[catseyenu]

After reading the CERT Warning regarding the P.O.C. PhoneSnoop, I ran across Kisses in the PhoneSnoop author's comments.
Is anyone familiar with the author & his work, is this company considered trust worthy?
I would hate to see anyone installing rogue "security software" especially myself.

[catseyenu]

Looks like Brian Krebs from the Washington Post covered the author to some degree..

Security Fix - DHS: PhoneSnoop app bugs BlackBerrys

/still digging..

[berryite]

Looks like Brian Krebs from the Washington Post covered the author to some degree..

Security Fix - DHS: PhoneSnoop app bugs BlackBerrys

Interesting. But it appears this is not a threat unless someone gets their hands on your phone without your permission and you ignore the icon PhoneSnoop leaves in your application profile.

[SplinterCell]

The developer of "Kisses" was questioned hard and left speechless HERE. The scamster and developer of "Kisses of Death" was trying to debate the issues and was just plain-out, shut-up and busted! I would stay far away from Kisses, it's a trap!


Regards,
Chris

[DH350nWo]

Kisses installs PhoneSnoop on your phone. This topic was covered about 2 weeks ago but the mods removed the thread.

Posted from my CrackBerry at wapforums.crackberry.com

[catseyenu]

Interesting. But it appears this is not a threat unless someone gets their hands on your phone without your permission and you ignore the icon PhoneSnoop leaves in your application profile.

You know, that's what got my attention.. I let someone I don't know use my phone last night because "their battery was dead".
He was in sight the whole time and it looks like he made 2 call to the same number but being the suspicious creature that I am I started wondering if and OTA install could be accomplished with a simple phone call.

/I'm not paranoid, I'm just drawn this way.

Edit: Also I saw some discussion on hiding the icon and or code injection.

[catseyenu]

The developer of "Kisses" was questioned hard and left speechless HERE. The scamster and developer of "Kisses of Death" was trying to debate the issues and was just plain-out, shut-up and busted! I would stay far away from Kisses, it's a trap!

That may be your take but I see it a little differently.

[SplinterCell]

Well, please explain to myself and others how you see it.

[catseyenu]

Double post?

[catseyenu]

After a little research I found not only Brian Krebs at the Washington Post's even handed discussion of the author and his tools, Sheran Gunasekera was also interviewed by Dark Reading as well as by PCWorld.
He explains in his blog how PhoneSnoop came about after his presentation of Bugs at the Hack In The Box (HITB) security conference as a promise to other security researchers.
I even went so far as to contact Brian Krebs, who I've had the pleasure of dealing with on several occasions in the past, who shared his surprise at the reception Sheran received from some of the BB forums.
My findings in short, Sheran Gunasekera is a valid & known security researcher who has been kind enough to develop and share a legitimate Blackberry security application with the community.

[SplinterCell]

I'm still not installing Kisses; however, you have explained this in a way that Sheran could not. Even after reading his rant and most everything that I researched prior gave me every reason not to trust him. Even after multiple Google searches, Bryan's write-up and the US-CERT warning it was all grounds to raise the red flag.

It's you actually contacting Brian Krebs that has me thinking that I may be wrong about Sheran. Still not interested in any Kisses, but nevertheless, I may have held the wrong opinion.

I am still a lottle confused as to why he's asking for donations to purchase Flexispy and MobileSpy; when he says Kisses already detects them?


Nice homework,
Chris

[catseyenu]

I am still a lottle confused as to why he's asking for donations to purchase Flexispy and MobileSpy; when he says Kisses already detects them?

I'm not privy or up to date on the time line of requests and needs of Sheran but it's not unusual at all to make resource requests for research purposes.
Also, these types of programs are known to change to avoid detection.
Keeping up with the latest variants can be an expensive "hobby".
I've seen more than one Anti-malware company go udders vertical trying to keep up.

[ronin2046]

Oh ****! I installed Kisses before reading this thread, but I uninstalled it.

Is my BB compromised?

[catseyenu]

Oh ****! I installed Kisses before reading this thread, but I uninstalled it.

Is my BB compromised?

Did you read the entire thread?
No, you're not compromised.
Even Symantec states

We’d consider this application just a proof of concept for a variety of reasons, including the author himself designing it as such:

[ronin2046]

Did you read the entire thread?
No, you're not compromised.
Even Symantec states

Yeah, I figured it didn't do any harm.

[catseyenu]

Looks like InfoWorld has a write up on Kisses.

Poisoned BlackBerry phones cured with 'Kisses' | Security Central - InfoWorld

[davidnc]

I don't trust the developer of this app. Just my opinion ! I have researched it in depth as well as followed on CB.

[griffin.ge]

I'm not sure I fully understand. If Kisses is such a controversial application, and possibly a piece of spyware, why did CB showcase it in the app roundup blog? Some people say that it actually installs the phonesnoop application, but aren't the file sizes completely different for the two separate apps?

I haven't really researched it like some others have, which is why I'm just asking. But can anyone actually show proof that Kisses is actually a compromising piece of spyware? I'm a little nervous because I installed it a little while ago, but have since deleted it. idk....