PhoneSnoop, which runs on the victim's phone, lets an attacker stealthily call the targeted BlackBerry, answer the call, turn on the speakerphone, and let the attacker listen in on the victim. "It's as if someone called you, you picked up your phone, left the speakerphone on, [and left the call connected]," says Eric Chien, senior manager for security response at Symantec. The app has to be configured to recognize the attacker's phone number, and it automatically and quickly answers it to evade detection, he says.
Sheran Gunasekera, the developer of PhoneSnoop, says he was surprised US-CERT identified his app in an advisory. "I am happy that they did, though, because it's one step further in getting the word out," says Gunasekera, who is director of IT security at Hermis Consulting in Jakarta, Indonesia. "I think the reason my app was flagged was because it's free and more easily accessible" than more expensive commercial spy tools.
Gunasekera -- who says his app was intended as a proof-of-concept of how smartphones could be abused -- says he wanted his tool to let more users see what the threat could really be. "Although I did my best to make the app non-stealthy, I guess CERT thought it still had potential for abuse," he says.
The attacker would have to either access the victim's BlackBerry to install PhoneSnoop or send it disguised as another app, Symantec's Chien says. And the attacker has to configure it with his phone number so the app can recognize it and automatically engage the call and speakerphone. "Someone could take this concept and package it as a game, for example," to get the victim to install it, he says.
The call itself is relatively inconspicuous. "The chances of your seeing the call coming in are very [slim]. It's designed so that you won't hear the phone ring," Chien says. "Your chances of beating the app [to the call] are very low."
PhoneSnoop's creator, meanwhile, says his goal with the app was to raise awareness of this type of snooping vulnerability in the smartphone. Gunasekera says he plans to release a paper on how to protect against such a snooping attack. He also has released a tool aimed at detecting hidden programs and processes on the devices, called Kisses.
"I'm quite keen in driving up the awareness and also helping users protect themselves, so I'll be working on constantly updating both sets of tools, and they will be released free of charge," Gunasekera says.
But the problem isn't in the BlackBerry platform, he notes. "It's the users. The only way attacks like this can succeed is because people can be tricked or social-engineered. For example, I can release my application disguised as a game or a simple picture slide show/wallpaper downloader. While it appears harmless to a user, in reality it's actually spying on him," Gunasekera says. "Alternatively, I can physically install the tool on a phone."