The Latest BlackBerry Spyware Scare: Don't Worry, Yet

It is no more a hack than a user being asked to perform five steps to install spyware software on their PC

Here we go again. Another BlackBerry security scare, in which some "noble" researcher explains to all of us blissfully-unaware BlackBerry users that our precious devices aren't nearly as safe as we think they are.

Lions, tigers, mobile spyware. Oh my.

This time it's security-software-maker Veracode decrying the BlackBerry's weaknesses. More specifically, Tyler Shields, a senior researcher with Veracode Research Lab, has put together and publicly released some proof-of-concept spyware code, dubbed TSXBBSpy, that can reportedly wipe a BlackBerry clean, distribute on-board data via e-mail and monitor voice-mail messages in real-time.

Why would Shields release the source code for such an app? Well, to show the world "how easy it is to write" of course.

Sounds frightening, right? Well, yes and no. First of all, such malicious software really isn't new. We've seen similar "spyware" emerge over the past couple of years with the growing popularity of the BlackBerry platform among RIM's traditional enterprise customer-base and in the massive consumer ranks.

The most recent example that comes to mind is PhoneSnoop, which could "turn your BlackBerry into a remote listening device." This app could indeed record your phone calls and send them to a third-party, but you not only had to install the suspicious app, but also grant it permission to your phone activity. As my friend, colleague and security-pro Ariel Silverstone put it in his blog post on the subject:

"It took over ten years for such a 'hack' as the listening software to be available. And it is not even a hack. It is no more a hack than a user being asked, in bold letters, to perform five steps to install spyware software on their pc...If someone does all of [this] they should be reminded how to buckle their belts on every airliner they board, and they indeed do not deserve a berry."

Ariel's point: Sure, software exists that can "hack" into your BlackBerry and potentially perform all sort of nefarious deeds. But the security safeguards built into RIM's BlackBerry OS make it extremely difficult for miscreants to do so without the approval, and often assistance, of the BlackBerry user.

Like much online malware, the BlackBerry spyware apps rely on human error, and protecting yourself and your users calls for education: education about the potential threats, and how you should never install questionable apps or software from suspicious sources; education on how the BlackBerry OS and its associated security-protections work, i.e., when to grant changes to permissions and when to be cautious; and education about how to get the most from your BlackBerry smartphone in general without subjecting yourself and your organizations to undue risk, a.k.a., always use a password and don't let your device out of your sight where someone could install spyware without your knowledge.

So while such BlackBerry spyware surely sounds scary, it's still not really a major threat. No one has bundled any suspect code into reputable apps and/or nobody has figured out a way to effectively trick piles and piles of BlackBerry users into installing the sketchy code in other ways yet.

I don't mean to downplay the potential security threat to RIM's BlackBerry OS; the threat exists, and it's likely only a matter of time before the previously described fears and resulting paranoia become founded.

But until a "black hat" hacker, or a hacker with truly bad-intentions, shows us that the Bad Guys have finally deemed the BlackBerry a worthy target, I wouldn't worry much about Mr. Shields' BlackBerry spyware.

Shields claims his purpose in releasing this new BlackBerry spyware was to inspire a "call to action to encourage development of BlackBerry applications to make it clear what these apps do before releasing them," according to NetworkWorld.

However, this makes little sense to me, since hackers or other villains would presumably want to hide the true purposes of their malware or they'd sneak some suspect code into someone else' app. And they'd presumably do whatever they could to hide the harmful code.

I think Shields is just stirring up the pot, in an attempt to ready CIOs and smartphone admins to pull out those corporate checkbooks for more BlackBerry security software. That's just lil' old me, and my conspiracy theories. But additional security awareness certainly doesn't hurt.

Organizations worried about such threats can already purchase or license BlackBerry-device-auditing software from companies like Zenprise, so they can see which apps are running on users' device, as well as eliminate any unidentified or potentially-troublesome apps.

To sum that up, yes, BlackBerry spyware is real. But as long as you're vigilant about the activities you perform with your BlackBerry device--don't just download any and all apps you come across, take some responsibility, do your research, and so on--the current crop of known BlackBerry spyware shouldn't pose much of threat to you, your BlackBerry or your organization's infrastructure.

So enjoy it while it lasts. Shields is right about one thing, I think: The future won't likely be nearly as kind to the BlackBerry OS, its users or admins.

Join the CSO newsletter!

Error: Please check your email address.

Tags Blackberryspyware

More about ArielBlackBerryResearch In MotionSilverstone

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Al Sacco

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts