Risk
2/8/2010
10:08 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Hacker Unleashes BlackBerry Spyware Source Code

Proof-of-concept demonstrates ease at which mobile spyware can be created to pilfer text messages and email, eavesdrop, and track victim's physical location via smartphone's GPS

A researcher at the ShmooCon hacker conference yesterday demonstrated how BlackBerry applications can be used to expose sensitive information without the use of exploits.

Tyler Shields, senior researcher for Veracode's Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, D.C., that forces the victim's BlackBerry to hand over its contacts and messages. The app also can grab text messages, listen in on the victim, as well as track his physical location via the phone's GPS.

(To view a images from ShmooCon, including Shields using his spyware, go here).

The spyware sits on the victim's smartphone, and an attacker can remotely use the app to dump the user's contact list, email inbox, and SMS message. It even keeps the attacker updated on new contacts the victim adds to his contact list. "This is a proof-of-concept to demonstrate how mobile spyware and applications for malicious behavior are trivial to write just by using the APIs of the mobile OS itself," Shields says.

Smartphones are expected to become the next big target as they get more functionality and applications, yet remain notoriously unprotected, with only 23 percent of its users deploying security on these devices. And smartphone vendors for the most part have been lax in how they vet applications written for their products, security experts say.

"Personal information is traveling from the PC to the smartphone. The same data they are attacking on the PC is now on a lower-security form factor where security is less mature," Shields says. "It makes sense that [attackers] will follow the money to that new device."

His spyware app, TXSBBSpy, could be plugged into an innocuous-looking video game or other application that a user would download. Then the bad guys could harvest contacts they could sell for spamming purposes, for instance, he says. Although Shields' spyware app is only a blueprint for writing a spyware app, writing one of these apps is simple, he says.

"If we try to tell ourselves that the bad guys don't already know how to do this, we're lying. This is trivial to create," he says. Shields has posted a video demo of his BlackBerry spyware tool.

Indeed, smartphone apps were a hot topic last week: A researcher at Black Hat DC demonstrated his own spyware app for iPhones, SpyPhone, which can harvest email addresses as well as information from the user's Safari searches and his or her keyboard cache. Nicolas Seriot, a software engineer and scientific collaborator at the Swiss University of Applied Sciences, says Apple iPhone's review process for apps doesn't stop these types of malicious apps from being downloaded to iPhone users.

Veracode's Shields says app stores such as BlackBerry's, where users download free or fee-based applications for their phones, can be misleading to users. "The app store makes the problem worse by giving customers a sense of security, so they don't necessarily screen for this 'trust' button," Shields says.

The problem is that mobile spyware is "trivial" to create, and the security model of most mobile platforms is inadequate because no one uses the security features and sandboxing methods that protect user data, he says.

Shields recommends that enterprises using BlackBerry Enterprise Server set policies that restrict users from downloading third-party applications or whitelist the ones that are vetted and acceptable.

Users can also configure their default app permissions so that when an app tries to access a user's email or contact list, the OS prompts the user for permission. Shields says to avoid setting an app to "trusted application status."

A RIM spokesperson noted in a statement responding to Shields' research that a spyware app can't install itself on a BlackBerry. "Applications containing spyware cannot be installed on a BlackBerry smartphone without the user's explicit consent, unless of course someone else gains physical possession of the user's device along with knowledge of any enabled password," the spokesperson said.

Users also "can review and confirm the list of installed apps on their device by looking in the 'Options' area at any time," the RIM spokesperson said.

As for app store owners like BlackBerry AppWorld, Apple iTunes, and Google Android Marketplace, Shields recommends the vendors check the security of all applications in these stores. That way, apps would undergo a rigorous vetting process before they hit the stores. "Some are [doing this], but I'm not sure to what degree," he says. "Regardless of what they are catching or not, they are not telling us what they are looking for."

Shields' TXSBBSpy spyware, meanwhile, isn't the first such tool for the BlackBerry. There's the controversial tool FlexiSPY, aimed at tracking employees, children, or cheating spouses, but considered by anti-malware companies as malicious code. And there has been at least one documented case of a major spyware infiltration on the BlackBerry: Users in the United Erab Emirates last year were sent a spyware-laden update to their BlackBerrys on the Etisalat network.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web