This application requires Javascript for optimal performance.

Spy/MobileSpy!WinCE - Released Feb 04, 2008 - Last Updated Apr 21, 2008

Alias/es

SPYW_MOBSPY.A, Spyware:WinCE/BopSmiley.A, Spyware.17C61154, Spyware:WinCE/BopSmiley.B

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The following files are created:
    • %Program Files%\SmartPhone\Smartphone.exe
    • %Program Files%\SmartPhone\OpenNETCF.Net.dll
    • %Program Files%\SmartPhone\OpenNETCF.dll
    • %Program Files%\SmartPhone\hsmsutil.dll

    Detailed Analysis

    This is a "commercial" Spyware tool, allowing for remote monitoring of a mobile device.

    It must be noted that proper installation practically requires physical access to the targeted device. Indeed, when run the first time, the user is prompted with the login / password pair generated when buying the tool online (Fig. 1).

    Upon successful completion of the login step, the user can click Capture  to start the monitoring process, then select Hide  to put the Spyware tool in "stealth" mode, making it effectively disappear in the background (Fig 2).

    Subsequently, all SMS messages, phone calls information, and visited URLs are recorded and the resulting logs uploaded to the following server:

    • http://www.{removed}spy.com
    With the proper credentials, a remote user can then access the gathered information over the internet.




    Figure 1: Initial Login
    Figure 2: Control Interface


    Technical details
  • The spyware installation package is a CAB file.

  • In order to run upon every system restart, the Spyware creates the file Primary output from Smartphone (Active).lnk  under \Windows\StartUp folder.

  • The following registry entries are created to hold login data:
    • key: HKEY_CURRENT_USER\Software\RetinaxStudios
    • value: ReportTime ={time value}
    • value: Username ={user name}
    • value: Password ={password}
    • value: AutoLogin ={0 or 1}
    • value: RememberUser ={0 or 1}
  • The following items are appended to the phone number box:
    • VN-GPRS
    • SKT-WAP
    • SFONE-WAP
    • EVN-WAP
    • DACT-GPRS
  • VN-GPRS is set as "active access".

    • Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 426272