I've been focused on conducting research into the mobile spyware arena these last few months and the results have been very interesting. As I'm sure you are aware, I released a fully functional piece of BlackBerry spyware called txsBBSpy at the Shmoocon security conference in February 2010 and have done a number of interviews and podcasts on the topic. While my research is interesting, other high-profile attacks just this week could really make this type of spyware/trojan a lot more dangerous.

At the CanSecWest security conference this week, iPhone, Firefox, Safari, and other mobile operating systems and browsers were proven vulnerable to zero-day exploitation. (The Register Article). Many people have expressed to me that txsBBSpy doesn't actually have an infection vector and that mobile devices are secure from attack. I think the results of Pwn2Own clearly demonstrate otherwise. Mobile devices are just as insecure as the standard desktop system, if not more so. What makes it even more dangerous is that researchers who sell their exploits can get between $10K and $115K depending on the specifics of the flaw. That's no longer chump change! Why would any researcher have any incentive at all to disclose the flaw responsibly given the big dollars that can be made by selling to a broker?

The only thing really limiting researchers from selling their flaws on the open market is the threat of incarceration. Jeremy Jethro was sentenced this week to three years' probation and $10K in fines for selling exploit code to hacker Albert Gonzalez, who in turn used the code in hacking companies and stealing 90 million credit card and debit card numbers. Gonzalez paid Jethro $60K for the exploit while Jethro had no indication that Gonzalez intended to use the exploit code in any illegitimate way. Had this gone to court, the precedent that could have been set here is astonishing. Luckily this case was a plea bargain; otherwise the selling of exploit code would essentially be criminalized and we wouldn't be sure to what degree this really impacts the researcher. If a researcher were to sell his exploit code to ZDI and then ZDI somehow accidentally leaks the code that is then used in an attack, who is to blame and who pays the fines/jail time? If a researcher sells his code to an independent broker who then resells the code to a criminal, who is left holding the legal bag? We do know this much: it's dangerous and potentially illegal to sell exploit code that is then used in a crime, regardless of your knowledge of the crime. Everything else is still shades of grey.

What does this mean for mobile-based spyware? It means that those vulnerable phone operating systems and browsers are likely to get exploited with previously unknown vulnerabilities, and spyware like mine is likely to be the resulting payload. Welcome to the era of malicious mobile attacks.


About Tyler Shields

Tyler Shields is a Senior Researcher for the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings. He also keeps track of new developments from other computer science and information security researchers to ensure that Veracode technologies are always kept in line with the most recent security advancements.

Comments (2)

OscarZ | June 17, 2010 11:01 am

"Gonzalez paid Jethro $60K for the exploit while Jethro had no indication that Gonzalez intended to use the exploit code in any illegitimate way."

Are you sure about that? Is that what you really think about this case?

I think for security researchers what concerns them is we can be hard to understand, outside the norms of society, and so on. When we see cases go through without what looks like adequate evidence, this can increase paranoia that guys in suits are out to get us... and can make cases where there is no evidence at all.

But, he is a smart guy. He probably had a smart lawyer. Why, then, did he agree to a plea bargain, really?

And you are not a lawyer - nor am I - yet it is easy to see here that this would have been - apparently - a very difficult to prove case that would kick up a big media storm.

Even the investigation kicked up a huge media storm.

Have you looked at the recent edition of Rolling Stone? Jethro is in it, big glossy pictures, partying his head off.

Mobile phones are being exploited and will be exploited, just like cloud based services. (Which, essentially, in a sense, is what the goatse issue really revolves around.)

The value is there. It is advantageous for a gigantic range of potential criminals. Extremely so. Walking GPS unit. Personal bugging system. Phone calls tapped at the same time. Email contacts. Conversations. Documents.

It is more interesting than someone's PC. Far more so in most cases.

Is this something just comp sec researchers understand? Any criminal with half a brain is likely to understand it. There are plenty of smart criminals. And even if they did not, just takes someone they know to bring up the idea.

Steve Brown | June 7, 2013 9:10 am

You are right, OscarZ. I agree with your point of view.
