Symbian signs malware app by mistake

July 20, 2009 // 1:20 p.m.

Tags: #digital-rights-management #drm #malware #s60 #symbian

Companies: #symbian-foundation

The Symbian Foundation had egg on its face recently as news broke that it had digitally signed a Trojan application, allowing it to be installed on mobile handsets without the warning that unsigned software would have triggered.

As reported over on CNet, the Foundation admitted to digitally signing the Sexy Space Trojan horse without fully checking what it does, a serious problem when you realise that the application was expressly developed to build a mobile botnet that harvests information from infected handsets.

All applications installed on a handset running Symbian OS must be digitally signed, a requirement meant both to keep malware off the platform and to stop users installing pirated versions of popular apps. Tech-savvy users used to be able to sign their own applications with a developer certificate, but this has recently been made more difficult, and a developer certificate in any case does not unlock the more sensitive capabilities of the phone. Instead, developers are expected to submit their applications to the Symbian Foundation, which supposedly vets the software and issues a digital signature. Once signed, an application installs on any Symbian handset without any warning beyond the usual “Are you sure you wish to install...

Symbian's chief security technologist, Craig Heath, has stated that the company does “try to filter out the bad eggs” as part of the signing process, and readily admits that the system failed in the case of Sexy Space. The failure was two-fold: the application was not flagged by the automated virus scanners used during signing, so the problem only surfaced after the signature had been issued; and an error in the certificate revocation servers then allowed the application to remain available for a week after the problem had come to light. A signature, in other words, vouches only for who submitted the code and not for what it does, and revocation only helps if it is actually issued and the handsets actually check for it.
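The toy installer below, added here as an illustration and not code from the article or from Symbian, models the decisions just described: a package signed by the authority installs silently with no inspection of its behaviour, a self-signed package gets only user-grantable capabilities and a warning, and a revoked certificate only stops an install if the handset checks revocation and the revocation service answers. The capability names follow Symbian's published user/system split; the keys, package names, serials and policy flags are constructed, and HMAC stands in for the real asymmetric signature so the example runs on the standard library alone.

```python
"""Toy platform-security installer; not Symbian's code.

A valid signature says who signed a package, not what it does; revocation
only bites if the handset checks it, and a broken revocation service must
fail closed rather than open.
"""
import hashlib
import hmac
import json
from enum import Enum

# Capability names follow Symbian's published user/system split; everything
# else here (keys, package names, serials) is constructed for this example.
USER_CAPS = {"LocalServices", "Location", "NetworkServices",
             "ReadUserData", "WriteUserData", "UserEnvironment"}
SYSTEM_CAPS = {"PowerMgmt", "ProtServ", "ReadDeviceData", "SurroundingsDD",
               "SwEvent", "TrustedUI", "WriteDeviceData"}

# HMAC stands in for the real asymmetric signature (assumption for the
# example); the trust decisions below do not depend on the primitive.
KEYS = {"symbian-signed": b"authority-key", "dev-self": b"developer-key"}
TIER = {"symbian-signed": "authority", "dev-self": "self"}


class Decision(Enum):
    INSTALL = "install silently"
    WARN = "install only after an 'untrusted application' warning"
    REFUSE = "refuse"


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True).encode()


def sign(manifest, signer):
    """Sign a manifest with one of the stand-in keys and return a package."""
    body = dict(manifest, signer=signer)
    sig = hmac.new(KEYS[signer], _canonical(body), hashlib.sha256).hexdigest()
    return {"manifest": body, "signature": sig}


def verify(package):
    """Return the signer id if the signature is valid and the key is trusted."""
    m = package["manifest"]
    key = KEYS.get(m.get("signer"))
    if key is None:
        return None
    expected = hmac.new(key, _canonical(m), hashlib.sha256).hexdigest()
    return m["signer"] if hmac.compare_digest(expected, package["signature"]) else None


def install_decision(package, revoked=frozenset(), check_revocation=True,
                     fail_closed=True, revocation_service_down=False):
    """Installer policy. `revoked` holds certificate serials the revocation
    service would report; `revocation_service_down` simulates the server
    error in the article; `fail_closed` is the policy applied in that case."""
    signer = verify(package)
    if signer is None:
        return Decision.REFUSE, "signature invalid or signer unknown"
    m = package["manifest"]
    caps = set(m["capabilities"])
    unknown = caps - USER_CAPS - SYSTEM_CAPS
    if unknown:
        return Decision.REFUSE, f"capabilities no signer may grant: {sorted(unknown)}"
    if check_revocation:
        if revocation_service_down:
            if fail_closed:
                return Decision.REFUSE, "revocation service unavailable; failing closed"
            # fail open: carry on as though the certificate were still good
        elif m["serial"] in revoked:
            return Decision.REFUSE, "signing certificate revoked"
    if TIER[signer] == "authority":
        # Nothing above looked at what the code does: the signature only
        # proves the package went through the authority's process.
        return Decision.INSTALL, "signed by trusted authority"
    if caps & SYSTEM_CAPS:
        return Decision.REFUSE, f"self-signed package asked for {sorted(caps & SYSTEM_CAPS)}"
    return Decision.WARN, "self-signed; user-grantable capabilities only"


# Constructed package standing in for the trojan: reads user and device data
# and talks to the network. The capability list is illustrative only.
HARVESTER = {"name": "harvester", "serial": "c0ffee-1001",
             "capabilities": ["NetworkServices", "ReadUserData", "ReadDeviceData"]}
AUTHORITY_SIGNED = sign(HARVESTER, "symbian-signed")
SELF_SIGNED = sign(HARVESTER, "dev-self")


def tampered(package):
    """Copy of a package whose manifest was edited after signing."""
    m = dict(package["manifest"], capabilities=["NetworkServices"])
    return {"manifest": m, "signature": package["signature"]}


if __name__ == "__main__":
    cases = [
        ("authority-signed, nothing revoked", AUTHORITY_SIGNED, {}),
        ("same package, self-signed", SELF_SIGNED, {}),
        ("tampered after signing", tampered(AUTHORITY_SIGNED), {}),
        ("revoked, handset checks", AUTHORITY_SIGNED, {"revoked": {"c0ffee-1001"}}),
        ("revoked, handset never checks", AUTHORITY_SIGNED,
         {"revoked": {"c0ffee-1001"}, "check_revocation": False}),
        ("revocation server down, fail open", AUTHORITY_SIGNED,
         {"revocation_service_down": True, "fail_closed": False}),
        ("revocation server down, fail closed", AUTHORITY_SIGNED,
         {"revocation_service_down": True}),
    ]
    for label, pkg, opts in cases:
        decision, why = install_decision(pkg, **opts)
        print(f"{label:38} -> {decision.value} ({why})")
```

The first case is the one the article describes: the harvester installs silently because the authority's key is trusted, and at no point does the installer ask what the code will do with the capabilities it was granted. The last two cases show why the policy on a revocation-server error matters; a handset that fails open, or never queries the service at all, behaves exactly as if the revocation had never happened.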

To prevent this kind of embarrassing slip-up, Heath has said that the company is looking to improve both its automated scanning infrastructure and the human element of the checks.

Does this demonstrate the truth behind DRM, or is it just an easy mistake to make on the Symbian Foundation's part? Share your thoughts over in the forums.