Even Symbian 9 Spyware Can Get Signed

Created: 16 Jul 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:47:57 GMT
Ollie Whitehouse

With the advent of Symbian 9 came a new capabilities model that could be seen as akin to mandatory access control, or MAC, which I’ve touched on briefly in the past. If you’re interested in learning more about the Symbian 9 capabilities model, I recommend you go read the Embedded.com article or purchase a copy of Symbian Platform Security Development Architecture from Symbian Press.

FlexiSpy is a spyware program that runs on either Symbian OS or BlackBerry mobile devices. Recently, we saw the release of a version of FlexiSpy for Symbian 9. However, in order for this threat to run and carry out its nefarious operations, it needed to be signed with certain capabilities. When our analysts had a look at it, sure enough, it was enabled with the following capabilities:

ReadDeviceData
WriteDeviceData
NetworkServices
ReadUserData
WriteUserData

The descriptions of these capabilities are available at the links provided. Suffice to say that with those capabilities, Symbian users may not have many secrets left on their device. When we look at who had it signed, we can see that the company that sells FlexiSpy went through the appropriate channels in order to get it signed by Symbian.



Certificate chain:

Certificate 1:
    Signer:
        'Vervata Co Ltd'
        'TH'
        'Bangkok'
        'Bangkok'
        'Vervata Co Ltd'
    Issuer:
        'Symbian'
        'GB'
        'Symbian Limited'

Certificate 2:
    Signer:
        'Symbian'
        'GB'
        'Symbian Limited'
    Issuer:
        'VeriSign Testing-Based ACS Root for Symbian OS'
        'GB'
        'Symbian Limited'
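
To make concrete why the capability set listed above matters when reviewing a signed package, here is an added example (not code from the original post or from Symbian) that decodes a Symbian 9 capability bitmask and flags combinations that allow private data to be read and sent off the device. Bit positions follow the TCapability enum in Symbian's e32capability.h; the groupings DATA_READ, DATA_WRITE and EGRESS and all function names are assumptions of this example.

```python
# Added example: triage a Symbian 9 capability set from a defender's view.
# List order matches the bit positions of the TCapability enum.
CAPABILITIES = [
    "TCB", "CommDD", "PowerMgmt", "MultimediaDD", "ReadDeviceData",
    "WriteDeviceData", "DRM", "TrustedUI", "ProtServ", "DiskAdmin",
    "NetworkControl", "AllFiles", "SwEvent", "NetworkServices",
    "LocalServices", "ReadUserData", "WriteUserData", "Location",
    "SurroundingsDD", "UserEnvironment",
]

# Assumption: these groupings are this example's triage heuristic,
# not a Symbian or Symantec classification.
DATA_READ = {"ReadUserData", "ReadDeviceData", "AllFiles", "Location"}
DATA_WRITE = {"WriteUserData", "WriteDeviceData"}
EGRESS = {"NetworkServices", "LocalServices"}


def decode_mask(mask):
    """Return the capability names set in a capability bitmask."""
    if mask < 0 or mask >> len(CAPABILITIES):
        raise ValueError("mask has bits outside the known capability range")
    return {name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1}


def encode_names(names):
    """Build a bitmask from capability names; unknown names are rejected."""
    unknown = set(names) - set(CAPABILITIES)
    if unknown:
        raise ValueError("unknown capability: " + ", ".join(sorted(unknown)))
    return sum(1 << CAPABILITIES.index(n) for n in set(names))


def triage(names):
    """Return human-readable findings for a set of capability names."""
    names = set(names)
    findings = []
    readers, senders = names & DATA_READ, names & EGRESS
    if readers and senders:
        findings.append("can read private data (%s) and send it off the device (%s)"
                        % (", ".join(sorted(readers)), ", ".join(sorted(senders))))
    if names & DATA_WRITE:
        findings.append("can modify user or device data and settings (%s)"
                        % ", ".join(sorted(names & DATA_WRITE)))
    return findings


# Capability set reported in the post for the signed FlexiSpy build.
REPORTED = ["ReadDeviceData", "WriteDeviceData", "NetworkServices",
            "ReadUserData", "WriteUserData"]
```

A package that holds only NetworkServices, or only ReadUserData, produces no finding; the read-plus-egress pairing is what the check keys on.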


The fact that code with malicious intentions can get through the signing process highlights the need for people to take certain precautions. For example, FlexiSpy can’t be installed remotely yet. So, if users set PINs on their device, both at startup and on the keypad lock, they can prevent its installation. It is imperative that you set not only the SIM PIN but also the device PIN. The reason for this is that if you rely on the SIM PIN, the attacker can simply remove the SIM, restart the device, install the software and then replace your SIM. Anyway, be safe…