A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.
[Figure: The application as seen when installed on a Blackberry]
The application is actually quite straightforward and uses standard Blackberry APIs that allow incoming phone calls to be intercepted. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and may not realize that someone can now listen in on their immediate surroundings.
We'd consider this application just a proof of concept for a variety of reasons, not least because the author himself presents it as one:
1. As designed, an attacker must have physical access to your phone and know your PIN (if set) in order to install and configure the application.
2. You must not notice the incoming phone call.
3. You can see the application and remove it.
4. While the call is engaged you will see the phone connected as with any normal phone call.
5. The application requires special permissions that must be allowed (Key Injection and Phone Access).
6. A BES server can be configured to prevent this and similar types of applications from installing or executing properly due to lack of permissions—it is likely many are already configured as such.
7. Audio quality is very poor unless the phone is positioned properly in an open environment, in which case one may notice the incoming call (e.g., a Blackberry in someone’s pocket is unlikely to yield high enough audio quality).
[Figure: The configuration screen]
However, many of these limitations could be overcome. While this specific implementation is not cause for worry, Symantec has previously documented the possibility of these types of attacks in the whitepaper Attack Surface Analysis of Blackberry Devices. Note that this paper was written and released in 2007, so while many of the concepts remain valid, some of the specific details may have changed over time.