Espionage app updated for Windows phones

A software developer has updated an application that turns smartphones into sophisticated espionage tools that secretly zap contacts, calendar items, and geographic locations to servers of an attacker's choice. For now, Phone Creeper works only on handsets that run Microsoft's Windows Mobile operating system. But Chetstriker, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Jobs Horns

    If it wasn't for black hats there'd be no need for Fsecure and its competitors

    If it wasn't for black hats, there'd be no need for Fsecure and its competitors.

    If it wasn't for black hats and the resultant need for the overhead of anti-virus scanners and secure code, there'd be no need for multi-core processors in regular desktops.

    A strong malware industry and strong malware hobbyists are essential to support the AV industry, as well as to support the advanced obsolescence that drives the hardware industry.

    It isn't Fsecure that will pay the economic price for malware distribution, it is computer consumers, computer service consumers, and service providers paying, through AV and hardware purchases.

    So naturally AV companies and hardware manufacturers are not going to push for the criminal prosecution of malware creators and malware distributors.

    1. Anonymous Coward
      FAIL

      Err nope....

      Sorry but I don't buy that, I have 3 computers at home and 2 "smartphones" (I hate that word)

      none of them have any anti virus software installed on them, all my computers are run through a firewall, and never in many years of service have I ever had a virus etc, the overhead of an AV program if you choose wisely is very little, you do not need multi processor computers to run them, multiprocessor CPU etc are very useful for many other tasks tho, to name a few, video editing, graphics design, sound editing, servers, VPCs, many app multi tasking, compiling, gaming, video decoding/encoding, photo editing, should I go on?, please remove head from cloud.

      the single biggest reason people get virus installed and mal/spyware for that matter is because the user has done something stupid. end of story

      with regards to this article, if I leave my phone unattended anything could happen to it, in fact I have tracking software that is properly built into it (will survive a hardreset unlike this one from the article) that does exactly what this program does so I can keep track of it if I lose it. if you leave your phone around I can copy your contacts and messages without having to install anything on it, I can do this via my phone, or use the amazing technological advance known as a pen.

      So my answer to you is, if the world wasn't full of idiots, or and perhaps more politically correct, if people had more education on the use of technology, there wouldn't need to be AV software, and the creators of software like this can go about their HOBBIES which is exactly what it is as they see fit

      1. Charles Manning

        What is stupid?

        Unfortunately most of the Great Unwashed don't know what "stupid" means. To most people there is just "the computer" and they cannot tell where the boundaries of trust are. They get used to downloading stuff and running it. They get used to installing Adobe viewer to view PDFs when "the computer" tells them to. When "the computer" tells them to download a codec so they can watch a cute kitten video or pron, they will just do it.

        Even the reasonably wary are easily tricked. Easy enough for a useful looking utility (eg. an editor or diff viewer) on a reasonably legit looking site to harbour a trojan.

        It's pretty obvious what is dangerous when you're driving a car. If the satnav tells you to drive over a cliff, you'll probably not do it (though some have).

      2. Stone Fox
        Welcome

        so...

        How do you know you've never had a virus if you've never had any virus detection software? ;D

        (Welcome mat for the virii!)

        1. Anonymous Coward
          Grenade

          never said I didn't have any, just said I don't use it :)

          because periodically the OS drives are taken off line and checked, Network traffic is monitored and nothing comes in or out without my hardware firewall knowing about it. as I said, the only way someone can get a virus or anything installed on their computer is if someone has sat down at the keyboard and installed something to allow them to do it, there is no other way, you can go on about remote control but again someone would need to allow access to that, and you will note I've specifically stated I do use firewalls.

          yes it is easy to do it by mistake and in fact on one of my computers I intentionally infect it to learn the best way of removing it, it can not spread by itself, it needs a medium, usually email or web access and in all cases the user must do something to install it.

      3. Anonymous Coward
        IT Angle

        PCs a full time job

        The trouble with PCs is that it's a full time job not to "do anything stupid" and the user often needs to be a Desktop support type to keep things running smoothly. So just to make sure things are up to date is part of using a Windows Machine. AV is becoming less and less effective too with the only real alternative being application white listing.

        Driveby Downloads are not the user doing anything stupid but the web developers ignoring the need to protect against SQL injection leading to legitimate sites punting Malware.

        Running Windows as a user account will help but Malware authors have started installing under user profile defeating this advice and things like Flash run outside of the Browser environment and has its own data leaking cookies.

        Microsoft got their act together with patching sometime ago so the focus became Adobe, Apple & Oracle who all put out widely used and like all software often full of bugs which over time have become routinely exploited and until recently had rather poor update systems which installed more software (ie: Apple used to punt the awful Safari if you had iTunes/Quicktime if the "stupid user" didn't pay attention) Secunia PSI will help address this but you will find things like Flash and Java leave old versions and PSI also will slow down an older PC.

        The problem with Windows is that it is widely used and suffers from the legacy of Windows for Workgroups and Windows 95 which had no permissions so once Windows 2000 and beyond became the norm everybody ran as an administrator and while not perfect the Unix permissions are more solid but even the "we won't get Malware" Mac users can be duped by installing software laced with Malware and of course there won't be many with AV installed, personally I think once Malware authors put their mind to it there will be rich pickings from Apple machines.

        I've recently started using Ubuntu on a modest Asus Notebook and am impressed by its performance compared to Windows 7 on the same machine and Ubuntu repository for software and Software updates are relatively seamless but the downsides are poor multitouch mouse pad support and printer support is lacking and power management is not quite up to scratch but I expect this to change over the next year or so.

    2. Anonymous Coward
      Linux

      windows

      if it wasn't for windows there'd be no need for fsecure nor any other commercial av/security firms

  2. T-Unit
    Stop

    XDA Devs is not a hacking collective!

    I doubt I'll be the last XDA member to come on here and say this but it is NOT a hacking collective or anything of the sort. It is, as the name suggests, a group of developers but also enthusiasts, fans and passing visitors who are looking to get the best out of their smartphone. Some of the work revolves around custom firmware but a lot more of it is about new apps, themes, ways of doing things and discussion about new devices or how-to guides.

    Please don't go all Daily Mail on us.

    1. Rob

      I second that...

      ... I'm an occasional visitor/member of the forum and without the free help I get from that site and its members my phones wouldn't be as usable as they are, they have some talented people who give a lot of free time to 'just help' others fix problems or customise something.

  3. Polhotpot
    WTF?

    Back to front

    “Striker doesn't seem like a bad guy in our book, but a silently installing espionage suite should be detected by a security suite,”

    Isn't the job of a security suite to detect bad stuff, whether or not the bad stuff wants detecting?

    Or are F-Secure just complaining because they haven't figured out how to detect it yet?

  4. Reg Sim
    Paris Hilton

    I suspect...

    ..until I get a MS smart phone, I will not bother with AV, in fact, if I get one of them that does not have an SD slot, how does this work?.

    I will consider AV protection for my smart phone (whichever type I get) when the nasty stuff starts coming from on-line rather than somebody manually sticking it on my dog-n-bone.

    I wonder if we will see the return of diallers, the like of which I have not seen since I switched from modems to broadband. Now that would pose an issue depending on your data plan.

    I suppose technically this 'tool' is a dialler. I wonder if you can get it to silently phone a premium rate number? or sux up all your months data allowance by being a zombie and doing DOS attacks whilst you're in the park playing with your dog?

    - ahh yes, the old 'zombie-in-your-pocket'.

    Paris, because I just don't know.

  5. Neal 5

    yes, malware

    but can you see the market that will use this. How about parents who want to know their children are safe, or maybe who wants to find out if there spouse/fiance isn't in fact that cheating "bitch" your best mate tells you he/she is.

    1. Charles Manning

      I'm sorry to tell you this but she is.

      She decided to shag someone who knows their there from their their.

    2. Gil Grissum
      Thumb Up

      Hmmmm...

      Good point. I'll have to keep this in mind....

  6. John Smith 19 Gold badge
    Thumb Up

    Perhaps his *point* was

    Windows (and I suspect) Android *allow* this behavior to happen.

    Apps that install silently and leave *no* trace on running program and process lists.

    How is this *not* a faulty design?

    Before anyone gets *too* overboard on his demo let's keep in mind it does need *physical* access to the phone (SD card insertion).

    But of course you have to ask if this is what "amateur" developers (of phone compromising software) can deliver what are the "pros" capable of?

    And what will be found on a closer look at Android's API?

    1. dssf

      If an amateur can do this, then the capabilities of the pros means that

      "Privacy *IS* dead.

  7. Tzael
    Unhappy

    Misleading

    Nice attempt to try and discredit Windows Phone 7. Although you didn't mention that operating system by name, nowhere in your article did you attempt to make the distinction between old Windows Mobile and new Windows Phone.

    The two are completely different and this article appears to be nothing more than an attempt by The Register to turn people against a new product that has barely launched. Shame on you.

    Phone Creeper has been out for more than a year, yet this is the first The Register has ever reported about it... I wonder why?

  8. Anonymous Coward
    Thumb Down

    what is wrong here

    Here we have a criminal openly posting criminal apps and what is done about it, nothing, talk about an upside down world, if it were up to me he would be looking at a life in prison for being a criminal and who is to pay for the damage he causes, why the user of course. It's time these scum were put into jail where they belong, he is claiming that he is doing it because he could.

    It's time we stopped being a society where these scum get away with causing these problems for society, a stiff life sentence would sort out a lot of these problems.

  9. Mark 65
    Big Brother

    Errm...

    "It doesn't show up under a phone's installed or running programs, and by default it reinstalls itself if it's removed."

    I'd say that if it can reinstall itself then it has truly been removed, just parts of it have been deleted.

  10. Anonymous Coward
    Troll

    /me turns over ipod touch

    Hmm, no usb/sd card slot...


Biting the hand that feeds IT © 1998–2022