SymbOS/Trapsms.A!tr.spy - Released Mar 25, 2009 - Last Updated Apr 07, 2009

Detection Availability

                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A

Visible Symptoms

  • Abnormally high phone bill.
  • A "Backuper" application is listed in the Application Manager.
  • Presence of the file debug.log in c:\data\others or C:\Nokia\Others.

Detailed Analysis

    This malware spies on SMS messages received by or sent from the mobile phone it is installed on.

    It is installed on the mobile phone targeted by the attacker, usually under the name of "Backuper". It does not have any visible icon, which gives it better chances of remaining undetected by the victim.
    A typical scenario is explained below:
    • The attacker registers on the spyware's website. From his/her account on the website, he/she purchases a version of the spyware.
    • The attacker installs the spyware on the mobile he/she wishes to spy on.
    • All SMS messages sent from or received by the mobile are silently copied to the attacker's account. When the attacker is logged on to the spyware's website, he/she can read all SMS messages handled by the mobile phone.
    Technically speaking, the spyware:
    • creates a debug log file (debug.log) which monitors the spyware's activity. In particular, the log records the spyware's version, the phone's model and IMEI:
      2009-03-24 15:02:14
      Spy, version 1.1.1 
      
      2009-03-24 15:13:29
      PhoneId:
      Vendor=NOKIA
      Model=N95
      IMEI=7890000000000000
      
      2009-03-25 10:29:53
      Spy started 
      
    • forwards the SMS messages (received or sent) on the phone via HTTP to hxxp://www.smstrpa.com/xxx. Depending on the victim's subscription and usage of SMS, this may lead to abnormally high phone bills. For each SMS, the spyware sends the SMS's phone number, body, time and direction (incoming or outgoing). This information is transferred using an XML template. Depending on circumstances, other information may also be sent over the Internet such as the victim's IMEI, IMSI or contents of the debug log file.
    • the information sent by the spyware is received and processed by the web engine. It is forwarded to the appropriate web account using data computed from smstrap.xxx. Indeed, this file ties the spyware to the spy's web account.
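    The debug.log format quoted above is a useful host-side indicator. The following is an added example (not Fortinet's code or part of this entry) that parses a log with that layout and pulls out the spyware version, the PhoneId fields and the "Spy started" timestamps an analyst would want to record; the sample log is constructed from the excerpt above, and the record layout (bare timestamp line followed by the entry's lines) is assumed from that excerpt.

```python
import re
from datetime import datetime

# Constructed sample: the debug.log excerpt quoted in the analysis above.
SAMPLE_LOG = """2009-03-24 15:02:14
Spy, version 1.1.1

2009-03-24 15:13:29
PhoneId:
Vendor=NOKIA
Model=N95
IMEI=7890000000000000

2009-03-25 10:29:53
Spy started
"""

# A record begins with a bare "YYYY-MM-DD HH:MM:SS" line (assumed layout).
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def parse_debug_log(text):
    """Split the log into (timestamp, [entry lines]) records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append((datetime.strptime(line, "%Y-%m-%d %H:%M:%S"), []))
        elif records:  # lines before the first timestamp are ignored
            records[-1][1].append(line)
    return records


def extract_indicators(text):
    """Collect version, Vendor/Model/IMEI and every 'Spy started' time."""
    info = {"version": None, "vendor": None, "model": None, "imei": None, "started": []}
    for ts, lines in parse_debug_log(text):
        for line in lines:
            m = re.match(r"Spy, version (\S+)", line)
            if m:
                info["version"] = m.group(1)
            elif line == "Spy started":
                info["started"].append(ts)
            elif "=" in line:  # PhoneId block: Key=Value
                key, _, value = line.partition("=")
                if key.strip().lower() in ("vendor", "model", "imei"):
                    info[key.strip().lower()] = value.strip()
    return info


def looks_like_trapsms(text):
    """True when the log carries both the version banner and a PhoneId IMEI."""
    info = extract_indicators(text)
    return info["version"] is not None and info["imei"] is not None
```

Run it against a debug.log recovered from c:\data\others or C:\Nokia\Others; a positive match gives the version and IMEI to put in the incident record.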
    For Symbian OS 8.*, the malware drops the following files:
    • ./system/apps/smstrap/smstrap.exe: the main EPOC executable.
    • ./system/data/storetraplog.dat
    • ./system/recogs/stmanager.mdl
    • ./system/smstrap.flg: installation flag.
    • ./system/smstrap.xxx: this file identifies the spy's web account. When the spy purchases the spyware, this file is customized (personalized) for the purchaser.
    It may also create the following files:
    • ./system/data/StoreTrapImeiOld.dat
    • ./system/data/StoreTrapImsiOld.dat
    • ./system/data/StoreTrapSmvCookie.dat
    • ./system/data/StoreTrapDefaultIAP.dat
    • ./system/data/trapsvcupd.sis
    • ./system/data/svctrapbackup.xml
    • ./Nokia/data/debug.log
    On Symbian OS 9.*, dropped files are slightly different but the general scheme is the same:
    • c:\system\startup\SMSTrap.ini: this file requests the spyware to restart after reboot.
    • C:\system\SMSTrap.xxx: information linking to the spy's account
    • c:\system\bin\SMSTrap.exe: main EPOC executable.

    Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 801734