The United States Computer Emergency Readiness Team (US-CERT) has warned BlackBerry users that a new application has the ability to turn their smartphone into a surveillance tool.
"This software allows an attacker to call a user's BlackBerry and listen to personal conversations," says US-CERT's public warning. "In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop."
But there's a catch: if you want to try the application, you have to e-mail the IT security consultant who wrote it.
Sheran Gunasekera, a Sri Lankan programmer who heads the security division for Hermis Consulting and blogs at Chirashi Security under the handle Chopstick, is looking for beta testers to try out the application so he can write a paper on it.
In the blog post announcing the application, Gunasekera explains how the surveillance application works.
You install and run PhoneSnoop on a victims’ BlackBerry. PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number. Once it detects a call from that specific number, it automatically answers the victims’ phone and puts the phone into SpeakerPhone mode. This way, the attacker that called can now hear whats going on at the victims end.
But because Gunasekera isn't interested in snooping on anyone, the application is less than stealthy, reports The Washington Post.
There are some very real limitations of this spying app: For starters, an attacker would need to have physical access to the victim's phone in order to install the app. PhoneSnoop also can't listen in on the victim's phone calls, and it leaves a conspicuous new program icon in the victim's app list.
The application also leaves a conspicuous icon on the phone's interface and a victim could also discover the application when the attacker called to activate the speakerphone.
Nevertheless, Gunasekera is trying to prove a point, which is why he called his application a proof-of-concept. "BlackBerry is one of the most secure platforms out there, so what I wanted to do was highlight that even though you have a secure platform, in the end the user is probably going to be the weakest link," Gunasekera told the Post.
What he's saying is don't leave your phone laying around. And for those who are given their phone, say from their boss or their spouse, it's probably not a bad idea to see what software's installed on it.
If you think something malicious might be lurking on their phone, Gunasekera has also written and released "Kisses," a free application that detects hidden programs on various BlackBerry smartphones.