UAE spying on citizens through an Etisalat BlackBerry update?


Etisalat, the carrier responsible for bringing the BlackBerry solution to the United Arab Emirates, released a highly suspect "official" update. A member of the official support forums did some detective work and found suspicious code in it. According to the user:

“Blackberry subscribers for Etisalat (one of the official service providers in the UAE) received a WAP Push to download a JAR named “registration”

The description of the “update” was as follows:

“Etisalat network upgrade for Blackberry service. Please download to ensure continuous service quality.”

I called the operator’s hotline inquiring about the update, and they confirmed it’s an “official” update meant to fix the network instability users experienced over the last few weeks, which caused email and BBM delays. But anyone with two functional brain cells would imagine such an update/fix would be done on the network side, rather than with an obscure piece of code pushed to client handsets as a WAP Push instead of a service book.

Out of curiosity, I downloaded, unpacked and decoded the file, and can’t help but feel something is fishy here.

Following is a list of the class files within registration.jar:

/Interceptor.class
/Registration.cod
/Registration.csl
/Registration.cso
/META-INF/MANIFEST.MF
/com/ss8/interceptor/app/Commands.class
/com/ss8/interceptor/app/Transmit.class
/com/ss8/interceptor/app/MsgOut.class
/com/ss8/interceptor/app/Log.class
/com/ss8/interceptor/app/Main$1.class
/com/ss8/interceptor/app/StatusChange.class
/com/ss8/interceptor/app/Send.class
/com/ss8/interceptor/app/Main.class
/com/ss8/interceptor/app/Recv.class
/com/ss8/interceptor/app/Constants.class
/com/ss8/interceptor/tcp/smtp/SMTPHeader.class
/com/ss8/interceptor/tcp/smtp/SMTP.class
/com/ss8/interceptor/tcp/HTTPDeliver.class
/com/ss8/interceptor/tcp/SocketBase.class

I put up the original JAD/JAR/COD File along with the unpacked classes and decoded ones in one zip file at http://iihs.net/registration.zip and attached it here for those interested in having a look.

There are interesting references in the software to alternate APN, as well as some BB PINs to relay certain messages through. The whole thing seems VERY fishy.

Any Java developers out there willing to take a look as well and help me make sense of this?”
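The forum post above lists the class files inside registration.jar and mentions strings referring to an alternate APN and BlackBerry PINs; the comments below paste raw `strings`-style output from Transmit.class and the .cod. A practitioner triaging such a push would rather walk the JVM constant pool of each .class entry properly, since `strings` on a class file drops short entries and merges neighbours. The script below is an added example written for this page, not the poster's tooling and not Etisalat's or SS8's code. It opens a JAR as a zip, extracts every CONSTANT_Utf8 entry from each class file (handling the two-slot Long/Double quirk), and flags URLs, IPv4 addresses, e-mail addresses, RIM crypto API references and bare alphanumeric constants of exactly an AES key length. The sample JAR it builds is constructed in memory from strings reported on this page; the class body around them is a minimal stub, not the real Transmit.class.

```python
"""Offline triage of a suspicious J2ME/BlackBerry JAR such as registration.jar.
Added example for this page; not the forum poster's, Etisalat's or SS8's code."""
import io
import re
import struct
import zipfile

# Constant-pool tags from the JVM class-file spec (section 4.4).
CP_UTF8, CP_LONG, CP_DOUBLE, CP_CLASS, CP_STRING = 1, 5, 6, 7, 8
# Payload size of every fixed-size entry; Utf8 (tag 1) is variable-length.
FIXED_SIZE = {3: 4, 4: 4, CP_LONG: 8, CP_DOUBLE: 8, CP_CLASS: 2, CP_STRING: 2,
              9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Indicator patterns. The key-candidate rule flags a bare alphanumeric constant
# of exactly an AES key length (16/24/32 bytes), which is how a hard-coded key
# fed to net.rim.device.api.crypto.AESKey shows up in a constant pool.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "rim_crypto_api": re.compile(r"net/rim/device/api/crypto/\w+"),
}
KEYISH = re.compile(r"[A-Za-z0-9]+")


def class_utf8_strings(data):
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == CP_UTF8:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant tag %d at offset %d" % (tag, pos - 1))
        # Long and Double take two pool slots (spec 4.4.5); forgetting this
        # desynchronises the walk and silently loses later strings.
        idx += 2 if tag in (CP_LONG, CP_DOUBLE) else 1
    return out


def triage_jar(jar_bytes):
    """Walk a JAR (a zip) and return its entries, per-class strings and indicators."""
    report = {"entries": [], "strings": {},
              "indicators": {name: set() for name in PATTERNS}}
    report["indicators"]["key_candidate"] = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            report["entries"].append(info.filename)
            if not info.filename.endswith(".class"):
                continue  # .cod/.csl/.cso are RIM formats, not JVM class files
            strings = class_utf8_strings(jar.read(info.filename))
            report["strings"][info.filename] = strings
            for s in strings:
                for name, pat in PATTERNS.items():
                    report["indicators"][name].update(pat.findall(s))
                if len(s) in (16, 24, 32) and KEYISH.fullmatch(s):
                    report["indicators"]["key_candidate"].add(s)
    report["indicators"] = {k: sorted(v) for k, v in report["indicators"].items()}
    return report


def _utf8(text):
    raw = text.encode("utf-8")
    return bytes([CP_UTF8]) + struct.pack(">H", len(raw)) + raw


def build_sample_jar():
    """Constructed sample: a stub class whose constant pool carries strings
    reported on this page, packed into an in-memory JAR (no network needed)."""
    pool = [
        _utf8("com/ss8/interceptor/app/Transmit"),   # 1
        bytes([CP_CLASS]) + struct.pack(">H", 1),    # 2  this_class
        _utf8("java/lang/Object"),                   # 3
        bytes([CP_CLASS]) + struct.pack(">H", 3),    # 4  super_class
        _utf8("http://10.116.3.99:7095/bbupgr"),     # 5
        bytes([CP_LONG]) + struct.pack(">q", 7095),  # 6 and 7 (two slots)
        _utf8("regbb@etisalat.ae"),                  # 8
        _utf8("mail.etisalat.ae"),                   # 9
        _utf8("net/rim/device/api/crypto/AESKey"),   # 10
        _utf8("EtisalatIsAProviderForBlackBerry"),   # 11
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 47, 12)  # count = last index + 1
    # access_flags, this_class, super_class and empty interface/field/method/
    # attribute tables: just enough shape to be a class file.
    tail = struct.pack(">HHHHHHH", 0x0001, 2, 4, 0, 0, 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/ss8/interceptor/app/Transmit.class",
                     header + b"".join(pool) + tail)
        jar.writestr("Registration.cod", b"\x00" * 16)  # stand-in, not parsed
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_jar(build_sample_jar()), indent=2))
```

Run it against a real registration.jar by passing `open(path, "rb").read()` to `triage_jar`. Two caveats: the key-candidate rule is a heuristic (a 32-character alphanumeric constant next to an `AESKey` reference is a strong hint of a hard-coded AES-256 key, not proof), and the RIM .cod container is not a JVM class file, so its strings need a separate pass.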

  • Aws

    The following is a workaround for the battery life and excessive heating problem.

    1- Go to Options

    2- Select Advanced Options

    3- Select Applications

    4- Press the Menu button

    5- Under which select “Modules”

    6- Start typing the word Registration

    7- Once found press the Menu button again

    8- Under which select “Edit Permissions”

    9- Select all the three options and whatever under it to Deny, therefore you will end up with the following

    + Connection Deny

    + Interactions Deny

    + User Data Deny

    10- Once done press the Menu button again.

    11- Select Save

    It is important to save the new settings. The blackberry may ask you to reboot to accept the changes made.

    The above workaround has solved the problem for most of the users, and I do not take any responsibility on my part. What have you got to lose? I did it and it solved my problem, but unfortunately the update is not removable.

    Best Regards,

  • http://blog.grospolina.net/ steely

    snip-snap from “Transmit.class”,
    –snip–
    http://10.116.3.99:7095/bbupgr ÷ ø /register /store  regbb@etisalat.ae etisalat_upgr@etisalat.ae  
     
     
    ù ú #com/ss8/interceptor/tcp/HTTPDeliver S û ü ý þ ÿ  java/lang/InterruptedException !com/ss8/interceptor/tcp/smtp/SMTP 10.116.3.99 bb_register@etislat.ae  mail.etisalat.ae ƒ „ ,net/rim/device/api/crypto/AESEncryptorEngine net/rim/device/api/crypto/AESKey EtisalatIsAProviderForBlackBerry ] ^ S é S e com/ss8/interceptor/app/Transmit
    –snap–
    and from the registration.cod:
    –snip–
    $ØMessage-ID: <  $ØName:  $ØNetworkStarted_  $ØPOST  $ØPlatformVersion ‘ $ØProfile/MIDP-2.0 Configuration/CLDC-1.0  $ØReason $ØRegistration
    $ØReply-To:  $ØSender:  $ØSent:  $ØServiceChange_  $ØState $ØSubject:  $ØTime  $ØTo:  $ØUName:  $ØUTF-8  $ØUnsupported content type
    –snap–
    This is a botnet, isn’t it?
    I think they got hacked by a “3rd party”.
    I’m sorry that I can’t run it,
    but I wonder what “registration” means.

  • Tim Thompson

    Does anyone know if this will affect only Etisalat-hosted BB customers, or any BB that ‘roams’ whilst in the UAE?
    We have an office in Dubai where the users have UK-based Vodafone BBs which connect to our BES in the UK.

    Cheers
    Tim

  • http://veracode.com/blog Chris

    Here’s an analysis of the Etisalat spyware that I wrote up yesterday:

    http://www.veracode.com/blog/2009/07/blackberry-spyware-dissected/

  • ae

    AWS: by attempting your remedy I get a pop-up every few seconds informing me ‘the application Registration has attempted to open an external connection which is not allowed by the current settings’.

    This whole thing is driving me mad. Please someone offer solution!!

    :@

  • http://chirashi.zensay.com/ Ch0pstick

    I’ve released a free tool that helps you reveal the Etisalat BB spyware. Once it’s revealed, you can uninstall it yourself. If you need more info, please visit: http://bit.ly/info/YNFsP

  • Ahmed khalil

    From blackberry site
    Recently an update may have been provided to you by Etisalat for your BlackBerry Handheld via a WAP push. The Etisalat update is not a RIM-authorized update and was not developed by RIM. Independent sources have concluded that the Etisalat update is not designed to improve performance of your BlackBerry Handheld, but rather to send received messages back to a central server. RIM has developed this software (“Software”) that will enable you to remove the Etisalat update.

    You can find the update on the following link
    http://na.blackberry.com/eng/ataglance/security/regappremover.jsp

  • muhammad mushtaq

    Dear sir,
    I applied for a BlackBerry handset but 3 weeks have passed and I didn’t get my handset. I applied under the staff offer.
    Reply to me as soon as possible.
    Thanks and regards, Muhammad Mushtaq
    cel#0507598599

  • muhammad mushtaq

    I didn’t get any information.

  • http://www.spyphoneguy.com/2009/01/12/flexispy-blackberry-spy-phone-review-how-to-be-a-blackberry-spy/ BlackBerry Spy

    I just have to read everything BlackBerry! I enjoy reading all about the new software, models, and uses for my beloved BlackBerry. I haven’t been to your pages before. I found you while searching online.

  • Williams J.carter

    Hello, my name is Mr.Williams J.carter, We give out legitimate loans to serious individuals or business firms that are in need of loans.We are a God fearing Loan Firm that is prepared to meet the needs of individuals who aspire to be greater in the front line of capital accumulation.Loan are offer at a subsidies interest rate that is favorable to all a sundries.We are ready to talk with you about how we can meet your financial needs.if interested in this great offer then, Contact us now via email:georgiacapital@9.cn

    We apologize if by mistake,we have obtained wrong address or you are bothered by such mail being sent to you.Only once it will come to you in accordance with the Law.In compliance with LSSI-CE 34/2002 of July 11,specially stating the use of article 21 on marketing communications/advertising,we inform you that your email address is included in a database and in an advertising site designed to disseminate information of services and products offered exclusively for you which is the User.Following the rules of advertisement,this e-mail cannot in any measure be considered spam or scam related since it includes a way to be removed from the mailing list or site(S1618 Decree approved by the 105th Congress International Standards Standardization)

  • Noomu

    please fuck off