Kisses - A free spyware detector


sheran-g
11-03-2009, 10:00 PM
Hi everyone,

I'd like to announce the release of Kisses - A BlackBerry hidden programs, hidden processes and spyware detector. It's a free tool that I develop to help users have protection from commercially available and unknown variants of spyware. How would the spyware have gotten onto your BlackBerry? You could have had it installed by someone you know who had physical access to your phone, or you could have had it piggy-back on another piece of software. A brief list of Kisses' features:

Show all running processes on the BlackBerry - including system processes
Show processes running on the BlackBerry that are not visible - excluding system processes
Detect programs that are installed on the BlackBerry and are invisible in the Applications page
Detect and remove FlexiSpy and MobileSpy commercial spyware

For more information, please visit "kisses.zensay.com" on your browser. (Link in my signature)

New versions will be added constantly and feature requests will be welcome.

Thanks,
Sheran

daphne
11-03-2009, 10:40 PM
Hi,

Aren't you also the developer of PhoneSnoop, the program that's written up here?

Security Fix - DHS: PhoneSnoop app bugs BlackBerrys (http://voices.washingtonpost.com/securityfix/2009/10/dhs_warns_of_blackberry_snoopi.html?hpid=sec-tech)

US-CERT Current Activity (http://www.uscert.gov/current/index.html#blackberry_phonesnoop_application_used_to)

Does Kisses also detect your own spyware PhoneSnoop? I find it interesting that you developed both a spyware app and an anti-spyware app. Personally I would be reluctant to install an anti-spyware app developed by the same person who develops spyware.

JSanders
11-03-2009, 10:59 PM
Yes, he is the one and same.

In this earlier thread here he takes credit for the development of the Phonesnoop spyware app.
http://www.blackberryforums.com/bes-admin-corner/208552-phonesnoop-app-permissions.html

sheran-g
11-03-2009, 11:00 PM
Hello daphne,

Yes, I am the developer of PhoneSnoop.

I think given the recent media coverage of PhoneSnoop, I'd have far more creative and discreet ways of infecting people with spyware than posting a spyware removal tool in a forum or two ;-)

I thought Kisses did not need to detect the presence of PhoneSnoop because:

1. PhoneSnoop was a proof of concept
2. It is visible in your homescreen (distinct icon) and applications list
3. It can be easily removed because it's not hidden
4. The incoming phonecall is not muted and you will hear it

But given your concern, I think I will add this as a feature in my next release. Users can expect a release in about 10 to 12 hours.

I presented the topic of BlackBerry spyware at the Hack In The Box security conference "hxxp://conference.hackinthebox.org" where I discussed many ways in which spyware can get on your phone. I released my toolkit Bugs and Kisses there as well. My intention was to raise awareness about the topic and provide users with a mechanism for protecting themselves.

I value your concern for both yourself and your forum users. It is a very valid point.

I am not pressuring anyone to install Kisses, I am merely announcing that a free solution is available - whether you choose to install it or not.

Kind regards,
Sheran

JSanders
11-03-2009, 11:05 PM
So, Sheran, let me understand:

You developed Phonesnoop only as a "kindler and gentler" spyware app, in order to prove the possibility and viability of such spyware on BlackBerrys?

sheran-g
11-03-2009, 11:21 PM
JSanders,

I developed PhoneSnoop to raise awareness that there are companies out there like FlexiSpy and MobileSpy.

They sell their software to the public. Thus, a motivated individual can purchase this software and proceed to spy on people he knows. How would a user know he's infected? He wouldn't unless he used a commercial or free spyware detection/removal tool. How would a user know how this spyware worked? Again he wouldn't unless he spent money on purchasing the spyware himself.

IMHO, there is no point in releasing a spyware removal tool, unless you tell users how the spyware works and what it can do. Lots of the spyware removal products do not detail enough about how a piece of spyware works and what it does. I am hoping to change that by providing PoC tools. I feel that a demo has (and in this case it clearly had) a greater impact than reading a brochure or bullet point list of features.

Kind regards,
Sheran

daphne
11-03-2009, 11:36 PM
I developed PhoneSnoop to raise awareness that there are companies out there like FlexiSpy and MobileSpy.
<snip>
Kind regards,
Sheran

So if you developed it as proof of concept and to raise awareness, how long are you going to continue to make it available since you've proved your point already?

sheran-g
11-03-2009, 11:51 PM
So if you developed it as proof of concept and to raise awareness, how long are you going to continue to make it available since you've proved your point already?

Err.. I'm sorry, but do I understand from your response that I should remove PhoneSnoop from my blog to make it more justifiable that I release Kisses?

To remove any doubt, I will continue to host PhoneSnoop and release other PoC software as and when I develop them. My disclosure will be responsible, like I have done with PhoneSnoop. I will continue development on Kisses in parallel.

daphne
11-04-2009, 12:00 AM
I am not telling you what you should do. You said you developed it as a proof of concept and to raise awareness. Do you think you've accomplished those goals? Do you have other purposes for the app also? Do you plan to charge for it at some point?

JSanders
11-04-2009, 12:01 AM
Sheran, I can only think that if Norton or McAfee developed viruses (even "nice" ones) to raise awareness of the need for antivirus applications, you would be screaming.

I know I would.

Unless you come up with a better gameplan, I call this the fox guarding the hen house, and that just doesn't fly.

sheran-g
11-04-2009, 12:03 AM
I am not telling you what you should do. You said you developed it as a proof of concept and to raise awareness. Do you think you've accomplished those goals? Do you have other purposes for the app also? Do you plan to charge for it at some point?

I am quite certain that I have raised awareness, but I am not sure if it's enough. Thus, I will continue to do my research and disclose my findings. I do not plan to charge for any of these applications now or in the future.

fonejunkie
11-04-2009, 12:19 AM
I definitely agree with Daphne and JSanders on this one...

On a fundamental level, I am not sure I would trust a spyware detector created and distributed by the same guy that created spyware, even if that spyware was a "proof of concept". It's like Lilly's or Pfizer creating nasty bugs in the lab as "proof of concept" to sell more nasty bug fighting drugs.

sheran-g
11-04-2009, 12:20 AM
Sheran, I can only think that if Norton or McAfee developed viruses (even "nice" ones) to raise awareness of the need for antivirus applications, you would be screaming.

I know I would.

Unless you come up with a better gameplan, I call this the fox guarding the hen house, and that just doesn't fly.

Unlike McAfee or Norton, I'm not out to make money. I did my research on the topic, I provided the findings, I tried to raise awareness. As far as I'm concerned, I can do no more. I wouldn't be objective if I didn't look at and disclose both sides of the topic.

I don't think PhoneSnoop can be compared to a virus, thus there is no point in drawing parallels to McAfee or Norton releasing their own virus. I'm not selling my spyware removal app. I will not charge for my app now or in the future. As I replied to @<hidden>, I will be updating my Kisses app to detect PhoneSnoop as well. This is so that users who aren't fully aware of what's happening on their phones can benefit as well.

sheran-g
11-04-2009, 12:32 AM
I definitely agree with Daphne and JSanders on this one...

On a fundamental level, I am not sure I would trust a spyware detector created and distributed by the same guy that created spyware, even if that spyware was a "proof of concept". It's like Lilly's or Pfizer creating nasty bugs in the lab as "proof of concept" to sell more nasty bug fighting drugs.

Thanks @<hidden> for your feedback. So is the real issue that I released the spyware (if you can call it that) and spyware detector as the same person that's the concern? Would it have been better for everyone if I released them as "good guy identity" and "bad guy identity"? (fairly simple to do with the Internet these days)

Or is it the fact that it's taboo for the same person to develop opposing types of applications?

Is it that you don't trust me because I have less than 10 posts?

Is it the fact that I don't release the source?

How about the fact that I don't have a government agency certifying that my spyware detector is not malicious?

I am honestly happy that yourself, @<hidden> and @<hidden> are asking these questions. Because in the end, they go to highlight a fundamental point: How much can we trust something and on what do we base that level of trust? This sort of discussion is as valuable to me as it is to release an app or whitepaper.

Thank you.

daphne
11-04-2009, 01:14 AM
The bottom line with BlackBerry devices is that they are easy to keep secure. BlackBerry Enterprise admins can lock down the devices so users can't install random apps, including spyware apps. Users can protect their own devices by locking them with a strong password, short time security time out, and limiting the password attempts. And by not installing unknown applications. The media is creating a fair amount of hype about BlackBerry spy software but I suspect the risk is pretty low in reality.

Also as far as I know, FlexiSpy and Mobile Spy do not work on pure CDMA devices. What about PhoneSnoop? Would it work on my old 8330?

sheran-g
11-04-2009, 01:57 AM
The bottom line with BlackBerry devices is that they are easy to keep secure. BlackBerry Enterprise admins can lock down the devices so users can't install random apps, including spyware apps. Users can protect their own devices by locking them with a strong password, short time security time out, and limiting the password attempts. And by not installing unknown applications. The media is creating a fair amount of hype about BlackBerry spy software but I suspect the risk is pretty low in reality.


Accepted. But do we talk about that among ourselves or do we go out there and tell everyone about it? Not everyone is going to put a password on their phone. Not everyone will have a short lockout time; they probably detest how it gets in the way of the use of their phone. The average user sees these things as more of a hindrance than security. Security gets in the way of their routine. We can't assume that everyone will know about it. All I have seen so far on forums and comments to blogs is the same: "The risk is low because the user can put in a password, etc." No one is telling them how to do it. I plan to. I'll be releasing a series of short papers that will address this. Judging by some of the new BlackBerry models being released, I'm certain more consumers will be adopting. Consumers who will need awareness and education.


Also as far as I know, FlexiSpy and Mobile Spy do not work on pure CDMA devices. What about PhoneSnoop? Would it work on my old 8330?

PhoneSnoop works by matching the incoming phone call's number with a "trigger" number. If there's a match, the call is picked up. It works with voice calls only, so I'm guessing it should work with your 8330. I tested it on the 8330 simulator and it works.

SplinterCell
11-04-2009, 09:39 PM
This is the reply I made on CrackBerry this morning, but they deleted this Kisses fool's thread. I just copied and pasted my reply as I believe it's valuable info. Sorry, I cannot post links (so copy and paste obviously replacing the "xx" with "tt") as I'm new, :cry: but may post here more often as I now have an account here. This Kisses app just makes me mad as hell and I have to get my 2¢ in. I wish CrackBerry wouldn't have deleted this PhoneSnoopers thread as it's a valuable warning for some searching for info on these apps!

-------------------
Something fishy when the developer of this PhoneSnoop hxxp://chirashi.zensay.com/2009/10/phonesnoop-turn-a-blackberry-into-a-portable-bug/ who in their own words describes this app with words like "victim" and "attacker". I could care less if PhoneSnoop was developed to raise awareness; terrorist acts are committed to raise awareness!

If you still want to install this "spyware detector" be forewarned... Kisses will not detect the developer's own spyware PhoneSnoop. Here's an article I found by the Washington Post on PhoneSnoop: DHS: PhoneSnoop app bugs BlackBerrys. hxxp://voices.washingtonpost.com/securityfix/2009/10/dhs_warns_of_blackberry_snoopi.html?hpid=sec-tech

The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) is warning about PhoneSnoop...

BlackBerry PhoneSnoop Application Used to Spy on Users
added October 27, 2009 at 11:59 am

US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop.

US-CERT encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.

To the developer of PhoneSnoop and Kisses, IMHO what you are doing is offering protection from people like you. Keep your grubby, snooping hands off my BlackBerry!


Kisses of Death,
Chris

SplinterCell
11-04-2009, 09:45 PM
I am quite certain that I have raised awareness, but I am not sure if it's enough. Thus, I will continue to do my research and disclose my findings. I do not plan to charge for any of these applications now or in the future.

You will just charge to have them removed. People such as you crack me up, come near my BlackBerry and I'll send you back to Sri Lanka in a box.


Best of luck, "Super Spy",
Chris

daphne
11-04-2009, 09:49 PM
Regarding this:
No one is telling them how to do it.

Users get told that all the time on this forum. Imo, it doesn't take writing a spyware app to teach people about securing their BlackBerry.

If the authors of Zbot, the trojan that steals banking passwords, said they were trying to raise people's awareness about securing their computers, would that make it ok for them to infect your PC, steal your passwords, and drain your bank account?

daphne
11-05-2009, 01:06 AM
sheran-g,

Question for you. On your page here ZenConsult Technology Consulting | Kisses - the spyware detector (http://kisses.zensay.com/) you are asking for donations to purchase Flexispy and MobileSpy.

Important: I'm trying to build a list of signatures of spyware out there. This will then enable me to add these signatures into Kisses to be able to detect if specific spyware has been installed on your phone. If you have access to any of the following programs: FlexiSpy, MobileSpy, then please contact bbspyware@<hidden>. Alternatively, if you are able to do so, a donation would allow me to purchase either of these tools and then examine them further myself. Donations can be tracked and donators will be listed on the donations page. Kisses will always be free; you shouldn't have to pay for protection.

However, in your changelog, you say that Kisses already detects Flexispy and MobileSpy.
ChangeLog
Kisses
Features

Kisses 1.0.3
Added spyware detection & removal for PhoneSnoop
Kisses 1.0.2
Added spyware detection feature for two versions of FlexiSpy
Added spyware detection feature for two versions of MobileSpy
Added spyware removal feature for detected spyware
Kisses 1.0.1
Fixed a navigational issue that causes the menu to appear on button clicks
Kisses 1.0
Detects invisible processes
Detects invisible installed applications
Can reveal invisible applications
Shows all running processes on the handheld

So does that mean Kisses does not detect all versions of Flexispy or MobileSpy? You claim it detects invisible installed applications, does that mean some but not all? Or what does it really mean? Something seems wrong with this picture. Also it seems rather presumptuous to me that you are asking for donations to buy spyware apps. I have worked in the anti-spyware and anti-virus industry and I've yet to see a company ask for money to purchase commercial keyloggers, for example, so they can be added to detections. Even companies that offer free apps don't do that.

SplinterCell
11-05-2009, 01:29 AM
Good questions daphne, you should be an investigative reporter. :idea:

I also have one last bone to pick with the "Spy Master"...

I am quite certain that I have raised awareness, but I am not sure if it's enough.

So, does this mean you're ready to do more? I ask this because, Hizballah has certainly raised awareness; yet Israel just intercepted a peaceful ship carrying peaceful rockets to peaceful Hizballah. Peaceful like your PhoneSnoop? Are you going to attack more BlackBerrys? Of course in your peaceful teach us a lesson raise awareness, kinda way.

sheran-g you should put a link to this thread on your blog and that kisses.zensay page. Also, I like the Kim Jong-il looking avatar you have on Twitter and CrackBerry, makes you look real trustworthy!


Best of luck with kisses,
Chris

R_U_Nuts
11-15-2009, 02:53 PM
Wow.. just freaking wow.

As the smartphone market increases, sadly enough, we will see more of these kind of threats evolve.. at least half of the battle is staying informed.
No, users don't want to be bothered with these "inconveniences" but hiding our heads in the sand won't stop them either.
Sheran has shared the results of his efforts/work, it's information people.. data.
It can be used for either good or evil depending on who is using it and your definition of the two. By itself it is simply data, openly shared for your consumption or not.

If you don't "get it" you will probably soon have "it" is my theory.


~cat~

NJBlackBerry
11-15-2009, 03:00 PM
Huh?

R_U_Nuts
11-16-2009, 11:17 PM
In short, you have mistaken a sheepdog for a wolf.
chirashi.zensay.com/2009/11/team-blackberryforums-fuk-yeah/#disqus_thread

~cat~

SplinterCell
11-17-2009, 12:18 AM
In short, you have mistaken a sheepdog for a wolf.
chirashi.zensay.com/2009/11/team-blackberryforums-fuk-yeah/#disqus_thread

~cat~

Sure, just a big bad wolf! Are you on drugs? I read through the rant and honestly, what's your point? Besides, you clowns are no “super-spy”, “spy-master” learn how to hide your tracks...Firefox 3.5 running on MacOSX with a resolution of 1280x1024. I wouldn't go looking under anymore rocks if I were you. I will not show you anymore of my cards!

“If it walks like a duck, quacks like a duck, looks like a duck, it must be a duck”.


Stay away from my BlackBerry,
Chris

SplinterCell
11-17-2009, 02:10 AM
Ok, someone did a little extra homework and just a few minutes ago made this post (http://forums.crackberry.com/f35/kisses-phone-spyware-scanner-364355/#post4107054) (also quoted below) on CrackBerry...

After a little research I found not only Brian Krebs at the Washington Post's (http://news.google.com/news/url?sa=t&ct2=us%2F0_0_s_0_0_t&usg=AFQjCNFzpFS7jvoqVuznLuE598CfEHIiag&cid=1460456706&ei=TCUCS7DmLNWPlAekjeD4Ag&rt=MORE_COVERAGE&vm=STANDARD&url=http%3A%2F%2Fvoices.washingtonpost.com%2Fsecurityfix%2F2009%2F10%2Fdhs_warns_of_blackberry_snoopi.html%3Fhpid%3Dsec-tech) even handed discussion of the author and his tools, Sheran Gunasekera was also interviewed by Dark Reading (http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221200012&queryText=Blackberry) as well as by PCWorld (http://www.pcworld.com/article/173265/blackberry_other_smartphone_users_easy_spy_targets.html).
He explains in his blog (http://chirashi.zensay.com/2009/10/remote-listening-for-the-blackberry/) how PhoneSnoop came about after his presentation of Bugs at the Hack In The Box (HITB) (http://conference.hackinthebox.org/hitbsecconf2009kl/) security conference as a promise to other security researchers.
I even went so far as to contact Brian Krebs, who I've had the pleasure of dealing with on several occasions in the past, who shared his surprise at the reception Sheran received from some of the BB forums.
My findings in short, Sheran Gunasekera is a valid & known security researcher who has been kind enough to develop and share a legitimate Blackberry security application with the community.

Here is a copy of my response to that gentleman...

I'm still not installing Kisses; however, you have explained this in a way that Sheran could not. Even after reading his rant (http://chirashi.zensay.com/2009/11/team-blackberryforums-fuk-yeah/#disqus_thread) and most everything that I researched prior gave me every reason not to trust him. Even after multiple Google searches, Bryan's write-up (http://voices.washingtonpost.com/securityfix/2009/10/dhs_warns_of_blackberry_snoopi.html?hpid=sec-tech) and the US-CERT warning (http://www.us-cert.gov/current/archive/2009/11/10/archive.html#blackberry_phonesnoop_application_used_to) it was all grounds to raise the red flag.

It's you actually contacting Brian Krebs that has me thinking that I may be wrong about Sheran. Still not interested in any Kisses, but nevertheless, I may have held the wrong opinion.

I am still a little confused as to why he's asking for donations to purchase Flexispy and MobileSpy; when he says Kisses already detects them?


Nice homework,
Chris

P.S. Sheran, if I do in fact have it all wrong about you and/or your intentions, I do apologize. And no one called you a terrorist besides myself. And from what I gather everyone was just asking questions that you couldn't answer. All the more reason for my suspicions and I don't trust code from anywhere and am always very skeptical of Kim Jong Il avatars. :shock:

In addition perhaps you weren't deliberately spying on me, but it looked as if you were trying to gather intel on me from your work PC.

I will be keeping an eye on Kisses and PhoneSnoop, but from a distance. And would still like to know why you're asking for donations to purchase Flexispy and MobileSpy; when you mention Kisses already detects them? You must already have the software to have added them in the first place. I don't know maybe they frequently update the code and charge for new builds?

And yes, I consider PhoneSnoop an act of terror (cyber terror not KSM (Khalid Sheikh Mohammed) type stuff); compromising someone's BlackBerry device like that is deliberate sabotage. Just because you are not the one personally attacking devices doesn't make it cool. You are still providing the means to meet the ends.


Good luck,
Chris

R_U_Nuts
11-17-2009, 02:51 PM
Sure, just a big bad wolf! Are you on drugs? I read through the rant and honestly, what's your point? Besides, you clowns are no “super-spy”, “spy-master” learn how to hide your tracks...Firefox 3.5 running on MacOSX with a resolution of 1280x1024. I wouldn't go looking under anymore rocks if I were you. I will not show you anymore of my cards!

“If it walks like a duck, quacks like a duck, looks like a duck, it must be a duck”.


Stay away from my BlackBerry,
Chris

What are you going on about this time? Learn to hide my tracks?
LOL! FYI, I am the ~cat~

/So many carpet pi$$ing puppies, so little time.
;-)

SplinterCell
11-17-2009, 04:12 PM
Wirelessly posted

Sure, just a big bad wolf! Are you on drugs? I read through the rant and honestly, what's your point? Besides, you clowns are no “super-spy”, “spy-master” learn how to hide your tracks...Firefox 3.5 running on MacOSX with a resolution of 1280x1024. I wouldn't go looking under anymore rocks if I were you. I will not show you anymore of my cards!

“If it walks like a duck, quacks like a duck, looks like a duck, it must be a duck”.


Stay away from my BlackBerry,
Chris

What are you going on about this time? Learn to hide my tracks?
LOL! FYI, I am the ~cat~

/So many carpet pi$$ing puppies, so little time.
;-)

I figured that cat and look if I was wrong about you I offer my apologies. I'm not going on about anything, but I will be following your project with interest in being proved wrong. Moreover, you do use Firefox 3.5 and you do run a Mac OS and you were poking around.


All is well,
Chris

R_U_Nuts
11-17-2009, 06:16 PM
Wirelessly posted



I figured that cat and look if I was wrong about you I offer my apologies. I'm not going on about anything, but I will be following your project with interest in being proved wrong. Moreover, you do use Firefox 3.5 and you do run a Mac OS and you were poking around.


All is well,
Chris

First.. it's not my project, it's Sheran's. I am in no way affiliated with his company or project.
Second.. I haven't "poked around" anything you own, if I did you can bet your she-male pron collection you'd never know it. ;-)

JSanders
11-17-2009, 06:34 PM
Oh wow.

A bit off the topic. Let's keep this to Kisses and not anything personal... everyone.

R_U_Nuts
11-17-2009, 06:37 PM
JSanders ,
I was attempting to inject humor, I apologize if it came off otherwise.

JSanders
11-17-2009, 06:43 PM
Yep, cool, I laughed too.

But this thread does have the gun powder to be explosive... so.

SteveO86
11-17-2009, 06:51 PM
Wow.

davidandrew
11-17-2009, 09:13 PM
Oh wow.

A bit off the topic. Let's keep this to Kisses and not anything personal... everyone.

My head got pretty boggled on the flip flopping.

Sheran seemed a tad defensive to me, not sure if I trust all of it.

TTsoldier
11-17-2009, 09:19 PM
Sheran, I can only think that if Norton or McAfee developed viruses (even "nice" ones) to raise awareness of the need for antivirus applications, you would be screaming.

I know I would.

Unless you come up with a better gameplan, I call this the fox guarding the hen house, and that just doesn't fly.

Who do you think develops the majority of viruses? The companies who sell the anti virus products...

sheran-g
11-17-2009, 09:55 PM
Hello All,

In the interest of trying to bring some closure to this thread before it escalates into some sort of flame war, I'd like to state the following:

Please post valid questions here. They will be answered if I see that you have thoroughly researched the topic and aren't asking questions just because you're lazy. It is up to you whether you want to accept my explanation or not. If you don't accept it, say so in a few short lines. I will then either respond to it to clarify or tell you otherwise.

You can also visit my site and read the FAQ there, FWIW: Kisses - the spyware detector | FAQ (http://kisses.zensay.com/faq.html)

Here are a few comments to get you started if you wish:

1. I wrote PhoneSnoop. It is considered by many who don't understand it as spyware. The rest of the informed crowd know it's a proof-of-concept tool and is not insidious.
2. I wrote Kisses (http://kisses.zensay.com). It has been considered by many as useful and I have emails to prove that. Kisses is a free, spyware and hidden program detector. It removes FlexiSpy, MobileSpy and PhoneSnoop. It is not spyware.
3. I asked for donations or copies of FlexiSpy and MobileSpy initially. A kind member of the community donated both FlexiSpy and MobileSpy. I have since removed the donations request. I still have a donations request on my FAQ page. This is to help with the upkeep of the server. It is not strictly required yet because I am able to pay for the server upkeep myself.

Thank you for your attention.

Noodle22
11-17-2009, 10:02 PM
This is starting to sound like a conspiracy theory thread, but a believable conspiracy theory.

To think about those that want to protect us are the same ones that make the software that could hurt us?

If someone has a history of making spyware, I don't want to go anywhere near anything else they make, no matter what an article says. Is it normal for people to download apps and such from unknown sources? As a new BB user, I cannot see myself doing that.

Edit: I do have a question Sheran. How can you expect to be taken seriously as a developer of antispyware when you've made it yourself? What sort of validity can you give us that Kisses would be spyware free itself?

daphne
11-17-2009, 10:12 PM
Who do you think develops the majority of viruses? The companies who sell the anti virus products...

Do you have any proof of that? It is so NOT true. :?

sheran-g
11-17-2009, 10:17 PM
If someone has a history of making spyware, I don't want to go anywhere near anything else they make, no matter what an article says. Is it normal for people to download apps and such from unknown sources? As a new BB user, I cannot see myself doing that.


Congratulations, you're one of the few BB users that are cautious about downloading software from unknown sources.


Edit: I do have a question Sheran. How can you expect to be taken seriously as a developer of antispyware when you've made it yourself? What sort of validity can you give us that Kisses would be spyware free itself?


I would expect to be taken more seriously because I am providing people with an idea of what a typical spyware program might look like. Were you aware that programs like FlexiSpy and MobileSpy existed for years before I released PhoneSnoop? And were you aware that they have way more features than PhoneSnoop does? And were you also aware that they have stealth capabilities, so if someone you knew decided to install it on your BB (without your knowledge) then you will not know that all your emails, sms messages, call logs, gps co-ordinates and ambient noise around your phone are being spied on? These tools are available for anyone willing to part with $300-$400. They are marketed as tools to "help catch cheating spouses".

I am providing people with a look at what one of the features of these programs look like. My approach to the issue is that if you know what it looks like then you have a better understanding of how to deal with or recognize something similar if you ever encounter it.

I am not going into a business of making spyware or antispyware. I am just sharing my findings.

sheran-g
11-17-2009, 10:23 PM
Do you have any proof of that? It is so NOT true. :?

If I may play devil's advocate here for a second. How do we know it's NOT true? Here's a thread full of people accusing me because I wrote both supposed spyware and antispyware. My actions are transparent. What assurance do we have that AV vendors don't write viruses? We can't really see it can we? Do we trust them because they're large corporations with lots of money? Do we trust them for their brand name and the fact that they've been in business for so long? You guys sit here and ask ME for proof. Has anyone bothered to ask them?

Okay, now for my real opinion: I am fairly certain that AV companies do not write viruses just to sell their products.

SplinterCell
11-17-2009, 11:01 PM
First.. it's not my project, it's Sheran's. I am in no way affiliated with his company or project.
Second.. I haven't "poked around" anything you own, if I did you can bet your she-male pron collection you'd never know it. ;-)

That first message was to Sheran, he was poking around. You're obviously confused and when you replied I was under the impression you were Sheran. I didn't much care so I ran with it. Now I'm confused and what does this have to do with anything? If 202.47.68.166 isn't your IP address move along. As I said before I'm offensive because, I'm skeptical of anyone with Kim Jong Il avatars he's (Sheran's) a damn spy! The wagons are always circled and when need be I send "Scouts Out!"

PhoneSnoop is bad if anyone wants to run Kisses remember he's also the damn PhoneSnoop! That's something you can't argue whether Brian Krebs can't believe anyone would be hard on you or there's an article on PC World that mentions Sheran. The Department of Homeland Security called you/Sheran out!

This is getting to be a combative thread so I'm going to step aside and go for a long run. And cat I don't care if anything I say makes sense to you, yes, I_am_nuts! I sleep with a tomahawk, just enjoy your evening.


What a thread,
Chris

HaTaX
11-18-2009, 08:59 PM
Wow, this is a pretty explosive thread! But so much fun to read! :) There seems to be a lot of chest huffing in here with responses that aren't that different from "My security unit is bigger and badder than yours!", which is always fun to watch from the outside in a thread.

Now on the thread topic, first of all I'd like to say that sheran-g has done a very good job of handling the skeptical (to say the least in some instances) responses he's gotten and facing them head on, kudos on that.

I'd be willing to bet that most of the people that feel you've got conflicting interests with the software you've developed is because they do get the impact and mess that spyware and viruses create for the security industry. They're the ones that probably end up dealing with the fallout from such breaches in either the workplace or home, and because of that they're sensitive to the amount of content out there that does just that.

Once bitten (or watched someone else get bit), you really are twice shy. So the people around here are more likely to be involved in security with the BB being a reasonably secure platform, and they're just a little trigger happy when someone developing the product and the anti-product comes onto their turf.

Personally I wouldn't install either of the products because I have no need or interest in them, and for that exact reason I'm personally not weighing where the author's interests lie. I have more interest in the content he's presenting, so I asked myself a question... Is there another application on the BB that will let you view active / running processes or connections made to various networks? Nope... And in my book that's actually a fairly serious problem. You've got tools in the development environment to test system activity, but on the deployed platform it's not so trivial.

The release of Kisses is actually welcome in my book for troubleshooting as well if it was expanded to be more of a system level monitor and would still allow someone to watch for spyware activity. Would be great to see an app for this on the BB..

The Kisses and PhoneSnoop applications appear to be fairly trivial from a programming standpoint as to what they do. The only real trick with it is to remove it from all of the system's UI screens, and otherwise you just have to deal with the core of the program, no hours lost on UI tweaking. Because of the complexity, I think it's very believable that they were truly developed as proof of concept apps at the very start, and fleshed out to clearly get his point across.

Thanks again for the info and I'll hang around this thread for a bit just to watch the fireworks..

sheran-g
11-18-2009, 10:08 PM
Hello HaTaX,

Thanks for your level-headed response. Quite a refreshing change :)


I'd be willing to bet that most of the people that feel you've got conflicting interests with the software you've developed is because they do get the impact and mess that spyware and viruses create for the security industry. They're the ones that probably end up dealing with the fallout from such breaches in either the workplace or home, and because of that they're sensitive to the amount of content out there that does just that.


You know, I did consider this at one point, I can totally empathize with them if this is truly the case. For me, personally, I got a different vibe from the responses though.


Once bitten (or watched someone else get bit), you really are twice shy. So the people around here are more likely to be involved in security with the BB being a reasonably secure platform, and they're just a little trigger happy when someone developing the product and the anti-product comes onto their turf.


Again, it is quite plausible, but then some of the harshest reactions came from people who didn't seem to know a whole lot about how the BlackBerry device operated. To me, it seemed like opinions were already formed based on a bulletin by either US-CERT or DHS. And typically, if a bulletin comes out of there, then you might as well wear the scarlet letter and be branded a terrorist. From where I'm standing, this seems more likely to me, but you do raise a valid point.


The release of Kisses is actually welcome in my book for troubleshooting as well if it was expanded to be more of a system level monitor and would still allow someone to watch for spyware activity. Would be great to see an app for this on the BB..


This is my intention and the direction I will most likely take. I wanted to empower end users to be able to look into areas of their handheld and recognize anomalies. This would mostly suit power users who are very much aware of how their phones work. Thus, they could spot something out of place in an instant.

One of the features I'm working on is the ability to take a look at what is stored on the Runtime and Persistent stores of the BlackBerry. If the contents aren't protected, then it's trivial to list the data stored at various locations. Thus, with this feature, you can see exactly what other programs store on your persistent store or runtime store. One concern for this area is that if passwords or credentials are stored in the clear, then it's up for grabs by any third party program. The only problem with this is performance. I have a working version, but I'm trying to find a more efficient way of going about it.

Another feature is to implement a check whenever an application is installed or removed. This can be done with the newer OS 5.0.0 API and I'm working on adding that to Kisses as well.

There's still no way to determine which programs have installed listeners. IMHO, this would be perfect to identify which of your apps on your handheld have implemented a PhoneListener or MessageListener for example.


Thanks again for the info and I'll hang around this thread for a bit just to watch the fireworks..

I look forward to more positive contributions and ideas if you've got them. Thanks for taking the time to write in.

ushernut
11-22-2009, 12:51 PM
I think you guys really take this too seriously. I don't think PhoneSnoop can be treated as a virus or spyware. It is just a feature that blackberry can do.

Ok, if you think of PhoneSnoop as spyware, then what about the application which is used to help people find and locate their lost blackberry. One of those applications' features is calling their own lost blackberry and hearing the surroundings.
What if I install this kind of locate lost blackberry app on other people's blackberry? I can still use this feature to spy.
Now what, are you going to say that app is also spyware?

This is just like people who invent bomb. You use bomb to kill people, at the same time, you can use it to help people, e.g. destroy old buildings..
In a word, it all depends on how people use it.

davidandrew
11-22-2009, 03:15 PM
This is just like people who invent bomb. You use bomb to kill people, at the same time, you can use it to help people, e.g. destroy old buildings..
In a word, it all depends on how people use it.

Not to stray off topic, but there is a difference between a bomb and demolition equipment. They don't bomb old buildings.
Bombs kill people, so I don't see how helpful that is to humanity.

Anyways, yeah you could consider that spyware, yes you may be using it for the 'right' purposes, but who's to say EVERYONE is going to use it like that. That's why you must be careful and take some things seriously, there's a silver lining to everything.

CISO
11-22-2009, 09:26 PM
Not to stray off topic, but there is a difference between a bomb and demolition equipment. They don't bomb old buildings.
Bombs kill people, so I don't see how helpful that is to humanity.

Anyways, yeah you could consider that spyware, yes you may be using it for the 'right' purposes, but who's to say EVERYONE is going to use it like that. That's why you must be careful and take some things seriously, there's a silver lining to everything.

Well now :? In that case I suppose medicine can be considered poison (in the wrong hands) and so on...

Personally, I'd have a much better feeling about "Kisses" and its developer - regardless of skill - if he hadn't developed and made phonesnoop available outside a controlled security research community.

Several security researchers have faced civil and criminal sanction for their part in so called awareness building!

sheran-g
11-23-2009, 01:04 AM
Personally, I'd have a much better feeling about "Kisses" and its developer - regardless of skill - if he hadn't developed and made phonesnoop available outside a controlled security research community.


I'd like to know what constitutes a "controlled security research community" in your opinion.

CISO
11-23-2009, 08:53 PM
I'd like to know what constitutes a "controlled security research community" in your opinion.

For anyone who thinks that using a "tool" like phonesnoop etc. is just a "feature of the Blackberry, they should feel fortunate that they don't work for me... What's the difference between using this software without the consent of the "snooped" and an illegal wiretap. Why shouldn't these people be prosecuted as such?

But I digress. It's not so much what I think it is, but what it is in fact. In any scientific method there is a defined population, theory, hypothesis etc... Putting this sw out in the "wild" without limit under the color of research and building awareness is a sham. If you had started with Kisses as a means to identify the other already extant sw that could be identified that would be one thing, but you didn't.

We could go round and round with this for a good long time, but let's not... :)

sheran-g
11-23-2009, 10:46 PM
I am very much aware of the perils of 'arguing on the internet (http://www.google.com/search?q=arguing+on+the+internet)' and I have said so in my blog post as well.

For anyone who thinks that using a "tool" like phonesnoop etc. is just a "feature of the Blackberry, they should feel fortunate that they don't work for me... What's the difference between using this software without the consent of the "snooped" and an illegal wiretap. Why shouldn't these people be prosecuted as such?


The thing is you cannot use PhoneSnoop and expect a user to not know of its existence because:

The phone: RINGS when a call comes in
The homescreen: DISPLAYS an icon of the program
The applications folder: DISPLAYS an installed program in it

If prosecution comes into play, then I think it should similarly (if not more so) be applicable to the developers of FlexiSpy and Mobile-spy. Their products are far more insidious than PhoneSnoop.


But I digress. It's not so much what I think it is, but what it is in fact. In any scientific method there is a defined population, theory, hypothesis etc... Putting this sw out in the "wild" without limit under the color of research and building awareness is a sham. If you had started with Kisses as a means to identify the other already extant sw that could be identified that would be one thing, but you didn't.


It becomes a sham only if I stand to profit from either of the tools. I do not gain financially from these tools (which is a shame because if I charged $5 for PhoneSnoop and $10 for Kisses, I would have made $10000 based on 30% of my current downloads in 12 days). But I am not going to charge for the tools and I never will. With regard to the attention: I could certainly do without all the supposed 'notoriety' that these tools have brought me because of the percentage of users who are still not well versed in topics like proof-of-concept, stealth and security.

I think it's futile for me to sit here and constantly "defend" my position. Especially considering I have nothing to gain from it. If there are legitimate questions on technical or security aspects of PhoneSnoop or Kisses, I will be happy to address them in this thread. As for accusations of being a "sham" or pushing these tools for personal gain, I'm done talking about that.

CISO
11-26-2009, 01:19 PM
I am very much aware of the perils of arguing on the internet and I have said so in my blog post as well.
<...>
It becomes a sham only if I stand to profit from either of the tools...

The issue of profit is really moot for me in this discussion... I've seen many cases where a "researcher" broke laws in the name of raising awareness and then paid a price for it by losing a job, going to jail, or facing whatever sanction... Monetary profit is irrelevant. If one goes around trying doors in a community - enters the house and leaves a note saying they were there, they've still committed a crime. The alarm company that provides a means for the owner to monitor access is however seen as valuable. That's the point I was making in your development of both products. I see no value in the open distribution of a program like Phonesnoop, and it's unfortunate that your work on Kisses, may suffer by association.

BTW, you might want to re-think your choice of analogy by using an image that is demeaning to the developmentally disabled. I'm sure some might think it funny - I do not.

Happy Thanksgiving! :)

sheran-g
11-26-2009, 06:38 PM
BTW, you might want to re-think your choice of analogy by using an image that is demeaning to the developmentally disabled. I'm sure some might think it funny - I do not.
Happy Thanksgiving! :)

Happy Thanksgiving to you and all on the forum. I gave you a link to a Google search for the phrase 'arguing on the internet' which is what is transpiring on this thread. As for the results and interpretation, YMMV.

mulberries
12-01-2009, 07:31 AM
I will say what it appears to me :

the guy sheran did a spying tool - not too bright one though...

Then he see that flexispy and mobispy are himalayas compared to his tiny app.

so he wrote an app that detects these spy apps but not his....

so that he can claim that his spy app is an undetectable spyware...

then he was caught red handed then he created another id to support himself, and lol even that was caught !

and the prostitute is still preaching chastity !


I may be wrong... but those who feel the same way what I feel... pls express.

lop1
12-04-2009, 12:54 PM
Just my two cents :

A big Thank you to Sheran-g to have made kisses , first tool to show some hidden process/software in a blackberry.

And knowing that he has also made the PhoneSnoop software gives me a better confidence on Kisses software. For my point of view the PhoneSnoop is a typical POC with all the safeguard embedded, only media journalists can think of it as a real threat.

I would like also to second HaTax post about some extensions of kisses to monitor process running and to show all the connection running on the blackberry. This will be very cool , we need this sort of tools badly before the blackberry specific malware arrive.

SplinterCell
12-04-2009, 07:08 PM
Just my two cents :

...PhoneSnoop is a typical POC with all the safeguard embedded, only media journalists can think of it as a real threat.

Apparently so does The Department of Homeland Security; did you miss the US-CERT warning (http://www.us-cert.gov/current/archive/2009/11/10/archive.html#blackberry_phonesnoop_application_used_to)?

hrbuckley
12-04-2009, 08:49 PM
For what it may be worth I installed Kisses on my Blackberry as part of my duties to evaluate, and provide advice on Blackberry security matters.

Coming from an open source background, what Sheran has done is standard practice: theorize a vulnerability, research the vulnerability, develop proof of concept tools to ground truth the vulnerability, develop a fix or prophylactic, finally publish everything.

Kisses doesn't tell me anything I need to know, and my advice up my chain was/is that the protective measures we employ, some of which have been discussed here, provide superior protection from and detection of malware than tools like Kisses. Having said that though, consumer level users don't have large professional IT departments to defend them. Some IT departments don't have support at high enough levels to enforce the kind of protection that many of you here would consider rudimentary.

I don't know if Sheran is a black hat or a white hat, but if you contrast what he has done with the authors of FlexiSpy, or SS8 and Etisalat I'm inclined to give him the benefit of the doubt.

lop1
12-05-2009, 06:42 AM
"US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop."

CERT does not speak of a threat , only of an application that CAN listen to conversation.

AND you need physical access to the target blackberry ,

AND as already explained by Sheran-g

The phone: RINGS when a call comes in
The homescreen: DISPLAYS an icon of the program
The applications folder: DISPLAYS an installed program in it

SO I confirm : only media journalists can think of it as a real threat.