, The Register 2009-07-16
An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life.
Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to take a closer look at, only to discover an application intended to intercept both email and text messages, sending a copy to an Etisalat server without the user being aware of anything beyond a slightly excessive battery drain.
It was, it seems, the battery issue that alerted users to something being wrong. Closer examination (as reported by itp.net) seems to indicate that all instances of the application were expected to register with a central server, which couldn't cope with the traffic — thus forcing all the instances to repeatedly attempt to connect while draining the battery. A more phased reporting system might have escaped detection completely.
The update is labelled: "Etisalat network upgrade for BlackBerry service. Please download to ensure continuous service quality." The signed JAR file, when opened, reveals an application housed in a directory named
/com/ss8/interceptor/app, which conforms to the Java standard for application trees to be named the reverse of the author's URL. ("Interceptor" isn't the subtlest name for spyware, though.)
SS8, however, does author applications of exactly this type, and further reverse-engineering of the Java app shows code capable of intercepting messages and copying them to remote servers — a process that starts once a trigger message (containing the word "start" and originating from a specific number) has been received.
No one from Etisalat, RIM, or SS8 is saying anything about the issue, despite the fact that the application appears remarkably difficult to remove. Enterprising hackers, though, have discovered it can be done, with one providing a useful utility (seventh message down) to automate the process.
While text messages and phone calls are usually more easily intercepted at the network operator, the BlackBerry architecture doesn't lend itself to that kind of legally-authorised interception, which has caused problems in several other countries. It seems probable that this application was an attempt by the authorities to circumvent that architecture, and it will be interesting to see if a similar application appears on competing UEA operators.
That's assuming anyone notices - the application could have been missed entirely. Once it was installed and registered with the server it would have lain dormant until the operator decided to activate it, presumably only on a few phones owned by people of particular interest to the authorities.
Hopefully punters will be a little more careful when considering a downloaded update, although it's possible the operators may in turn get a little better at hiding it.
If you have tips or insights on this topic, please contact SecurityFocus.