During the Etisalat controversy, one company that has been really helpful in determining exactly what is going on is SMobile Systems. They have sent me a technical analysis of the “upgrade” which I think the BlackBerry community would be interested in reading.
Affected Operating Systems: BlackBerry
Discovery Date: 07/08/2009
Research Engineers: Troy Vennon, David Stroop, Mayank Aggarwal
Detailed Information: Etisalat.A[MA] is a spyware application that was WAP pushed to BlackBerry subscribers of the Etisalat network in the United Arab Emerites (UAE) as an approved performance patch that was described as a fix to network problems users had experienced the previous few weeks. The true nature of the spyware is to intercept BlackBerry user’s email messages and forward the messages to a monitoring agent inside the Etisalat network. The patch was delivered in both .jar and .cod form. The .jar file contains the following classes:
The included classes allow the application to hook into folder updates, message store, outbound messages, and radio events:
Upon installation, the spyware application attempts to register the device by sending the following information to the registration server from the responseToCentral method found in Send.java:
Time and Date
Reason: Which can be either “Service change” or “Network Started”
State: Is device running or stopped.
These commands are available in Commands.java which calls the MsgOut constructor and passes the message to MsgOut.java. A response from the registration server is expected with the following information:
After registration has occurred, the application will remain inactive until a “start” command is received from the controlling agent. This command email will be immediately deleted. There are a possible four commands (version, bCkp, start, stop), which are encrypted.
Once the application has been activated, it will listen for email messages. When a message is received the Recv class inspects the message to determine if it contains one of the 4 possible embedded commands. If it does not, it UTF-8 encodes the message, GZIP’s it, AES encrypts the message using a static key of “EtisalatIsAProviderForBlackBerry”, then Base64 encodes the whole thing. The message will then be forwarded via an HTTP Post to http://10.116.3.99:7095/bbupgr. The following information is included in the message being sent to the controlling agent:
It is assumed that the receiving HTTP server will then construct an email and forward the received information to the following email addresses:
Detection and Removal: Detected with SMobile VirusGuard virus definitions from 2009-07-15. Choosing to remove the spyware will force the handset to reboot. Upon reboot, the user will be forced to go through the setup wizard process to reconfigure network settings that were lost when the application was removed. This setup wizard process will not affect any custom applicatons or data.