Spy/CallMagic!SymbOS

Release DateOct 08, 2009
Detection Availability
Active DatabaseExtended Database
FortiGatelowhigh
FortiClient
FortiMailN/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • The phone silently answers calls (without the victim having to accept the incoming call)
  • The phone automatically answers a call after a few rings, without the victim accepting the call
  • Or the phone refuses all incoming calls

Detailed Analysis

This malware controls the way your phone answers incoming calls.
Depending on its configuration, this results in two different threats.

  1. The malware may be set to automatically answer incoming calls (silently or after a pre-defined number of calls). In that case, it can be used to listen to the surroundings of the victim's phone. For instance, any conversation close enough to the phone will be heard by the attacker. This is a privacy threat.
  2. The malware may be configured to reject incoming calls. In this case, it consists in a Denial of Service for the victim



Technical Details


The infection scenario works as follows.
An attacker installs the malware on a victim's phone. The malware installs as any other legitimate application on Symbian phones. Once installed, the attacker can notice there is a new icon for the malware on the victim's phone.
The attacker must then configure the malware:
  • enable automatic answer of incoming calls for all incoming numbers after 0 or more rings
  • enable automatic answer of incoming calls for a specific phone number after 0 or more rings
  • reject all incoming calls
Then, the attacker activates the malware (specific menu item). He/she can then hide it so the victim doesn't see its icon among other applications.

Fig.1 Malware's settings menuFig.2 Configuring the number of rings before the malware automatically answers the call

Later, the attacker calls the victim's phone. The phone automatically answers (without user's consent). From that point, the phone call is established, and the attacker can listen to whatever noise or conversation occurs close to the phone (see Figure 3).

Fig.3 An attacker is currently spying

Note that the phone does actually display there is an incoming call, so the victim may spot the problem. However, if the phone is in his/her pocket or handbag, the attack will probably go unnoticed.

The malware installs the following files on the phone:
  • end user license agreement0.txt: license agreement
  • disclaimer0.txt
  • !:\system\apps\callmagic\callmagic.aif: malware's Symbian application information file
  • !:\system\apps\callmagic\callmagic.rsc: malware's resource
  • !:\system\apps\callmagic\callmagic.app: the main application
  • c:\system\recogs\gauravcm.mdl: makes sure the main application is re-launched when the phone reboots

Note the application may install on the phone or on a memory card.
Description Last Updated Date: Oct 23, 2009
Reference: ID - 1065586