NEWS FROM THE LAB - Friday, May 11, 2007

Just because it's Signed doesn't mean it isn't spying on you Posted by Jarno @ 13:00 GMT

While it has been rather peaceful on the mobile malware front, mobile spyware and spying tools have been active lately. This week, we have received samples of two new mobile spying tools – running on new platforms. There is now spyware for both Windows Mobile and Symbian S60 3rd Edition devices.

We thought it likely that spyware rather than malware would be seen first on these platforms. Hobbyists of varying skill levels write all of the mobile malware that we have seen so far, and most mobile malware is rather simple. While on the other hand, spyware is being developed by commercial companies that have a lot more resources, skills, and motivation to get their creations to work.

Both new spying tools are rather similar in their capabilities. After being installed on the device, they hide from the user and report information from the phone to a central server. From there, it can be accessed through a web page interface.

Windows Mobile SpyTool - Account Page

An interesting fact is that the spyware for the Symbian 3rd Edition platform is Symbian signed. Therefore it can be installed without any warnings and is capable of operating without Symbian security alerting the user that something is going on.

The certificate that was given to the software company was for RBackupPRO. That name is different than the name they use to brand their spy tool. The name RBackupPRO would appear to indicate that the software is some kind of network backup tool. Right?

The fact that the spy tool authors could get their software certified indicates a potential issue when using digital signatures and certificates as the only security measure. On one hand the software is technically exactly what it claims to be, an application that backs up user data to a server. One the other hand, when the software is installed onto the device without the primary user's knowledge and permission, it can be used as a spying tool that compromises the said user's personal privacy. Thus if suspect applications cannot break security components, they can then play with the process of certification.

Both new spyware applications are now detected with F-Secure Mobile Anti-Virus. We're not naming either application in this post, as we don't feel like providing them with any direct publicity.