The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.
The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said Thursday. Heath said the group is working on improving its security-auditing procedure.
"When software is submitted, we do try to filter out the bad eggs," Heath told ZDNet UK. "When apps are submitted, they are scanned. We are looking at how they could be scanned better."
Developers must submit the mobile applications they build to the Symbian Foundation for checking for the applications to be accepted by handsets with the Symbian operating system. Once the submission has been accepted, the applications are digitally signed by Symbian. Digital signatures, which are cryptographic security features, are designed to provide an amount of assurance that software for download comes from a trusted source.
The first stage of Symbian's signing process, antivirus scanning, is done automatically using an antivirus engine. Once an application has been submitted and scanned, random samples are then submitted for human audit.
In the case of the low-risk Sexy Space Trojan, which was disguised as a legitimate application called ACSServer.exe, the Trojan had not been subjected to human scrutiny, Heath said.
The Symbian Foundation became aware that Sexy Space was a Trojan two weeks ago, and the signature was revoked then, Heath said. However, an error on Symbian's servers meant the application was available for download until this week.
On the Symbian Signed Web site, the group's antivirus-scanning provider is identified as Finnish company F-Secure. Mikko Hyppönen, F-Secure's chief research officer, told ZDNet UK on Friday that the malware authors had probably tested their Trojan against the F-Secure antivirus engine to circumvent security measures.
"Virus writers scan their malware, and keep modifying it until it passes the filters," Hyppönen says. "Obviously, the signing process can be and has been circumvented."
Symbian uses graded signing processes for mobile applications, according to Hyppönen. The Sexy Space malware went through its express signing process, which is designed for freeware. "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all," Hyppönen said.
Symbian is in the process of upgrading its automated scanning processes, Heath said, adding that human auditing is also going to be improved. However, human auditing will probably not be expanded, as this introduces cost and time delays into the process, he said.
The group is looking to automate more of the work involved in publishing applications. "Today, most of the processes behind (Symbian) require manual tasks," the organization said in a blog post on the launch of its new Symbian Horizon program. "Our goal for the near future is to develop a system that will automate this work allowing us to scale the program to include as many apps as possible."
The Symbian Horizon program intends to select applications submitted by developers and then support them through their development and submission to mobile app stores. Symbian said that one of the aims of Horizon was to automate the publication of apps as far as possible.
Tom Espiner of ZDNet UK reported from London.
Wednesday's two big technology stories--Google's Chrome-based operating system and cyberattacks against U.S. and South Korean government Web sites are oddly related. The stories are connected because if Google does well at gaining market share for its browser, we could see fewer successful attacks. Or maybe we'll see more attacks.
The reason hackers succeeded in launching denial-of-service attacks against government computers in the U.S. and South Korea is because they were able to enlist an army of "zombie" computers to carry out the attack. And what do those computers likely have in common? The vast majority of them likely run Microsoft Windows.
Whether Windows is inherently less secure than Mac OS X or Linux is debatable, but one thing is for sure--it's more popular and therefore a more attractive target to hackers. Indeed with nearly 90 percent of the world's PCs running Windows, it's something of a "single point of failure." Figure out how to infect Windows PCs and you can stage a very successful attack.
Linux--which is the underpinning of Google Chrome--is not entirely exempt from malicious software but historically Linux machines are less likely to be infected. So it stands to reason that the more machines running non-Windows software, the safer we'll all be.
But there's another side to this story. The Chrome OS will be far more Web-centric than Windows, which means that many--if not most--of its applications will be running over the Internet. What's more, people's data will be stored "in the cloud," much of it on servers run by Google. So while Google may help reduce Microsoft's potential as a single point of failure, it increases its own. If hackers were successful in launching an attack on Google, that would affect not only people's ability to use Google apps, but the integrity of their data.
Although there weren't any reported data breaches, there was a day in May of this year when Google sites were partially inaccessible as a result of a technical glitch. On that day, millions of people were unable to use Google services, including Google Docs and Spreadsheets. Say what you want about Microsoft, but even if the company totally shut down its Web operations, its operating system and PC applications would still run.
Personally, I'm a big believer in competition and like cloud computing, so I welcome Google's entry into the operating system arena. But like almost anything worthwhile, it's not without risk.
- prev
- 1
- next
