Veracode’s TXSBBspy Spyware Proof-of-Concept for BlackBerry

TXSBBSpy Demo from Veracode on Vimeo.

Tyler Shields, senior researcher at Veracode Research Lab, developed a proof-of-concept spyware package that demonstrates how simple it is to retrieve private data from a BlackBerry.

In the above video he demonstrates the spyware package, which he calls TXSBBspy, and uses it to take some very confidential information. In the demonstration, he uses some basic, publicly available functions to remotely dump all email and SMS messages, send the contents via e-mail, and conduct real-time monitoring of phone messages. He also remotely listens to a room using the BlackBerry’s mic and tracks a user without their knowledge by listening to their GPS updates.

This is a hot topic right now for BlackBerry as more users are downloading applications and accepting permissions without fully understanding what they’re allowing the app access to. Personally, I think RIM needs to give very specific instructions to the user about what they’re allowing an app to access. The permissions screen is far too vague.

  • Bob

    You still have to intentionally install this “spyware” on your BlackBerry, so I'm not really worried about this 'vulnerability'.

  • Polaris125

    “Most consumers aren't aware of the range of information that can be accessed by BlackBerry applications, particularly those granted **trusted application** status by the user”.

    See now…there's the catch right? The user has to be dumb enough to install the app AND grant it trusted application status. If the user is on a BES, their administrator can easily block the user's ability to even do this.

    Don't waste our time.

  • squished18

    RIM also requires developers sign their code with an electronic key. In order to obtain a key, you need to register with RIM. So if someone develops malicious code, they are traceable. This certainly can't be said for your average Windows spyware.

    So including the barriers that previous posters have mentioned, the security model is actually very good and quite tight.

  • DurDurDur

    Polaris, the OS gives apps access to plenty of information by default without requiring trusted access. Read the slide deck before spouting nonsense. Squished, there are plenty of ways to obtain a $20 developer key without exposing your identity.

  • squished18

    @DurDUrDur – With the small amount of BB development that I've done, I have not encountered any APIs that could accomplish what the VeraCode's program did without obtaining trusted access. Perhaps you would care to share what APIs you would use to accomplish this without obtaining trusted access?

    Obtaining a $20 developer key requires a valid mailing address. That's a pretty good start when someone wants to track you down for creating malware. So getting away with it once or twice might be feasible, but doing it repeatedly would be a pretty significant challenge for most people, myself included.

  • squished18

    @DurDurDur: Any reply?

  • alicedebrax

    I had avast antivirus but uninstalled it (had it for approximately 3 – 4 years) because it kept on prompting me to reboot even after just logging on to the internet. Their latest version is 4.8. I got sick of the popup messages so I went looking for another antivirus program which is just as good as avast. I did a search on the internet and I came across Comodo antivirus and it's free. It also has Comodo Internet Security (which is also free) and I also use Comodo Antispam which I would recommend to anybody looking for such a program. I don't have any spyware removal software as yet, so can anybody recommend a good one? I am very security conscious.