempts to create GSM trojans
and we should be aware to enable user to protect itself. The question
is how to do that?

What do you think?

cayco