Spy/Spyiolan!SymbOS

Release Date: Oct 12, 2009
Detection Availability
Active Database, Extended Database
FortiGate: low, high
FortiClient
FortiMail: N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

One or more of the following symptoms may indicate the spyware is currently running on the device:
  • an application named Spy! is installed on the phone
  • the phone plays sounds, or sends several emails, SMS or MMS messages
  • there is nearly no more space on the phone or memory card
  • the phone reacts slowly
  • the phone's camera is on and takes pictures regularly

Detailed Analysis

This application uses the phone's camera as a surveillance device and automatically sends emails, SMS or MMS messages to a configurable phone number if the camera detects movement. It can also play a sound, store multiple screenshots, and record phone calls or sounds close to the phone.
This application may threaten the end-user's privacy, particularly if it is installed by an attacker without the user's consent. This is why it is classified as spyware.



Technical Details


The spyware installs without any problem on Symbian OS 7 or 8. Its name is "Spy!". A new application icon appears on the phone. The spy must then configure the spyware: several configuration options are available (see Figures 1 and 2).
Figure 1. Configuring motion detection
Figure 2. Configuring recording

Once the spyware is configured, the spy must activate the tool (menu choice). The spyware then starts its work. Figure 3 lists images taken when motion is detected. Those images are stored locally on the device and optionally sent by MMS or e-mail. Figure 4 shows a typical screenshot.
Figure 3. Motion is detected: screenshot listing.
Figure 4. Typical screenshot sent by MMS

The spyware drops or uses the following files:
  • !:\system\apps\spy\spy.aif
  • !:\system\apps\spy\spy.app: the main application
  • !:\system\apps\spy\spy_caption.rsc
  • !:\system\apps\spy\spy.mbm
  • !:\system\apps\spy\spy.rsc
  • !:\system\apps\spy\Inbox: screenshots are stored in this directory
  • sisboom.txt
  • about.txt
  • C:\System\Data\Spy.ini: the spyware's configuration file
  • C:\system\shareddata\101f8421.ini
  • C:\documents
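
The file list above can be used to triage a file listing taken from a handset or memory card. The following is an added example, not part of the original write-up or any Fortinet tool: the function names, the split into "specific" and "weak" indicators, and the sample listing are assumptions of the example.

```python
import re

# Paths listed on this page. "!" is the SIS placeholder for the drive chosen
# at install time, so it is matched against any drive letter.
SPY_SPECIFIC = [
    r"!:\system\apps\spy\spy.aif", r"!:\system\apps\spy\spy.app",
    r"!:\system\apps\spy\spy_caption.rsc", r"!:\system\apps\spy\spy.mbm",
    r"!:\system\apps\spy\spy.rsc", r"!:\system\apps\spy\Inbox",
    r"C:\System\Data\Spy.ini",
]
# Assumption of this example: bare names and shared locations are weak alone.
WEAK = [r"sisboom.txt", r"about.txt",
        r"C:\system\shareddata\101f8421.ini", r"C:\documents"]

def _compile(indicator):
    norm = indicator.replace("/", "\\").lower()
    if ":" not in norm:
        # Bare file name: match it as the last path component anywhere.
        return re.compile(r"(?:.*\\)?" + re.escape(norm) + r"$")
    drive, rest = norm.split(":", 1)
    drive_re = "[a-z]" if drive == "!" else re.escape(drive)
    # Allow children so a directory indicator (Inbox) matches files inside it.
    return re.compile(drive_re + ":" + re.escape(rest) + r"(?:\\.*)?$")

PATTERNS = {"specific": [_compile(i) for i in SPY_SPECIFIC],
            "weak": [_compile(i) for i in WEAK]}

def triage(listing):
    """Return the listed paths that match, grouped by indicator strength."""
    hits = {"specific": [], "weak": []}
    for path in listing:
        # Symbian file systems are case-insensitive; normalise before matching.
        p = path.strip().replace("/", "\\").lower()
        for label, pats in PATTERNS.items():
            if any(rx.match(p) for rx in pats):
                hits[label].append(path.strip())
                break
    return hits

# Constructed sample listing (file names such as img0001.jpg are invented).
SAMPLE = [
    "E:\\System\\Apps\\Spy\\Spy.app",
    "E:\\System\\Apps\\Spy\\Inbox\\img0001.jpg",
    "C:\\system\\data\\spy.ini",
    "C:\\System\\Apps\\Camera\\Camera.app",
    "E:\\Others\\about.txt",
    "C:\\System\\Apps\\Spyglass\\spy.app",  # similar name, must not match
]

if __name__ == "__main__":
    for label, paths in triage(SAMPLE).items():
        print(label, paths)
```

A "weak" hit alone (for example a stray about.txt) is not evidence of this spyware; treat it as supporting detail only when a "specific" path is also present.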

Description Last Updated Date: Oct 23, 2009
Reference: ID - 1070320