Posted by: Robert Westervelt
Application Security, mobile applications, mobile malware
Proof-of-concept code released by a security researcher could be tweaked for use on almost any device. Demonstrates need for caution with mobile applications.
A security researcher demonstrating some of the weaknesses in mobile devices has chosen to target Blackberrys with new proof-of-concept code that could be used to listen to conversations, view messages and track users of the device.
Tyler Shields, a senior researcher at application security testing vendor, Veracode, demonstrated his code at the Shmoocon hacker conference last weekend in Washington, D.C. The malicious application is not stealthy and doesn’t pose a major threat to users for now. It can view contacts and messages, listen to conversations and track the location of the device using its GPS system.
Shields and Chris Eng, Veracode’s senior director of security research said the project is purely educational. It demonstrates that a savvy attacker could develop a malicious application and if it passes the screening processes of an application store, could find its way onto user devices.
Eng wrote on the Veracode research blog:
Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort … We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World.
Called txsBBSpy, the code could be built into what appears to be an innocuous application. Once downloaded onto a device the application could quietly steal data, which could be sold on the black market. Applications that use stored data on a mobile device are required to ask permission, according to most OS maker terms and conditions. Veracode also posted a video demonstration of the Blackberry spyware app.
In addition, OS makers, Apple, Symbian, Google Android and Research in Motion typically test applications for stability issues before making them available for download. Eng said the process poses a false sense of security for users because the applications rarely undergo security testing.
Tighter IT policies restricting users from downloading applications could significantly reduce the risk, but according to Shields, most enterprises have an “allow-all” policy. Enterprises can also reduce the risk by investigating applications themselves and then creating an approved list of applications for end-users, he said.
A number of spyware applications are being sold online. FlexiSpy must be manually downloaded onto a device, but once installed it can listen to conversations, log SMS and email messages and track a user.
In December, Google removed dozens of suspicious applications that had potential to steal banking credentials from users, from its Android Market online application store. Several banks and credit unions warned customers of the potential for fraud using the applications. The apps used the names of banks without permission and many security experts said it could have been used in a phishing scheme, though there were no reports of fraud.