Spy/MobileSpy!WinCE

Alias/es

SPYW_MOBSPY.A, Spyware:WinCE/BopSmiley.A, Spyware.17C61154, Spyware:WinCE/BopSmiley.B

Release Date

Feb 04, 2008

Detection Availability

Current Antivirus Definition Database Version: 12.309

Description

Visible Symptoms

The following files are created:

%Program Files%\SmartPhone\Smartphone.exe
%Program Files%\SmartPhone\OpenNETCF.Net.dll
%Program Files%\SmartPhone\OpenNETCF.dll
%Program Files%\SmartPhone\hsmsutil.dll

Detailed Analysis

This is a "commercial" Spyware tool, allowing for remote monitoring of a mobile device.

It must be noted that proper installation practically requires physical access to the targeted device. Indeed, when run the first time, the user is prompted with the login / password pair generated when buying the tool online (Fig. 1).

Upon successful completion of the login step, the user can click Capture to start the monitoring process, then select Hide to put the Spyware tool in "stealth" mode, making it effectively disappear in the background (Fig 2).

Subsequently, all SMS messages, phone calls information, and visited URLs are recorded and the resulting logs uploaded to the following server:

http://www.{removed}spy.com

With the proper credentials, a remote user can then access the gathered information over the internet.

Figure 1: Initial Login

Figure 2: Control Interface

Technical details

The spyware installation package is a CAB file.

In order to run upon every system restart, the Spyware creates the file Primary output from Smartphone (Active).lnk under \Windows\StartUp folder.

The following registry entries are created to hold login data:

key: HKEY_CURRENT_USER\Software\RetinaxStudios
value: ReportTime ={time value}
value: Username ={user name}
value: Password ={password}
value: AutoLogin ={0 or 1}
value: RememberUser ={0 or 1}

The following items are appended to the phone number box:

VN-GPRS
SKT-WAP
SFONE-WAP
EVN-WAP
DACT-GPRS

VN-GPRS is set as "active access".

Description Last Updated Date: Apr 21, 2008
Reference: ID - 426272