SymbOS/Flocker.AC!tr.python - Released Jan 30, 2009 - Last Updated Feb 13, 2009
Visible Symptoms
- Abnormally high phone bill.
- Unexpected sending of SMS messages to phone number 151.
- Keypad locking repeatedly.
- Presence of any of the following files:
Detailed Analysis
This Trojan Horse is a variant of SymbOS/Flocker.A!tr.python. It poses as an "accelerator" for an Indonesian mobile phone carrier. After installation by an unsuspecting user, it can be found in the menu like any legitimate application (Figure 1 below).
Upon being run from the menu, it locks the keypad and attempts to send SMS messages to the short number "151". The payload carried by such messages is a command to generate a micro-transfer of funds (typically under $1) between IM3 pre-paid card holders. Those funds are transferred to an IM3 pre-paid card, possibly held by the Trojan authors, and can be used to buy other IM3 services (calls, SMS/MMS, ringtones, etc.).
Figure 1: Menu icon as Indosat
Figure 2: M3-Transfer functionality
This malware affects mobiles with Symbian OS versions prior to 9.
This piece of malware comes in the form of a SIS archive embedding a Python script file. Consequently, it can only run on phones on which Python is installed.
It drops the following files:
Files contained in %system%\apps\indosat\ are the malware's main component files.
File appswitch.pyd is a legitimate application library used for switching, listing, ending, and killing running apps.
File %system%\libs\_messaging.pyd is an EPOC file and %system%\libs\messaging.py is a Python script; both contain SMS sending capabilities.
File %system%\libs\_pykeylock.pyd is an EPOC file and %system%\libs\pykeylock.py is a Python script; both contain functions used for locking and unlocking the handset's keypad.
When installed this malicious application goes by the name "Indosat Accelerator" (Figure 3).
Once the application is launched, its malicious activity consists of silently locking the keypad and sending an SMS. The malware continuously monitors the lock status of the keypad. As soon as the victim unlocks the phone, it re-locks it and sends another SMS. Thus, several SMS may be sent out without the user's consent.
Figure 3: Installation procedure
The SMS messages sent to "151" attempt to transfer Rp. 5000 to an IM3 pre-paid card holder. Their content is fixed (hard coded) for a given variant of the malware (but differs between variants). The fund transfer will only succeed if the victim is also an IM3 card holder and initially has more than Rp. 15500 on his/her account.
Figure 4: SMS sent
Note that this Flocker variant shares similar Python mechanisms with SymbOS/Flocker.A!tr.python. The rest is completely different: different Trojan application, different SMS payload and number, different goals.
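The re-lock loop and the repeated SMS to "151" described above are the two behaviours that distinguish this Trojan from a single, user-initiated balance transfer. The following script is an added example written for this entry; it is not Fortinet's code and not part of the malware. It runs rate-based detection over a constructed handset event log (the log format, the thresholds, and the `<hard-coded-transfer-payload>` placeholder are all assumptions made here) and flags a burst of SMS to the short number combined with unlock-then-relock events.

```python
"""Detection logic for the Flocker-style behaviour: bursts of SMS to a short
number interleaved with keypad re-locks. Added example, not the original page's code."""
from collections import deque
from datetime import datetime, timedelta

SHORT_NUMBER = "151"                   # destination named in the analysis above
BURST_COUNT = 3                        # assumed threshold: 3 SMS to 151 ...
BURST_WINDOW = timedelta(minutes=5)    # ... within 5 minutes
RELOCK_WINDOW = timedelta(seconds=10)  # assumed: re-lock within 10 s of an unlock

# Constructed sample event log (not from the page). Format, assumed here:
# "<ISO timestamp> <EVENT> <arguments>"
SAMPLE_LOG = """\
2009-02-01T10:00:00 SMS_OUT 0812000000 hello
2009-02-01T10:05:00 KEYLOCK on
2009-02-01T10:05:01 SMS_OUT 151 <hard-coded-transfer-payload>
2009-02-01T10:05:30 KEYLOCK off
2009-02-01T10:05:31 KEYLOCK on
2009-02-01T10:05:32 SMS_OUT 151 <hard-coded-transfer-payload>
2009-02-01T10:06:10 KEYLOCK off
2009-02-01T10:06:11 KEYLOCK on
2009-02-01T10:06:12 SMS_OUT 151 <hard-coded-transfer-payload>
2009-02-01T12:00:00 SMS_OUT 151 BALANCE
"""


def parse_log(text):
    """Turn log lines into (timestamp, event_kind, remainder) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kind, rest))
    return events


def find_sms_bursts(events):
    """Sliding window: alert when BURST_COUNT SMS to SHORT_NUMBER fall inside BURST_WINDOW.
    Returns (first_ts, last_ts, count) per burst."""
    window = deque()
    alerts = []
    for ts, kind, rest in events:
        if kind != "SMS_OUT":
            continue
        dest, _, _body = rest.partition(" ")
        if dest != SHORT_NUMBER:
            continue
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()          # drop messages that fell out of the window
        if len(window) >= BURST_COUNT:
            alerts.append((window[0], ts, len(window)))
            window.clear()            # one alert per burst
    return alerts


def find_relock_loops(events):
    """Flag a keypad lock that follows an unlock within RELOCK_WINDOW,
    which is the malware's re-lock behaviour rather than normal use."""
    last_unlock = None
    relocks = []
    for ts, kind, rest in events:
        if kind != "KEYLOCK":
            continue
        if rest == "off":
            last_unlock = ts
        elif rest == "on" and last_unlock is not None and ts - last_unlock <= RELOCK_WINDOW:
            relocks.append(ts)
            last_unlock = None
    return relocks


def assess(text):
    """Combine both signals; only the combination is called suspicious,
    so a lone balance query to 151 stays clean."""
    events = parse_log(text)
    bursts = find_sms_bursts(events)
    relocks = find_relock_loops(events)
    verdict = "suspicious" if bursts and relocks else "clean"
    return {"bursts": bursts, "relocks": relocks, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On the constructed log this reports one burst of three messages to 151 and two re-lock events, hence "suspicious"; a single message to 151 (for example a balance query) produces no burst and is left alone. The thresholds are deliberately conservative so that an IM3 subscriber making one legitimate transfer is not flagged.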
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.