Prototype malware for Windows Phone 8 OS allegedly created

Details are murky but according to the site Naked Security, a young “ethical hacker” named Shantanu Gawde has created the world’s first Windows Phone 8 malware. The program can reportedly “…steal contacts, upload pictures and steal private data of users, gain access to text messages etc.” and details about the exploit will be revealed at the Malcon security conference in New Delhi, India, later in November.

Gawde is evidently a well-known computer prodigy, being, at age 16, the world's youngest Microsoft Certified Application Developer (MCAD). More impressive still, he earned that designation when he was 7. Microsoft has been made aware of the presentation but not of its details, and is promising action on any weaknesses found, should they prove to be legitimate concerns.

Windows Phone 8 is theoretically more secure than its predecessor thanks to secure boot and native 128-bit BitLocker encryption, though there is one area where a potential hole could be exploited: sideloading XAP files via the microSD card. Though most Windows Phone 8 devices don’t even have a microSD slot, in theory files can be loaded from the card via the Store app. The only other options would of course be an exploit that slipped past Microsoft’s Store certification, or a weakness found in the browser.

We’ll just have to wait for Gawde to reveal his cards in a few weeks to see whether this is a one-in-a-million weakness or something every Windows Phone user should be concerned about. Either way, no matter what happens, we’re still confident that Windows Phone 8 is more secure than Android. And that platform’s security weaknesses have not hindered its sales one bit.

Source: Naked Security


Reader comments

  1. We don't know what the exploit is yet, so whether or not the Store is implicated is far from clear
  2. The program itself is uninteresting, it's the method of the exploit which could theoretically be replicated by anyone, should the details be revealed
  3. Obviously he's not going to release the code but someone else may figure it out
  4. Security holes are still security holes. It's the degree to which it can be exploited that is of concern.
  5. Programs, even legitimately installed and signed, should not be able to do what he is alleging

“…steal contacts, upload pictures and steal private data of users, gain access to text messages etc"
Aren't these APIs built into the operating system? Doesn't seem like it would be hard or even an "exploit" to do this. People would be pissed if their third party applications weren't allowed to access photos or the internet, which is all you need to do what this "malware" does.

It really depends. Everything can be hacked etc. with the right access. If this requires an app to be installed, then it's no big deal. That's the reason Apple & MS decided on controlled store fronts. A browser-directed malware exploit would be bad, but even iOS had an issue with that not long ago. They are easily fixed.

I find it crazy that he doesn't release the details of the issue to Microsoft before showing the exploit to the PUBLIC. That means any hackers could use the exploit before Microsoft makes a fix.

there are new ways to install apps in WP8 that don't require a dev unlock but do require a company app to install through. so it's not like malware can really get in from there

WP may be more secure and Android undoubtedly less so, but you can be sure the mainstream tech press will turn the story on its head and try to portray WP as the more vulnerable OS, conveniently ignoring the multitude of Android malware and confirmed infections to date.

Possible although I think the public has made it clear that they're not too concerned about security on smartphones, despite the negative press for Android about privacy.

And WP8 *is* a brand new OS, so there could be some serious holes that need to be filled. That is totally plausible.

Would not be surprised if this turns out to be one of those 'IF you do this (not normally possible) and then IF this is available (not under normal circumstances) and IF you then are are able to access that (not normally possible) by going through this (not normally available) you MAY be able to get to this info provided you can get out of THIS (not normally possible).'
The average journalist will then paraphrase to; 'You can steal THIS, so WP8 is a security risk'

I fail to see why this sort of hacking person, if they are so innocent, just doesn't give the information to Microsoft. All that publishing about it does is spread the information about the weakness around to people who want to exploit it.

I gotta feeling this is gonna turn out like the infamous SMS bug. No credible source confirmed it, no one has seen it in the wild or has been able to reproduce it, Microsoft never officially patched it and the world has forgotten about it.
And also, the kid might just be looking for another 15 minutes of fame.

I can't say I'm surprised. I've been expecting something like this to happen ever since they merged Windows Phone with the NT kernel. That opened up a whole host of new vulnerabilities that weren't there using the previous CE kernel.

Encryption does nothing for addressing malware concerns, you do know this, right? There were no vulnerabilities in WP7 that could get at all of your contacts and images. It simply never existed.
WP8 is barely out for a week or two and already this vulnerability sprouts its ugly head. Switching to the NT kernel did some awesome and amazing things for the platform. It also allows for more cross-platform exposure to malware and other vulnerabilities as well due to the tightly shared kernel.

How do you know WP7 didn't have problems?

Oh, that's right. You don't. The fact that hackers can "fully unlock" ROMs through exploits shows that WP7 is far from bulletproof.

Jesus christ people, chill the fuck out. You're acting like I just punched your first-born child.
You better get used to what I'm saying, because I guarantee you'll see more news of this.

Meh... To be honest, I've never quite believed the hype on this kid. MCAD is not as hard as it seems since there are cheat programs you can use to study, and when I took mine, the class was pretty much a rehearsal for the test. And when I say rehearsal, I mean it was pretty much the test, only the questions were out of order... No real learning.

The kid got his MCAD at the age of 7!! That is impressive and worth the hype considering what I did when I was 7! Now let's hear what you did when you were that young...

Better now than later, windows any day over android, don't have to check every single app for malware...

You could have ended the article without the jab at Android... just saying. It had nothing to do with the article but you shoehorned it in. Phil would be sad, sir!

@futurix, Yeah and here in the US, childhood rocks! Struggling with broken families, being bullied at school and kids having unsafe sex at 10 and 11 is not very cool either. 

This is what I deal with in India... I remember my teachers telling me to work hard after this guy was in the news... It ain't easy to be an Indian...

Thank you Mr. Gawde for being a good hacker instead of a bad hacker. If it wasn't for people like you, cyber security would be non-existent.

A prodigy? I haven't seen one that has contributed to the good of humanity. We still wait to see a time machine, a worm hole, a transporter, a ship traveling at light speed, a fountain of youth, a mech. No, this youth prodigy, or the many that there are, have nothing better to do but create a virus/malware for WP. God, please be serious. There are so many good things I could do with their gift!!!!!!!!

This is my guess at what this malware thing is about:

  • Register as WP developer
  • Make a simple game or app which has all permissions to access user data. Yes, WP8 gives these APIs, after user consent, just like all other mobile platforms.
  • Submit to AppHub
  • Users install the app which shows what data access permissions this will have
  • Upon using the app, it reads and sends all the data to own server 
  • User is hacked!!

I call it nonsense, this is possible on all platforms. Even today ad SDKs collect more data than you imagine. This is the reason I install apps from recognized publishers. And avoid adware apps as much as possible.
// chall3ng3r //

@wpcentral, HTML formatting doesn't work. I put a fairly good amount of time into formatting my last comment, see it's just posted as plain text, removing all the bullet points I used.
Fix it, ASAP.
// chall3ng3r //

There seems to be lots of confusion about the WP app security model. Let me clarify:
- Each app has a "manifest" file that specifies what services it requires (e.g. location, media library, identity)
- Microsoft has a "manifest checker" program. They run this on submitted apps to check if the manifest is indeed correct
- If so, it gets signed by Microsoft and put in the marketplace. Otherwise it gets rejected.
- When you install an app, you agree to allow the access to the services specified in its manifest. (Provided it's signed of course!)
Thus security relies on the following:
- Microsoft's private key used for app signing
- The signing and verifying mechanism (RSA?)
- You having the correct public key
- The app manifest checker program
- Only certified apps being executed
Therefore a "hack" on WP must be via:
- A vulnerability in an app with permissions to access sensitive services (e.g. IE)
- A flaw in the manifest checker (e.g. not detecting that an app accesses location)
- A leak of Microsoft's public key (and a deployment vector for the illegitimately certified app)
- A cryptographic break of the signing mechanism (but then apps are the least of your worries)
To me this sounds like a flaw in the manifest checker, but I'd have to know more to be sure.
This is why you should always be very wary about side-loading apps from sources other than Microsoft.
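As an added illustration (not code from the commenter, from Microsoft, or from the article), here is a Python model of the pipeline the comment above describes: a store-side manifest checker that compares declared capabilities against the APIs the app code actually calls, a signing step, an install-time signature check, and a runtime capability gate. The capability names, the API-to-capability map, the "app code" represented as a list of API names, and the HMAC-SHA256 stand-in for Microsoft's signature scheme are all assumptions made for the example; a real scheme signs with a private key and the device holds only the public half.

```python
import hashlib
import hmac
import json

# Assumed (illustrative) map from API call to the capability it requires.
API_CAPABILITY = {"GetContacts": "contacts", "GetPhotos": "media_library",
                  "GetLocation": "location", "HttpPost": "networking"}
# Constructed demo key standing in for Microsoft's signing key (symmetric here;
# a real scheme signs with a private key and the device holds only the public one).
DEMO_KEY = b"constructed-demo-key"

def manifest_checker(manifest, api_calls):
    """Store side: list every capability the code needs but the manifest omits."""
    declared = set(manifest["capabilities"])
    needed = {API_CAPABILITY[c] for c in api_calls if c in API_CAPABILITY}
    return sorted(needed - declared)  # [] means the manifest is correct

def sign_manifest(manifest, key):
    """Sign the canonical JSON of the manifest so later edits are detected."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def certify(manifest, api_calls, key):
    """Store side: check first, then sign. None means the submission is rejected."""
    if manifest_checker(manifest, api_calls):
        return None
    return sign_manifest(manifest, key)

def install(manifest, signature, key):
    """Device side: accept only a manifest whose signature verifies."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)

def call_api(manifest, api):
    """Runtime gate: a call succeeds only if its capability was declared."""
    cap = API_CAPABILITY.get(api)
    return cap is None or cap in manifest["capabilities"]

def run_demo():
    honest = {"name": "PhotoShare", "capabilities": ["media_library", "networking"]}
    sig = certify(honest, ["GetPhotos", "HttpPost"], DEMO_KEY)
    # Same signed app with a capability added to the manifest after signing.
    tampered = dict(honest, capabilities=honest["capabilities"] + ["location"])
    # An app that reads location without declaring it is never signed at all.
    sneaky = {"name": "Flashlight", "capabilities": ["media_library"]}
    return {"honest_installs": install(honest, sig, DEMO_KEY),
            "tampered_installs": install(tampered, sig, DEMO_KEY),
            "honest_location_call": call_api(honest, "GetLocation"),
            "sneaky_certified": certify(sneaky, ["GetPhotos", "GetLocation"], DEMO_KEY) is not None}
```

The "flaw in the manifest checker" case the comment raises corresponds to `manifest_checker` missing an API in its map: the sneaky app would then be signed and the runtime gate is the only remaining line of defence.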