DHS: PhoneSnoop app bugs BlackBerrys

The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) is warning BlackBerry users about a spyware program that allows attackers to turn a target's handset into a microphone that can be accessed remotely.

PhoneSnoop is a free, remote spying application designed for BlackBerry phones. The app works by intercepting phone calls from a predetermined 'trigger' number. When PhoneSnoop detects an incoming call from that number, it accepts the call and turns on the BlackBerry's speaker phone, effectively allowing the caller to listen in on the target's surroundings.

There are some very real limitations of this spying app: For starters, an attacker would need to have physical access to the victim's phone in order to install the app. PhoneSnoop also can't listen in on the victim's phone calls, and it leaves a conspicuous new program icon in the victim's app list.

Still, the alert serves as a useful reminder of the importance of maintaining proper physical security around the communications devices most of us depend upon. I am often asked about the threat to mobile phones from viruses and the sorts of spyware that typically assail PCs, and my response is always that the physical threat -- particularly the prospect of having your phone lost or stolen (however briefly) -- should be the user's primary concern.

PhoneSnoop was written and released by Sheran Gunasekera, a Sri Lankan programmer who heads the security division for Hermis Consulting, an Indonesian consulting firm that gets paid to conduct physical and network penetration tests for banks and telecommunications providers.

Gunasekera said he built PhoneSnoop as a proof-of-concept app, and as such it is not very stealthy. Still, he said, apps like PhoneSnoop could be silently bundled with other apps that the BlackBerry user wants to download, and could be set to run in the background without obvious notifications. BlackBerry apps also can be set so that they do not include program icons, or so that they simply don't show up in the list of running applications.

"BlackBerry is one of the most secure platforms out there, so what I wanted to do was highlight that even though you have a secure platform, in the end the user is probably going to be the weakest link," Gunasekera said.

PhoneSnoop isn't exactly new or feature-rich, but it is free. Applications like Flexispy and Mobile Spy can be used to intercept and relay a user's text messages, phone call logs and even GPS coordinates. Still, these other apps can cost between $250 and $300.

The BlackBerry does have some built-in defenses, if the user chooses to turn them on. As Symantec notes in its blog post about this app, you can require that a personal identification number (PIN) be provided before any apps can be installed. Also, a BlackBerry Enterprise Server can be configured to prevent applications from installing or running properly, and can remotely wipe a BlackBerry of any data should its owner lose or misplace the device.

Gunasekera added that he expects to soon release other applications to help users better secure their phones against snooping or theft. One free program he already released -- called Kisses -- can detect applications installed on a BlackBerry that have been designed to remain hidden (including programs like Flexispy).

By Brian Krebs  |  October 29, 2009; 12:45 PM ET
Categories:  Latest Warnings , Safety Tips , U.S. Government  | Tags: flexispy, mobile spy, phonesnoop, us-cert  

Comments

Another way that this can be used is by "leaving behind" a phone that has this app installed. Then when you leave the area, you can call it, and listen in on the conversations being done near the phone.

So let's say a husband wanted to hear what his wife was doing at home... he'd leave his phone home, and then call it to hear what's going on at home.

Or a salesman could "accidentally" leave the phone at his prospective customer's location, and when he leaves could call it, and then might hear a discussion about internal corp info.

Pretty scary

Posted by: awaybbl | October 29, 2009 3:19 PM

So anyone else getting an e-mail that purports to be from the Post that claims it's a newsletter called "Afternoon Buzz"? With subject "Since you read your morning paper…"

Every time I get one it has a different salutation, none of them, so far, being my name. Today it's "Dear CROXTON".

Naturally I've added a spam filter.

Posted by: wiredog | October 29, 2009 4:11 PM

Was going to write BK a note (apparently he has me blocked or his spam filter thinks I'm x-rated {:-P) about an AP story that broke earlier this evening. The AZ Supreme Court ruled that "Meta Data" in Public Records is itself a Public Record and must be disclosed upon request.

So then I read this ...

I have lots of questions ... Is a Public Record created in real time ? If you packet-ize audio, for compression or whatever, is it then a document piece ?

This could cause some real suitability problems for some professions and they don't call them 'CrackBerrys' because of the color. If you're a non-addict, it should be fun to watch.

Posted by: gannon_dick | October 30, 2009 2:43 AM

"There are some very real limitations of this spying app... it leaves a conspicuous new program icon in the victim's app list."

Sure, but anyone with physical access to the device to perform the install can hide the icon. Most users don't know the Hide function exists and only learn of it when a favorite icon goes missing.

Posted by: mythril43 | October 30, 2009 3:02 PM

@mythril43,

I'd even bet that Mr. Gunasekera knows how to inject the right key stream to autohide the icon.

Posted by: awaybbl | October 31, 2009 10:28 AM


© 2010 The Washington Post Company