Mobile Spy can run on iPhone, Android, Symbian and Blackberry; and it can run in stealth mode, making it little different in operation – if not in intention – from conventional spyware malware. Once installed, it silently uploads data to the subscriber’s web account, where it can be viewed from anything with web connectivity. One option allows the subscriber to track the device via GPS and control it remotely – offering an attractive security option for both individuals and companies.
But now the Vulnerability Lab has discovered multiple vulnerabilities and issued an advisory. “The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.” Two of the vulnerabilities are given a ‘high risk’ rating and a third is given a ‘medium risk’ rating.
One possible outcome is described in the advisory: “If you know for example your mobile is observed you can inject script code to your sms and send it via service. The SMS spy service is logging the issue & the script code is getting executed on the display website of the observer. This possibility allows the observed person to spy back the attacking observer by redirection to log him when processing to watch the sms.”
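The advisory describes a stored (persistent) cross-site scripting bug: text typed into an SMS on the monitored handset is logged by the service and later written, unescaped, into the HTML page the observer views. The following is an added illustration, not Mobile Spy’s own code or the advisory’s proof of concept; it models a hypothetical server-side renderer for such a dashboard, with constructed sample messages, and shows the vulnerable rendering beside the hardened one. The `SmsRecord` type, the function names and the `alert('spied back')` canary are all assumptions made for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class SmsRecord:
    """One logged message as a hypothetical spy service might store it."""
    sender: str
    body: str


# Constructed sample log: a benign message and one whose body carries
# script markup, standing in for the "inject script code to your sms"
# case the advisory describes.  The canary only pops a dialog.
SAMPLE_LOG = [
    SmsRecord("+1 555 0100", "running late, see you at 7"),
    SmsRecord("+1 555 0199", "<script>alert('spied back')</script>"),
]


def render_vulnerable(records):
    """Builds the observer's SMS table by string interpolation.

    The message body is copied into the page verbatim, so any markup the
    monitored person typed becomes live HTML in the observer's browser.
    This is the defect class the advisory reports.
    """
    rows = "".join(
        f"<tr><td>{r.sender}</td><td>{r.body}</td></tr>" for r in records
    )
    return f"<table>{rows}</table>"


def render_hardened(records):
    """Same table, but every untrusted field is HTML-escaped on output.

    html.escape turns <, >, &, " and ' into entities, so the logged text is
    displayed as text and cannot be parsed as a tag or attribute.
    """
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(r.sender, quote=True),
            html.escape(r.body, quote=True),
        )
        for r in records
    )
    return f"<table>{rows}</table>"


def security_headers():
    """Defence-in-depth response headers for the dashboard (assumed values).

    Escaping is the real fix; a restrictive Content-Security-Policy limits
    the damage if an escaping gap is ever missed, because inline script is
    refused by the browser regardless of how it reached the page.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def has_live_script_tag(page):
    """Detection check: does a raw <script opening tag survive in the HTML?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable page executes injected script:",
          has_live_script_tag(render_vulnerable(SAMPLE_LOG)))
    print("hardened page executes injected script:",
          has_live_script_tag(render_hardened(SAMPLE_LOG)))
```

The fix is output encoding at the point where logged data meets HTML, not input filtering on the handset: the service cannot control what the monitored person types, and the data is untrusted by definition. The header helper is an assumed defence-in-depth layer, not something the advisory or the vendor describes.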
The irony is that the spied upon becomes the spy. But the danger to business, already very worried about the effect of BYOD on its corporate systems, is that it might turn to this type of security as a quick and simple solution rather than to one of the more formal solutions. “We have over 20 years of vulnerability alerts for PCs, but mobile security is still taking its first steps,” says Nigel Hawthorn, director EMEA Marketing at MobileIron, a California based mobile security company. “Vulnerabilities like this one demonstrate that users and their employers need to implement complete mobile device and mobile application control. Solutions are available where administrators can select which mobile applications are required, allowed, or disallowed and then define the consequences of being out of policy, for example warning users or selectively deleting corporate information from the device that may be vulnerable.”
Spyware instead of security is probably not the best way to secure BYOD policies – even without these vulnerabilities.