Has a teenage hacker created Windows Phone 8 Malware?

You’ll always hear an argument, when talking about any non-Microsoft OS, that viruses/malware/spyware are something you don’t need to worry too much about. Mac and Linux users are generally free from attack. Sure, there are security holes, but for the most part they remain unexploited and are patched on a more leisurely basis.

But Microsoft however, while they may not have coined the term ‘Patch Tuesday’ or reference it very often, use the second Tuesday of each month to release tested and approved updates to the public, patching found or known issues with their suite of software products. With over 90% of the desktop market, they are always going to be under threat of attack more than others.

Now phones are becoming more powerful, the OS’ shaping up to be very much like a desktop OS. And with Android and iOS dominating the market it’s quite surprising that Windows Phone 8, with such a small market share, is getting what could be its first piece of malware.

Known as India’s 'youngest ethical hacker', Shantanu Gawde says he will show the malware prototype at the MalCon Security Conference on November 23rd and 24th. His presentation will show "approaches and techniques for infecting... Windows Phone… how to steal contacts, upload pictures and steal private data of users, gain access to text messages etc.” However, as there is little known about the malware, there are questions around whether it relies on exploiting an OS vulnerability or just masquerades as a malicious mobile app.

Dave Forstrum, director at Trustworthy Computing, Microsoft has spoken out on the supposed malware:

Microsoft is aware of the upcoming presentation but further details have not been shared with us. As always, we will investigate any issues disclosed in the talk, and will take appropriate action to help protect our customers.

Gawde is only 16, and at the age of seven he became a Microsoft Certified Application Developer (MCAD) – the youngest person to do this. At MalCon in 2011, he demonstrated a malware application that used Kinect’s gesture recognition.

Source: Sophos

Report a problem with article
Previous Story

TechSpot: Call of Duty Black Ops II Benchmarked

Next Story

Twitter adds ability to e-mail tweets

15 Comments

Commenting is disabled on this article.

If it requires the user to run the app then its not that big of a deal. You would have to get it through the phone store. If that was the case IOS and android would have the same problem.

majortom1981 said,
If it requires the user to run the app then its not that big of a deal. You would have to get it through the phone store. If that was the case IOS and android would have the same problem.
They do. Having said that, Android is much more prone to this as the review process on iOS & Win Phone will catch some (but not all) of the malicious apps before anyone is exposed. Android relies on people to get hacked, realise that they've been hacked and then report it.

`Known as India's 'youngest ethical hacker'`
Sorry but no, ethical hackers work with companies to fix up problems, they don't do slideshows to potential other hackers of how to hack and cause problems, that's a black hat hacker.

n_K said,
`Known as India's 'youngest ethical hacker'`
Sorry but no, ethical hackers work with companies to fix up problems, they don't do slideshows to potential other hackers of how to hack and cause problems, that's a black hat hacker.

Maybe hes too young to work but if hes not, I'd say hes definitely talented enough to be yanked up by some company.

n_K said,
`Known as India's 'youngest ethical hacker'`
Sorry but no, ethical hackers work with companies to fix up problems, they don't do slideshows to potential other hackers of how to hack and cause problems, that's a black hat hacker.

Except MalCon isn't some hacker playground. These are security professional working together to research next generation malware. Aside from that, I don't recall seeing anywhere in this article that states Microsoft can't be present at MalCon, nor that Microsoft hasn't been in contact with Gawde. Has this "kid" shown malice in any way that you're aware of? From what research I've done, he researches possible security risks and then presents them to other professionals in the same field as well as the developer of the software/hardware. I fail to see what's "unethical" about him or what he does.

nekkidtruth said,

Except MalCon isn't some hacker playground. These are security professional working together to research next generation malware. Aside from that, I don't recall seeing anywhere in this article that states Microsoft can't be present at MalCon, nor that Microsoft hasn't been in contact with Gawde. Has this "kid" shown malice in any way that you're aware of? From what research I've done, he researches possible security risks and then presents them to other professionals in the same field as well as the developer of the software/hardware. I fail to see what's "unethical" about him or what he does.


A true ethical hacker tells or sells to the company the exploits and only talks about or publishes them once they've been patched, or if ever as some companies don't want them disclosed.
MalCon only professionals? That's like saying defcon is strictly professionals only too.

n_K said,

A true ethical hacker tells or sells to the company the exploits and only talks about or publishes them once they've been patched, or if ever as some companies don't want them disclosed.
MalCon only professionals? That's like saying defcon is strictly professionals only too.

Where did I say MalCon was strictly professionals? If things where done the way you describe them, people would never learn anything. Corporations such as Microsoft have shown time and time again that they are lazy when it comes to security anyway. This lights a fire under their butts. I still don't see how sharing with the professional security community his findings, is unethical.

nekkidtruth said,

Where did I say MalCon was strictly professionals? If things where done the way you describe them, people would never learn anything. Corporations such as Microsoft have shown time and time again that they are lazy when it comes to security anyway. This lights a fire under their butts. I still don't see how sharing with the professional security community his findings, is unethical.


His point is that sharing it before it has been patched is a unethical, not that sharing at all is unethical. Though, I agree with you, I don't see how it's unethical to share before it's been patched unless it's gonna cause real troubles doing so (which it might not, depending on the exploit).

Lamp Post said,

His point is that sharing it before it has been patched is a unethical, not that sharing at all is unethical. Though, I agree with you, I don't see how it's unethical to share before it's been patched unless it's gonna cause real troubles doing so (which it might not, depending on the exploit).

Yes precisely, though he mentions of it stealing all private data off a phone, depending on what you'd need to do in order to get that information it's either ethical or unethical. If for example you need a wp developer account and special leads and the actual physical phone then fair enough but if you can do it over the air to just anyone with a wp, that's very unethical in my mind.

n_K said,

Yes precisely, though he mentions of it stealing all private data off a phone, depending on what you'd need to do in order to get that information it's either ethical or unethical. If for example you need a wp developer account and special leads and the actual physical phone then fair enough but if you can do it over the air to just anyone with a wp, that's very unethical in my mind.

Fair enough.

Lamp Post said,

His point is that sharing it before it has been patched is a unethical, not that sharing at all is unethical. Though, I agree with you, I don't see how it's unethical to share before it's been patched unless it's gonna cause real troubles doing so (which it might not, depending on the exploit).
The ethical thing would be to let MS know as soon as he found it and at least give them head start patching it before telling a load of potentially malicious hackers about it. With these sort of things MS will give credit to the finder and are ok with people presenting it once it's no longer a major threat.

nekkidtruth said,
I don't recall seeing anywhere in this article that states Microsoft can't be present at MalCon, nor that Microsoft hasn't been in contact with Gawde.
The article quotes the MS spokesperson as saying "Microsoft is aware of the upcoming presentation but further details have not been shared with us"

nekkidtruth said,
Corporations such as Microsoft have shown time and time again that they are lazy when it comes to security anyway. This lights a fire under their butts. I still don't see how sharing with the professional security community his findings, is unethical.
You can't really accuse a company for being lazy for not fixing something they are unaware of. Microsoft is widely credited with doing more than any other developer to implement mitigations and build security into their processes from the start but it is impossible to find or prevent all security bugs.
Sharing with the security community in private is OK, telling everyone how to hack into millions of devices in the wild before telling the manufacturer and putting all those users at risk is unethical.

n_K said,
`Known as India's 'youngest ethical hacker'`
Sorry but no, ethical hackers work with companies to fix up problems, they don't do slideshows to potential other hackers of how to hack and cause problems, that's a black hat hacker.

Where have we heard lies before from India's young prodigies? I'd take this with a grain of salt.