Thursday, March 15 2007
since I first heard about RexSpy in late February (I know it was
announced in October 2006) I wanted to know how real it is and how it works.
RexSpy is supposed to be the ultimate mobile phone trojan that allows one to monitor (listen to) all calls of the
infected device. Also the Wilfrid Hafner (the author) claims that it works on every single mobile phone.
The German Focus (a mainstream non technical
magazine) interviewed Hafner and did a trial using a SymbianOS and WinCE based phone. They claim that he could listen to
calls made with both phones. Other websites like Techworld.com quote him saying that this attack also works against a Siemens C45 (which is a very simple phone with out a fancy smart phone OS).
I myself connected Hafner to find out if he is willing to release real technical information to the public about his findings,
but he refused saying that he sold the RexSpy Technology and therefore no longer could publish any material. This is very bad
especially because Hafner's company is selling a protection kit against mobile phone tapping. This makes you wonder if this
is just a marketing thing.
Since I'm not a student anymore I don't have too much spare time on my hands so I only did some basic research. The basic
operation of RexSpy as claimed by Hafner is: the trojan is install via a SMS (a Service-SMS to be precise). The trojan
itself creates a kind of back channel by calling home as soon as the infected phone has an incoming or outgoing call, thereby
the attacker can listen to the call. But how does this work? First idea was: a bug/feature in the GSM module or SIM card
(or SIM Toolkit). A bug is kind of unlikely to be present on all platforms. A monitoring feature would be documented
by someone, so this is also unlikely.
I searched a little more and found the recording of Hafner's talk at Systems, in his
talk he kind of gives it away (if you know what you have too look for). He says he only implemented it for Windows Mobile
(WinCE / PocketPC). That is very interesting since he first claims the RexSpy is universal across all platforms. The thing
that keep me thinking is the Service-SMS which others (including myself) call binary-SMS, since I used
binary-SMS for my MMS attack. Here you basically tell the device where to download a MMS message. But
as far as I remember there are other binary-SMS messages (or actually WAPPush messages that are send via binary-SMS) that
tell a mobile phone to go and download a WAP/WEB page. The URL could of course also point to a application binary, which
could be downloaded and executed without user interaction.
So maybe Hafner just found a small back door in the WAPPush handler that allows silent application installation, and
writing a phone monitor tool for Windows Mobile and SymbianOS shouldn't be hard at all. For monitoring one could
use the simple feature like a conference call, this way the trojan application would be very simplistic and small.
I'm still not 100% sure how it works (especially because he claims that it works with a old Siemens C45)
but analyzing the Windows Mobile RexSpy Killer provided by SecurStar
should bring me a step further (I haven't done this yet). I'll keep working on this and keep you updated.
I would really love to hear some comments on this.
Techworld (Hafner's talk at Systems in German language)