The Trojan in your pocket

Sat 4th Sept 10

I've just bought myself a Samsung Galaxy S and rather than go for a new one I picked one up from a second hand shop. I don't like the default ROM on the Galaxy and was thinking about putting a custom one on but then I got thinking about what if someone already had? Would I be able to tell?

Taking a step back, why would someone want to, and how could they do it? First the why: there are plenty of reasons I can think of. To profit, they could have the phone send out premium SMS messages; if undetected this could make some easy money. What about putting a password collector into the browser? The phone obviously has Internet access, so it could easily capture all sorts of credentials and send them back to the attacker. What about a backdoor that calls home so the attacker could access the phone whenever they wanted, a botnet client, something to purchase random apps from the Marketplace... the list goes on.

How could they do it? For just a one-off, the attacker could Trojan their own phone before selling it or trading it in. This would give them a single phone "bot" and assumes that they have a phone to trade in. The shop I bought my phone from allows a 7 day money back guarantee on phones, so why not buy one, Trojan it, then take it back? Repeat a few times and you could start a small army without any real outlay. If the expected profit was likely to be high, an attacker could pick up a batch of second hand phones, Trojan them all and sell them around a neighbourhood. They would lose money on the difference between the buy and sell price, but that would be made up for by the resulting profits.

So how could this be detected? The premium SMS attack could be detected by standard log checking, i.e. checking your bill, but some accounts charge extra for itemised bills, most only do online bills, and not many people bother logging in to check. The other attacks are much harder, and I'd say that unless you know how to extract a ROM from a phone, dissect it and work out what it is doing, you don't have much chance. Because the Internet connection is over 3G you can't even easily sniff the traffic to spot what is coming in or going out.
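Since the bill is the one record the owner can actually get at, here is an added example (my own, not from the original post) of doing that bill check automatically: it parses an itemised-bill export and flags SMS to short codes that recur in the small hours, the kind of "a couple each night" pattern a Trojaned ROM would leave. The CSV layout, the short code 83100 and the 07700 900xxx numbers are constructed sample data, and the assumption that premium-rate SMS go to 5 or 6 digit short codes is mine.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an itemised-bill export (not real data).
# Columns: date, time, destination, type, cost in pence.
SAMPLE_BILL = """date,time,destination,type,cost_pence
2010-09-01,02:13,83100,SMS,150
2010-09-01,09:40,07700900123,SMS,10
2010-09-02,02:11,83100,SMS,150
2010-09-02,18:02,07700900456,SMS,10
2010-09-03,02:14,83100,SMS,150
2010-09-03,12:30,07700900123,CALL,25
"""

# Assumption: premium-rate SMS go to 5 or 6 digit short codes, so any
# short all-numeric destination is treated as a candidate.
SHORT_CODE = re.compile(r"^\d{5,6}$")
NIGHT_HOURS = range(0, 6)  # 00:00-05:59, when the owner is unlikely to be texting


def parse_bill(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_destinations(rows, min_nights=2):
    """Return {destination: summary} for short-code SMS sent on at least
    min_nights separate nights; one-off texts to a short code are ignored."""
    by_dest = defaultdict(list)
    for r in rows:
        if r["type"] != "SMS" or not SHORT_CODE.match(r["destination"]):
            continue
        hour = int(r["time"].split(":")[0])
        if hour in NIGHT_HOURS:
            by_dest[r["destination"]].append(r)
    result = {}
    for dest, sent in by_dest.items():
        nights = {r["date"] for r in sent}
        if len(nights) >= min_nights:
            result[dest] = {
                "messages": len(sent),
                "nights": len(nights),
                "cost_pence": sum(int(r["cost_pence"]) for r in sent),
            }
    return result


if __name__ == "__main__":
    for dest, s in suspicious_destinations(parse_bill(SAMPLE_BILL)).items():
        print(f"{dest}: {s['messages']} night-time SMS over {s['nights']} nights, {s['cost_pence']}p")
```

Run against a real export you would swap in your provider's column names and tune NIGHT_HOURS to when you actually sleep.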

Can you defend yourself? Well, you could put your own ROM on, but that is pretty much guaranteed to invalidate your warranty, so you might want to use the phone for a short while just to check it is physically working properly first, and by that point you've already been owned.

I can't think of any other ways; firewalls and mobile AV would be useless, as the Trojan would be in place at kernel level and so could bypass any high level protection. If anyone else comes up with a defence, please let me know.

As an extension to this, I was also thinking about where I would get a ROM from if I did want to put a new one on. Could an attacker perform a similar attack without any physical access to your phone, and maybe even do it legally? I think they could. It would be dubious legal ground, but possible given the following...

I create my own ROM, add the "feature" to send a couple of premium SMS messages each night and put it on my site for download, but to get to the download you have to agree to my EULA/terms and conditions. In that agreement I state that, in return for my work, you agree to spending £X each night on SMS messages. No one reads the agreements, so no one would know about my sneaky feature, and even if they did find out I could point out the fact that they agreed to it when they downloaded the ROM, so tough luck.

As I said, dubious legal ground, but I'm sure there are shadier things going on and being successfully gotten away with all the time.

So, do you know what is going on in your pocket? Do you have a second hand Trojan in there?

And finally, does anyone want to buy my old G1?