Remote Listening for the BB
I first blogged about PhoneSnoop, a component of Bugs, a few days ago. PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner. It cannot listen into phone conversations or conduct phone taps on BlackBerry handhelds at the moment. It is, however, possible to add a feature that makes phone taps work. I have written more on how to tap phone calls here. FlexiSpy is offering this service in its new version. Incidentally, I took apart FlexiSpy and wrote a brief post on it. While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware. I tweaked the application since my first post now allowing anyone to download, install and try it. PhoneSnoop now has the ability for a user to customize the ‘trigger number’; rather than me having to give out customized versions.
Download PhoneSnoop and take a look at the User Guide
52 Responses to “Remote Listening for the BB”
Trackbacks/Pingbacks
- Praetorian Prefect | Where is your BES Policy? - [...] for the Blackberry which can turn the handheld into a remote bugging device. The software is called PhoneSnoop and ...
- PhoneSnoop – Turn a BlackBerry into a portable bug « Chirashi Security - [...] « BlackBerry QRCodes – A look ...
- Team BlackBerryForums! Fu*k Yeah! « Chirashi Security - [...] the program called Kisses. It would appear, however, that the fact that I had designed both PhoneSnoop and Kisses ...
- Commercial spying app for Android devices released | Zero Day | ZDNet.com - [...] in releasing such applications, last month US-CERT warned on the public release of the first free BlackBerry spying application ...
- Kisses - A free spyware detector - BlackBerryForums.com : Your Number One BlackBerry Community - [...] Sheran Gunasekera was also interviewed by Dark Reading as well as by PCWorld. He explains in his blog how ...
Hey Question for you.
Did you modify the Spyware that SS8 created for Etisalat to make phonesnoop?
No, PhoneSnoop was written from scratch. The SS8 interceptor only collected outgoing email. PhoneSnoop turns the BlackBerry into a remote listening device by answering calls from a certain 'trigger' number. I'd suggest you read the whitepaper I wrote at http://chirashi.zensay.com/whitepapers for more information on the SS8 interceptor.
Hi,
is there a way tgo bypass the Blackberry Security Policies for BES Users? If not so no real problem.
For example Application Policies or User Policies on BES 4.1.6 MR7 or BES 5.0 MR3
Hi there,
As of now, NOTHING can beat the mighty BES and its IT Security Policies
. Thus, if you're on BES and your admin has turned off third party apps, then you're safe. Similarly if your admin has disabled Key Injection or limits you from changing Application Permissions, your safe.
This cannot be bypassed. If you're on BIS, however, its a different story. The BlackBerry is quickly moving into a consumer space and gaining more popularity among regular users. They all use BIS. This mostly affects them.
I guess I'm not all that impressed with this tool. FlexiSpy has been able to remotely turn on the microphone in order to listen to ambient room conversation for some time. The difference…this one is free…and not discrete, like FlexiSpy is.
I appreciate your input. I wonder, though, if you actually read my post. I mention that it is Proof of Concept code that shows how potential spyware works to eavesdrop. In this regard, I purposely made it visible so that people cannot abuse it.
Hope you managed to sell your pool table.
I did read it, and I don't mean to be flippant or standoff-ish. I have read several reports about this tool, as it's kind of my responsibility to do so, and was quite disappointed, not with your tool, but with the reporting surrounding the tool. There were several reputable tech news outlets that parroted the fact that it could allow an attacker to “eavesdrop on phone conversations”. Hearing that was immediately of concern, considering no one has been able to do that with BB's yet..that we know of. I completely understand the point you are trying to make with this tool, as we are currently doing the same type of work with P.O.C code. I'm glad that someone is looking at BB's, as they have been dismissed until recently, as a true security threat, especially in the Enterprise. And yes, I did manage to sell it. ; )
Like I said, I value constructive criticism because it lets me know what people out there are thinking. The BlackBerry is a very secure platform; provided a healthy mix of awareness and paranoia exists amongst its users. I want to bring out the fact that wetware is more often the cause for the failure in its security. Have you also checked out the hidden program and process detector Kisses? Its here: http://kisses.zensay.com
Glad you sold it; if I'm ever Stateside, I'll look you up. Maybe play a game or three.
No, I have not looked at that tool yet, but will. We have a similar tool here as well. I completely agree that awareness is the key, as it is with all things infosec related. Users are the weak link. Are you specifically dedicated to BlackBerry? I've moved on, personally from BB to Android.
Yep, got it sold this weekend and installed. 1 1/4″ slate is heavy. Easily 300+ lbs a piece. My back still hurts from carrying them up the stairs. I'd love to play, if you ever make it out here. Bring your money…and your game. haha
Yeah, I'm focusing only on the BB. Didn't touch the iPhone or Android yet.
Pfff, surely, sir, I would never bring my game without my money!
Quick question for you. Since you are in this space as well, and I did make the comment that your tool was not actually intercepting and allowing attackers to listen to calls, have you seen any tools out there that are capable of doing that with BB? We know that FlexiSpy does intercept calls, via conference call capabilities, but they do not offer a version that supports BlackBerry's.
Also, as an FYI, I'm doing a writeup about your tool and the goal it attempts to achieve (as well as the mis-reporting by some news outlets of the capabilities). I'll share the link when it's published if you're interested…
Dude, do you work for FlexiSpy or something? LOL, just kidding. I'm not fully aware of what it does from an interception point, but from what you mention, if a user has conference calling enabled as a service from his provider, then it shouldn't be difficult to have the BB initiate a call and patch it in as a conference call. The only problem with that would be the fact that the call is outgoing and the victim will see it on his phone bill. Alternatively, if the app detects when the victim is on the phone and notifies a server to call in, this can be avoided. The problem then is that the victim can hear the call waiting tone.
I'd like to see your article, so yes, please let me know when you're done.
haha, no I definitely don't work for FlexiSpy, just using it as an example, since it's really the leader in public spying applications and makes no attempts at pretending it is anything other than what it is. Just using it as a baseline for what is generally considered possible…at least at this point. As I've said, we are also working on some proof-of-concept stuff as well. In the business I am in, it's always good to share information about what type of malware is out there. We can't always find everything ourselves. Sometimes we need tips from fellow researchers.
here's the link to the article:
http://threatcenter.smobilesystems.com/?categor…
Aha! It all makes sense now! SMobile Systems!! LOL!
Nice article by the way. Very well done.
Glad it's a little clearer now ; )
hey, good job.
I want test this on my own BB 7130 OS V4.1.0 and i have systematic “907 invalid COD”.
Is phonesnoop requierd specific OS version?
Thx.
Yes, you need to have at least version 4.3, although I think I would recommend 4.5+ because these are the platforms I tested on.
I tried unsuccessfully to download the software OTA. Any ideas as to why?
Can you give me an idea of the following information?
Your Operating System/Platform Version: Go to Options->About
Your BlackBerry model number
The link you were following to download the application.
Are you on BIS or BES?
Looks like there is a bug in the app. If the blackberry is locked then when it picks up, it puts the caller on hold instead of picking up the phone and putting it on speaker.
Thanks for the feedback. I'll take a look at it.
any word on the bb lock prpblem that mike posted? it puts caller on hold
Mike, Moe, I have tested this and verified that it is indeed the case. When the handheld is locked with a password, the most you can do programatically is to answer the call and put it in speakerphone mode. There is no way that the Home Screen can be invoked. This is a security feature of the BlackBerry when it is locked.
I read all your post on phonescoop, kisses, tapping phones ,”researching into how to hack phones”and the use of the words “victims”,and “attackers” and that throws up plenty of red flags to avoid such programs of yours the regiure an installation by the owner who may be guilable to a deveoplers “fast talk”< as well as a warning from Homeland security
Where can I download PhoneSnoop.jar / .cod ? They don't seem to be there…
Browse to http://www.zensay.com/PhoneSnoop.jad from your BlackBerry.
Hello,
I've downloaded PhoneSnoop on my Curve 8310 with OS v 4.2 but app. won't work error message:
“Error starting PhoneSnoop: Symbol 'EventInjector $KeyCodeEvent.<init>' not found”
Can anybody give me information please, what's the matter?
Thank you very much in advance
Hi there,
For the moment OS 4.2 is not supported. I am working on adding support for it. Check back soon.
Hi Ch0pstick,
thank you very much for your quick answer, I'll look for it, maybe meanwhile I'll udate to OS 4.5
Hightower
Hello Ch0pstick,
so I'm back again, I've updated my Curve 8310 to OS v. 4.5, the software is working without error message, I've setted the permissions as shown in your guide.
I'm adding a number and activate it, then the correct message appears, but if I try to call the phone it works standard and phone is ringing as usual.
So my question, how do i have to format the phone numbers for GERMANY T-Mobile net.
For example: +49(08586)123456 or maybe 00498586123456 or maybe +498586123456
Can you give me any information about the format of calling numbers?
Thank you very much.
Hi there,
Congratulations on the upgrade
The number matching on PhoneSnoop works as follows: When you enter a trigger number, PhoneSnoop will compare it with the incoming caller ID and match any number -ending- with the trigger number. So if your trigger number is “456″ it will match all incoming calls ending in 456. If you want to match an incoming number exactly, you first have to find out what its format looks like. To do this, just call your phone and see how the number appears. Is it a flat number like +4912345678 or does it have a specific format like +49(123)45678? Whatever it is, you need to make the trigger number look exactly like that. Hope this helps.
I would like to know if the phone snoop would work for corporate configured and adm (to the corporate server outlook) without being detected …BES
If the BES admin has locked down his policy by denying access to permissions like “Phone” and “Input Simulation” then PhoneSnoop will not work. Additionally, if the BES admin applies the policy where no Third Party applications can be installed, then PhoneSnoop will not install on the BlackBerry. Otherwise, PhoneSnoop will function as normal.
I downloaded and installed PhoneSnoop on my 8320 running 4.5, which does go through a BES. I could not get this to work. I enabled all available permissions, including key injection. Yet when I make the call, the phone rings normally, with no indication that PhoneSnoop has done anything at all.
Any ideas?
this happens to me as well! Somethimes it works, and other times it just rings like norma, almost as if it is undependable. Unless I am doing this wrong:
i download phonesnoop onto the persons phone of who i would like toe avsdrop (lol) – at this point we are jsut figuring it for fun but hey!
then i type in my last four digits of my phone number as a trigger on that phone and hit activate
and then i call from my phone and bob is my uncle?
The fact that the ringing is intermittent depends a lot on the current CPU
load of the BlackBerry. Typically, I designed the program to ring. Of
course it also depends on your ring tone. If you have a second or two of
silence in the beginning it won't ring.
The steps you describe to activate PhoneSnoop are correct.
I've not had the opportunity to test the program on BES. It could depend on
the trigger number that you have activated. Can you check that the number
you entered is the same as the one that appears in the caller ID when a call
is received?
It is the same number. I did try another test. I entered only the last four digits of the trigger number instead of ten digits. Now it works, but the phone rings once first, and displays the caller info, then answers on its own, then goes back to the home screen and leaves the call up. That's an improvement, but I'll certainly know whenever the trigger number calls!
I installed Phonesnoop correctly but sometimes phone ring and no longer auto answers though trigger number is still there and need to be reactivated.
And when the BB is restarted trigger number disappears.
Any ideas?
When the phone is restarted, PhoneSnoop is reset and does not listen. This
is by design. Occasionally you will experience that the phone will not pick
up. I have come across this behavior on a few rare occasions. The program
is experimental and may have bugs such as this. I have no immediate plans
to fix it.
Installation Instructions:
Grab your friend’s BlackBerry
Download PhoneSnoop from the URL I mail you
Once installed, go to Options->Advanced Options->Applications->PhoneSnoop->Edit Permissions and change the “Input Simulation/Event Injection” to “Allow”
Run PhoneSnoop
Checking the bugging capabilities:
Call the victims phone number
Listen
*** Hidden to non-reply visitors ***
To spy on your spouse. Most of us agree that there’s no reason to spy on your wife or husband without any motive at all. However, the limits become blurry when there is a strong suspicion of cheating involved.
so do i download it on my phone or on the phone that i wanna listen to?
Thanks for your program:)
why dont you make phonesnoop, without vibrating when i call the victim phone?? and the “phone screen” stars up also too… excuse my bad english… but that´s what happened when i used the program
the phonesnoop answers but it disconnects after 2 secs. is there a reason for this error.
how am I able to use this app without the minute counter being displayed on the phone im listening to
Is the program still active? When I tried to install from browser I got a message that the link could not be found.
Well, in my opinion, more features mean less privacy.
please what is the trigger number format?
FIRST OF ALL THANK YOU VERY MUCH Ch0pstick
I have a few questions. I installed the app on my blackberry. It shows
the welcome screen before remote listening then automatically answers my
call but shows the timer on top of the home screen (on left side of the
time/clock). It also unlocks the phone as well. PLEASE could you kindly
fix these problems or guide me? Do you have a copy in .sis format so I
can use it on symbian phones.
PLEASE PLEASE PLEASE could you kindly give me a copy of flexispy if you
have. I’ll not share it but I need it very urgently. I even can’t buy it
from internet because in my country credit cards doesn’t work at all. I
don’t know what to do but if you could kindly help me, I’ll remember
you in my prayers my whole life. If you have flexispy or any other
remote listening software please kindly email it to me at
gum_treee@yahoo.com THANKS A TON
Many Thanks
Your Unknown Friend
Very Needy