A weakness in the Palm Pre operating system could allow remote bugging of the device, according to a British security company.
A specially crafted vCard, or virtual business card, could be used to exploit the vulnerability in the Palm Pre's WebOS operating system, as the handheld does not employ any security measures against such content, Basingstoke-based MWR InfoSecurity said on Wednesday.
The company discovered that a malicious vCard can be transferred to the phone using SMS, Bluetooth or via the web browser. Simply viewing the vCard is enough to fully compromise the business-focused handheld, which results in the intruder being able to remotely bug the device, it said.
Once the device is compromised, its recording functions can be fully controlled by the attacker. The phone can be forced to transmit and record audio and data at the hacker's will, either continuously or on demand, according to Alex Fidgin, the director of MWR InfoSecurity.
Recordings of bugged calls can then be sent without the owner's permission back to the source of the malicious vCard, using either Wi-Fi or 3G connections at intervals of the hacker's choosing.
Fidgin said that MWR InfoSecurity informed Palm of the flaw when it was discovered in May, but that it has still not been addressed by the handset maker.
"The flaw could have been 'fixed' when the mobile phone companies issued new operating software recently, but they did nothing," said Fidgin.
Palm, which was acquired by HP in April, declined to confirm the existence of the flaw or give a timescale for a patch, saying it does not comment on specific security issues. It also would not comment directly on MWR InfoSecurity's statement that it had given the handheld company three months to put a fix in place before it went public with the vulnerability.
"Palm takes security very seriously... We do thoroughly investigate any potential security risks brought to our attention. We have procedures in place for security researchers to responsibly report risks and we partner with them to make sure any vulnerabilities are addressed and pushed to WebOS users via our over-the-air update system," said a spokeswoman for the handheld company.
Also on Wednesday, MWR InfoSecurity said it had discovered a flaw in the Google Android OS. The vulnerability allows the transmission of confidential information, such as online banking credentials, passwords and email, if the user visits a malicious web page from the Android browser.
Google said that it is not aware of any devices being exploited via the hole. It also noted that the bug is not specific to Android, as Apple's Safari and other mobile browsers are built on the same WebKit platform. The company added that the weakness had been patched in the Android Froyo update.
"As always, mobile phone users can protect themselves by only visiting web sites they trust," Google's spokeswoman said.
The Android platform has also become the target of its first SMS Trojan, which sends out premium-rate text messages from a user's phone without their consent. The malicious app arrives disguised as a media player. However, security experts believe that the risk to the UK market is minimal, as the attack centres on a Russian shortcode text service.