Researcher: BlackBerry Spyware Wasn't Ready for Prime Time



A BlackBerry software upgrade in the Middle East that turned out to be an e-mail interception program was likely a buggy beta version of a U.S.-made surveillance product, according to an analyst who dissected the malicious code.

Sheran Gunasekera, who works as a security consultant in Asia, released a white paper examining the spyware. (.pdf) Gunasekera said the software had no protective measures to obfuscate it, making it easy to decompile and examine -- an unusual flaw for a program designed for surreptitious interception.

What's more, command messages sent to the BlackBerry to initiate and halt interception can be transmitted to the device through e-mail or BlackBerry's proprietary PIN messaging system. But the PIN messages are visible on the handheld's screen for a fraction of a second when they arrive, and a copy of any command sent via e-mail appears in the user's inbox, which would conceivably alert an observant user to suspicious activity. Gunasekera says the e-mail command function is turned off by default, apparently because of this glitch.

The spyware came to light when Etisalat, a phone and internet service provider in the United Arab Emirates, pushed out a message to its more than 100,000 UAE BlackBerry subscribers on July 8, notifying them that they needed to install a "performance-enhancement patch" to their devices. Users complained that after installing the patch, the performance of their device degraded and the battery drained.

Another researcher named Nigel Gourlay was the first to examine the code and report that it was spyware, designed to intercept a user's e-mail messages. The program appeared to be written by a U.S.-based company named SS8, which markets surveillance tools to law-enforcement and intelligence agencies. The company hasn't responded to repeated inquiries from Threat Level.

Etisalat has not responded directly to criticism that it abused the trust of customers by lying to them about the nature of the program. Lawful interception in the United States is generally done at the ISP level, not at the client level, although the FBI is allowed to install spyware on an individual suspect's computing device after obtaining a warrant.

Research-in-Motion, which makes the BlackBerry, issued a statement saying that it did not authorize the upgrade and "was not involved in any way in the testing, promotion or distribution of this software application."

The company has issued a free tool to help BlackBerry users remove the spyware from their phones.

Gunasekera said the SS8 spyware is designed to check whether it's visible in the BlackBerry application folder every time the handheld is rebooted. If it is, it hides itself.

The spyware has limited functionality in its present form, because it intercepts only outgoing e-mail messages sent by the user, not incoming ones. It also doesn't intercept instant messages, BlackBerry PIN messages, phone calls, SMS messages or Bluetooth, wireless or GPS data. Nor does it have the ability to be silently updated with a newer version of the program.

The performance degradation and battery drain were caused in part by the program regularly polling every message folder for new messages, which consumed processing power.

Gunasekera says now that the source code has been released, it can be easily modified by anyone and used to intercept messages from unsuspecting BlackBerry users who are tricked into installing the program.

"[T]here may be possibilities that other, less ethical groups, use this software to aid them in rapidly developing and deploying improved versions of the spyware," he writes on his blog.

Gunasekera has provided a tool on his site to help users search their phones for this or other spyware. He has included source code for the tool, but Threat Level recommends consumers use the official tool provided by Research-in-Motion.

Photo: VancityAllie/Flickr
