There are a couple of interesting takeaways from this story in RCR News.
The first is that the virus described, which uses a secret SMS message to eavesdrop on just about anything the target device does, appears to be potentially very dangerous.
The other element of interest is how the virus, called RexSpy, came about. SecurStar GmbH, a German firm, is credited in the story as having developed the Trojan as a "demonstration."
We are making no accusations against SecurStar and have no reason to think the company has anything but the good of the public in mind. We question, however, the appropriateness of developing something dangerous for any reason. Remember, it was just this summer that Consumer Reports got its figurative head handed to it for creating 5,500 viruses as part of a spyware test.
A medical firm developing a real virus in order to demonstrate the seriousness of an illness would be in big trouble. The situation would be even worse if it were even plausible that the reason it developed the virus was to show how efficient its products are in treating it.
In this case, it doesn't seem that creating the Trojan was even necessary. In the story, the company's CEO, Wilfried Hafner, is quoted as saying that "any programmer can develop a similar Trojan horse application without any great investment of time or effort."
This cuts both ways: If creating RexSpy was so easy, then perhaps it's no big deal that SecurStar did so. Certainly, it doesn't approach what Consumer Reports did in terms of sheer numbers. On the other hand, if creation of the Trojan is so simple, why bother?
Could the net impact be to call attention to the vulnerability -- and lead savvy developers to use it as a stepping stone to the creation of more sophisticated viruses that, perhaps, wouldn't be as easy to disarm? After all, innocuous proof-of-concept viruses such as Cabir often are followed by the real and dangerous deal. Creating anything bad is playing with fire.
Proving out vulnerabilities by writing actual viruses may be necessary and a normal way for security researchers to do things. We also are aware, however, that this is an increasingly competitive business, so we hope people aren't taking unnecessary risks. Whatever the dynamics, developing test tube viruses seems like something that should be done with extreme discretion and a minimum of publicity.