Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] The Monkey Steals the Berries

The Monkey Steals the Berries (Tyler Shields)

Why would an attacker target a phone

PC’s are becoming smaller and smaller as more data is moved to the mobile platform. Mobile devices are also commonly less protected than desktop systems (like going back in time in some cases). It also allows for very targeted attacks.

The mobile arena is currently growing more than any other operating system. This makes it the target of the future. Once the various mobile platforms settle and the 2 or 3 major players are defined, things will become more targeted (as it was with Windows).

Mobile applications are another constant growth area giving another great chance to attack users.

Flexispy (http://www.flexispy.com)

  • Features everything needed for attackers.
    • Yearly costs involved
    • Closed source
    • Exfiltrates data to the software provider where you can view it through a web interface.
  • This makes it a hard sell for attackers.

Mobile Spy (www.mobile-spy.com)

  • Less features, but covers a wider range of platforms.
    • Yearly costs involved (cheaper than flexispy)
    • Closed source
    • Exfiltrates data to the software provider where you can view it through a web interface.
  • Same issues as flexispy, including closed source and no direct control of the exfiltrated data.

Etisalat (SS8)

  • As rolled out in the UAE to Blackberry systems.
  • Used Blackberry PIN messaging as the C&C channel. Captured outbound SMS and Emails with complete control given to the provider.
  • Was discovered due to issues users reported with battery life


  • Creator of games like iMobster and Vampires Live for the iPhone
  • Gathered phone numbers of users. Company claimed it was coded in error

Symbian Sexy Space

  • Exfiltrates data to a website of the hackers choice.
  • Binary was signed as safe by Symbian!

Symbian MergoSMS

  • Came in the form of games and themes
  • Binary signed as safe!


  • Created banking applications for the Android platform
  • Did nothing more than pass calls through to the bank
  • No malicious code found… Could easily have happened however!

3D Anti-Terrorist, …

  • Dialed premium rate numbers (8 per month)
  • Waited 3 days before starting to avoid easy detection
  • Slow win instead of a fast big pay-off
  • Repackaged legitimate game to be malicious

Mobile Security Mechanisms

Only 23% of smartphone owners use the security software installed on a device

13% of organisations currently protect from mobile devices

A balancing act between usability and security.

Corporate Level security Policies

  • Applied at the corporate IT Level
  • Can’t be modified by the end-users

End-User Level security Policies

  • Could be assigned from a provider
  • Can be overridden by end-user
  • Not as common as Corporate protections
  • Not as strict as Corporate protections

Mobile Anti-Virus

  • Implemented at the handset itself
  • Fails due to the same reason PC antivirus is failing today

Checks code

  • How are people like Apple checking apps in the app store?
  • Not all checked code is secure!

Code Signing

  • Subset of Blackberry API considered “controlled”
  • Use of controlled package, class, … needs signature
  • Can be yours for only $20
  • Hash of code sent to RIM (Not full code)
  • No barrier to entry
  • Signature can’t be revoked for existing apps (only to stop future apps)

Blackberry IT Policies

  • Blackberry Enterprise Server (BES)
  • Supersedes lower level security controls
  • Complex and very in-depth
  • Lots of fine-grained controls
  • So many that mod are set to “Default Allow All” as a result

Blackberry Application Policies

  • Can be controlled at the BES
  • Also mostly Allow
    • Gives an app many permissions by default
  • If you say “don’t trust” app still gets access to email, contact data by default!
    • Can be tweaked on a per-app basis (yeah right!)

Blackberry Spyware (TXSBBSpy)

Many ways to install on systems

Extensive logging and data exfiltration features (including SMS, EMail, HTTP, TCP/UDP sockets, DNS requests)

Technical Methods

  • Data Dumpers
  • Listeners
  • Exfiltration Methods
  • Command & Control


  • AV fails to detect due to the same issues we see on the desktop
  • Resource usage and whitelisting
  • Sandboxed based execution
  • Code Analysis (possible, but tricky/expensive)

Best solution is to use a Defense in Depth strategy and implement any and all protections possible.


A lot of trust lies with vendor application checks –> This is unwarrented

The only real solution is analysis of code


Comments are closed.

%d bloggers like this: