A security researcher demonstrated a spyware program at the ShmooCon conference on Sunday that is capable of intercepting and recording text messages, emails, Web traffic and other data sent to and from BlackBerry devices.
Tyler Shields, a senior security researcher at Veracode, showed a demonstration of a program called txsBBSPY, which uses no vulnerabilities or exploits to do its work and is simply a legitimate application written for the BlackBerry. The application has the ability to access and dump the BlackBerry’s contacts, email messages, phone logs, the device’s current location and the recording made by the BlackBerry’s microphone.
It also can continuously monitor both incoming anf outgoing SMS messages, monitor connected and disconnected calls and track the device’s GPS coordinates in real time. The application supports a number of communication protocols, including HTTP, UDP, SMS and email, and can be controlled remotely via simple commands.
Shields has released the source code for txsBBSPY, as well as a slide deck with a detailed technical description of the application.
In a blog post on the Veracode site, Chris Eng says that it was unnecessary to try and plant txsBBSPY in the BlackBerry App World store, simply because BlackBerry users can install applications from anywhere, unlike iPhone users.
“Our goal was to demonstrate how BlackBerry applications can access and
leak sensitive information, using only RIM-provided APIs and no
trickery or exploits of any sort. We make no assumptions about how the
malicious application will be installed on the phone, and we haven’t
attempted to sneak a malicious application into BlackBerry App World.
BlackBerry apps can be installed from any location, plus, there are so
many examples of malware slipping through the screening processes of
the various app stores (Apple, Symbian, Android,
etc.) that we didn’t find it necessary to prove the point again. To
some degree, official app stores give users a false sense of security
because people will assume that everything in the store must be trustworthy,” Eng wrote.
The application was built using the controlled APIs that Research In Motion, the BlackBerry’s maker, makes available to developers. In order to sign a BlackBerry application developed using these APIs, the developer has to apply for the signing keys and pay a small fee. Once he has the keys, he can sign the application and a hash of the code is sent to RIM. However, RIM doesn’t get the full source code of the application.
From there, once the user installs txsBBSPY, the remote owner of the application has a direct line into the user’s BlackBerry device. In order to defend against this kind of attack, users could change the application permissions on their BlackBerrys to restrict what data applications have access to, Eng writes. IT staffs also could set up policies to prevent users from installing unapproved third-party applications.
“Finally, it should be noted that while we chose BlackBerry for our
proof-of-concept, this is not just a BlackBerry problem. All mobile
platforms provide similar mechanisms for writing applications that have
access to the user’s personal, potentially sensitive information,” Eng writes.
In a statement, RIM said it was important to understand that installing apps such as txsBBSPY requires user interaction.
“Applications containing spyware cannot be installed on
a BlackBerry smartphone without the user’s explicit consent unless of course
someone else gains physical possession of the user’s device along with
knowledge of any enabled password. Although it is important for users of all
types of computers and mobile devices to always exercise caution before
downloading apps, it is also important to understand the context in which the
risk of this spyware was described at the conference on Sunday and that the
spyware app cannot simply install itself stealthily on to a user’s device.
Further, a user can review and confirm the list of installed apps on their
device by looking in the ‘Options’ area at any time.”
