Careless downloading makes BlackBerry users spy targets

A security researcher said downloading foreign applications to a BlackBerry leaves you vulnerable to spies

IPhone lovers and other smartphone users should take heed: A security researcher showed ways to spy on a BlackBerry user during a presentation Wednesday, including listening to phone conversations, stealing contact lists, reading text messages, taking and viewing photos and figuring out the handset's location via GPS.

And ironically, Sheran Gunasekera, head of research and development at ZenConsult, said the BlackBerry is one of the most secure smartphones available, in some ways better than the iPhone.

"There is no technical way of hacking a BlackBerry, it's impossible," said Gunasekera, during a presentation at the Hack In The Box security conference in Kuala Lumpur. "It's just too secure for that. So we have to rely on social engineering."

For hackers, social engineering is the art of tricking someone into loading spyware onto a device or finding some other way to install it, such as borrowing the device and downloading malware from the Internet or a MicroSD card, for example.

One way to entice a BlackBerry user to download spyware onto their smartphone is by offering a free application that appears to be a game or some other harmless software, but in fact carries a dangerous payload. Enticing slideshows are even easier to get users to accept, Gunasekera said.

"I will have the slideshow running on top and the spyware doing its nastiness on the bottom," he said.

What kind of nastiness?

A small piece of software able to conceal itself by not appearing on the BlackBerry's application menu, nor taking up much memory space nor using much processing power, can allow a hacker to do all kinds of things.

"People tend to put a lot of personal data on a BlackBerry," he said, but it's not just the data on the phone that's at risk.

Spyware on a BlackBerry could intercept a phone call and let the hacker listen in, or even let the hacker listen to a meeting the victim is sitting in on. By silently answering the victim's phone, then turning on the speakerphone, the spyware could allow the hacker to overhear the meeting. It could also forward incoming and outgoing text messages to the hacker, and even enable the hacker to write messages from the victim's BlackBerry, or run up the victim's phone bill by making international calls.

The hacker could also program the spyware to have the handset's camera take pictures every 10 seconds, for example, to see find out the victim's location.

One recent example shows a massive installation of spyware on BlackBerry phones in the United Arab Emirates.

Regional mobile phone service provider Etisalat last June told its 145,000 BlackBerry subscribers to download a software upgrade that turned out to be spyware. Once users downloaded the "upgrade," it forwarded the phone's e-mails to a central server, Gunasekera said. The ploy was discovered because the software drained BlackBerry batteries at an excessive rate, in as fast as 30 minutes after a full recharge.

Etisalat maintains the software was an upgrade.

BlackBerry manufacturer Research In Motion (RIM), however, took matters into its own hands and provided a fix to affected users.

"Independent sources have concluded that Etisalat's "Registration" software application is not actually designed to improve performance of a BlackBerry Handheld, but rather to send received messages back to a central server," RIM said on its Web site.

Gunasekera offered a range of advice to help people keep their BlackBerries secure, advice useful to most smartphone users.

"Don't install random pieces of software," he said, "and be sure of what you're installing, and limit the amount of software on your BlackBerry."

It's also not a good idea to let anyone else use your smartphone, he said, but if you do hand over your phone, keep an eye on it. He also implored people to learn and set Default Application Permissions on their BlackBerries, a feature that increases safety. And always enable a device password. "This is the least you can do in case your device is lost or stolen," he said.

He also suggested that RIM start regulating Apps made for BlackBerries.

"People complain about Apple and their application process for the App Store, but it's good for security because you have people actually looking at the code," he said. RIM needs to put third-party apps aimed at BlackBerries under the same scrutiny, he said.

A RIM security researcher sent to the Hack In The Box conference to view the presentation declined to comment, but said the company planned to issue a statement later in the day.

Join the PC World newsletter!

Error: Please check your email address.

Tags Blackberrysecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Dan Nystedt

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?