
Creator ID Replacement

Applications running on the Palm OS make use of a 4-byte Creator ID for identification purposes. If the Creator ID of a malicious application is defined to be the same as that of one of the built-in applications, the malicious application will be executed in place of the built-in application. A Trojan program launched in this manner will appear transparent to the user until it is too late and the malicious action has occurred. Creator IDs of the basic built-in applications are listed in Table 1.

This behavior has characteristics of a list created in a Last In First Out (LIFO) fashion. Upon addition of a new piece of software to the system, its Creator ID is pushed onto the list. When a program is launched, a traversal of the list occurs to find the entry point to the program. When the first match on the Creator ID is found, the list traversal exits.

Table 1: Creator IDs of the basic Palm OS built-in applications

Application Name    Creator ID
Address             addr
Calculator          calc
Date Book           date
Expense             exps
HotSync             sync
Mail                mail
Memo Pad            memo
Preferences         pref
Security            secr
To Do List          todo
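
A small C model of the first-match lookup described above, with an audit that flags any built-in Creator ID from Table 1 that has more than one entry. This is an added example, not Palm OS code or code from the original paper; the list layout, the function names and the application labels are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model of the lookup described in the text; an assumption, not Palm OS code. */
typedef struct { char creator[5]; const char *name; } App;

#define MAX_APPS 32
static App apps[MAX_APPS];   /* apps[0] is the oldest entry */
static int app_count = 0;

/* Built-in Creator IDs from Table 1. */
static const char *BUILTIN[] = {"addr", "calc", "date", "exps", "sync",
                                "mail", "memo", "pref", "secr", "todo"};
#define N_BUILTIN (sizeof BUILTIN / sizeof BUILTIN[0])

/* Installing software pushes its Creator ID onto the list. */
int install(const char *creator, const char *name) {
    if (app_count == MAX_APPS || strlen(creator) != 4) return -1;
    strcpy(apps[app_count].creator, creator);
    apps[app_count].name = name;
    return app_count++;
}

/* Launch: walk from the newest entry and stop at the first match. */
const char *resolve(const char *creator) {
    for (int i = app_count - 1; i >= 0; i--)
        if (strcmp(apps[i].creator, creator) == 0) return apps[i].name;
    return NULL;
}

/* Audit: report built-in Creator IDs that have more than one entry. */
int audit_shadowed(void) {
    int shadowed = 0;
    for (size_t b = 0; b < N_BUILTIN; b++) {
        int hits = 0;
        for (int i = 0; i < app_count; i++)
            if (strcmp(apps[i].creator, BUILTIN[b]) == 0) hits++;
        if (hits < 2) continue;
        printf("'%s': %d entries, launch resolves to \"%s\"\n",
               BUILTIN[b], hits, resolve(BUILTIN[b]));
        shadowed++;
    }
    return shadowed;
}

int main(void) {   /* constructed sample data */
    install("memo", "Memo Pad (built-in)");
    install("memo", "later install, same Creator ID");
    return audit_shadowed() == 1 ? 0 : 1;
}
```

Any Creator ID the audit reports is one where the entry that launches is no longer the oldest one installed under that ID.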




Kingpin
2001-05-09