This application requires Javascript for optimal performance.

SymbOS/Acallno.B!tr.spy - Released Apr 27, 2009 - Last Updated Jun 26, 2009

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

Since this Trojan Horse's purpose is to spy on the infected mobile device without its owner's knowledge, there are very few visible symptoms of the infection. The installation phase must either be performed on the targeted device by an attacker with physical access, or the attacker must trick the phone owner in doing so.

In the latter case, the phone owner should be particularly watchful if any of the following conditions are true:

  • The SIS package does not contain a valid certificate. This is typical of malware, because they do not bear Symbian's signature
  • The sis package does not install any visible application icon (this is typical of spyware attempting to hide their presence on the phone)
  • The installer goes by the name Phantom v3.0 or demo
  • Abnormally high phone bill
Finally, a reliable way to verify if a device is infected is to to check for the presence of the malware installed files with a file explorer application (see technical details below).

Detailed Analysis

  • This Trojan Horse allows for a nearly complete compromise of the targeted mobile device. Once installed, It has been observed to be capable of the following non-exhaustive list of actions:
    • track location of device
    • list missed/incoming/outgoing phone calls
    • intercept/spy/record incoming phone calls
    • retrieve IMSI and phone number of spied device each time the SIM is replaced
    • query IMEI
    • capture screenshot
    • turn on/turn off/dim/increase the background light of the phone
    Possible functionalities are listed at Figure 1 below.



    Technical details

  • This Trojan Horse consists in several modules implementing functionalities enumerated above. Those modules are controlled by SMS. The attack scenario is the following:
    • The attacker installs or gets the owner to install the Trojan Horse on the mobile phone to spy.

    • The attacker then crafts a special SMS that activates the Trojan Horse. This message contains a password and the phone number of the controlling phone (for example, the attacker's phone). This SMS is sent to the mobile phone to spy. The SMS is automatically processed by the Trojan Horse and does not appear on the device's incoming message box.

    • The attacker remotely controls the Trojan Horse with other SMS messages. Those messages enable or disable a specific functionality. If the attacker queries some information (for example, last missed phone calls), the Trojan Horse may either log the information in a file on the spied device (in that case the attacker needs to have physical access to the phone), or send information back to the controlling phone's number by SMS. Note that, if the operator supports this feature, it is possible to configure the Trojan Horse so that SMS messages are billed to the recipient (attacker) to help it go unnoticed on the victim's phone.

    • The attacker may install a helper application named Neo Control  on the controlling phone. This is a Java midlet that automatically crafts the appropriate SMS messages, with a valid format, depending on the actions the attacker chooses. Figure 1 shows a screenshot of this application.



      • Figure 1. Screenshot of Neo Control midlet, the application controlling the Trojan Horse. Listed are the Trojan Horse's functionalities.

  • Once installed, the Trojan Horse drops the following files:
    • c:\System\Apps\<IMEI>.ini: the name of this file is made from the IMEI of the infected device.
    • c:\System\Apps\dummy.ini
    • c:\System\Apps\s60capture.exe: module capable of taking screenshots of the infected device.
    • c:\System\Apps\s60dial.exe
    • c:\System\Apps\s60system.exe
    • c:\System\Apps\s60system1.exe
    • c:\System\Apps\s60systema.exe: main module of the Trojan Horse.
    • c:\System\Apps\s60systemdel.exe
    • c:\System\Apps\s60systemi.exe: module capable of intercepting phone calls.
    • c:\System\Apps\s60systemt.exe: module processing SMS events (incoming/outgoing messages).
    • c:\System\recogs\s60sysa.mdl: used to start C:\System\Apps\s60systema.exe.
    • c:\System\recogs\s60syss.mdl: used to start C:\System\Apps\s60system.exe.
    • c:\System\libs\mobinfo.dll: library exporting functions to retrieve phone information, such as the IMEI
    Moreover, depending on the malware's version and which functionalities are enabled, the following files may be found on the victim's phone:
    • c:\System\Apps\s60lightoff.exe: the modules in charge of switching off or dimming the lights of the infected phone. They are not included in all versions of the Trojan Horse.
    • c:\System\Apps\s60lighton.exe: similar to s60lightoff.exe, but switches on the light.
    • c:\System\Apps\s60system2h.exe: configuration module, creates the IMEI file.
    • c:\Logs\SysFiles\kumar: Trojan Horse's log file.
    • c:\Logs\Sysfiles\backup.txt
    • c:\Logs\SysFiles\backup1.txt
    • c:\Logs\Sysfiles\systemmode.txt
    • c:\Logs\SysFiles\debug.txt
    • c:\myrecording.wav: contains the recording of a call.
    • c:\btmp1.mbm: contains screenshots taken by s60capture.exe.
    • c:\check1.txt
    • c:\Record\Count.txt
    • c:\tim.txt
    • c:\TBitMapFile
    • c:\sc.txt
  • The following are messages and prompts sent by the infected phone to the controlling phone:
    • "I had received your BLUETOOTH request but I AM Busy or Check ur H/W address again!!!!!!!!"
    • "You can call me as my profile has changed to Active Mode!!!!!!!!"
    • "Please dont call me because my profile has changed to SILENT Mode!!!!!!!"

    Recommended Action

    Delete all the dropped files with a file manager application and reboot the phone - or run FortiClient Mobile Security.

    Reference: ID - 830143