Is Your BlackBerry App Spying on You?

[UPDATE, 2/10/2010: We've written a follow-up blog post to address some of the questions and misconceptions we've been seeing.]

Tyler Shields gave a presentation earlier today at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smart phones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an appropriate time to raise awareness of what these applications are capable of.

Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort. We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World. BlackBerry apps can be installed from any location, plus, there are so many examples of malware slipping through the screening processes of the various app stores (Apple, Symbian, Android, etc.) that we didn’t find it necessary to prove the point again. To some degree, official app stores give users a false sense of security because people will assume that everything in the store must be trustworthy.

Here’s a video that demonstrates the features of Tyler’s proof-of-concept spyware. We show how it can be used to dump contacts and messages, intercept text messages, eavesdrop on the room, report on phone usage, and monitor GPS data. To view this in HD resolution, click through to Vimeo and use full screen mode for best results.


We’re also releasing source code. As far as we know, this is the first public release of source code that demonstrates such a broad range of malicious functionality on a BlackBerry device. Code reviewers and security practitioners can use it as an educational resource to help them recognize malicious behavior and understand the specific risks introduced. This is an important educational asset for those of us working to create more secure software. As for the bad guys, it would be naive to think that they don’t already know how to do this stuff. The code doesn’t go out of its way to be stealthy; in fact, it’s quite the opposite (by design).

Here are the goods:

Slides: Blackberry Mobile Spyware — The Monkey Steals the Berries
Source: txsBBSpy.java

So how can users protect themselves? There are a few places to defend against malware of this nature.

  1. Users can configure their default application permissions to be more restrictive. This way, if an application tries to use an API that accesses the user’s email or contact list, the OS will ask for permission. Avoid granting applications “trusted application” status, which grants untrusted applications additional privileges. Tyler’s slide deck shows the default and trusted permission sets in more detail.
  2. Corporations using a BlackBerry Enterprise Server can configure their IT policies to prevent their users from installing third-party applications, or to whitelist certain approved applications (but brace yourself for the backlash).
  3. BlackBerry App World could introduce a rigorous security screening process that submitted applications must pass in order to be listed in the store.

If app stores don’t provide any security testing, the risk reduction responsibility falls to the enterprise. We recommend creating an approved list of applications that have undergone security testing.
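As an added illustration of the reviewer-side triage implied above (this is not code from the post or from Veracode), the script below scans a BlackBerry application's Java source for imports of the API families that reach contacts, messages, GPS, the microphone and phone activity, and flags the spyware pattern of data collection plus a network channel. The package-to-capability mapping is an illustrative assumption, not RIM's own list, and the sample source is constructed, not the released txsBBSpy.java.

```python
import re
from collections import defaultdict

# Illustrative mapping (assumption, not RIM's own list) from API packages to the
# kinds of data the proof-of-concept reaches. Matching is by package prefix.
SENSITIVE_APIS = {
    "javax.microedition.pim": "contacts/calendar (PIM)",
    "net.rim.blackberry.api.pdap": "contacts/calendar (PIM)",
    "net.rim.blackberry.api.mail": "email messages",
    "javax.wireless.messaging": "SMS send/intercept",
    "javax.microedition.location": "GPS location",
    "javax.microedition.media": "audio capture (microphone)",
    "net.rim.blackberry.api.phone": "phone call activity",
    "javax.microedition.io": "network/exfiltration channel",
}

IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\s*;", re.MULTILINE)

def review_source(java_src):
    """Map each sensitive capability to the imported classes that reach it,
    so a reviewer knows which permission prompts matter for this app."""
    findings = defaultdict(set)
    for fq in IMPORT_RE.findall(java_src):
        for prefix, capability in SENSITIVE_APIS.items():
            if fq == prefix or fq.startswith(prefix + "."):
                findings[capability].add(fq)
    return {cap: sorted(classes) for cap, classes in findings.items()}

def risk_summary(java_src):
    """Collection APIs plus a network channel is the spyware shape to escalate."""
    hits = review_source(java_src)
    collects = {c for c in hits if "exfiltration" not in c}
    exfil = any("exfiltration" in c for c in hits)
    return {"collects": sorted(collects), "can_exfiltrate": exfil,
            "spyware_pattern": bool(collects) and exfil}

# Constructed sample input, not the released txsBBSpy.java source.
SAMPLE = """
import javax.microedition.pim.PIM;
import javax.microedition.pim.ContactList;
import javax.microedition.location.LocationProvider;
import javax.wireless.messaging.MessageConnection;
import javax.microedition.io.Connector;
import net.rim.device.api.ui.UiApplication;
"""

if __name__ == "__main__":
    for cap, classes in review_source(SAMPLE).items():
        print(f"{cap}: {', '.join(classes)}")
    print(risk_summary(SAMPLE))
```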

Finally, it should be noted that while we chose BlackBerry for our proof-of-concept, this is not just a BlackBerry problem. All mobile platforms provide similar mechanisms for writing applications that have access to the user’s personal, potentially sensitive information. As consumers become increasingly dependent on their mobile devices, we are certain to see an uptick in the volume and sophistication of mobile malware.


pligg.com | February 8, 2010 7:15 am

Zero in a bit » Is Your BlackBerry App Spying on You?…

App (plus source) that allows a malicious party to “dump contacts and messages, intercept text messages, eavesdrop on the room, report on phone usage, and monitor GPS data.” Cool….

Marc Ruef | February 8, 2010 5:47 pm

Hello,

Great work: Very nice concept and a solid implementation!

I am going to publish an analysis of the Java source code you have released. It is planned to be published at the end of the week on our company's research blog: http://www.scip.ch/?labs (in German only)

The first sighting of your code has shown some minor defects: In switch(c) you are defining in "case {21-28}" the extraction method. Listed is "case 28" as for EXFIL VIS DNS. But earlier "if (cmd.equals((String)"TXSEXFILDNS")) c = 28;" seems to be missing.

Furthermore C = 35 seems to be a black hole. Are you willing to share if there was a feature which did not make it in the public release?

Anyway, keep up the great work!

Regards,

Marc

Tyler Shields | February 9, 2010 11:32 am

@Marc Ruef

Great catch ;) There is indeed a removed feature in that location of the code. Consider it a preview of additional things to be released at Source Boston conference in April.

Also for anyone else having a look through the code please feel free to send me any and all bugs. I’m not a full time developer and there is sure to be additional bugs in the code that need fixing.

Cheers and thanks!

–Tyler

not impressed | February 9, 2010 12:40 pm

well, I suppose if you hadn’t published it with the ‘spy’ and ‘security’ angle 80% of the people reading this wouldn’t… cheap shot at painting features as holes – lame and insulting!

Week 6 in Review – 2010 | Infosec Events | February 15, 2010 1:04 am

[...] Is Your BlackBerry App Spying on You? – veracode.com A demo on how BlackBerry apps can access and leak sensitive info using only RIM-provided APIs and no exploits of any sort. [...]

dario | August 8, 2010 3:31 pm

Hi,

Maybe it's too late and the code has already been updated, but with regards to Marc's comments, I'm afraid there is no DNS exfiltration implementation. It's possible that Tyler was thinking of removing that feature as well.

Regards!

Darío.

Antair Blog | November 3, 2010 5:53 pm

[...] the demo at the Veracode [...]

James Aaron | October 21, 2011 3:52 pm

Is there any chance that this kind of spying app could install something malicious to my phone?

http://phonetapping.org

I want to try the location abilities, but don’t want my iPhone screwed up beyond recognition.

Thanks.
