SymbOS/Flocker.AC!tr.python - Released Jan 30, 2009 - Last Updated Feb 13, 2009


Alias/es

Trojan-SMS.Python.Flocker.ac

Visible Symptoms

  • Abnormally high phone bill.
  • Unexpected sending of SMS messages to phone number 151.
  • Keypad locking repeatedly.
  • Presence of any of the following files:
    • %system%\apps\indosat\indosat.app
    • %system%\apps\indosat\indosat.pyc

Detailed Analysis

    This Trojan Horse is a variant of SymbOS/Flocker.A!tr.python. It poses as an "accelerator" for an Indonesian mobile phone carrier. After installation by an unsuspecting user, it can be found in the menu like any legitimate application (Figure 1 below).


    Figure 1: Menu icon as Indosat

    Upon being run from the menu, it locks the keypad and attempts to send SMS messages to the short number "151". The payload carried by such messages is a command to generate a micro-transfer of funds (typically under $1) between IM3 pre-paid card holders. Those funds are transferred to an IM3 pre-paid card, possibly held by the Trojan authors. They can be used to buy other IM3 services (calls, SMS/MMS, rings, etc.).


    Figure 2: M3-Transfer functionality



  • This malware affects mobiles with Symbian OS versions prior to 9.

Technical details

  • This piece of malware comes in the form of a SIS archive embedding a Python script file. Consequently, it can only run on phones on which Python is installed.


  • It drops the following files:
    • %system%\apps\indosat\default.py
    • %system%\apps\indosat\indosat.aif
    • %system%\apps\indosat\indosat.app
    • %system%\apps\indosat\indosat.pyc
    • %system%\apps\indosat\indosat.rsc
    • %system%\libs\appswitch.pyd
    • %system%\libs\messaging.py
    • %system%\libs\pykeylock.py
    • %system%\libs\_messaging.pyd
    • %system%\libs\_pykeylock.pyd


  • Files contained in %system%\apps\indosat\ are the malware's main component files.


  • File appswitch.pyd is a legitimate application library used for switching, listing, ending, and killing running apps.


  • File %system%\libs\_messaging.pyd is an EPOC file, while %system%\libs\messaging.py is a Python script; both contain SMS sending capabilities.


  • File %system%\libs\_pykeylock.pyd is an EPOC file, while %system%\libs\pykeylock.py is a Python script; both contain functions used for locking and unlocking the handset's keypad.


  • When installed this malicious application goes by the name "Indosat Accelerator" (Figure 3).


    Figure 3: Installation procedure

  • Once the application is launched, its malicious activity consists of silently locking the keypad and sending an SMS. The malware continuously monitors the lock status of the keypad. As soon as the victim unlocks the phone, it re-locks it and sends another SMS. Thus, several SMS may be sent out without the user's consent.


  • The SMS messages sent to "151" attempt to transfer Rp. 5000 to an IM3 pre-paid card holder. Their content is fixed (hard coded) for a given variant of the malware (but different for different variants). The fund transfer will only succeed if the victim is also an IM3 card holder and initially has more than Rp. 15500 on his/her account.


    Figure 4: SMS sent


  • Note that this Flocker variant shares similar Python mechanisms with SymbOS/Flocker.A!tr.python. Yet the rest is completely different: different Trojan application, different SMS payload and number, different goals.
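As an added example (not Fortinet's code), two host-side checks for the indicators described in this entry: a scan of a file listing for the dropped files above (appswitch.pyd is excluded because the entry states it is legitimate), and a detector for bursts of SMS to short number 151 in an outbox export, which is the observable side of the re-lock-and-resend loop. The listing and outbox rows are constructed sample data, and the outbox row format is an assumption.

```python
import re
from datetime import datetime, timedelta

# Dropped files listed in the analysis; %system% is the Symbian system folder on the
# install drive, so the drive letter is stripped before comparing. appswitch.pyd is legitimate.
FLOCKER_AC_FILES = [
    r"\system\apps\indosat\default.py",
    r"\system\apps\indosat\indosat.aif",
    r"\system\apps\indosat\indosat.app",
    r"\system\apps\indosat\indosat.pyc",
    r"\system\apps\indosat\indosat.rsc",
    r"\system\libs\messaging.py",
    r"\system\libs\pykeylock.py",
    r"\system\libs\_messaging.pyd",
    r"\system\libs\_pykeylock.pyd",
]
SHORT_NUMBER = "151"

def find_dropped_files(paths):
    """Return the indicator paths present in a file listing (drive letter and case ignored)."""
    seen = {re.sub(r"^[a-zA-Z]:", "", p).lower() for p in paths}
    return [f for f in FLOCKER_AC_FILES if f.lower() in seen]

def max_sms_burst(outbox, number=SHORT_NUMBER, window_seconds=600):
    """Largest number of SMS sent to `number` inside any window of `window_seconds`.
    outbox rows are (timestamp 'YYYY-MM-DD HH:MM:SS', recipient, body) (assumed format);
    several sends to 151 in a few minutes matches the re-lock-and-resend loop above."""
    window = timedelta(seconds=window_seconds)
    times = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
                   for ts, rcpt, _ in outbox if rcpt == number)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best

# Constructed sample data, not captured from a real handset.
SAMPLE_LISTING = [
    r"C:\system\apps\indosat\indosat.app",
    r"C:\system\apps\indosat\indosat.pyc",
    r"C:\system\libs\_pykeylock.pyd",
    r"C:\system\libs\appswitch.pyd",
    r"C:\system\apps\Calendar\Calendar.app",
]
SAMPLE_OUTBOX = [
    ("2009-02-01 10:00:05", "151", "<transfer command, constructed>"),
    ("2009-02-01 10:00:40", "151", "<transfer command, constructed>"),
    ("2009-02-01 10:01:12", "151", "<transfer command, constructed>"),
    ("2009-02-01 12:30:00", "+62811000000", "hello"),
]
```

`find_dropped_files(SAMPLE_LISTING)` returns the three indicator paths present, and `max_sms_burst(SAMPLE_OUTBOX)` returns 3 for the sample burst to 151.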
Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 705259