Security Bytes

Feb 9 2010   2:20PM GMT

Spyware code targets BlackBerry users



Posted by: Robert Westervelt
Tags:
Application Security
mobile applications
mobile malware

Proof-of-concept code released by a security researcher could be tweaked for use on almost any device. Demonstrates need for caution with mobile applications.

A security researcher demonstrating some of the weaknesses in mobile devices has chosen to target Blackberrys with new proof-of-concept code that could be used to listen to conversations, view messages and track users of the device.

Tyler Shields, a senior researcher at application security testing vendor, Veracode, demonstrated his code at the Shmoocon hacker conference last weekend in Washington, D.C. The malicious application is not stealthy and doesn’t pose a major threat to users for now. It can view contacts and messages, listen to conversations and track the location of the device using its GPS system.

Shields and Chris Eng, Veracode’s senior director of security research said the project is purely educational. It demonstrates that a savvy attacker could develop a malicious application and if it passes the screening processes of an application store, could find its way onto user devices.

Eng wrote on the Veracode research blog:

Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort … We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World.

Called txsBBSpy, the code could be built into what appears to be an innocuous application. Once downloaded onto a device the application could quietly steal data, which could be sold on the black market. Applications that use stored data on a mobile device are required to ask permission, according to most OS maker terms and conditions.  Veracode also posted a video demonstration of the Blackberry spyware app.

In addition, OS makers, Apple, Symbian, Google Android and Research in Motion typically test applications for stability issues before making them available for download. Eng said the process poses a false sense of security for users because the applications rarely undergo security testing.

Tighter IT policies restricting users from downloading applications could significantly reduce the risk, but according to Shields, most enterprises have an “allow-all” policy. Enterprises can also reduce the risk by investigating applications themselves and then creating an approved list of applications for end-users, he said.

A number of spyware applications are being sold online. FlexiSpy must be manually downloaded onto a device, but once installed it can listen to conversations, log SMS and email messages and track a user.

In December, Google removed dozens of suspicious applications that had potential to steal banking credentials from users, from its Android Market online application store. Several banks and credit unions warned customers of the potential for fraud using the applications. The apps used the names of banks without permission and many security experts said it could have been used in a phishing scheme, though there were no reports of fraud.

1  Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • 1993
    Absolutely , that is article can be quite necessary to always be recommended to all or any those who have lived with this era. for the reason that from time to time in this way all people desires the presence of your understanding of technological innovation using many it has the develop. so that as having all things know-how also can end up being helped. [A href="http://itknowledgeexchange.techtarget.com/security-bytes/chinese-hacker-says-most-are-not-skilled-coders/#comments"]Chinese hacker says most are not skilled coders[/A] | [A href="http://genpocker.info/"]Hairstyles[/A]
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: