Security Fix: DHS warns about app that bugs BlackBerrys

By Brian Krebs
Washington Post Staff Writer
Thursday, October 29, 2009; 12:49 PM

The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) is warning BlackBerry users about a spyware program that allows attackers to turn a target's handset into a microphone that can be accessed remotely.

PhoneSnoop is a free, remote spying application designed for BlackBerry phones. The app works by intercepting phone calls from a predetermined 'trigger' number. When PhoneSnoop detects an incoming call from that number, it accepts the call and turns on the BlackBerry's speaker phone, effectively allowing the caller to listen in on the target's surroundings.

There are some very real limitations of this spying app: For starters, an attacker would need to have physical access to the victim's phone in order to install the app. PhoneSnoop also can't listen in on the victim's phone calls, and it leaves a conspicuous new program icon in the victim's app list.

Still, the alert serves as a useful reminder of the importance of maintaining proper physical security around the communications devices most of us depend upon. I am often asked about the threat to mobile phones from viruses and the sorts of spyware that typically assail PCs, and my response is always that the physical threat -- particularly the prospect of having your phone lost or stolen (however briefly) -- should be the user's primary concern.

PhoneSnoop was written and released by Sheran Gunasekera, a Sri Lankan programmer who heads the security division for Hermis Consulting, an Indonesian consulting firm that gets paid to conduct physical and network penetration tests for banks and telecommunications providers.

Gunasekera said he built PhoneSnoop as a proof-of-concept app, and as such it is not very stealthy. Still, he said, apps like PhoneSnoop could be silently bundled with other apps that the BlackBerry user wants to download, and could be set to run in the background without obvious notifications. BlackBerry apps also can be set so that they do not include program icons, or so that they simply don't show up in the list of running applications.

"BlackBerry is one of the most secure platforms out there, so what I wanted to do was highlight that even though you have a secure platform, in the end the user is probably going to be the weakest link," Gunasekera said.

PhoneSnoop isn't exactly new or feature-rich, but it is free. Applications like Flexispy and Mobile Spy can be used to intercept and relay a user's text messages, phone call logs and even GPS coordinates. Still, these other apps can cost between $250 and $300.

The BlackBerry does have some built-in defenses, if the user chooses to turn them on. As Symantec notes in its blog post about this app, you can require that a personal identification number (PIN) be provided before any apps can be installed. Also, a BlackBerry Enterprise Server can be configured to prevent applications from installing or running properly, and can remotely wipe a BlackBerry of any data should its owner lose or misplace the device.

Gunasekera added that he expects to soon release other applications to help users better secure their phones against snooping or theft. One free program he already released -- called Kisses -- can detect applications installed on a BlackBerry that have been designed to remain hidden (including programs like Flexispy).



© 2009 Washingtonpost.Newsweek Interactive