[Infowarrior] - BlackBerry Spyware Wasn’t Ready for Prime Time

Richard Forno rforno at infowarrior.org
Wed Jul 22 01:16:16 UTC 2009


Researcher: BlackBerry Spyware Wasn’t Ready for Prime Time
By Kim Zetter
July 21, 2009, 2:47 pm

http://www.wired.com/threatlevel/2009/07/blackberry-spyware/
A BlackBerry software upgrade in the Middle East that turned out to be  
an e-mail interception program was likely a buggy beta version of a  
U.S.-made surveillance product, according to an analyst who dissected  
the malicious code.

Sheran Gunasekera, who works as a security consultant in Asia,  
released a white paper examining the spyware. (.pdf) Gunasekera said  
the software had no protective measures to obfuscate it, making it  
easy to decompile and examine — an unusual flaw for a program designed  
for surreptitious interception.

What’s more, command messages sent to the BlackBerry to initiate and
halt interception can be transmitted to the device through e-mail or
BlackBerry’s proprietary PIN messaging system. But the PIN messages
are visible on the handheld’s screen for a fraction of a second when
they arrive, and copies of commands sent via e-mail appear in the
user’s inbox, either of which could conceivably alert an observant user to
suspicious activity. Gunasekera says the e-mail command function is
turned off by default, apparently because of this glitch.

The spyware came to light when Etisalat, a phone and internet service  
provider in the United Arab Emirates, pushed out a message to its more  
than 100,000 UAE BlackBerry subscribers on July 8, notifying them that  
they needed to install a “performance-enhancement patch” to their  
devices. Users complained that after installing the patch, the  
performance of their device degraded and the battery drained.

Another researcher named Nigel Gourlay was the first to examine the
code and report that it was spyware, designed to intercept a user’s
e-mail messages. The program appeared to be written by a U.S.-based
company named SS8, which markets surveillance tools to law-enforcement
and intelligence agencies. The company hasn’t responded to repeated
inquiries from Threat Level.

Etisalat has not responded directly to criticism that it abused the  
trust of customers by lying to them about the nature of the program.  
Lawful interception in the United States is generally done at the ISP  
level, not at the client level, although the FBI is allowed to install  
spyware on an individual suspect’s computing device after obtaining a  
warrant.

Research-in-Motion, which makes the BlackBerry, issued a statement  
saying that it did not authorize the upgrade and “was not involved in  
any way in the testing, promotion or distribution of this software  
application.”

The company has issued a free tool to help BlackBerry users remove the  
spyware from their phones.

Gunasekera said the SS8 spyware is designed to check whether it’s  
visible in the BlackBerry application folder every time the handheld  
is rebooted. If it is, it hides itself.

The spyware has limited functionality in its present form, because it  
intercepts only outgoing e-mail messages sent by the user, not  
incoming ones. It also doesn’t intercept instant messages, BlackBerry  
PIN messages, phone calls, SMS messages or Bluetooth, wireless or GPS  
data. Nor does it have the ability to be silently updated with a newer  
version of the program.

The performance degradation and battery drain were caused in part
by the program regularly polling every message folder for new
messages, which consumed processing power.

Gunasekera says now that the source code has been released, it can be  
easily modified by anyone and used to intercept messages from  
unsuspecting BlackBerry users who are tricked into installing the  
program.

“[T]here may be possibilities that other, less ethical groups, use  
this software to aid them in rapidly developing and deploying improved  
versions of the spyware,” he writes on his blog.

Gunasekera has provided a tool on his site to help users search their  
phones for this or other spyware. He has included source code for the  
tool, but Threat Level recommends consumers use the official tool  
provided by Research-in-Motion.
