SymbOS/Trapsms.A!tr.spy - Released Mar 25, 2009 - Last Updated Apr 07, 2009
Visible SymptomsAbnormaly high phone bill.
A "Backuper" application is listed in the Application Manager.
Presence of file debug.log in c:\data\others or C:\Nokia\Others
Detailed AnalysisThis malware spies on SMS messages received by or sent from the mobile phone it is installed on.
It is installed on the mobile phone targeted by the attacker, usually under the name of "Backuper". It does not have any visible icon, which gives it better chances of remaining undetected by the victim.
A typical scenario is explained below:
Technically speaking, the spyware:
For Symbian OS 8.*, the malware drops the following files:
- The attacker registers on the spyware's website. From his/her account on the website, he/she purchases a version of the spyware.
- The attacker installs the spyware on the mobile he/she wishes to spy.
- All SMS messages sent from or received by the mobile are silently copied to the attacker's account. When the attacker is logged on the spyware's website, he/she can read all SMS messages handled by the mobile phone.
It may also create the following files:
- ./system/apps/smstrap/smstrap.exe: the main EPOC executable.
- ./system/smstrap.flg: installation flag.
- ./system/smstrap.xxx: this file identifies the spy's web account. When the spy purchases the spyware, this file is customized (personalized) for the purchaser.
On Symbian OS 9.*, dropped files are slightly different but the general scheme is the same:
- c:system\startup\SMSTrap.ini: this file requests the spyware to restart after reboot.
- C:\system\SMSTrap.xxx: information linking to the spy's account
- c:\system\bin\SMSTrap.exe: main EPOC executable.
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.