In the Part 1 of this two-part series we looked at the Mobile-spy "spouseware" program from a consumer/researchers perspective and examined what the software does and how it works. We learned that it is a fairly simple program with a .NET client side application that collects phone details, text messages, and visited URLs. This information is then posted to the server side application at mobile-spy.com, where the software's owner can log in and review the collected activity.
In this installment we are going to take another look at the Mobile-spy solution, but this time it will be from the perspective of a security researcher. Specifically, we want to test the software to see just how easy it would be to hijack the original intent of the software and turn it into something much more malicious. In addition, we also wanted to test the solution to see if it was secure, and if not, how it could be abused.
Hijacking the Binary
We have discussed the potential for abuse of a program like MobileSpy. However, all the listed abuses still require a form of accountability in that someone has to access the Mobile-spy.com website to view the logs. This allows MobileSpy to not only sell their solution as a subscription-based product, but it also places the program firmly in the consumer camp. Unfortunately, it is relatively easy to alter the binary and hijack the log posting functionality, thus turning the consumer software into malware.
We aren't going to get into the details of how this is done. However, the patching process is fairly simple and only required about 15 minutes of our time to tweak the binary and build a new capturing backend into which the logs were dumped. For this reason, and others, many antivirus firms have labeled this program as a potential threat and are scanning for it in their software.