
iPhoneOS/Trapsms.A!tr.spy - Released Jun 24, 2009 - Last Updated Jul 06, 2009

Detection Availability

                 Active Database    Extended Database
    FortiGate    low                high
    FortiClient
    FortiMail    N/A

Visible Symptoms

  • The spyware connects to the Internet. Depending on your phone's subscription, this may lead to abnormally high phone bills
  • An application named STD is installed in Cydia (typical third party installation tool for jailbroken iPhones)
Detailed Analysis

    This spyware is the iPhone version of SymbOS/Trapsms.A!tr.spy. It spies on SMS messages received by or sent from the mobile phone it is installed on. As with SymbOS/Trapsms.A!tr.spy, the typical attack scenario is:
    • the attacker registers on the spyware's website
    • the attacker installs the spyware on the victim's iPhone
    • the victim uses his/her iPhone; all SMS messages received or sent are forwarded to the attacker's web account
    • the attacker spies on the victim

    Technical details
    This spyware is installed on the victim's phone by the attacker.
    It requires the victim's phone to be jailbroken. Then, the attacker must download the spyware from SmsTrap's repository, and install it (for example using Cydia).


    Figure 1. Installation of the spyware using Cydia


    Figure 2. Spyware is installed on the iPhone

    The attacker can configure the spyware not to show on the springboard (and he/she probably will!).


    Figure 3. The spyware is invisible

    The spyware consists of:
    • a visible or invisible user interface (named SMSTrapUI): this interface is used by the attacker to configure the spyware. In particular, this is where he/she enters his/her web credentials so that SMS messages received or sent by this phone are forwarded to the correct web account.
    • a daemon (named std) which is actually in charge of spying on SMS messages

    Recommended Action

    On the iPhone, open an application named Cydia. Then select "Manage" and click on "Packages" to list installed third party applications. Then, remove the application named STD.


    Figure 4. Remove the STD application

    It is also safe to remove the spyware's repository URL: in Cydia, select "Manage" and click on "Sources" to list all configured repositories. Remove the repository named ST.


    Figure 5. Remove the repository

    Reference: ID - 906713