
Spy/Maverick!SymbOS - Released Jul 07, 2010 - Last Updated Jul 13, 2010

Detection Availability

Active Database, Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

In most cases, the end user will not notice that this application is installed on his/her mobile phone. In some cases, he/she may spot the following symptoms:
  • The phone is locked and displays a lost/stolen screen such as Figure 1.
  • The phone starts sending many SMS messages.
  • It is impossible to perform a soft reset (*#7370#) of the phone.

Figure 1. The application locks the phone.

Detailed Analysis

This application, named Maverick Secure Mobile, aims at securing one's mobile phone against loss or theft. For instance, it plays a loud alarm sound if the SIM card is replaced by an unauthorized one.
Although this purpose is in no way reprehensible, attackers may use the application against the phone's legitimate owner in other scenarios.
In particular, several scenarios are potentially dangerous if the application is installed on a victim's phone without his/her full consent (or if the victim is tricked into installing it by social engineering) and configured with a 'reporting device' owned by the attacker.
In such cases, the attacker may eavesdrop on all conversations on the victim's phone, retrieve the victim's phonebook, geographically track the victim or disable the phone remotely.
This is particularly difficult for the victim to spot, because the application is hidden on the device.



Technical Details


The application installs without any problem on Symbian mobile phones (see Figure 2).

Figure 2. Installing the application on a phone.
Once installed, the application is nowhere to be seen (no application icon, not listed as installed). To configure it, one must key in *123* followed by a password (the default is ajt) (see Figures 3 and 4).
Figure 3. Main screen of the application.
Figure 4. Settings screen.
The following files are installed on Symbian OS 7 or 8:
  • c:\system\data\sys\keyserver.app: the main executable. Typically handles the *123* key sequence
  • c:\system\data\databackup.jar: mobile backup feature.
  • c:\system\data\databackup.jad
  • c:\system\data\++.mp3: alarm sound
  • c:\system\help\howtooperate.hlp: help file displayed after installation
  • c:\system\help\msmhel.hlp: help file for configuration
  • c:\system\recogs\reboot.mdl: automatically restarts the keyserver.app after the phone is rebooted
  • c:\system\libs\mobinfo.dll
  • c:\system\apps\uninsta.exe: handles application uninstallation
  • c:\system\apps\hfcopy.exe: backs up the application to a memory card, in a directory named e:\system\data\8030
  • c:\system\apps\msm\msmregistration.aif
  • c:\system\apps\msm\msmregistration_caption.rsc
  • c:\system\apps\msm\msmregistration.rsc
  • c:\system\apps\msm\msmregistration.app: handles commercial registration of the application. Registration information is sent over HTTP.
  • c:\system\apps\msm\msmfile.aif
  • c:\system\apps\msm\msmfile_caption.rsc
  • c:\system\apps\msm\msmfile.rsc
  • c:\system\apps\msm\msmfile.app: creates and handles queries in the MSM configuration database
  • c:\system\apps\msm\msmcontact.aif
  • c:\system\apps\msm\msmcontact_caption.rsc
  • c:\system\apps\msm\msmcontact.rsc
  • c:\system\apps\msm\msmcontact.app: retrieving phonebook feature
  • c:\system\apps\msm\smsencrdecr.aif
  • c:\system\apps\msm\smsencrdecr_caption.rsc
  • c:\system\apps\msm\smsencrdecr.rsc
  • c:\system\apps\msm\smsencrdecr.app
  • c:\system\apps\msm\msmnew.mbm
  • c:\system\apps\msm\msmnew.aif
  • c:\system\apps\msm\msmnew_caption.rsc
  • c:\system\apps\msm\msmnew.rsc
  • c:\system\apps\msm\msmnew.app
  • c:\system\apps\msm\telpad.aif
  • c:\system\apps\msm\telpad_caption.rsc
  • c:\system\apps\msm\telpad.rsc
  • c:\system\apps\msm\telpad.app
  • c:\system\data\sys\keyserver.aif
  • c:\system\data\sys\keyserver_caption.rsc
  • c:\system\data\sys\keyserver.rsc
In addition, the application may create the following files:
  • c:\ctoe.txt
  • c:\etoc.txt
  • c:\ContactE.txt
  • c:\ContactD.txt
  • c:\ContactDel.txt
  • c:\system\sysApp.txt
  • c:\system\sysApp1.txt
  • c:\nokia\others\MSM.txt
  • c:\wDriveSearchSys.txt
  • c:\FLog.txt
  • c:\FileE.txt
  • c:\FileD.txt
  • c:\UILog.txt
  • c:\sample.wav
  • c:\rece.txt
  • c:\SMSE.txt
  • c:\SMSD.txt
  • c:\SMSDel.txt
  • c:\SLog.txt
  • c:\TLog.txt
  • c:\Log.txt
On Symbian OS 9 (or greater) phones, the names and locations of the installed files are slightly different, but a similar architecture is used. The main executable is named MSM.exe and installed in c:\sys\bin.
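
A triage sketch for the file locations listed above, added here as an example and not part of the original analysis or of any Fortinet tool: it takes a file listing already exported from a handset, matches it case-insensitively against the components this page describes, and reports whether a main executable or only leftovers are present. The function names, verdict labels and sample listing are assumptions made for illustration.

```python
import ntpath

# Indicators from the file list above, mapped to the role this page gives each.
INDICATORS = {
    r"c:\system\data\sys\keyserver.app": "main executable (*123* key handling)",
    r"c:\system\recogs\reboot.mdl": "restarts keyserver.app after reboot",
    r"c:\system\apps\hfcopy.exe": "backup copy to memory card",
    r"c:\system\apps\msm\msmregistration.app": "registration over HTTP",
    r"c:\system\apps\msm\msmfile.app": "configuration database",
    r"c:\system\apps\msm\msmcontact.app": "phonebook retrieval",
    r"c:\sys\bin\msm.exe": "main executable (Symbian OS 9 or greater)",
}
MAIN = (r"c:\system\data\sys\keyserver.app", r"c:\sys\bin\msm.exe")
# Directories this page ties to the application (install and backup locations).
APP_DIRS = (r"c:\system\apps\msm", r"e:\system\data\8030")

def normalise(path):
    """Lower-case and unify separators so matching is case-insensitive."""
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()

def triage(listing):
    """Classify a file listing as 'installed', 'remnants' or 'clean'."""
    hits, other = {}, []
    for raw in listing:
        p = normalise(raw)
        if p in INDICATORS:
            hits[p] = INDICATORS[p]
        elif any(p.startswith(d + "\\") for d in APP_DIRS):
            other.append(p)  # file inside an application directory
    if any(m in hits for m in MAIN):
        verdict = "installed"
    elif hits or other:
        verdict = "remnants"  # e.g. only the memory-card backup is left
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "other_app_files": other}

# Constructed sample listing (not taken from a real handset).
SAMPLE = [
    "C:\\System\\Data\\Sys\\KeyServer.app",
    "C:/System/Recogs/reboot.mdl",
    "C:\\System\\Apps\\MSM\\telpad.app",
    "C:\\Nokia\\Images\\photo.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the application does not appear in the installed-applications list, a listing of the file system itself is the input to check; a "remnants" verdict covers the case where only the e:\system\data\8030 backup copy survives.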

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1923293