The creator of PhoneSnoop, a proof-of-concept application that turns a BlackBerry into a listening device for a hacker on the other end, said he is trying to raise awareness of potential BlackBerry threats out there.
Sheran Gunasekera, an Indonesia-based security consultant, created the free tool as an alternative to the expensive commercial applications on the market that do much the same thing as PhoneSnoop.
In short, the application lets an attacker call the BlackBerry; the device silently answers the call and switches to speakerphone, so the caller can listen in on the user's immediate surroundings without the user ever seeing that a call came in.
“With PhoneSnoop, a user gets to hold it in his hands and has the ability to see exactly how an attack of this sort can be conducted,” wrote Gunasekera in an e-mail to ComputerWorld Canada.
On his blog, Gunasekera lets visitors download the application along with an install guide.
Gunasekera said his creation has received quite a lot of interest, mainly from people asking how they can protect themselves.
He wrote in his blog post: “PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner. While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware.”
Given that the BlackBerry is a popular device among business users, hackers could use this sort of application to listen in on sensitive business discussions, said Eric Chien, technical director with the security technology and response group at Cupertino, Calif.-based security vendor Symantec Corp.
“So if you’re in a confidential meeting, and the hacker knew that, he might call your phone at that time,” said Chien, who made a posting on the topic on Symantec’s Security Blogs site.
Chien said PhoneSnoop can be installed on an unsuspecting victim's BlackBerry in one of two ways. An attacker with access to the handset who knows the user's device password can install the app directly. Alternatively, the user can be tricked into installing it when the malicious code is bundled with something innocuous, such as a game.
“And then you would potentially install it, run the game and know that PhoneSnoop is running secretly in the background,” said Chien.
But Chien said that as a proof-of-concept, the likelihood of anyone actually using the application is “zero or little.”
Moreover, the BlackBerry's default application permission settings will not let PhoneSnoop run, said Chien.
The problem is that some legitimate applications require the same permissions PhoneSnoop needs, so IT administrators must double-check the permissions granted to each installed application rather than relying on the defaults alone, said Chien.
The U.S. Computer Emergency Readiness Team (US-CERT) on Tuesday posted on its Web site that it is aware the application exists along with a cautionary note to BlackBerry users: “US-CERT encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.”
On BlackBerry Forums, one user who has tried the application writes of possible non-malicious uses for PhoneSnoop. "This is a nice application. Even if I don't intend to spy on someone, it has some practical use," wrote Nobody7290.
Chien said that while PhoneSnoop is proof-of-concept, it certainly demonstrates what is possible for hackers.