
Where lies go to die.




Smart phones are integrated into the personal and business lives of millions of people.
With these pocket sized wonders come new risks from digital eavesdropping. This white paper
covers the realm of stealth spyware. The new threats are far more insidious than corporate
advertisers harvesting information for the perfect advertisement. Individuals can be targeted
with spyware apps installed directly to their phone which track and report their every action to a
curious or malicious outsider.

Cellular phones have evolved to take on many of the roles that were once served by
personal digital assistants (PDAs) and beyond. With the release of RIM's first call-capable
BlackBerry in 2002 and the first iPhone in 2007, smart phones have seized a significant portion of
the consumer technology market. Competition has increased with the release of Google's Android
OS in 2008.
In recent years, Microsoft's Windows Phone, Palm's webOS (now owned by Hewlett-Packard),
and Samsung's bada have all tried to break into the thriving market. The market share
of smart phone platforms in comparison to feature phones has skyrocketed. There are tens of
millions of smart phones currently in use in the United States alone.
Today's platforms such as iOS, Android, BlackBerry, Windows Mobile, Windows Phone,
webOS, and Symbian have web browsers, games, and a variety of apps including word
processors. We now have handheld computers with integrated cellular phones, cameras, always-
on Internet access, GPS transceivers, music players, and more. Not too long ago, the idea of that
kind of incredible power and versatility in a portable device was the stuff of science fiction.

Unfortunately, with all of that power comes a degree of risk. Anyone with the technical
knowledge can write an app for a smart phone with the developer's software development kit
(SDK). Just like any regular computer program, smart phone apps can do things that were not
intended or desired by the user. A malicious app might make calls to pay-per-minute numbers or
sign up for text message services with monthly fees. It might pop up ads and send your personal
information to advertisers.
There have been many cases of malicious smart phone apps posing on markets as free,
useful apps. Perhaps of most concern are apps that can be installed to spy on you, not by a
faceless unscrupulous company, but by someone with a targeted and vested interest in
eavesdropping on your private affairs.

Lately, there has been much press about the explosive News of the World phone hacking
scandal. For all of the drama and media attention, however, the scandal revolved primarily
around the unauthorized access of private voicemail messages. These methods involved spoofing
caller IDs and exploiting weak voicemail passwords to access the stored messages. Indeed, the
actual phones were not involved in the hacking. While this was a serious and indefensible breach
of privacy on the part of the tabloids, the News of the World phone hacking scandal only breached
the tip of the iceberg in terms of what is possible in the world of mobile phone spying.
Smart phones have the potential to be the central hub of a person's life. With phone calls,
e-mail, text messages, contacts, calendars, maps, social networking, and Internet access all
combined into one device, that device suddenly becomes much more important than an
old-fashioned "dumb" cell phone. This stretches to both an individual's private and professional
affairs, particularly with devices such as the BlackBerry being so popular in business
environments.
Imagine how a heavily used smart phone, loaded with sensitive personal or company
information, could be exploited in the hands of the wrong person. Now imagine if the phone only
needed to be in the wrong hands for a few minutes for your privacy to remain
compromised indefinitely, with your private communications and other sensitive information
reporting back to an eavesdropper. Not long ago, that could have been the plot of a science fiction
movie. Today, it can become a chilling reality.

There is an abundance of specialized spy software available for smart phones. Anyone
with physical access to the device can install these stealthy applications. Many make high claims
of being totally undetectable tools for eavesdropping on a spouse, child, or business partner. In
many jurisdictions, particularly in the United States, use of these apps can constitute illegal
wiretapping. Most of the companies that provide spyware will provide a small, out of the way
disclaimer to this effect. These apps are available on many of the most popular smart platforms
including iPhone, Android, BlackBerry, Symbian, and Windows Mobile.
The eavesdropper must have physical access to the device in order to install the spyware.
They are generally installed via the web browser, rather than the usual apps markets. Once
installed, the spyware can track private information such as text messages and calls, reporting
this information back periodically through the device's always-on Internet connection. Some can
notify the eavesdropper about active calls and patch the snoop in quietly. Worse yet, some can
even turn on the device's microphone and listen in while the phone is totally idle.



The methods of concealment vary by the product and operating system. Smart phone
security often prevents these apps from actually hiding themselves completely, despite high
claims of complete stealth. Most will pass themselves off as harmless background system
components. They are produced without visible icons or user screens that would betray their
presence. The average user would have no idea where to look, even if they suspected something.
In some cases, where the apps have unrestricted access, it is possible for them to hide themselves
even more insidiously. These can approach the level of traditional computer malware, hiding
deep within the file system by exploiting full system access.
In forensic science there is an idiom, "every contact leaves a trace." This means that
simply by acting in a crime, evidence of the act is left behind. While originally applied to the
physical forensic disciplines, it holds true here as well. As part of Kessler International's research,
a sample was taken of popular spy apps on BlackBerry, iPhone, and Android. While they all do a
fairly good job of masking their presence from the lay user, signs of their installation were found
in every case. The act of downloading, installing, and running the spyware leaves traces which,
while subtle, render them detectable.
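The traits described above (installed from the browser rather than an app market, no visible icon, a label posing as a system component, access to messages, calls and the microphone) can be combined into a simple triage pass over a device's package list. The following is an added example for Android only, not Kessler's tooling or code from this paper; the `Package` record, the function names and the sample inventory are assumptions made for illustration.

```python
# Added example: triage of an Android package inventory for stealth-spyware traits.
from dataclasses import dataclass, field
from typing import Optional

MARKET_INSTALLERS = {"com.android.vending"}  # Google Play; add other trusted stores
SENSITIVE = {  # real Android permission names mapped to what they expose
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.INTERNET": "network reporting",
}

@dataclass
class Package:  # hypothetical record built from an examiner's package listing
    name: str
    label: str
    installer: Optional[str]      # None = no market recorded (e.g. browser download)
    has_launcher_icon: bool
    in_system_image: bool
    permissions: set = field(default_factory=set)

def triage(pkg):
    """Return the reasons a package deserves a closer look (empty list = none)."""
    if pkg.in_system_image:
        return []  # firmware components; a rooted device needs file-system review instead
    reasons = []
    if pkg.installer not in MARKET_INSTALLERS:
        reasons.append("installed outside an app market")
    if not pkg.has_launcher_icon:
        reasons.append("no launcher icon")
    caps = sorted({SENSITIVE[p] for p in pkg.permissions if p in SENSITIVE})
    if "network reporting" in caps and len(caps) >= 2:
        caps.remove("network reporting")
        reasons.append("can collect and report: " + ", ".join(caps))
    return reasons

def suspicious(inventory, threshold=3):
    """Names of packages that match at least `threshold` indicators."""
    return [p.name for p in inventory if len(triage(p)) >= threshold]

P = "android.permission."
INVENTORY = [  # constructed sample data, not taken from a real device
    Package("com.example.notes", "Notes", "com.android.vending", True, False, {P + "INTERNET"}),
    Package("com.example.game", "Game", None, True, False, {P + "INTERNET"}),
    Package("com.example.sysupdate", "System Update Service", None, False, False,
            {P + "READ_SMS", P + "READ_CALL_LOG", P + "RECORD_AUDIO", P + "INTERNET"}),
    Package("com.example.keyboard", "Keyboard", None, False, True, {P + "RECORD_AUDIO"}),
]
```

No single indicator is conclusive, since a sideloaded game or an icon-less firmware service matches one on its own; the threshold flags only the package that combines all three.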

Kessler International's computer forensics professionals utilize specialized software,
equipment, and techniques to document and recover information from cellular devices. These
services include the retrieval of cell phone data, multimedia files, and even deleted data.
After a mobile device is received by Kessler, it is immediately logged into evidence to
establish a court-ready chain of custody. It is prevented from talking to cellular networks during
its entire time in our laboratory, preventing new data from contaminating or even destroying the
evidence. Kessler's forensic engineers can then analyze the device to determine whether spyware
has been installed.

Kessler International
World Headquarters
45 Rockefeller Plaza - 20th Floor
New York, NY 10111-2000
Phone: (212) 286-9100 Fax: (212) 730-2433
Toll-Free Phone: (800) 932-2221 Toll-Free Fax: (800) 451-4546
