Rogue app in Windows Phone Store stole customer data before being pulled

Windows Phone Phishing Hook

Getting phished online is one of the worst things that can happen. You unknowingly give up your personal information and login credentials to an unsavory party. It also recently happened in the Windows Phone Store to customers of Telfort, a telecommunication company in the Netherlands. The app has since been pulled, but serves as a reminder to think twice before downloading an app.

An unofficial app in the Windows Phone Store masquerading as an app for Telfort, a subsidiary of KPN, was pulled after leaking personal data from customers. Telfort shut down a portion of their site last week after it had learned that over a thousand passwords and phone numbers had been posted online. The section of the website that was shut down was the My Telfort page, which allowed customers to check their account and make changes. The move to shut down a portion of their site was preventative until they could figure out what was going on.

Telfort later reopened the My Telfort page after learning that it wasn’t a security breach in their network, but a rogue app collecting data from customers. The app had the official Telfort logo and asked customers for their login information so that they could check their account. The app has since been pulled from the Windows Phone Store.

Odds are you’ll never get phished in the Windows Phone Store if you’re savvy enough to be reading a site like Windows Phone Central. However, we’re all in the minority since we’re tech enthusiasts. Average users can easily be tricked into downloading an app that looks official and unknowingly give up their information.

Let this be a reminder to think twice before downloading an app that doesn’t look legit. Check who the developer is and what apps they’ve also worked on. Look at reviews already in the Windows Phone Store. Ask the community if the app looks like the real deal. There’s no perfect strategy to avoid getting phished and hacked, but the best strategy is to just use common sense.

Source: KPN, Via: ZDNet


Reader comments


So kindly think twice before saying that android is full of malware, this can happen on any platform.
Leave the dumb comments for the isheep community

By definition, this is not malware. It's spyware. Malware is a program that destroys or greatly interferes with the device's software/hardware.

I'm not saying anything like that. What I meant was that such apps can exist on any platform. The age-old isheep logic of "see no virus" despite the devices still being at risk.

This is not a virus, though.  It is a developer who used his power in a way that it shouldn't be.  He requested data that he should not have requested, and used it in a way that he should not have, abusing the trust of people who buy apps.  It is also a case where it is possible that Microsoft could have done a better job of screening.  I've seen things in apps that go against the certification requirements, so no, the process is not perfect. 

As it is now, this can happen on every platform, but Apple and Microsoft seem to be the quickest to do something about it.  Additionally, Microsoft can automatically have the app removed from every phone out there (Google cannot).  All they have to do is pull the security certificate and when the app is launched again, the user will get a message that the app will be uninstalled, and when they tap OK, the app is gone.  It cannot be launched.  On Android, it's up to the user to 1) know that there's a problem with the app, and 2) uninstall the app himself.

I have been told that Apple can do something similar, but I do not develop for Apple, so I have not looked into it myself.

By the way, you're crazy to follow bit.ly links from anonymous sources as well! They can take you anywhere.

I'm not anonymous.  These are my bitmarks, and I am an ambassador in the WPCentral forums, so it's not like I'm unknown in these parts.

That may be, but (1) I have no idea who you are, and (2) what lippidp said about bit.ly links is true. Personally, the only shortlinks I trust from people I don't know/trust are TinyURL links, because you can check where a TinyURL will take you first.

Actually, you can also check a bitly link first as well. Just append a plus sign to the end of the URL, and it takes you to a page with info about the real link.

For example, hopmedic's first link would look like: http://bit.ly/1ch2Qpp+

Just add a + to the end of a bitly link to preview it safely. And it's not a virus: It doesn't replicate itself. It's just good, old-fashioned spyware.

Go have fun with your Analroid. Maybe the NSA or your country's spy agency will pay you a visit soon.

Please, don't mix malware with social engineering techniques.

This app shouldn't have been allowed, but it's NOT malware.

Awful to hear that. I have to be honest, my daughter has an Android phone and she downloads anything and everything. Her phone has some crazy stuff going off. Hopefully this is an isolated incident.

I don't know that I would call it a rogue app. Like the app went off by itself and stole data. The app did as it was designed. The issue is the app publisher.

The definition of rogue app is pretty much spot on here. A rogue app doesn't just describe an app not doing what it was designed to do - but can also describe one acting against the system and its users in general. A "rogue spy" might be a perfectly functioning spy, but that doesn't mean he or she is good for the system they are supposed to be working for.

It might be best to stick with official apps, and to avoid 3rd-party apps that purport to do the same thing as official apps.

There are more than 200,000 good, honorable, legitimate third-party apps that do no harm.  To paint the vast majority of the Store with such a broad brush does the developers of those apps a disservice. 

Agreed. If I see a new app I tend to search a bit, whether here on WPC or elsewhere, before I download it. Case in point, type Facebook, Twitter... in Marketplace and see how many try to mask themselves as official. People need to really pay attention to the developers and loosely on reviews before downloading willy-nilly.

Unrealistic precautionary advice. What if it is a new developer that nobody has heard of yet? All the good ones that exist today had to get a start somewhere. What if this advice had been given a year ago? Would we have as many people buying/downloading apps of the devs that were new?

The people approving the apps are the responsible party, not the people that downloaded under a belief that apps are screened before becoming available.

This has been my very concern with the race of WP to gain ground in the number of apps and not quality apps.

I bought so many Twitter apps, including Carbon, which got discontinued. The official Twitter app ended up being better than any 3rd-party knockoffs.

I can see your point but you cannot say it's not the fault of the people downloading the apps. Blame lies on them as well for not being more careful about what they download. The old excuse that people don't know any better and trust the source just because it got approved doesn't fly anymore. Apps have been around long enough and, thanks to a steady onslaught of media almost hourly, people really should, at this point, know better than to just be a click-happy app grabber.

I can also see your point, but...you and I and everyone in this comment section understands and realizes that many users of apps do not fully understand them. They don't research someone they don't know, and put their full trust in a company that says they will check for them. Does it suck? Yes. That is the world we now live in.

Be honest, do you/have you read every EULA on every piece of software you have ever installed, even if reinstalling a newer version from scratch of something you have used in the past?  Maybe, but I doubt it.

Sorry, but this should have been caught during the approval by the managers of the store.

I agree that yes, the approval process should be better, but, as a quote from Albert Einstein says: "Two things are infinite, the universe and human stupidity, and the only thing I'm not sure about is the universe." People really should know better than to trust everything. As far as EULAs, no I have not, and it has bit me in the ass. Notably, an app I wrote back in the Windows Me days at college, using a laptop supplied by the school. It was more feature-rich than Paint Shop Pro (if you know anything about PSP). I was ready to market it and showed it to a professor for advice. The school put a cease order on me. Taught me a very good lesson about reading the fine print.

This is why we should report apps that seem fake to Microsoft. I've reported lots of BBM apps this week alone.

Why is it surprising you?

Almost every app in the WP store asks for many permissions that shouldn't be given to them!!

Flashlight apps need access to your microphone and phonebook etc.

Apps to hide pictures (only) want access to my user account, phonebook and Internet service. And I don't agree with the claim that it's for ads, because it's the PAID app without any ads.

And more and more.


Read carefully, ask the developer questions, look for alternative apps and read the permissions they ask.

Also, many times the permissions that are requested are simply oversight.  I don't recall off the top of my head if it is so in WP8 SDK, but in the WP7 SDK, the file WMAppManifest.xml which is where you declare permissions, had every permission listed, and it was up to the developer to delete those not used.  I think it is the opposite in WP8, but I can't recall with certainty off the top of my head.

Agreed. A lot of times I think developers overlook it, not saying all but some. I also think a lot of developers just click them because they are there, not knowing what they are. This holds even more true when you have someone who's developed their first app and is way too excited about getting it published before checking everything.

Well, the light app needs the camera sensor to work on the side. I don't like it but if you use Occam's razor, it makes sense.

Yes I know, and why does it need the mic? And why do some C# programming apps need the mic also? Or even my photo library?

And the real fucked up thing about it is that there is no one to ask, only to report and that's it.
Reading the description of what the app was intended to do, I'm going to call a Darwin on this.
Was this rogue app downloaded from the Windows Store? If yes, I would have thought Microsoft would have checked and OK-ed it.

Microsoft should add a way for companies to show that their app is official. Some sort of logo would be nice to see in the information for an app so that a user can have confidence that it is from the company and not a third-party app.

Guy in the chat room was just talking about how insecure apps were in the Store. I wonder if he knows about this pulled app. Hmmm?

People say Android Marketplace is a free for all for rogue Apps. People need to understand, other platforms do not extensively test all their Apps. This happens on EVERY platform.

Certification process isn't strict anymore. It was before, in the early WP days, when certification could take 7 business days and apps were rejected for almost no reason. Today you submit an app and after a few hours it's live. Much like Android. The truth is no company can just "validate" every app going into the store. It would be like checking every website when it goes online; it's insane. What needs to evolve is users' minds, to be aware.

I'm not sure if there is any "trusted publisher" attribution that will bypass intensive certification, but in my case I've noted it when I publish, even new apps.

this is what happens when they allow any bullshit app in the store. 100 facebook apps, 100 youtube apps and all kinds of rubbish in the store these days. Sort it out!

One of the Dropbox apps on WP7 did something similar. I use unique email addresses for everything I sign up for, & I've never given my Dropbox email to anyone. I installed around 3 or 4 different Dropbox apps on WP7 and a few weeks later that email started getting spammed heavily. Clearly one of the app devs was able to grab the email address and sell it. I was able to change it in Dropbox and block that email address, but it's still shitty that it happened.

That's the good thing about OAuth. When you log into Facebook, for example, in an app, the way I understand it, the app doesn't get to see your username or password. It takes you to a page where you log in (the app has no access to this info), and once successful and you've granted permission, the site sends a token back to the app. That token becomes your authentication.

Now, I admit that I could be wrong, because I have not created any apps that require any kind of login, but the developer events that I've been to that have discussed OAuth have left me with this impression.
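The redirect-and-token flow the comment above describes is the OAuth 2.0 authorization-code grant. The following simulation is an added example written for this page (it is not the commenter's code nor any platform's SDK); the identity provider, the "photo-app" client, the account "alice", the client secret and the example.* URLs are all constructed. It models both sides of the exchange, with the app recording everything it receives so it can be checked that the password never reaches it, and it rejects a reused code, a callback with the wrong state, and a failed login.

```python
"""Simulated OAuth 2.0 authorization-code flow, as a teaching model: the
third-party app only ever receives an authorization code and an access
token, never the user's password.  Every name, account, secret and URL
below is constructed sample data for this example."""
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Stands in for the identity provider the user actually logs into."""

    def __init__(self):
        # Constructed sample account (a real server stores salted hashes).
        self._users = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
        self._clients = {}        # client_id -> (client_secret, redirect_uri)
        self._pending_codes = {}  # code -> (client_id, redirect_uri, username)
        self._tokens = {}         # access_token -> username

    def register_client(self, client_id, client_secret, redirect_uri):
        # The redirect_uri is pinned at registration so a code cannot be
        # steered to some other page later.
        self._clients[client_id] = (client_secret, redirect_uri)

    def login_and_consent(self, client_id, redirect_uri, state, username, password, consent):
        """Front-channel step: the user's browser submits the credentials
        here directly.  Returns the redirect URL the browser will follow."""
        _, registered_uri = self._clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match registration")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not consent or self._users.get(username) != digest:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(24)
        self._pending_codes[code] = (client_id, redirect_uri, username)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange_code(self, client_id, client_secret, redirect_uri, code):
        """Back-channel step: the code is single use and bound to the
        client and redirect_uri it was issued for."""
        registered_secret, _ = self._clients.get(client_id, ("", None))
        if not registered_secret or not secrets.compare_digest(registered_secret, client_secret):
            raise PermissionError("bad client credentials")
        entry = self._pending_codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid or reused authorization code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = entry[2]
        return token

    def whoami(self, token):
        """Resource access: map a bearer token back to the user, or None."""
        return self._tokens.get(token)


class ThirdPartyApp:
    """The client app.  Everything it receives goes into `observed` so the
    test can prove that no credential ever reached it."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self._state, self.last_code, self.observed = None, None, []

    def start_login(self):
        # Fresh random state binds the callback to this login attempt.
        self._state = secrets.token_urlsafe(16)
        query = {"response_type": "code", "client_id": self.client_id,
                 "redirect_uri": self.redirect_uri, "state": self._state}
        return f"https://idp.example/authorize?{urlencode(query)}"

    def handle_callback(self, redirect_url):
        self.observed.append(redirect_url)
        params = parse_qs(urlparse(redirect_url).query)
        if params.get("state", [None])[0] != self._state:
            raise PermissionError("state mismatch: callback is not from our login attempt")
        if "code" not in params:
            raise PermissionError(params.get("error", ["unknown error"])[0])
        self.last_code = params["code"][0]
        token = self.server.exchange_code(self.client_id, self.client_secret,
                                          self.redirect_uri, self.last_code)
        self.observed.append(token)
        return token


def run_flow(username, password, consent=True):
    """Drive one complete login; returns (server, app, access_token)."""
    idp = AuthorizationServer()
    idp.register_client("photo-app", "constructed-client-secret", "https://photo.example/cb")
    app = ThirdPartyApp(idp, "photo-app", "constructed-client-secret", "https://photo.example/cb")
    q = parse_qs(urlparse(app.start_login()).query)
    # The browser, not the app, carries the credentials to the IdP.
    redirect = idp.login_and_consent(q["client_id"][0], q["redirect_uri"][0],
                                     q["state"][0], username, password, consent)
    return idp, app, app.handle_callback(redirect)


if __name__ == "__main__":
    idp, app, token = run_flow("alice", "correct horse battery")
    print("token identifies:", idp.whoami(token))
    print("password seen by app:", any("correct horse battery" in s for s in app.observed))
```

The point for the Telfort case is the division of labour: an app built this way has no form field for the user's password at all, so it has nothing to harvest, whereas an app that presents its own login form and then talks to the real site on the user's behalf sees everything. The `state` check and the single-use, client-bound code are the two details most often skipped in hand-rolled clients.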

This is exactly why I don't use any of the DVLUP app knock-offs. I know just how easy it is to collect the user info and then forward it on to its intended destination.