Cell Phone Spy Program Raises Concerns

At least one security company has labeled an application designed as a cell phone monitoring tool as a potential security threat. Others say that enterprises will need to take a look and decide for themselves.

A program designed to help people spy on their loved ones mobile phone usage is raising concerns among some security experts who say that enterprises need to be on the lookout for the product, which is marketed under the brand name FlexiSpy.

Researchers at security applications maker F-Secure issued an alert to customers informing them of the product and warning that if it is loaded on their employees mobile devices, the tool could pose a significant threat to businesses.

Sold by a Bangkok-based vendor known as Vervata for $49.95, FlexiSpy promises the ability for its users to load the spy program onto a handheld and then receive e-mail reports that provide detailed information on how the device has been used.

The product is specifically marketed as a way for people to keep an eye on their domestic partners or for parents to monitor their childrens mobile phone habits.

FlexiSpy promises to divulge a range of private information about devices it is loaded on, including what phone numbers a handheld has been used to dial, how long individual conversations lasted, and even what geographical direction the devices owner is heading in.

In addition, the program promises to provide complete transcripts of any SMS text messages sent or received on a device, along with related mailbox information.

The product currently works only on Nokia Series 60 phones running Symbians operating system software, but Vervata is promising to offer support for handhelds running on Microsofts Pocket PC platform and Research In Motions BlackBerry devices by the end of April 2006.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Each license of the product allows for it to be loaded onto only one device, but the firm also sells a license for tracking multiple handhelds.

A person must have physical access to a device in order to load FlexiSpy onto the handheld, although it does carry the ability to be loaded wirelessly in close proximity to a device. However, once loaded, FlexiSpy requires that it is also launched manually on a handheld.

The product works by secretly passing data from a handset carrying the software directly to Vervatas servers, which then generate "alert reports" that are issued to people who have installed the program.

Company officials didnt immediately return calls seeking comment on the F-Secure report. However, on its Web site, Vervata specifically addresses the notion that FlexiSpy could be viewed by some people as a malicious program, or even a so-called Trojan attack.

"FlexiSpy requires [that it is] consciously installed and configured by someone, unlike a virus or Trojan which spreads automatically without any action," reads the disclaimer, which at no time addresses the potential illegality of secretly monitoring other peoples calls. In the United States, federal laws prohibit the unauthorized tapping of phones.

According to F-Secures report, FlexiSpy is able to hide itself in the Symbian OS to the extent that it is very hard to find, and the program also requires use of Vervatas application management tools to be completely removed from a handset. Its handset-borne user interface can only be accessed via a special code created by whoever installs the program.

"What makes this interesting is that FlexiSpy is a Trojan spy written by a company for commercial reasons," Jarno Niemelä, an F-Secure researcher wrote on the companys blog site.

"The company even claims that FlexiSpy is not a Trojan; however, the application could easily be used by malware installing it as part of its payload, or a hacker could simply send it to a victim over Bluetooth and trust that there are enough curious people to install it."

F-Secure added FlexiSpy to its list of malicious programs and said it will distribute a security patch that blocks the product to its customers.

Other security researchers observed that FlexiSpy straddles the line between what the industry specifically labels as malware, and products that can be used in a malicious way by users.

Beyond regional laws that govern the legality of gathering the types of data FlexiSpy offers to provide, ultimately the true nature of such programs is determined more by the manner in which people use them, said Graham Cluley, a consultant with U.K.-based security software and appliance maker Sophos.

"You imagine that it would be used by jealous boyfriends, but it may also be used inside business," said Cluley. "However, businesses themselves already employ a number of tools to monitor end user behavior on the desktop, so it could also be something that companies potentially use themselves."

Much like programs such as WeatherBug, which some experts view as adware and others see as useful applications, companies will have to decide for themselves if FlexiSpy is something they want to prohibit, he said.

/zimages/2/28571.gifTo read more about do-it-yourself malware kits, click here.

"This really gets into the grey area of what some people view as acceptable, and others see as a clear risk for malicious abuse," said Cluley.

"Enterprises potentially need to put FlexiSpy on the list of things they look out for, but in the end people like us will need to allow customers to decide for themselves."

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.