SymbOS/DaddySpy.A!tr.spy - Released Dec 17, 2009 - Last Updated Jan 21, 2010
Visible Symptoms
The malware is hardly noticeable. Sometimes, the following symptoms may be noticed:
- an application pops up when you dial *#000000#
- high bill (due to sending SMS, e-mails and HTTP connections)
- an application named 'Daddy's Eye' is listed in the Application Manager
Detailed Analysis
This malware is a multi-function phone bug. It records:
- all incoming/outgoing SMS messages
- voice calls on the phone
- surrounding noise (activating the microphone)
It sends a copy of the SMS messages and recordings to a malicious remote web server via HTTP. The malicious web server then processes the information and either stores it in the spy's personal account on the web server or forwards it to a configurable e-mail address.
This malware is mainly advertised as a parental control utility, and the installation procedure stipulates that it should only be installed on your own phone. But, of course, there is no way to enforce this. Consequently, any spy with physical access to your mobile phone may install the malicious software on it.
The malware is all the more dangerous because it is not easy to spot on the device:
- all spy communications are hidden. For example, there is no trace of SMS sent by the malware.
- the Applications Menu does not show any icon for the malware.
- moreover, the malware has the ability to hide itself from the list of running tasks.
- functionalities of the spyware can be remotely enabled or disabled, by sending an SMS to the victim's phone. For instance, it is possible to remotely activate the microphone bug or the recording of calls.
Currently, the malware only affects Symbian OS 9 (or greater) mobile phones.
Technical Details
The malware installs on the phone or on a memory card of the phone as an application named 'Daddy's Eye'.
It installs the following files:
- c:\System\esinst.ini
- !:\resource\apps\DaddysEye_0x200270F5.r01
- !:\resource\apps\DaddysEye_0x200270F5.r16
- !:\private\10003a3f\import\apps\DaddysEye_0x200270F5_reg.rsc
- !:\resource\apps\DaddysEye_0x200270F5.mif
- !:\resource\apps\DaddysEye_0x200270F5.mbm
- !:\sys\bin\DaddysEye_0x200270F5.exe: this is the main executable of the malware
- c:\private\101f875a\import\[200270F5].rsc
- !:\private\200270F5\backup_registration.xml
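As an added example (not part of the original analysis), the following Python checks a file listing taken from a device or a phone backup against the installation paths listed above. It treats `!:` as the install-time drive placeholder used by Symbian installer packages, so those entries can match on phone memory or on a memory card; the sample listing is constructed.

```python
from typing import Iterable, List

# Artefacts named in the Detailed Analysis. In Symbian installer packages "!:"
# stands for the drive chosen at install time (phone memory or memory card),
# so those entries are matched against any drive letter.
DADDYSPY_FILES = [
    r"c:\System\esinst.ini",
    r"!:\resource\apps\DaddysEye_0x200270F5.r01",
    r"!:\resource\apps\DaddysEye_0x200270F5.r16",
    r"!:\private\10003a3f\import\apps\DaddysEye_0x200270F5_reg.rsc",
    r"!:\resource\apps\DaddysEye_0x200270F5.mif",
    r"!:\resource\apps\DaddysEye_0x200270F5.mbm",
    r"!:\sys\bin\DaddysEye_0x200270F5.exe",
    r"c:\private\101f875a\import\[200270F5].rsc",
    r"!:\private\200270F5\backup_registration.xml",
]

# Constructed example of a file listing exported from a phone (not real data).
SAMPLE_LISTING = [
    r"E:\sys\bin\DaddysEye_0x200270F5.exe",
    r"C:\System\esinst.ini",
    "e:/private/200270F5/backup_registration.xml",
    r"C:\sys\bin\Phone.exe",
    r"C:\private\101f875a\import\[200270F5].rsc",
]


def _normalise(path: str) -> str:
    # Symbian file names are case-insensitive; also accept forward slashes
    # as produced by some backup tools.
    return path.replace("/", "\\").lower()


def _matches(indicator: str, path: str) -> bool:
    ind, p = _normalise(indicator), _normalise(path)
    if ind.startswith("!:"):
        # Any single drive letter followed by the rest of the indicator path.
        return len(p) > 2 and p[0].isalpha() and p[1:] == ind[1:]
    return p == ind


def find_daddyspy_artifacts(paths: Iterable[str]) -> List[str]:
    """Return the entries of `paths` that match a known DaddySpy file."""
    return [p for p in paths if any(_matches(i, p) for i in DADDYSPY_FILES)]


if __name__ == "__main__":
    for hit in find_daddyspy_artifacts(SAMPLE_LISTING):
        print("suspicious file:", hit)
```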
Furthermore, the following file may be noticed on the device:
Upon installation, the malware pops up its configuration window. The spy may configure the settings listed below:
- send spied information to a given e-mail address or to the malicious web server.
- send information immediately after it is collected, or at a given time.
- send information concerning SMS messages only, or also voice calls.
- specify the quality of voice call recordings (if voice calls are to be spied on).
- all collected information is sent via HTTP. Therefore, the malware requires a connection to the Internet (Internet Access Point or Wifi). The malware asks the spy to configure which connection to use.
- restart the malware after reboot or not.
- hide the malware from the task list or not.
See Figures 1 and 2 for the malware's main configuration screen.
Figure 1. Main window
Figure 2. Settings for the malware.
Once properly configured, the malware is hidden. A malicious daemon (DaddysEye_0x200270F5.exe) runs in background and does the spy work. The malicious daemon is also capable of handling incoming SMS commands. For instance, the spy may (remotely) enable or disable the program, or send an SMS to specifically enable the voice recording functionality. This SMS is automatically processed by the malware and removed from the message inbox. The malicious daemon acknowledges commands and answers back with an "OK" or "ERROR" message to the spy. See Figure 3.
Figure 3. SMS messages sent by the spy to remote control the malware
Apart from collecting SMS and voice recording data (time, date, phone numbers, duration...), the malware also sends to the malicious web server:
- the IMEI, brand and model of the victim's phone.
- installation language (French or Russian) of the malware. This language is typically used when sending e-mails to the e-mail address the spy configured.
- the malware's version (for example 3.00)
- MCC (Mobile Country Code), LAC (Location Area Code) and CellId of the victim's operator network, and IP address: this information helps the malware locate the victim geographically.
See Figures 4 and 5 for the information collected by the spy.

Figure 4. Information displayed on the malicious web server

Figure 5. Information sent by e-mail
Recommended Action
Open the Application Manager and uninstall the malicious application.