December 18, 2009, 12:10 AM — A security researcher in Asia has braved Internet worms and poisoned applets to rid BlackBerry smartphones of spyware with Kisses, a free software application.
Kisses detects spyware and hidden programs on BlackBerry devices to show users exactly what's going on inside their mobile phone. Why use it? Because spyware can be purchased by anyone from vendors such as FlexiSPY and Retina-X Studios.
For US$50, just about anyone can travel with you and your mobile phone and listen to your conversations, read your texts and even track your location via GPS (global positioning system). The tricky part is installation. Someone, your boss, spouse, business rival or thief, needs physical contact with your handset to plant spyware from these vendors, one reason password protection is so important. It hurts that spyware vendors offer tricks-of-the-trade advice, including the simple act of giving you a new smartphone, with their spyware inside, as a gift. Makes you wonder if Santa was generous with the new iPhone this year or just really wants to know if you've been naughty or nice.
This is where Sheran Gunasekera comes to the rescue with Kisses. The software detects and removes FlexiSPY and Mobile Spy software on BlackBerry devices. It may not necessarily be able to remove all available spyware (there's a lot) but it will at least show you any hidden applications so you can seek help.
Since the release a month ago, Kisses has been downloaded over 5,000 times, said Gunasekera, director of security at Hermis Consultancy in Jakarta, Indonesia. He currently makes software only for the BlackBerry, but is starting to dabble with the iPhone. He couldn't say when Kisses might be ready for Apple users.
It's a wonder Gunasekera is working on an iPhone version of Kisses because the BlackBerry one has already embroiled him in controversy.
Prior to releasing Kisses, he released a piece of spyware called PhoneSnoop, software he'd developed as a proof-of-concept to show people how easily smartphones could be used for spying. The pair of apps caused an uproar among users and at least one U.S. government office, apparently with fears of a Mission Impossible II-style plot.
"On a fundamental level, I am not sure I would trust a spyware detector created and distributed by the same guy that created spyware, even if that spyware was a 'proof of concept.' It's like Lilly's or Pfizer creating nasty bugs in the lab as 'proof of concept' to sell more nasty bug fighting drugs," said one user on BlackBerryForums.com.
The U.S. Computer Emergency Readiness Team (US-CERT), under the Department of Homeland Security, also weighed in, warning users "to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices."
It's a fair warning for security purposes. The BlackBerry is the favorite of President Barack Obama, and is widely used in business. Considering that Iraqi insurgents were savvy enough to hack into U.S. spy drones to see what they see using $26 off-the-shelf software, according to The Wall Street Journal, there's reason to be wary since BlackBerry spyware is so easy to buy, too.
The agency also helpfully pointed out the fact that spyware can easily be downloaded in error by users, whether opening an e-mail attachment or downloading innocent looking software, or even a photo slideshow that includes spyware.
But the negative publicity fails to take into account the fact that spyware for smartphones is so easy to find, for anyone. Besides, Gunasekera revealed PhoneSnoop and Kisses in a speech at the Hack In The Boxsecurity conference in Malaysia in October, hardly a stealthy approach to world domination via BlackBerry spyware. He also holds a good reputation.
"We know him fairly well and he is quite known in security," said Dhillon Kannabhiran, founder and CEO of Hack In The Box, adding that, "if he had slapped a US$1,000 licensing fee on Kisses, nobody would have raised an eyebrow. Since it's free, people suspect ulterior motives."
