It’s hip2b2

I just read this interesting post in MobileCrunch about a new piece of software called FlexiSpy. The product description from the FlexiSpy website is as follows:

FlexiSPY is a ‘activity logger’ for mobile phones. All activity such as sending & receiving SMS messages, call history, (incoming / outgoing), call duration, GPRS activity, & contact names in their address book that is associated to each SMS and call. What truly makes FlexiSPY so unique, is that not only one of the world’s first spy applications designed and built exclusively for the mobile phone, but it’s virtually undetectable by the user! You can install FlexiSPY within minutes and receive your first phone acitivy report within hours!

As noted in the MobileCrunch article, this service can potentially violate not just one but two (2) laws! First, there are some strict anti-wiretapping laws in most countries. Second, since each transaction has to be sent over-the-wire to the FlexiSpy server, the charges of these transactions are made out to the target of spying (Victim pays!). So, he is being charged for something he does not know about.

I would like to add a third potential issue. Aside from the user violating the privacy rights of the target. FlexiSpy is also storing the information in their servers (to allow users web access to the data)! This means FlexiSpy is also violating the privacy rights of the target but holding information about them without their permission. I wonder which country in the world allows this kind of double privacy rights violations? Fortunately, F-Secure has already tagged this project as malware in their security suite.

But enough of that, now for the technology. This product runs on Symbian series 60 (S60) phones. This is because not all J2ME phones support access to the messaging API (unless you phone has the proper JSRs). Therefore, S60 is the most logical platform to develop such a product. Technically speaking, it is not very difficult to write an application like this at all. Maybe just grab a Python interpreter for S60. Then write a small Python script to access the Inbox and Outbox after a polling interval (or triggers using the automatic mailbox monitoring features of the handset). After grabbing messages, these are wrapped up and sent to the Spying Server using a webservice (REST) over GPRS. Lastly, write a nice web interface for accessing the data over the web. The solution is entirely off net and can be done using freely available components.

Now the dangerous thing would be to integrate such a feature with some existing spreading mechanism such as Bluetooth. Then we have another potential mobile worm.

This entry was posted on Tuesday, April 4th, 2006 at 12:16 am and is filed under Mobile. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.