Smartphone Spying Tools

Mylonas Alexios
Student Number: 100588864
Supervisor: Keith Martin

Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London.

I declare that this assignment is all my own work and that I have acknowledged all quotations from the published or unpublished works of other people. I declare that I have also read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences and in accordance with it I submit this project report as my own work.

Signature: Alexios Mylonas
Date: 5-9-2008
Abstract

In this thesis we examine spying tools running on smartphones, that is, mobile phones whose functionality the user can extend by installing third-party applications. We identify the data that such spyware collects and the methods it uses to leak that data back to an attacker. We emphasize the security risks that emerge (a) from the use of an identifiable operating system in smartphones and (b) from the execution of unsigned applications, which make use of functionality provided by the libraries available for smartphone application development. As proof-of-concept attacks on smartphones, we implement two spying tools running on the Windows Mobile 6 operating system. Furthermore, we implement two different spyware infection vectors for the Windows Mobile device: (a) a Trojan horse that uses spoofed system frames together with a download-and-execute capability, and (b) a proof-of-concept code injection attack on a Windows Mobile application. Finally, we propose anti-spyware solutions that mitigate smartphone spyware either before or after device infection, and we provide an implementation of a Windows Mobile spyware removal utility.
Chapter 8 Conclusion

As discussed earlier, smartphones are devices containing various types of personal information. As the popularity of these devices increases, so does attackers' interest in finding and exploiting vulnerabilities in them in order to acquire this data. Their potential attacks are aided by the functionality that the smartphone operating system exposes through its APIs, and by the fact that in some cases the operating system allows the execution of unsigned applications.

In this project we demonstrated the types of data that spyware authors collect from infected devices. As proof-of-concept attacks, we implemented spyware running on Windows Mobile 6 devices, where the execution of unsigned applications is permitted. The implementations use functionality provided to developers by the CNF API. Additionally, for the infection of the devices we implemented a Trojan horse with download-and-execute capability and demonstrated a proof-of-concept MSIL injection attack on an unsigned utility application written for Windows Mobile 6. At the end of the thesis, we propose anti-spyware solutions that combat the spyware either before or after device infection. Furthermore, we implemented a spyware removal utility demo, which breaks the operation of spyware that intercepts SMS messages without the user's knowledge.

Experience with desktop computer malware has shown that the motivation of malware writers is changing. Malware writers who exploit vulnerabilities for fun or out of curiosity are becoming rare, since attackers nowadays are trying to make money out of their attacks. Because smartphones have a built-in billing system, they are an attractive target for organized crime: profit can be made even if the victim has no bank account or credit card. As a result, we believe smartphone malware will become a serious security issue in the near future, so security experts should be ready to supply users with both technological and non-technological solutions.