Spy/WaveSecure!SymbOS

Release Date: Dec 08, 2009
Detection Availability:
  FortiGate: Active Database low, Extended Database high
  FortiClient:
  FortiMail: N/A
Current Antivirus Definition Database Version: 12.309
Description

Visible Symptoms

The following symptoms may indicate the presence of the malware:
  • A WaveSecure application is installed on the phone
  • A process named wsmsgsrv_0x200254A8.exe is running
  • A directory named c:\data\wscache3 is present on the phone
  • The phone locks, plays a strong alarm or regularly uploads data onto a remote server

Detailed Analysis

This application corresponds to a legitimate commercial phone-securing tool, whose goal is to assist the owner and secure the phone in case of device loss, theft or accidental data reset. When this tool is intentionally installed on a phone with the owner's full consent, there is no security problem. The owner should however be aware that 1/ the application sends data over the Internet (thus implying additional cost depending on the operator's subscription) and 2/ data is centralized on a remote web server.
However, this application results in a strong privacy threat if it is installed without the owner's consent. In that case, the tool turns into an efficient spying tool for retrieving contacts, SMS, geographic location etc.
Moreover, in that case, an attacker can remotely lock the user's device.
Consequently, end-users or system administrators may wish to detect the application.
Technical Details

This is the Symbian version of the malware; other versions exist for other operating systems and show the same behaviour.
This application provides the following functionalities:
  • phone locking locally, remotely by SMS from a trusted phone, or remotely from the application's web server control panel.
  • data backup: SMS, contacts, calendar, call logs etc are uploaded to the application's web server.
  • track SIM removal/change (and notify the owner) or track the phone's geographic location.
  • wipe phone, locally or remotely.
Upon installation, the application asks the user for:
  1. the phone's phone number and a secret six-digit PIN: those are used as credentials to log on to the application's web server.
  2. the phone number of a trusted buddy. This buddy will be allowed to send special commands to the phone (provided he/she knows the secret PIN) so as to, for instance, remotely lock the phone. For example, if the phone is lost, the buddy may send a special SMS "secure lock PIN message" to remotely lock the phone. See Figure 2. The buddy receives a confirmation SMS if the device was successfully locked.
     In case the phone is lost, the buddy may also remotely track the phone by sending an SMS "secure locate PIN".
     Obviously, those remote SMS commands endanger privacy if an attacker guesses your PIN.
  3. a valid email address to reset the PIN in case you forget it.

The application installs several files on the device (note the application cannot install on a memory card).
In c:\sys\bin:
  • WaveSecure_0x200254AB.exe: main application. Started after reboot.
  • CrashReporter_0x200254CC.exe: automatically restarted after reboot.
  • MsgSrvClient_0x200254A9.dll
  • SmsDatagramService_0x200254AA.dll: library meant to handle SMS messaging
  • SyExpat_0x20025499.dll: library meant to handle XML format import/export
  • WipeEngine_0x200254AC.dll
  • WsApp_0x200254AD.exe: the executable that handles the application's menu and settings.
  • WsAppCommon_0x200254AE.dll
  • WsCommon_0x200254AF.dll: a library of common functions used by the application. In particular, it handles HTTP connections to the Internet.
  • wsdbsrvClient_0x200254B0.dll and wsdbsrvServer_0x200254B1.exe
  • WsLkApp_0x200254B2.exe
  • wsmsgsrv_0x200254A8.exe: sends SMS when appropriate, by calling functions of SmsDatagramService.
  • WsUninstallApp_0x200254B4.exe
  • wswatchdog_0x200254B5.exe
Several other files are installed on the phone, including a license manager.
The c:\data\wscache3 directory is particularly noticeable. It contains the application's settings (c:\data\wscache3\config.txt) and caches data to be sent to the remote web server.
In the private directory, several resources are also installed, including c:\private\200254B2\Alarm.wav, a strong and hideous sound played when remotely activated, used to locate the phone more easily or to scare a potential thief away.
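As an added example (not code from Fortinet or from the WaveSecure vendor), the following Python checks a device snapshot for the host indicators listed in Visible Symptoms and under c:\sys\bin above, and recognises the two remote SMS commands ("secure lock PIN message", "secure locate PIN") described in the Technical Details, redacting the PIN. Treating the page's wording as the exact SMS syntax, the comparison of the sender against the registered buddy number, and all sample data are assumptions or constructed for this example.

```python
import re

# Host indicators taken from the page: the messaging process, the cache
# directory and the executables the application drops into c:\sys\bin.
WS_PROCESS = "wsmsgsrv_0x200254A8.exe"
WS_CACHE_DIR = r"c:\data\wscache3"
WS_BINARIES = {name.lower() for name in (
    "WaveSecure_0x200254AB.exe", "CrashReporter_0x200254CC.exe",
    "WsApp_0x200254AD.exe", "wsdbsrvServer_0x200254B1.exe",
    "WsLkApp_0x200254B2.exe", "wsmsgsrv_0x200254A8.exe",
    "WsUninstallApp_0x200254B4.exe", "wswatchdog_0x200254B5.exe")}

# Remote commands as worded on the page, with a six-digit PIN. Reading that
# wording as the exact SMS syntax is an assumption made for this example.
SMS_CMD_RE = re.compile(r"^\s*secure\s+(lock|locate)\s+(\d{6})(?:\s+(.*\S))?\s*$", re.I)

def host_indicators(processes, paths):
    """Return the page-listed indicators present in a device snapshot (deduplicated)."""
    hits = []
    if WS_PROCESS.lower() in (p.lower() for p in processes):
        hits.append("process:" + WS_PROCESS)
    for path in (p.lower() for p in paths):
        if path == WS_CACHE_DIR.lower() or path.startswith(WS_CACHE_DIR.lower() + "\\"):
            hits.append("dir:" + WS_CACHE_DIR)
        elif path.startswith("c:\\sys\\bin\\") and path.rsplit("\\", 1)[1] in WS_BINARIES:
            hits.append("file:" + path)
    return sorted(set(hits))

def parse_command_sms(sender, body, trusted_buddy):
    """Recognise a WaveSecure command SMS; the PIN is never returned in clear."""
    m = SMS_CMD_RE.match(body)
    if not m:
        return None
    return {"command": m.group(1).lower(),
            "pin_redacted": "*" * len(m.group(2)),
            "message": m.group(3) or "",
            "from_trusted_buddy": sender == trusted_buddy}  # assumption: buddy number known

if __name__ == "__main__":
    # Constructed sample snapshot and SMS log (not captured from a real device).
    procs = ["phone.exe", "wsmsgsrv_0x200254A8.exe"]
    files = [r"C:\sys\bin\WaveSecure_0x200254AB.exe", r"c:\data\wscache3\config.txt",
             r"c:\private\200254B2\Alarm.wav"]
    print(host_indicators(procs, files))
    for sender, body in [("+15550001", "secure lock 123456 Phone lost, please call"),
                         ("+15559999", "SECURE LOCATE 123456"),
                         ("+15550001", "see you at 6")]:
        print(sender, parse_command_sms(sender, body, trusted_buddy="+15550001"))
```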

Figure 1. Main application menu
Figure 2. Phone locked by trusted buddy. Enter PIN to unlock.
Figure 3. Trusted buddy sending commands via SMS

Figure 4. Web server control panel. Locating the phone.

Description Last Updated Date: Dec 09, 2009
Reference: ID - 1166895