SymbOS/Flocker.A!tr.python - Released Apr 10, 2008 - Last Updated Feb 06, 2009
Aliases: Trojan-SMS.Python.Flocker.a
Visible Symptoms: Abnormally high phone bill.
The following message may be repeatedly displayed (see Figure 1):
Message sending failed
The following files are created:
- !:\system\apps\Icq_reggerNEW\Icq_reggerNEW.app
- !:\system\apps\Icq_reggerNEW\default.py
- !:\system\apps\Icq_reggerNEW\Icq_reggerNEW.rsc
- !:\system\libs\keypress.pyd
- !:\system\libs\inbox.pyd
- !:\system\libs\appswitch.pyd
Figure 1: the malware is not silent when failing to operate properly

Detailed Analysis
This Trojan horse poses as an "Icq_Python" install file in order to trick the targeted user into installing it. After installation it appears in the menu like any legitimate application, as shown in Figure 2 below:
Figure 2: Malware's icon in the Symbian menu
Running the program from the menu triggers the following actions:
- The malware continuously sends SMS messages to a hardcoded premium-rate phone number (see Figures 3 and 4).
- It deletes SMS messages from the Inbox whenever the sender is the aforementioned number, probably in an attempt to hide the premium service's reply from the infected user.
Figure 3: Outbox
Figure 4: SMS details
Technical details
This piece of malware comes in the form of a SIS archive embedding a Python script file, and as such can only run on phones that support Python.
The code used to send SMS messages features the following instructions:
e32.ao_sleep(01)#
...
e32.ao_sleep(rnd.uniform(000,001))#
These pause for a mere second between two premium SMS messages.
The actual instruction that sends the messages is:
try:messaging.sms_send('3649',u'FILES 545')
making the message body empty.
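An added example, not code from this page or from the sample itself: a static check a responder could run over a suspected dropped default.py, parsing it with Python's ast module and flagging messaging.sms_send calls whose destination is a literal short code and that sit inside a loop, the pattern quoted above. The embedded script is constructed to mirror those instructions and is only parsed, never executed; it assumes Python 3 syntax (the quoted 01 literal is Python 2 octal and would have to be written as 1 before parsing).

```python
import ast

# Constructed sample mirroring the instructions quoted in the analysis above
# (not the real dropped default.py). e32/messaging are PyS60 modules; they
# are never imported or run here, the text is only parsed.
SAMPLE_SCRIPT = '''
import e32, messaging, inbox
while True:
    e32.ao_sleep(1)
    try:
        messaging.sms_send('3649', u'FILES 545')
    except:
        pass
'''

def is_short_code(number):
    """Premium short codes are bare 3-6 digit numbers with no country prefix."""
    return number.isdigit() and 3 <= len(number) <= 6

def call_name(node):
    """Return 'module.func' for a call such as messaging.sms_send(...), else None."""
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id + "." + func.attr
    return None

def find_sms_loops(source):
    """Return [(lineno, number)] for messaging.sms_send calls with a literal
    short-code destination that sit inside a while/for loop."""
    hits = []
    for loop in ast.walk(ast.parse(source)):
        if not isinstance(loop, (ast.While, ast.For)):
            continue
        for node in ast.walk(loop):
            if not (isinstance(node, ast.Call) and call_name(node) == "messaging.sms_send"):
                continue
            dest = node.args[0] if node.args else None
            if isinstance(dest, ast.Constant) and isinstance(dest.value, str) \
                    and is_short_code(dest.value):
                hit = (node.lineno, dest.value)
                if hit not in hits:  # nested loops would otherwise report the same call twice
                    hits.append(hit)
    return hits

if __name__ == "__main__":
    for lineno, number in find_sms_loops(SAMPLE_SCRIPT):
        print("line %d: sms_send to short code %s inside a loop" % (lineno, number))
```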
Recommended Action: Delete all the dropped files with a file manager application and reboot the phone, or run FortiClient Mobile Security.