Etisalat, the carrier responsible for bringing the BlackBerry solution to the United Arab Emirates, released a very suspect official update. A member on the official support forums did some detective work, and found some suspicious code in the update. According to the user:
“Blackberry subscribers for Etisalat (one of the official service providers in the UAE) received a WAP Push to download a JAR named “registration”
The description of the “update” was as follows:
“Etisalat network upgrade for Blackberry service. Please download to ensure continuous service quality.”
I called the operator’s hotline inquiring about the update, and they confirmed it’s an “official” update that’s meant to enhance network stability which users experienced last few weeks, causing email and BBM delays. But anyone with two functional braincells would imagine such an update/fix would be done at the network side, rather than with an obscure piece of code pushed to client handsets as a WAP Push, rather than a service book.
Out of curiosity, I downloaded, unpacked and decoded the file, and can’t help but feel something is fishy here.
Following is a list of the class files within registration.jar:
/Interceptor.class
/Registration.cod
/Registration.csl
/Registration.cso
/META-INF/MANIFEST.MF
/com/ss8/interceptor/app/Commands.class
/com/ss8/interceptor/app/Transmit.class
/com/ss8/interceptor/app/MsgOut.class
/com/ss8/interceptor/app/Log.class
/com/ss8/interceptor/app/Main$1.class
/com/ss8/interceptor/app/StatusChange.class
/com/ss8/interceptor/app/Send.class
/com/ss8/interceptor/app/Main.class
/com/ss8/interceptor/app/Recv.class
/com/ss8/interceptor/app/Constants.class
/com/ss8/interceptor/tcp/smtp/SMTPHeader.class
/com/ss8/interceptor/tcp/smtp/SMTP.class
com/ss8/interceptor/tcp/HTTPDeliver.class
com/ss8/interceptor/tcp/SocketBase.class
I put up the original JAD/JAR/COD File along with the unpacked classes and decoded ones in one zip file at http://iihs.net/registration.zip and attached it here for those interested in having a look.
There are interesting references in the software to alternate APN, as well as some BB PINs to relay certain messages through. The whole thing seems VERY fishy.
Any JAVA Developers out there willing to take a look as well and help me make sense out of this?”
