Spy/WaveSecure!SymbOS - Released Dec 08, 2009 - Last Updated Dec 09, 2009

Detection Availability

	Active Database	Extended Database
FortiGate		low high
FortiClient
FortiMail		N/A

Visible Symptoms

The following symptoms may indicate the presence of the malware:

A WaveSecure application is installed on the phone
A process named wsmsgsrv_0x200254A8.exe is running
A directory named c:\data\wscache3 is present on the phone
The phone locks, plays a strong alarm or regularly uploads data onto a remote server

Detailed Analysis

This application corresponds to a legitimate commercial phone securing tool, whose goal is to assist and secure the owner's phone in case of device loss, theft or accidental data reset. When this tool is intentionally installed on a phone with the owner's full consent, there is no security problem. The owner should however be aware that 1/ the application sends data over Internet (thus implying additional cost depending on operator's subscription) and 2/ data is centralized on a remote web server.
However, this application results in a strong privacy threat if it is installed without owner's consent. In that case, the tool turns into an efficient spying tool, for retrieving contacts, SMS, geographic location etc.
Moreover, in that case, an attacker can remotely lock the user's device.
Consequently, end-users or system administrators may wish to detect the application.

Technical Details

This is the Symbian version of the malware, other versions exist for other operating systems and show the same behaviour.
This application provides the following functionalities:

phone locking locally, remotely by SMS from a trusted phone, or remotely from the application's web server control panel.
data backup: SMS, contacts, calendar, call logs etc are uploaded to the application's web server.
track SIM removal/change (and notify) or track phone's geographic location.
wipe phone, locally or remotely.

Upon installation, the application asks the user:

the phone's phone number and a secret six digits PIN: those are used as credentials to log on the application's web server.
the phone number of a trusted buddy. This buddy will be allowed to send special commands to the phone (provided he/she knows the secret PIN) so as to, for instance, remotely lock the phone. For example, if the phone is lost, the buddy may send a special SMS "secure lock PIN message" to remotely lock the phone. See Figure 2. The buddy receives a confirmation SMS if the device was successfully locked.
In case the phone is lost, the buddy may also remotely track the phone, by sending an SMS "secure locate PIN".
Obviously, those remote SMS commands are endanger privacy if an attacker guesses your PIN.
a valid email to reset the PIN in case you forget it.

The application installs several files on the device (note the application cannot install on a memory card).
In c:\sys\bin:

WaveSecure_0x200254AB.exe: main application. Started after reboot.
CrashReporter_0x200254CC.exe: automatically restarted after reboot.
MsgSrvClient_0x200254A9.dll
SmsDatagramService_0x200254AA.dll: library meant to handle SMS messaging
SyExpat_0x20025499.dll: library meant to handle XML format import/export
WipeEngine_0x200254AC.dll
WsApp_0x200254AD.exe: the executable that handles the application's menu and settings/
WsAppCommon_0x200254AE.dll
WsCommon_0x200254AF.dll: a library of common functions used by the application. In particular, handles HTTP connection to Internet.
wsdbsrvClient_0x200254B0.dll and wsdbsrvServer_0x200254B1.exe
WsLkApp_0x200254B2.exe
wsmsgsrv_0x200254A8.exe: sends SMS when appropriate, by calling functions of SmsDatagramService.
WsUninstallApp_0x200254B4.exe
wswatchdog_0x200254B5.exe

Several other files are installed on the phone, including a license manager.
The c:\data\wscache3 is particularly noticeable. It contains the application's settings (c:\data\wscache3\config.txt) and caches data to send to the remote web server.
In the private directory, we can also notice several resources are installed, including c:\private\200254B2\Alarm.wav, a strong and hideous sound played when remotely activated and used to locate the phone more easily or scare a potential thief away.