10/29/2009
01:11 PM
US-CERT Warns Of BlackBerry-Spying Application

Free PhoneSnoop app listens in on BlackBerry users

The US-CERT has issued a warning about a new, free BlackBerry application that transforms the phone into a bugging device.

PhoneSnoop, which runs on the victim's phone, lets an attacker stealthily call the targeted BlackBerry, answer the call, turn on the speakerphone, and let the attacker listen in on the victim. "It's as if someone called you, you picked up your phone, left the speakerphone on, [and left the call connected]," says Eric Chien, senior manager for security response at Symantec. The app has to be configured to recognize the attacker's phone number, and it automatically and quickly answers it to evade detection, he says.

Sheran Gunasekera, the developer of PhoneSnoop, says he was surprised US-CERT identified his app in an advisory. "I am happy that they did, though, because it's one step further in getting the word out," says Gunasekera, who is director of IT security at Hermis Consulting in Jakarta, Indonesia. "I think the reason my app was flagged was because it's free and more easily accessible" than more expensive commercial spy tools.

Gunasekera -- who says his app was intended as a proof-of-concept of how smartphones could be abused -- says he wanted his tool to let more users see what the threat could really be. "Although I did my best to make the app non-stealthy, I guess CERT thought it still had potential for abuse," he says.

The attacker would have to either access the victim's BlackBerry to install PhoneSnoop or send it disguised as another app, Symantec's Chien says. And the attacker has to configure it with his phone number so the app can recognize it and automatically engage the call and speakerphone. "Someone could take this concept and package it as a game, for example," to get the victim to install it, he says.

The call itself is relatively inconspicuous. "The chances of your seeing the call coming in are very [slim]. It's designed so that you won't hear the phone ring," Chien says. "Your chances of beating the app [to the call] are very low."
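The behaviour described above (a fixed caller number, an answer before the user could react, no audible ring, speakerphone on) is also what a defender can look for. The following is an added example, not code from the article, from PhoneSnoop or from Gunasekera's Kisses tool: a heuristic run over a constructed call-event log that flags calls answered almost instantly with the ringer suppressed and the speakerphone active, then reports numbers that trigger it repeatedly. The CallEvent record layout, its field names and the 500 ms threshold are assumptions; a real handset or MDM export would have to be mapped onto them.

```python
"""Heuristic detection of silent auto-answer calls in a call-event log.

Added illustration only; the record format below is an assumption, not
a BlackBerry or PhoneSnoop artefact.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class CallEvent:
    remote_number: str    # caller id as the handset recorded it
    incoming: bool        # True for an inbound call
    answered: bool        # True if the call was picked up
    ring_ms: int          # ms between first ring and answer (or hang-up)
    ringer_audible: bool  # False if ringer/vibrate was suppressed for this call
    speakerphone: bool    # True if the speakerphone was on during the call


# Assumed threshold: a person rarely answers within half a second of the
# first ring, and an idle handset never turns its own speakerphone on.
AUTO_ANSWER_MS = 500


def is_silent_auto_answer(ev: CallEvent, max_ring_ms: int = AUTO_ANSWER_MS) -> bool:
    """Inbound call, answered almost instantly, no audible ring, speaker on."""
    return (
        ev.incoming
        and ev.answered
        and ev.ring_ms <= max_ring_ms
        and not ev.ringer_audible
        and ev.speakerphone
    )


def flag_events(events: Iterable[CallEvent]) -> List[CallEvent]:
    """Return every event matching the silent auto-answer heuristic."""
    return [ev for ev in events if is_silent_auto_answer(ev)]


def repeated_listeners(flagged: Iterable[CallEvent], min_hits: int = 2) -> Dict[str, int]:
    """Numbers that triggered the heuristic at least min_hits times.

    A spying app is configured for one fixed number, so the same remote
    number recurring is a stronger signal than a single odd call.
    """
    counts = Counter(ev.remote_number for ev in flagged)
    return {number: n for number, n in counts.items() if n >= min_hits}


# Constructed sample log (not real call data).
SAMPLE_LOG = [
    CallEvent("+15550100", True, True, 4200, True, False),    # ordinary answered call
    CallEvent("+15550199", True, True, 120, False, True),     # silent instant answer, speaker on
    CallEvent("+15550142", True, False, 15000, True, False),  # missed call
    CallEvent("+15550199", True, True, 90, False, True),      # same number again
    CallEvent("+15550100", False, True, 0, False, False),     # outbound call; ring_ms not meaningful
    CallEvent("+15550177", True, True, 300, True, False),     # quick human answer, ringer audible
]


def run(log: Iterable[CallEvent] = SAMPLE_LOG):
    """Flag suspicious events and summarise repeat callers."""
    flagged = flag_events(log)
    return flagged, repeated_listeners(flagged)


if __name__ == "__main__":
    flagged, repeats = run()
    for ev in flagged:
        print(f"suspicious: {ev.remote_number} answered in {ev.ring_ms} ms, "
              f"ringer muted, speakerphone on")
    print("repeat callers:", repeats)
```

The outbound call and the quick but audible human answer in the sample are there to show the heuristic's two main false-positive guards: direction and ringer state. On a real device the hard part is obtaining the ringer and speakerphone state per call, which is exactly the kind of process- and setting-level visibility a hidden-program detector such as Gunasekera's Kisses aims to provide.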

PhoneSnoop's creator, meanwhile, says his goal with the app was to raise awareness of this type of snooping vulnerability in the smartphone. Gunasekera says he plans to release a paper on how to protect against such a snooping attack. He also has released a tool aimed at detecting hidden programs and processes on the devices, called Kisses.

"I'm quite keen in driving up the awareness and also helping users protect themselves, so I'll be working on constantly updating both sets of tools, and they will be released free of charge," Gunasekera says.

But the problem isn't in the BlackBerry platform, he notes. "It's the users. The only way attacks like this can succeed is because people can be tricked or social-engineered. For example, I can release my application disguised as a game or a simple picture slide show/wallpaper downloader. While it appears harmless to a user, in reality it's actually spying on him," Gunasekera says. "Alternatively, I can physically install the tool on a phone."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
