Smartphone Spyware Analysis and Solutions


Smartphone Spying Tools

Mylonas Alexios

Student Number: 100588864


Supervisor: Keith Martin

Submitted as part of the requirements for the award of the MSc in Information
Security at Royal Holloway, University of London.

I declare that this assignment is all my own work and that I have acknowledged all
quotations from the published or unpublished works of other people. I declare that I
have also read the statements on plagiarism in Section 1 of the Regulations Governing
Examination and Assessment Offences and in accordance with it I submit this project
report as my own work.

Signature: Alexios Mylonas Date: 5-9-2008


Only the abstract and conclusion are available. Video snapshots of the implementations are
available in [Link]/users/amylonas/[Link]

Abstract
In this thesis we examine spying tools running on smartphones, that is, mobile phones
whose functionality the user can extend by installing third-party applications. We
identify the data that are collected and the methods that the spyware uses to leak the
data back to an attacker. We emphasize the security risks that emerge (a) from the use
of an identifiable operating system in smartphones and (b) from the execution of
unsigned applications, which utilize functionality provided by libraries available for
smartphone application development. As proof-of-concept attacks on smartphones,
we implement two spying tools running on the Windows Mobile 6 operating system.
Furthermore, we implement two different spyware infection vectors for the Windows
Mobile device: (a) a Trojan horse which uses spoofing system frames and a
download-and-execute capability and (b) a proof-of-concept code injection attack on a
Windows Mobile application. Finally, we propose anti-spyware solutions mitigating
smartphone spyware, either before or after the device infection, and we provide an
implementation of a Windows Mobile spyware removal utility.


Chapter 8

Conclusion

As mentioned beforehand, smartphones are devices containing various types of
personal information. As the popularity of these devices increases, so does the
attackers' interest in finding and exploiting vulnerabilities in these devices to acquire
this data. Their potential attacks are aided by the functionality that the operating
system running on the smartphone provides through APIs, and by the fact that in some
cases the operating system allows execution of unsigned applications.

In this project we demonstrated the types of data that spyware authors are collecting
from infected devices. As proof-of-concept attacks, we implemented spyware running
on Windows Mobile 6 devices, devices where the execution of unsigned applications
is permitted. The implementations use functionality provided to developers by
the API of the CNF. Additionally, for the infection of the devices we implemented a
Trojan horse with download and execute capability and demonstrated a
proof-of-concept MSIL injection attack in an unsigned utility application written for
Windows Mobile 6. At the end of the thesis, we propose anti-spyware solutions combating
spyware, either before or after the device infection. Furthermore, we implemented a
spyware removal utility demo, which breaks the operation of spyware that
intercepts SMS messages without the user knowing.

Experience with desktop computer malware has shown that the motivation of malware
writers is changing. Malware writers who exploit vulnerabilities for fun or out of
curiosity are becoming rare, since attackers nowadays are trying to make money out
of their attacks. Because smartphones have a built-in billing system, they are an
attractive target for organized crime: profit can be made even if the target does
not have a bank account or a credit card number. As a result, we believe smartphone
malware will become a serious security issue in the near future, so security experts
should be able to supply users with technological and non-technological solutions.
