[Daniel.Black]

According to an article over at NetworkWorld, spyware writer Tyler Shields with Veracode Research Lab, has released spyware source code (TXSBBspy) which is essentially a blueprint on how to develop spyware for the BlackBerry. He calls the source code a blueprint for malware on the BlackBerry, showing how it’s possible to remotely dump all the contents, send the contents via e-mail, and conduct real-time monitoring of phone messages.

His reasoning is that by doing this it will open everyone's eyes to the very real threat that exists with embedded spyware in applications.

“The Blackberry ‘sandbox’ keeps you from getting into the operating system level. It’s effective for that,” says Tyler Shields, senior researcher at Veracode Research Lab and author of the Blackberry spyware. “BlackBerry is one of the better operating systems in regards to security,” he says, “but in the sandbox you can steal data.”

The source code released apparently shows how easy it is for a developer to code malware into their application which then can harvest emails and personal information and send it on to the third party, unbeknownst to the BlackBerry owner.



[source: NetworkWorld]

[JRSCCivic98]

Nice find... as I said before... everything is hackable. I haven't read the full article yet, but there's no doubt that some of this will require at least some form of social engineering to implement, which is how most stuff needs to happen now anyway.

I think it's safe to say that Blackberry users have always had the "Mac Mentality" when it comes to how safe they are.... and we all know there's threats for a Mac, if hackers and devs are bothered enough to spend time developing for said platform.

Never doubt what a person's mind can do... it's by far a much better CPU and OS then any machine out there currently.

[Shao128]

Anybody spending 5 minutes of browsing through the API docs has figured this out. The article makes it sound as if it was some big secret. JRSCCivic98 is correct though, it requires social engineering, the user has to install the app themselves and grant it trusted status, not to mention the additional prompts when the app tries to set a listener for the first time.

[belfastdispatcher]

LOL, is BES not the biggest spyware there is? Any spyware in bis needs a certain degree of user error to work, don't download anything you are not sure of.

Posted from my CrackBerry at wapforums.crackberry.com

[Xopher]

Unlike the iPhone SMS hack that was out last summer, this one would need an app installed on the BB to work.

If I remember correctly, each app that uses RIM's secure APIs need to be signed. This would give RIM a way to track down who wrote the app, or at least to whom they designated the API keys. That's not saying someone couldn't get the keys and do this, but that there would at least be a trail to follow for finding the malicious programmer.

[catseyenu]

This is pretty cool from a technical standpoint, not so cool if it happens to you.
No, it's not new but it is informative & helps to raise awareness on the native api calls and app permissions.
CNET is covering this as well.

BlackBerry has spyware risk too, researcher says | InSecurity Complex - CNET News

Good video demo:

TXSBBSpy Demo on Vimeo

[JRSCCivic98]

Unlike the iPhone SMS hack that was out last summer, this one would need an app installed on the BB to work.

If I remember correctly, each app that uses RIM's secure APIs need to be signed. This would give RIM a way to track down who wrote the app, or at least to whom they designated the API keys. That's not saying someone couldn't get the keys and do this, but that there would at least be a trail to follow for finding the malicious programmer.

So did the iPhone SMS hack. It only worked on Jailbroken iPhones where the user happened to leave SSH running on the handset.

[Xopher]

So did the iPhone SMS hack. It only worked on Jailbroken iPhones where the user happened to leave SSH running on the handset.

So ,there we go.

[mtv.fan]

There's nothing "hacked" here. They simply made a program that uses the API and if a person is stupid enough to install it, then the program is running correctly. It would be the same as SmrtGuard.

The person who installed it clicked "Allow" on the screen that gave the program access to this data.

The user is at fault, not the BlackBerry. BlackBerry has security features built in in their IT Policy to block people from doing such dumb things as well.

[N E O]

As far as I no, BlackBerry will always ask a users permission once installing anything. Thats what I love

[djackson02]

Anything is hackable it's only a matter of time, now some will have to be more careful with downloads