Veracode’s TXSBBspy Spyware Proof-of-Concept for BlackBerry

TXSBBSpy Demo from Veracode on Vimeo.

Tyler Shields, senior researcher at Veracode Research Lab, developed a proof-of-concept spyware package that demonstrates how simple it is to retrieve private data from a BlackBerry.

The above video demonstrates the spyware package, which he calls TXSBBspy, being used to take some very confidential information. In the demonstration, he uses some basic, publicly available functions to remotely dump all email and SMS messages, send the contents via e-mail, and conduct real-time monitoring of phone messages. He also remotely listens to a room using the BlackBerry’s mic, and tracks an unknowing user by listening to their GPS updates.

This is a hot topic right now for BlackBerry as more users are downloading applications and accepting permissions without fully understanding what they’re allowing the app access to. Personally, I think RIM needs to give very specific instructions to the user about what they’re allowing an app to access. The permissions screen is far too vague.

  • squished18
    @DurDurDur: Any reply?
  • squished18
    @DurDurDur - With the small amount of BB development that I've done, I have not encountered any APIs that could accomplish what Veracode's program did without obtaining trusted access. Perhaps you would care to share what APIs you would use to accomplish this without obtaining trusted access?

    Obtaining a $20 developer key requires a valid mailing address. That's a pretty good start when someone wants to track you down for creating malware. So getting away with it once or twice might be feasible, but doing it repeatedly would be a pretty significant challenge for most people, myself included.
  • DurDurDur
    Polaris, the OS gives apps access to plenty of information by default without requiring trusted access. Read the slide deck before spouting nonsense. Squished, there are plenty of ways to obtain a $20 developer key without exposing your identity.
  • squished18
    RIM also requires developers sign their code with an electronic key. In order to obtain a key, you need to register with RIM. So if someone develops malicious code, they are traceable. This certainly can't be said for your average Windows spyware.

    So including the barriers that previous posters have mentioned, the security model is actually very good and quite tight.
  • Polaris125
    "Most consumers aren't aware of the range of information that can be accessed by BlackBerry applications, particularly those granted **trusted application** status by the user".

    See now...there's the catch right? The user has to be dumb enough to install the app AND grant it trusted application status. If the user is on a BES, their administrator can easily block the user's ability to even do this.

    Don't waste our time.
  • Bob
    You still have to intentionally install this "spyware" on your BlackBerry, so I'm not really worried about this 'vulnerability'.