Windows Phone 8 malware? This teen hacker claims to have created a prototype

A teenage hacker prodigy in India claims to have developed a prototype of malware that will run on smartphones running Microsoft’s new Windows Phone 8 operating system – the first known instance of Windows Phone 8 malware.

The researcher responsible for the prototype, Shantanu Gawde, is known as India’s “youngest ethical hacker”. He says he will unveil the malware prototype at the Malcon security conference in New Delhi, India, later this month.

Gawde’s presentation will “demonstrate approaches and techniques for infecting… Windows Phone” including “how to steal contacts, upload pictures and steal private data of users, gain access to text messages etc.”

However, little is known about the malware. For example, it is unclear whether it relies on an exploit of an underlying vulnerability in Windows Phone 8 or takes the form of a malicious mobile application.

Dave Forstrum, director at Trustworthy Computing, Microsoft, commented:

"Microsoft is aware of the upcoming presentation but further details have not been shared with us. As always, we will investigate any issues disclosed in the talk, and will take appropriate action to help protect our customers."

At 16, Gawde is the world’s youngest Microsoft Certified Application Developer (MCAD), having earned that designation at the age of just seven. In 2011, he presented a malware application that used Microsoft’s Kinect gesture recognition technology at the same conference.

The Windows Phone 8 mobile operating system was released on October 29. It marks a major re-make of the Windows Phone 7 OS and includes higher screen resolution and support for multi-core processors, as well as Near Field Communications (NFC), a wireless technology that is integral to evolving mobile payments solutions.

The new OS also boasts some additional security features, including secure boot and native 128-bit BitLocker encryption.

Microsoft also claims that the apps available in its mobile application store are “certified” – and vetted for malicious code and other security issues.