SMobile Systems release complete technical analysis of Etisalat update


During the Etisalat controversy, one company that has been really helpful in determining exactly what is going on is SMobile Systems. They have sent me a technical analysis of the “upgrade” which I think the BlackBerry community would be interested in reading.


Affected Operating Systems: BlackBerry

Discovery Date: 07/08/2009

: Spyware

Research Engineers: Troy Vennon, David Stroop, Mayank Aggarwal

Detailed Information: Etisalat.A[MA] is a spyware application that was WAP pushed to BlackBerry subscribers of the Etisalat network in the United Arab Emirates (UAE) as an approved performance patch that was described as a fix to network problems users had experienced the previous few weeks. The true nature of the spyware is to intercept BlackBerry users’ email messages and forward the messages to a monitoring agent inside the Etisalat network. The patch was delivered in both .jar and .cod form. The .jar file contains the following classes:


























The included classes allow the application to hook into folder updates, message store, outbound messages, and radio events:

  • The Recv.class allows the application to monitor for inbound messages by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.event.StoreListener.
  • The Send.class allows the application to monitor outbound messages, though it’s only used to forward messages on later, by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.SendListener.
  • The StatusChange.class allows the application to monitor radio events such as a change of network. It removes and re-registers the Recv listener when certain network changes occur.
  • Upon installation, the spyware application attempts to register the device by sending the following information to the registration server from the responseToCentral method found in

    version: 4.91
    Copyright message
    Time and Date
    Pin no.
    Phone No
    Serial No:
    Device Name:
    Device Manufacture
    Platform Version
    Reason: Which can be either “Service change” or “Network Started”
    State: Is device running or stopped.

    These commands are available in which calls the MsgOut constructor and passes the message to A response from the registration server is expected with the following information:

  • version:4.91
  • Time and Date
    After registration has occurred, the application will remain inactive until a “start” command is received from the controlling agent. This command email will be immediately deleted. There are four possible commands (version, bCkp, start, stop), which are encrypted.

    Once the application has been activated, it will listen for email messages. When a message is received, the Recv class inspects the message to determine if it contains one of the 4 possible embedded commands. If it does not, it UTF-8 encodes the message, GZIPs it, AES encrypts the message using a static key of “EtisalatIsAProviderForBlackBerry”, then Base64 encodes the whole thing. The message will then be forwarded via an HTTP Post to The following information is included in the message being sent to the controlling agent:

  • Message Subject
  • Body of the Message
  • From Address
  • To Address
  • It is assumed that the receiving HTTP server will then construct an email and forward the received information to the following email addresses:


  • Detection and Removal
    : Detected with SMobile VirusGuard virus definitions from 2009-07-15. Choosing to remove the spyware will force the handset to reboot. Upon reboot, the user will be forced to go through the setup wizard process to reconfigure network settings that were lost when the application was removed. This setup wizard process will not affect any custom applications or data.
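
The class names, listener interfaces and static AES key named in the analysis can serve as static indicators when triaging a suspect .jar. The following is an added example, not SMobile's detection logic or code from the original analysis. It assumes the key is stored as a plain string constant in a class file, and it does not cover the .cod form; the function names, size cap and verdict labels are hypothetical.

```python
import io
import zipfile

# Indicators taken from the analysis above. Class files store type names with
# "/" separators, so the listener interfaces are matched in that form.
STATIC_KEY = b"EtisalatIsAProviderForBlackBerry"
LISTENERS = {
    "FolderListener": b"net/rim/blackberry/api/mail/event/FolderListener",
    "StoreListener": b"net/rim/blackberry/api/mail/event/StoreListener",
    "SendListener": b"net/rim/blackberry/api/mail/SendListener",
}
CLASS_NAMES = {"Recv.class", "Send.class", "StatusChange.class"}
MAX_ENTRY = 1 << 20  # assumed cap: skip oversized entries instead of inflating them


def triage_jar(jar_bytes):
    """Return indicator hits for a JAR supplied as bytes."""
    report = {"classes": [], "listeners": {}, "static_key_in": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class") or info.file_size > MAX_ENTRY:
                continue
            base = info.filename.rsplit("/", 1)[-1]
            data = jar.read(info)
            if base in CLASS_NAMES:
                report["classes"].append(info.filename)
            for label, needle in LISTENERS.items():
                if needle in data:
                    report["listeners"].setdefault(label, []).append(info.filename)
            if STATIC_KEY in data:
                report["static_key_in"].append(info.filename)
    return report


def verdict(report):
    """The key string alone is decisive; a class name must also hook a mail listener."""
    if report["static_key_in"]:
        return "match"
    hooked = {f for files in report["listeners"].values() for f in files}
    return "suspicious" if hooked & set(report["classes"]) else "clean"


def build_sample(entries):
    """Build a constructed in-memory JAR from {name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

A class that merely shares a name such as Recv.class is reported as clean unless it also references one of the mail listener interfaces, which keeps common class names from producing false positives.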
