Spy Software Co. Says Product Isn’t a Trojan

The company selling a mobile-phone spy application that has been labeled malware by F-Secure says the software isn’t malicious or illegal.

F-Secure software recently began blocking a commercial application called FlexiSpy that bills itself as the world’s first spy software built for mobile phones.

When FlexiSpy software is loaded onto a Symbian mobile phone, it sends all text messages that are sent and received, as well as call details, to FlexiSpy servers. Users can log on to the servers via the Internet to read the messages and view the call records. The problem, says F-Secure, is that the phone owner may not know the program has been installed and can’t uninstall it.

“We’re convinced that this could be used for malicious and illegal purposes in so many ways that we made the decision to flag it as malware,” said Mikko Hypponen, F-Secure’s chief research officer.

Vervata, the Bangkok, Thailand, company that created FlexiSpy, argues that the product isn’t a virus, a Trojan horse or malware.

“Like any other monitoring software there may be a possibility for misuse, but there is nothing inherent in FlexiSpy that makes it illegal or malicious,” a Vervata spokesman wrote in an e-mail exchange. He said the software must be consciously installed by a person, does not self-replicate and doesn’t pretend to be something it’s not.

He said that an uninstall option is provided so the user can uninstall the program at any time, but F-Secure found that the application uninstaller doesn’t work.

Hypponen also worried that a user could “beam” the program via Bluetooth to other nearby users. “If one in 100 people who received it wonders what it is and clicks on it, it would install without telling the user what the program does,” he said. Going forward, the person who sent the program could read that person’s text messages online. “If that’s not malicious, I don’t know what is,” Hypponen said.

Some changes to the program could make it more palatable, he said. For instance, if the installation process clearly shows that a spy program is being installed, it could be useful for parents who might want to monitor a child’s text messages, he said.

But using this type of program to spy on another person is illegal in most parts of the world, he noted. In addition, he also said that users might be concerned that the text messages and calling information are being stored on Vervata servers.

F-Secure has contacted Vervata to discuss the program but hasn’t received a response, Hypponen said.

Each page of the FlexiSpy website warns visitors that logging other people’s text messages and other phone activity or installing FlexiSpy on another person’s phone without their knowledge could be illegal. It also says that Vervata assumes no liability and isn’t responsible for misuse or damage caused by FlexiSpy.

-Nancy Gohring, IDG News Service

(Robert McMillan, also of the IDG News Service, contributed to this report.)

Keep checking in at our CSO Security Feed page for updated news coverage.