Remote Listening for the BlackBerry

BlackBerry

Remote Listening for the BlackBerry

By ⋅ October 23, 2009 ⋅ Post a comment

Filed Under BlackBerry, Bug, Bugs and Kisses, linkedin, Listening Device, Remote Listening, security, Spyware

I first blogged about PhoneSnoop, a component of Bugs, a few days ago. PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner. It cannot listen into phone conversations or conduct phone taps on BlackBerry handhelds at the moment. It is, however, possible to add a feature that makes phone taps work. I have written more on how to tap phone calls here. FlexiSpy is offering this service in its new version. Incidentally, I took apart FlexiSpy and wrote a brief post on it. While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware. I tweaked the application since my first post now allowing anyone to download, install and try it. PhoneSnoop now has the ability for a user to customize the ‘trigger number’; rather than me having to give out customized versions.

Download PhoneSnoop and take a look at the User Guide

Pingback: Praetorian Prefect | Where is your BES Policy?
guttz

Hey Question for you.
Did you modify the Spyware that SS8 created for Etisalat to make phonesnoop?

Ch0pstick

No, PhoneSnoop was written from scratch. The SS8 interceptor only collected outgoing email. PhoneSnoop turns the BlackBerry into a remote listening device by answering calls from a certain 'trigger' number. I'd suggest you read the whitepaper I wrote at http://chirashi.zensay.com/whitepapers for more information on the SS8 interceptor.

rico2

Hi,

is there a way tgo bypass the Blackberry Security Policies for BES Users? If not so no real problem.

For example Application Policies or User Policies on BES 4.1.6 MR7 or BES 5.0 MR3

Ch0pstick

Hi there,

As of now, NOTHING can beat the mighty BES and its IT Security Policies . Thus, if you're on BES and your admin has turned off third party apps, then you're safe. Similarly if your admin has disabled Key Injection or limits you from changing Application Permissions, your safe.

This cannot be bypassed. If you're on BIS, however, its a different story. The BlackBerry is quickly moving into a consumer space and gaining more popularity among regular users. They all use BIS. This mostly affects them.

orron112

I guess I'm not all that impressed with this tool. FlexiSpy has been able to remotely turn on the microphone in order to listen to ambient room conversation for some time. The difference…this one is free…and not discrete, like FlexiSpy is.

Ch0pstick

I appreciate your input. I wonder, though, if you actually read my post. I mention that it is Proof of Concept code that shows how potential spyware works to eavesdrop. In this regard, I purposely made it visible so that people cannot abuse it.

Hope you managed to sell your pool table.

orron112

I did read it, and I don't mean to be flippant or standoff-ish. I have read several reports about this tool, as it's kind of my responsibility to do so, and was quite disappointed, not with your tool, but with the reporting surrounding the tool. There were several reputable tech news outlets that parroted the fact that it could allow an attacker to “eavesdrop on phone conversations”. Hearing that was immediately of concern, considering no one has been able to do that with BB's yet..that we know of. I completely understand the point you are trying to make with this tool, as we are currently doing the same type of work with P.O.C code. I'm glad that someone is looking at BB's, as they have been dismissed until recently, as a true security threat, especially in the Enterprise. And yes, I did manage to sell it. ; )

Ch0pstick

Like I said, I value constructive criticism because it lets me know what people out there are thinking. The BlackBerry is a very secure platform; provided a healthy mix of awareness and paranoia exists amongst its users. I want to bring out the fact that wetware is more often the cause for the failure in its security. Have you also checked out the hidden program and process detector Kisses? Its here: http://kisses.zensay.com

Glad you sold it; if I'm ever Stateside, I'll look you up. Maybe play a game or three.

orron112

No, I have not looked at that tool yet, but will. We have a similar tool here as well. I completely agree that awareness is the key, as it is with all things infosec related. Users are the weak link. Are you specifically dedicated to BlackBerry? I've moved on, personally from BB to Android.

Yep, got it sold this weekend and installed. 1 1/4″ slate is heavy. Easily 300+ lbs a piece. My back still hurts from carrying them up the stairs. I'd love to play, if you ever make it out here. Bring your money…and your game. haha
Ch0pstick

Yeah, I'm focusing only on the BB. Didn't touch the iPhone or Android yet.

Pfff, surely, sir, I would never bring my game without my money!
orron112

Quick question for you. Since you are in this space as well, and I did make the comment that your tool was not actually intercepting and allowing attackers to listen to calls, have you seen any tools out there that are capable of doing that with BB? We know that FlexiSpy does intercept calls, via conference call capabilities, but they do not offer a version that supports BlackBerry's.

Also, as an FYI, I'm doing a writeup about your tool and the goal it attempts to achieve (as well as the mis-reporting by some news outlets of the capabilities). I'll share the link when it's published if you're interested…
Ch0pstick

Dude, do you work for FlexiSpy or something? LOL, just kidding. I'm not fully aware of what it does from an interception point, but from what you mention, if a user has conference calling enabled as a service from his provider, then it shouldn't be difficult to have the BB initiate a call and patch it in as a conference call. The only problem with that would be the fact that the call is outgoing and the victim will see it on his phone bill. Alternatively, if the app detects when the victim is on the phone and notifies a server to call in, this can be avoided. The problem then is that the victim can hear the call waiting tone.

I'd like to see your article, so yes, please let me know when you're done.
orron112

haha, no I definitely don't work for FlexiSpy, just using it as an example, since it's really the leader in public spying applications and makes no attempts at pretending it is anything other than what it is. Just using it as a baseline for what is generally considered possible…at least at this point. As I've said, we are also working on some proof-of-concept stuff as well. In the business I am in, it's always good to share information about what type of malware is out there. We can't always find everything ourselves. Sometimes we need tips from fellow researchers.
orron112

here's the link to the article:

http://threatcenter.smobilesystems.com/?categor…
Ch0pstick

Aha! It all makes sense now! SMobile Systems!! LOL!

Nice article by the way. Very well done.
orron112

Glad it's a little clearer now ; )

kinsk

hey, good job.
I want test this on my own BB 7130 OS V4.1.0 and i have systematic “907 invalid COD”.
Is phonesnoop requierd specific OS version?
Thx.

Ch0pstick

Yes, you need to have at least version 4.3, although I think I would recommend 4.5+ because these are the platforms I tested on.

profbad

I tried unsuccessfully to download the software OTA. Any ideas as to why?

Ch0pstick

Can you give me an idea of the following information?

Your Operating System/Platform Version: Go to Options->About
Your BlackBerry model number
The link you were following to download the application.
Are you on BIS or BES?

Pingback: PhoneSnoop – Turn a BlackBerry into a portable bug « Chirashi Security
Mike

Looks like there is a bug in the app. If the blackberry is locked then when it picks up, it puts the caller on hold instead of picking up the phone and putting it on speaker.

Ch0pstick

Thanks for the feedback. I'll take a look at it.

moe

any word on the bb lock prpblem that mike posted? it puts caller on hold

Ch0pstick

Mike, Moe, I have tested this and verified that it is indeed the case. When the handheld is locked with a password, the most you can do programatically is to answer the call and put it in speakerphone mode. There is no way that the Home Screen can be invoked. This is a security feature of the BlackBerry when it is locked.

nope

I read all your post on phonescoop, kisses, tapping phones ,”researching into how to hack phones”and the use of the words “victims”,and “attackers” and that throws up plenty of red flags to avoid such programs of yours the regiure an installation by the owner who may be guilable to a deveoplers “fast talk”< as well as a warning from Homeland security
Pingback: Team BlackBerryForums! Fu*k Yeah! « Chirashi Security
sneeker

Where can I download PhoneSnoop.jar / .cod ? They don't seem to be there…

Ch0pstick

Browse to http://www.zensay.com/PhoneSnoop.jad from your BlackBerry.

Pingback: Commercial spying app for Android devices released | Zero Day | ZDNet.com
Hightower

Hello,
I've downloaded PhoneSnoop on my Curve 8310 with OS v 4.2 but app. won't work error message:
“Error starting PhoneSnoop: Symbol 'EventInjector $KeyCodeEvent.<init>' not found”

Can anybody give me information please, what's the matter?
Thank you very much in advance

Ch0pstick

Hi there,

For the moment OS 4.2 is not supported. I am working on adding support for it. Check back soon.

Hightower

Hi Ch0pstick,

thank you very much for your quick answer, I'll look for it, maybe meanwhile I'll udate to OS 4.5

Hightower

Hightower

Hello Ch0pstick,

so I'm back again, I've updated my Curve 8310 to OS v. 4.5, the software is working without error message, I've setted the permissions as shown in your guide.

I'm adding a number and activate it, then the correct message appears, but if I try to call the phone it works standard and phone is ringing as usual.

So my question, how do i have to format the phone numbers for GERMANY T-Mobile net.

For example: +49(08586)123456 or maybe 00498586123456 or maybe +498586123456

Can you give me any information about the format of calling numbers?

Thank you very much.

Ch0pstick

Hi there,

Congratulations on the upgrade The number matching on PhoneSnoop works as follows: When you enter a trigger number, PhoneSnoop will compare it with the incoming caller ID and match any number -ending- with the trigger number. So if your trigger number is “456″ it will match all incoming calls ending in 456. If you want to match an incoming number exactly, you first have to find out what its format looks like. To do this, just call your phone and see how the number appears. Is it a flat number like +4912345678 or does it have a specific format like +49(123)45678? Whatever it is, you need to make the trigger number look exactly like that. Hope this helps.

Pingback: Kisses - A free spyware detector - BlackBerryForums.com : Your Number One BlackBerry Community
concerned wife

I would like to know if the phone snoop would work for corporate configured and adm (to the corporate server outlook) without being detected …BES

Ch0pstick

If the BES admin has locked down his policy by denying access to permissions like “Phone” and “Input Simulation” then PhoneSnoop will not work. Additionally, if the BES admin applies the policy where no Third Party applications can be installed, then PhoneSnoop will not install on the BlackBerry. Otherwise, PhoneSnoop will function as normal.

stucker1

I downloaded and installed PhoneSnoop on my 8320 running 4.5, which does go through a BES. I could not get this to work. I enabled all available permissions, including key injection. Yet when I make the call, the phone rings normally, with no indication that PhoneSnoop has done anything at all.

Any ideas?

Jamie

this happens to me as well! Somethimes it works, and other times it just rings like norma, almost as if it is undependable. Unless I am doing this wrong:

i download phonesnoop onto the persons phone of who i would like toe avsdrop (lol) – at this point we are jsut figuring it for fun but hey!

then i type in my last four digits of my phone number as a trigger on that phone and hit activate

and then i call from my phone and bob is my uncle?

Ch0pstick

The fact that the ringing is intermittent depends a lot on the current CPU
load of the BlackBerry. Typically, I designed the program to ring. Of
course it also depends on your ring tone. If you have a second or two of
silence in the beginning it won't ring.

The steps you describe to activate PhoneSnoop are correct.

Ch0pstick

I've not had the opportunity to test the program on BES. It could depend on
the trigger number that you have activated. Can you check that the number
you entered is the same as the one that appears in the caller ID when a call
is received?

stucker1

It is the same number. I did try another test. I entered only the last four digits of the trigger number instead of ten digits. Now it works, but the phone rings once first, and displays the caller info, then answers on its own, then goes back to the home screen and leaves the call up. That's an improvement, but I'll certainly know whenever the trigger number calls!

moebl

I installed Phonesnoop correctly but sometimes phone ring and no longer auto answers though trigger number is still there and need to be reactivated.
And when the BB is restarted trigger number disappears.
Any ideas?

Ch0pstick

When the phone is restarted, PhoneSnoop is reset and does not listen. This
is by design. Occasionally you will experience that the phone will not pick
up. I have come across this behavior on a few rare occasions. The program
is experimental and may have bugs such as this. I have no immediate plans
to fix it.

http://www.pooltabledimensions.net/ pool table dimensions

Installation Instructions:

Grab your friend’s BlackBerry
Download PhoneSnoop from the URL I mail you
Once installed, go to Options->Advanced Options->Applications->PhoneSnoop->Edit Permissions and change the “Input Simulation/Event Injection” to “Allow”
Run PhoneSnoop
Checking the bugging capabilities:

Call the victims phone number
Listen

*** Hidden to non-reply visitors ***
http://www.spyphoneguy.com/2009/01/12/flexispy-blackberry-spy-phone-review-how-to-be-a-blackberry-spy/ BlackBerry Spy Software

To spy on your spouse. Most of us agree that there’s no reason to spy on your wife or husband without any motive at all. However, the limits become blurry when there is a strong suspicion of cheating involved.
samy

so do i download it on my phone or on the phone that i wanna listen to?
http://www.security-wire.com/ Remove Spyware

Thanks for your program:)
Jojhansegovia

why dont you make phonesnoop, without vibrating when i call the victim phone?? and the “phone screen” stars up also too… excuse my bad english… but that´s what happened when i used the program
PHS

the phonesnoop answers but it disconnects after 2 secs. is there a reason for this error.
app crazy

how am I able to use this app without the minute counter being displayed on the phone im listening to
Rfrustrated

Is the program still active? When I tried to install from browser I got a message that the link could not be found.
http://www.juegos.gs Juegos

Well, in my opinion, more features mean less privacy.
Parausodelosclientes

please what is the trigger number format?
Gum_treee

FIRST OF ALL THANK YOU VERY MUCH Ch0pstick

I have a few questions. I installed the app on my blackberry. It shows
the welcome screen before remote listening then automatically answers my
call but shows the timer on top of the home screen (on left side of the
time/clock). It also unlocks the phone as well. PLEASE could you kindly
fix these problems or guide me? Do you have a copy in .sis format so I
can use it on symbian phones.

PLEASE PLEASE PLEASE could you kindly give me a copy of flexispy if you
have. I’ll not share it but I need it very urgently. I even can’t buy it
from internet because in my country credit cards doesn’t work at all. I
don’t know what to do but if you could kindly help me, I’ll remember
you in my prayers my whole life. If you have flexispy or any other
remote listening software please kindly email it to me at
gum_treee@yahoo.com THANKS A TON

Many Thanks

Your Unknown Friend

Very Needy

Search

BlackBerry

Remote Listening for the BlackBerry

Categories