| Alias/es | Trojan-SMS.Python.Flocker.ac |
| Release Date | Jan 30, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 11.584 |

Description

Visible Symptoms
Abnormally high phone bill.
Unexpected sending of SMS messages to phone number 151
Keypad locking repeatedly
Presence of any of the following files:
- %system%\apps\indosat\indosat.app
- %system%\apps\indosat\indosat.pyc

Detailed Analysis
This Trojan Horse is a variant of SymbOS/Flocker.A!tr.python. It poses as an "accelerator" for an Indonesian mobile phone carrier. After installation by an unsuspecting user, it can be found in the menu like any legitimate application (Figure 1 below).
Figure 1: Menu icon as Indosat
Upon being run from the menu, it locks the keypad and attempts to send SMS messages to the short number "151". The payload carried by such messages is a command to generate a micro-transfer of funds (typically under $1) between IM3 pre-paid card holders. Those funds are transferred to an IM3 pre-paid card, possibly held by the Trojan authors. They can be used to buy other IM3 services (calls, SMS/MMS, rings, etc.).
Figure 2: M3-Transfer functionality
This malware affects mobiles with Symbian OS versions prior to 9.
Technical details
This piece of malware comes in the form of a SIS archive embedding a Python script file. Consequently, it can only run on phones on which Python is installed.
It drops the following files:
- %system%\apps\indosat\default.py
- %system%\apps\indosat\indosat.aif
- %system%\apps\indosat\indosat.app
- %system%\apps\indosat\indosat.pyc
- %system%\apps\indosat\indosat.rsc
- %system%\libs\appswitch.pyd
- %system%\libs\messaging.py
- %system%\libs\pykeylock.py
- %system%\libs\_messaging.pyd
- %system%\libs\_pykeylock.pyd
Files contained in %system%\apps\indosat\ are the malware's main component files.
The file appswitch.pyd is a legitimate application library used for switching, listing, ending, and killing running apps.
The file %system%\libs\_messaging.pyd is an EPOC file, while %system%\libs\messaging.py is a Python script; both contain SMS sending capabilities.
The file %system%\libs\_pykeylock.pyd is an EPOC file, while %system%\libs\pykeylock.py is a Python script; both contain functions used for locking and unlocking the handset's keypad.
When installed, this malicious application goes by the name "Indosat Accelerator" (Figure 3).
Figure 3: Installation procedure
Once the application is launched, its malicious activity consists of silently locking the keypad and sending an SMS. The malware continuously monitors the lock status of the keypad. As soon as the victim unlocks the phone, it re-locks it and sends another SMS. Thus, several SMS may be sent out without the user's consent.
The SMS messages sent to "151" attempt to transfer Rp. 5000 to an IM3 pre-paid card holder. Their content is fixed (hard coded) for a given variant of the malware (but differs between variants). The fund transfer will only succeed if the victim is also an IM3 card holder and initially has more than Rp. 15500 in his/her account.
Figure 4: SMS sent
Note that this Flocker variant shares similar Python mechanisms with SymbOS/Flocker.A!tr.python. The rest is completely different: a different Trojan application, a different SMS payload and short number, and different goals.
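The dropped-file list and the keypad-lock/re-send behaviour described above give a responder two concrete things to look for. The following is an added example, not part of this entry or of any vendor tool: an offline check that matches a handset file listing (for instance from a backup or a mounted memory card) against the dropped files, and looks for a burst of SMS to the short number "151" in a list of sent-message records. The SmsRecord layout, the assumption that %system% resolves to \System on the C: and E: drives, and all sample inputs are this example's own constructions.

```python
# Added example, not part of the Fortinet entry: an offline IoC check for the
# SymbOS/Flocker variant described above. Inputs are a listing of handset file
# paths and a list of sent-SMS records; the sample inputs below are constructed,
# and the SmsRecord layout and the C:/E: drive assumption are this example's own.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Symbian expands %system% to \System on the internal drive or a memory card
# (assumption: C: and E: are the drives worth checking).
SYSTEM_ROOTS = ("C:\\System", "E:\\System")

# Files dropped by the Trojan, relative to %system%, as listed on the page.
DROPPED_FILES = (
    r"apps\indosat\default.py",
    r"apps\indosat\indosat.aif",
    r"apps\indosat\indosat.app",
    r"apps\indosat\indosat.pyc",
    r"apps\indosat\indosat.rsc",
    r"libs\appswitch.pyd",
    r"libs\messaging.py",
    r"libs\pykeylock.py",
    r"libs\_messaging.pyd",
    r"libs\_pykeylock.pyd",
)

# Short number the Trojan sends the fund-transfer SMS to.
TRANSFER_SHORT_NUMBER = "151"


def expand_indicators(roots=SYSTEM_ROOTS, relative=DROPPED_FILES):
    """Fully qualified indicator paths, lower-cased because the Symbian file
    system is case-insensitive and listings often mix cases."""
    return {f"{root}\\{rel}".lower() for root in roots for rel in relative}


def find_dropped_files(file_listing):
    """Paths from the listing that match one of the dropped files."""
    indicators = expand_indicators()
    return sorted(p for p in file_listing if p.strip().lower() in indicators)


@dataclass
class SmsRecord:
    sent_at: datetime
    destination: str
    body: str


def max_sends_in_window(records, destination, window):
    """Largest number of SMS to `destination` inside any span of length `window`.
    The Trojan re-sends each time the keypad is unlocked, so a burst of sends
    to 151 is the behavioural tell even when the message body is unknown."""
    times = sorted(r.sent_at for r in records if r.destination == destination)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(file_listing, sms_records, burst_threshold=2, window=timedelta(minutes=10)):
    """Combine the file and SMS indicators into one verdict dict."""
    dropped = find_dropped_files(file_listing)
    burst = max_sends_in_window(sms_records, TRANSFER_SHORT_NUMBER, window)
    return {
        "dropped_files": dropped,
        "sms_burst_to_151": burst,
        "infected": bool(dropped) or burst >= burst_threshold,
    }


# Constructed sample data: four dropped files plus one unrelated app, and a
# burst of three SMS to 151 within five minutes next to one normal message.
SAMPLE_FILE_LISTING = [
    r"C:\System\Apps\Indosat\indosat.app",
    r"C:\System\Apps\Indosat\indosat.pyc",
    r"C:\System\Apps\Calendar\Calendar.app",
    r"C:\System\Libs\pykeylock.py",
    r"E:\System\Libs\_messaging.pyd",
]
_T0 = datetime(2009, 2, 1, 9, 0, 0)
SAMPLE_SMS = [
    SmsRecord(_T0, "151", "<transfer command, body not reproduced>"),
    SmsRecord(_T0 + timedelta(minutes=2), "151", "<transfer command, body not reproduced>"),
    SmsRecord(_T0 + timedelta(minutes=5), "151", "<transfer command, body not reproduced>"),
    SmsRecord(_T0 + timedelta(hours=3), "+62812000000", "see you tonight"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_FILE_LISTING, SAMPLE_SMS))
```

The file match is deliberately case-insensitive and the SMS check keys on destination and timing rather than message body, since the page states the body is hard coded per variant and therefore differs between variants.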
| Description Last Updated Date | Feb 13, 2009 |
| Reference | ID - 705259 |