1. sloman's Avatar
    Hello. I am currently working on an academic white paper in regards to cell phone spyware. Maybe someone on this site can assist me. I would like to know if:

    1. Anyone has found spyware on their Blackberry, and if so,
    2. Which program (bug) was it (ie: Flexispy, Mobile spy, etc)? and...
    3. How did you eliminate it?

    If you would like to chat off line about your discoveries, please write me at tom@cellularforensics.com

    All info will be kept confidential. I currently am testing different spyware programs on my own phones but I would like to know what others have found and/or used on theirs. Again, this is purely for academic studies.

    Many thanks
    Tom
    Cellular Forensics, LLC
    12-27-08 05:27 PM
  2. Reed McLay's Avatar
    This will be very interesting. If malware is loose, the odds are good it will be reported here.

    To the best of my knowledge, it only exists as installable root kit applications. They are Trojans, but no infectious virus in the wild.
    12-27-08 05:45 PM
  3. sloman's Avatar
    FlexiSpy purports itself to be able to bug a BlackBerry. I have yet to test it, but I have seen a news report (video) where they actually used FlexiSpy on a Win Mo phone and it worked.
    12-27-08 06:11 PM
  4. Branta's Avatar
    If there's a Java oriented version it could work on a BlackBerry. The difficult tasks would be getting it installed without alerting the user, and getting any necessary permissions for the application (code signing and traceability).

    At this stage the smart money is all saying silent/unassisted install is not practical on current BlackBerry devices, so it would need either social engineering or piggybacked as a corrupted install for a legitimate product.

    IMO there is very high risk behavior by some CB users with the fanatical chase for the latest leaked beta OS usually found as an anonymous upload on a third party hosting server. Beer-bet says most of the chasers don't/can't check what they are installing, or whether the install is still pure. Even more dangerous, some users have posted links to cracked OS files to remove provider (SIM) locks, so rootkit and anything else are a clear possibility. The thread is still around here if you know where to search.
    12-27-08 08:23 PM
  5. UncleMike's Avatar
    > If there's a Java oriented version it could work on a BlackBerry. The difficult tasks would be getting it installed without alerting the user, and getting any necessary permissions for the application (code signing and traceability).
    >
    > At this stage the smart money is all saying silent/unassisted install is not practical on current BlackBerry devices, so it would need either social engineering or piggybacked as a corrupted install for a legitimate product.
    >
    > IMO there is very high risk behavior by some CB users with the fanatical chase for the latest leaked beta OS usually found as an anonymous upload on a third party hosting server. Beer-bet says most of the chasers don't/can't check what they are installing, or whether the install is still pure. Even more dangerous, some users have posted links to cracked OS files to remove provider (SIM) locks, so rootkit and anything else are a clear possibility. The thread is still around here if you know where to search.

    Even the most intense security measures are no match for the greatest security threat to any electronic device - a careless end user. (My original comment said something else, but apparently there is a filter somewhere that objected to my description of the end user's mental capacity.)
    Last edited by UncleMike; 12-28-08 at 08:52 AM.
    12-28-08 08:50 AM
  6. Branta's Avatar
    You could probably omit "careless".

    Hint... the filter has the same mental capacity as some of the users. You can't say i-diot but you can have idiots. However, references to male genitalia are fairly efficiently scrubbed and the mods are (rightly) enthusiastic about catching deliberately mis-spelled variations.
    12-28-08 09:02 AM
  7. Shao128's Avatar
    > Even the most intense security measures are no match for the greatest security threat to any electronic device - a careless end user.

    I completely agree there. The BlackBerry for example will always prompt when an application initially asks for permission to access certain features of the OS (SMS, call log, GPS etc). If spyware were to even get on the device the user would have to grant the application permission to do anything of any real damage. Also it's very unlikely the spyware would be signed, so that would pop up another message when it's installing.
    12-28-08 11:27 AM
  8. sloman's Avatar
    Thank you everyone. I agree with you all in regards to the careless user! I have gotten calls from A LOT of paranoid cell users. But one especially troubling is a lady who is being stalked in another state. She has a 'stalker' that has access to her SMS messages and sends them to her friends showing what he is capable of doing. When she uses another phone, it stops. When she goes back to the 8320, it starts up again. The police have no clue how to handle this.
    Any thoughts? I have walked her through her phone while on the phone with her and she has nothing in the apps to show a foreign app.
    Any wisdom would be greatly appreciated!
    Tom at Cellular Forensics, LLC
    12-28-08 04:57 PM
  9. Shao128's Avatar
    Some providers allow you to check txt messages online. All he would need then is her password to get in.

    Posted from my CrackBerry at wapforums.crackberry.com
    12-28-08 05:54 PM
  10. Branta's Avatar
    > Thank you everyone. I agree with you all in regards to the careless user! I have gotten calls from A LOT of paranoid cell users. But one especially troubling is a lady who is being stalked in another state. She has a 'stalker' that has access to her SMS messages and sends them to her friends showing what he is capable of doing. When she uses another phone, it stops. When she goes back to the 8320, it starts up again. The police have no clue how to handle this.
    > Any thoughts? I have walked her through her phone while on the phone with her and she has nothing in the apps to show a foreign app.
    > Any wisdom would be greatly appreciated!
    > Tom at Cellular Forensics, LLC

    This is easy. Back up the PIM data, then blow away the OS completely and install a clean OS, using a known clean PC host (one she's never been near before). There are excellent guides in our FAQ section, and if you need a consult with good references - Reed McLay (in this thread) wrote half of the guides.

    Configure the phone to use Content Protection (encryption) and with a good password on auto-lock. Don't enable Bluetooth, and train user to keep physical control at all times.

    DON'T restore any of the electronic PIM data yet - load critical contact info manually, and see how it goes. If PIM data is essential, launder it out from outlook into CSV then back - this should reveal anything hidden in there.

    Keep third party apps to an absolute minimum. Ideally None until the phone is proved secure.

    On the BIS website for her accounts, again using a known safe computer, change the password for the BIS config account, and also for each mailbox used. (Make the relevant changes at the mailboxes first) Also check the config of every BIS email setup to make sure no unexpected copies or forwarding are generated.

    Now suspect Her Computer, and probably a backdoor which allows remote access to her backups from the Blackberry. (assume she was a Good Girl and did daily backups to PC). The backed up data would have copies of all her PIM data and messaging traffic, including in/out SMS which was still stored on the phone at the time of backup.

    If problems are suspected to come through her PC at any stage this might also be due for the Big Reinstall. I'd put this as the most likely vector for either invasion into the phone, or direct monitoring of the PC. (This might be a good way to trace the offender, spyware always leaves an IP trail of some kind). Also check the cable modem or DSL router for DNS poisoning, that has been a problem recently - mostly when left on guessable or default passwords for configuration.

    Good Luck, it sounds like an interesting and deserving challenge
    12-28-08 06:09 PM
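    Branta's "launder it out from Outlook into CSV then back" step, as an added example (not Branta's code and not anything from CrackBerry or RIM): a small Python audit that reads an exported contacts CSV, flags any cell carrying non-printing characters, markup or URLs, and re-emits a scrubbed copy for re-import. The sample CSV rows, the column names and the 512-character size threshold are constructed for illustration and are assumptions, not values from the thread.

```python
import csv
import io
import re
import unicodedata

# Constructed sample export in the shape Outlook writes contacts to CSV.
# The third row carries anomalies of the sort a CSV round-trip is meant to
# surface: a zero-width character, HTML with a link, and a control byte.
SAMPLE_CSV = (
    "First Name,Last Name,Mobile Phone,E-mail Address,Notes\n"
    "Alice,Example,+15555550100,alice@example.invalid,Met at conference\n"
    "Bob,Example,+15555550101,bob@example.invalid,\n"
    "Carol,Example,+15555550102,carol@example.invalid,"
    "\"\u200bsee <a href='http://example.invalid/x'>this</a>\x07\"\n"
)

TAG_RE = re.compile(r"<[^>]+>")            # anything that looks like a tag
URL_RE = re.compile(r"https?://", re.IGNORECASE)
ALLOWED_CONTROL = {"\t", "\n", "\r"}        # harmless whitespace controls


def field_findings(value, max_len=512):
    """Return the reasons (possibly none) this one cell deserves a look."""
    reasons = []
    cats = {unicodedata.category(ch) for ch in value if ch not in ALLOWED_CONTROL}
    if "Cc" in cats:
        reasons.append("control character")
    if "Cf" in cats:
        reasons.append("zero-width/format character")
    if TAG_RE.search(value):
        reasons.append("embedded markup")
    if URL_RE.search(value):
        reasons.append("embedded URL")
    if len(value) > max_len:          # assumed threshold for a "notes" blob
        reasons.append("oversized field")
    return reasons


def audit_contacts(csv_text, max_len=512):
    """Walk every cell; return (data_row_number, column, reason) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row_no, row in enumerate(reader, start=1):
        for column, value in row.items():
            for reason in field_findings(value or "", max_len):
                findings.append((row_no, column, reason))
    return findings


def scrub_field(value):
    """Drop markup and non-printing characters; keep the visible text."""
    value = TAG_RE.sub("", value)
    return "".join(
        ch for ch in value
        if ch in ALLOWED_CONTROL or unicodedata.category(ch) not in ("Cc", "Cf")
    )


def launder_contacts(csv_text):
    """Re-emit the CSV with every cell scrubbed; returns the new CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({k: scrub_field(v or "") for k, v in row.items()})
    return out.getvalue()


if __name__ == "__main__":
    # Review the findings by hand before importing the scrubbed file back.
    for row_no, column, reason in audit_contacts(SAMPLE_CSV):
        print(f"row {row_no}, {column}: {reason}")
    print(launder_contacts(SAMPLE_CSV))
```

    Run it against the real export instead of SAMPLE_CSV; the point of the audit pass is that a human reads the flagged rows before anything goes back onto the wiped phone, since the scrubbed copy keeps only visible text and quietly drops whatever was hidden.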
  11. Branta's Avatar
    Just a thought... If the user with stalker is on a BES (company) system everything can be monitored by the BES admins. That could be a source of the stalking, and could also provide logs to identify the stalker.
    12-28-08 06:19 PM
  12. sloman's Avatar
    Again, many thanks to everyone who responded.
    Victim advised me that she called TMobile and they assured her that the SMS messages do not get housed on their site (server?). That's why we did not suspect him of getting it through TMobile.

    It's like it's all in that phone. That seems to be where the problem lies.
    Now I will see about installing a clean new OS in her phone.
    I really appreciate the help. Oh and for the record, I am NOT making a dime off this client. She called me and I've been banging my head against the wall trying to figure out how to help her.
    12-28-08 06:22 PM
  13. sloman's Avatar
    Branta, you're saying that if he works with her, it's possible? Wouldn't that be the only way to get in through the BES?
    12-28-08 06:24 PM
  14. Branta's Avatar
    > Branta, you're saying that if he works with her, it's possible? Wouldn't that be the only way to get in through the BES?

    Others here know BES better than me, but my understanding is that a BES admin has absolute access to monitor all traffic coming through the server from mobile devices. The latest builds are like God's Gift to a spook, everything is accessible to be monitored if the admin wants to look. Just about the only thing not recorded to the BES server is the voice content of calls.

    As far as monitoring the server side, hands-on is certainly possible. For remote access (not at the server keyboard) I have no idea but considering they are Windows boxes, and admins are as human as the rest of us - backdoors, official or unofficial remote access software, and compromised passwords are still in the melting pot.

    That doesn't mean the current BES admin(s) is/are the only suspect. If the admin is ruled out as the perp they may find a trail to indicate others have been snooping where they should not have been.

    If the victim is on a BES system it certainly makes the hunt easier than with a private user on BIS. It certainly provides a static and much more manageable pool of initial suspects - although this may be a little unsettling for the victim to consider.
    12-28-08 07:48 PM