SMobile Systems release complete technical analysis of Etisalat update

During the Etisalat controversy, one company that has been really helpful in determining exactly what is going on is SMobile Systems. They have sent me a technical analysis of the “upgrade” which I think the BlackBerry community would be interested in reading.

Etisalat.A[MA]

Affected Operating Systems: BlackBerry

Discovery Date: 07/08/2009

Overview: Spyware

Research Engineers: Troy Vennon, David Stroop, Mayank Aggarwal

Detailed Information: Etisalat.A[MA] is a spyware application that was WAP pushed to BlackBerry subscribers of the Etisalat network in the United Arab Emirates (UAE) as an approved performance patch, described as a fix for network problems users had experienced over the previous few weeks. The true purpose of the spyware is to intercept BlackBerry users’ email messages and forward them to a monitoring agent inside the Etisalat network. The patch was delivered in both .jar and .cod form. The .jar file contains the following classes:

META-INF/

META-INF/MANIFEST.MF

Registration.cod

Registration.csl

Registration.cso

com/

com/ss8/

com/ss8/interceptor/

com/ss8/interceptor/app/

com/ss8/interceptor/app/Commands.class

com/ss8/interceptor/app/Constants.class

com/ss8/interceptor/app/Log.class

com/ss8/interceptor/app/Main$1.class

com/ss8/interceptor/app/Main.class

com/ss8/interceptor/app/MsgOut.class

com/ss8/interceptor/app/Recv.class

com/ss8/interceptor/app/Send.class

com/ss8/interceptor/app/StatusChange.class

com/ss8/interceptor/app/Transmit.class

com/ss8/interceptor/tcp/

com/ss8/interceptor/tcp/HTTPDeliver.class

com/ss8/interceptor/tcp/smtp/

com/ss8/interceptor/tcp/smtp/SMTPHeader.class

com/ss8/interceptor/tcp/SocketBase.class

Interceptor.class
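The class listing above is itself a usable indicator set: a defender who has a copy of the pushed .jar can check it for the com/ss8/interceptor/ package paths and for the static key string quoted later in the analysis, which, being an ordinary Java string constant, is stored verbatim in the class file. The following scanner is an added example written for this article; it is not code from SMobile Systems or from the sample itself. The archive it scans is constructed in memory from a subset of the entry names in the listing, the entry bodies are placeholders rather than real class files, and placing the key inside Transmit.class is an assumption of the sample, since the analysis does not say which class holds it.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Path indicators taken directly from the class listing in the analysis.
// Entries ending in "/" match as a prefix; the others must match exactly.
var pathIndicators = []string{
	"com/ss8/interceptor/",
	"Interceptor.class",
	"Registration.cod",
}

// Static AES key quoted in the analysis. It is an ordinary string constant,
// so it sits verbatim in the class file's constant pool and can be matched as bytes.
const staticKey = "EtisalatIsAProviderForBlackBerry"

// Finding records one indicator match inside the archive.
type Finding struct {
	Entry  string
	Reason string
}

// ScanJar inspects a .jar (zip) image held in memory and reports every entry
// whose name matches a path indicator or whose bytes contain the static key.
func ScanJar(jar []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		for _, p := range pathIndicators {
			if (strings.HasSuffix(p, "/") && strings.HasPrefix(f.Name, p)) || f.Name == p {
				findings = append(findings, Finding{f.Name, "path indicator " + p})
				break
			}
		}
		if f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		if bytes.Contains(data, []byte(staticKey)) {
			findings = append(findings, Finding{f.Name, "embedded static AES key"})
		}
	}
	return findings, nil
}

// BuildSampleJar builds a CONSTRUCTED zip for offline testing. Entry names come from the
// listing in the analysis; bodies are placeholders, not real class files. Placing the key
// in Transmit.class is an assumption of this sample, not a fact from the analysis.
func BuildSampleJar() ([]byte, error) {
	entries := map[string][]byte{
		"META-INF/MANIFEST.MF":                      []byte("Manifest-Version: 1.0\n"),
		"com/ss8/interceptor/app/Main.class":        []byte("placeholder"),
		"com/ss8/interceptor/tcp/HTTPDeliver.class": []byte("placeholder"),
		"com/ss8/interceptor/app/Transmit.class":    []byte("placeholder " + staticKey),
		"Interceptor.class":                         []byte("placeholder"),
		"benign/Helper.class":                       []byte("placeholder"),
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write(body); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	jar, err := BuildSampleJar()
	if err != nil {
		panic(err)
	}
	findings, err := ScanJar(jar)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-45s %s\n", f.Entry, f.Reason)
	}
}
```

Against the constructed archive the scanner flags the four com/ss8 and Interceptor entries by path and Transmit.class a second time for the embedded key, while the manifest and the unrelated benign/Helper.class produce nothing. The same two checks apply to the .cod form of the patch only for the key string, since .cod files do not carry the Java package paths.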

The included classes allow the application to hook into folder updates, message store, outbound messages, and radio events:

  • The Recv.class allows the application to monitor for inbound messages by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.event.StoreListener
  • The Send.class allows the application to monitor outbound messages, though it is only used to forward messages on later, by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.SendListener.
  • The StatusChange.class allows the application to monitor radio events such as a change of network. It removes and re-registers the Recv listener when certain network changes occur.
  • Upon installation, the spyware application attempts to register the device by sending the following information to the registration server from the responseToCentral method found in Send.java:

    version: 4.91
    Copyright message
    Time and Date
    Pin no.
    Phone No
    IMEI
    IMSI
    Serial No:
    Device Name:
    Device Manufacture
    Platform Version
    Reason: Which can be either “Service change” or “Network Started”
    State: Is device running or stopped.

    These commands are available in Commands.java which calls the MsgOut constructor and passes the message to MsgOut.java. A response from the registration server is expected with the following information:

  • version: 4.91
  • Time and Date

After registration has occurred, the application remains inactive until a “start” command is received from the controlling agent. This command email is immediately deleted. There are four possible commands (version, bCkp, start, stop), all of which are encrypted.

Once the application has been activated, it listens for email messages. When a message is received, the Recv class inspects it to determine whether it contains one of the four possible embedded commands. If it does not, it UTF-8 encodes the message, GZIPs it, AES encrypts it using the static key “EtisalatIsAProviderForBlackBerry”, then Base64 encodes the whole thing. The message is then forwarded via an HTTP POST to http://10.116.3.99:7095/bbupgr. The following information is included in the message sent to the controlling agent:

  • Message Subject
  • Body of the Message
  • From Address
  • To Address

It is assumed that the receiving HTTP server will then construct an email and forward the received information to the following email addresses:

  • regbb@etisalat.ae
  • etisalat_upgr@etisalat.ae
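For an analyst who has captured one of those POST bodies, the encoding chain above is fully reversible because the key is static and travels with every handset. The decoder below is an added example written for this article, not code from SMobile Systems or from the sample; it undoes the chain in reverse order (Base64, then AES with the quoted key, then GZIP, then UTF-8) and rejects input that fails at any stage rather than returning garbage. The analysis names only “AES” and a static 32-byte key with no IV, so the block mode (ECB) and PKCS#7 padding used here are assumptions. The captured message is a constructed sample: the block runs the forward chain on it purely so that the decoder has something to work on offline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Static key quoted in the analysis: 32 bytes, so AES-256.
const staticKey = "EtisalatIsAProviderForBlackBerry"

// pkcs7Pad pads to a whole number of blocks (padding scheme is an ASSUMPTION).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates the padding, refusing malformed input.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("inconsistent padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// ecb applies AES block by block. The analysis gives a key but no IV, so ECB is
// an ASSUMPTION of this example; swap in cipher.NewCBCDecrypter if an IV turns up.
func ecb(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in) == 0 || len(in)%bs != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if encrypt {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// DecodeExfil reverses the chain described in the analysis:
// Base64 -> AES (static key) -> GZIP -> UTF-8 text.
func DecodeExfil(blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	padded, err := ecb([]byte(staticKey), raw, false)
	if err != nil {
		return "", fmt.Errorf("aes: %w", err)
	}
	gz, err := pkcs7Unpad(padded, aes.BlockSize)
	if err != nil {
		return "", fmt.Errorf("padding: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(gz)) // fails on a bad GZIP header
	if err != nil {
		return "", fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	plain, err := io.ReadAll(zr)
	if err != nil {
		return "", fmt.Errorf("gunzip: %w", err)
	}
	return string(plain), nil
}

// EncodeExfil runs the forward chain; it exists only to build the constructed sample.
func EncodeExfil(msg string) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write([]byte(msg)); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	ct, err := ecb([]byte(staticKey), pkcs7Pad(buf.Bytes(), aes.BlockSize), true)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// sampleMessage is CONSTRUCTED data carrying the four fields the analysis lists.
const sampleMessage = "Subject: quarterly figures\nFrom: alice@example.com\nTo: bob@example.com\nBody: see attached"

func main() {
	blob, err := EncodeExfil(sampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Println("captured POST body:", blob)
	text, err := DecodeExfil(blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", text)
}
```

The ordering of the checks matters for an analyst: a capture that fails at the Base64 or block-alignment step was not produced by this chain at all, one that decrypts but fails padding or the GZIP header points at a different key or mode, and only a full success confirms the static key is in use.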

Detection and Removal: Detected with SMobile VirusGuard virus definitions from 2009-07-15. Choosing to remove the spyware will force the handset to reboot. Upon reboot, the user will be forced to go through the setup wizard process to reconfigure network settings that were lost when the application was removed. This setup wizard process will not affect any custom applications or data.

    • http://twitter.com/BlackBerryCool/statuses/2760076650 BlackBerryCool (BlackBerry Coo

      SMobile Systems release complete technical analysis of Etisalat update http://bit.ly/tmhmM

    • http://twitter.com/jdlacey/statuses/2760151628 jdlacey (jdlacey)

      RT @BlackBerryCool: SMobile Systems release complete technical analysis of Etisalat update http://bit.ly/tmhmM

    • http://twitter.com/iskandar_ahmat/statuses/2762159348 iskandar_ahmat (Iskandar Ahmat

      RT @BlackBerryCool: SMobile Systems release complete technical analysis of Etisalat update http://bit.ly/tmhmM

    • http://twitter.com/wmchan/statuses/2766068752 wmchan (William Chan)

      #blackberry SMobile Systems release complete technical analysis of Etisalat update http://bit.ly/11L6Ut

    • http://ccarticles.com Winson Yeung from UAW Article Writing Service

      First, thanks for the great review about the unique article wizard. I have great success with the UAW as well to generate massive backlinks to my website and getting them ranked on search engine. Some update for Unique Article Wizard, they have upgraded their whole system to a more user-friendly and design-friendly interface which make it even easier to use the uaw submission. There’s even page by page videos that show you exactly what to do as well.

    • jennyjosh

      It’s cool to read this post.

    • http://www.technical-analysis-course.net technical analysis

      This is such a stylish phone. I love it.

    • http://ArticleDrove.com article writing service

      This is exactly the phone I need to keep up with my article submissions to increase traffic to my website. I usually outsource articles, then submit them to directories. I need to find or build an app that can keep tabs on this for me.

    • http://www.wordsofvalue.com/articlewriter Nikki May from Article Writer

      I am an enthusiast in the BlackBerry community, and I love my BlackBerry.
      Thanks for sharing the technical analysis of the “upgrade” – interesting read.

      Thanks again – much appreciated!

    • http://www.jandejoya.com The Free Spirited Freelancer

      I’m also an avid Blackberry user and this information helped me a lot in understanding how the systems in my phone work. Thanks for the share.

    • http://www.k9puppy.co.uk Dogs

      Blackberry phones are getting more popular day by day. And its applications are getting more available. Good to see this.

    • http://www.swingset.com Playground Equipment

      Blackberry phones are very much user oriented. Its extensive features made it very popular over the years.

    • http://www.swingset.com Swing Sets

      I love my BlackBerry. Thanks for sharing the technical analysis of the “upgrade” – interesting read.

    • http://www.security-wire.com/08/how-to-remove-security-shield-2010-rogue-anti-spyware.html remove security shield

      Blackberry is spyware???

    • http://www.withthisfavor.com/place-card-holders place card holders

      Is this still the case? Thanks :)

    • http://www.songsforawedding.com wedding songs

      I don’t think it is spyware?? What are you talking about?