Spy/Spyiolan!SymbOS
Analysis
This application uses the phone's camera as a surveillance device, and automatically sends emails, SMS or MMS messages to a configurable phone number if the camera detects movement. Alternatively, it can play a sound, store multiple screenshots, or record phone calls and sounds close to the phone.
Obviously, this application may threaten the end-user's privacy, particularly if it is installed by an attacker with the user's consent. This is why it is classified as spyware.
Technical Details
The spyware installs without any problem on Symbian OS 7 or 8. Its name is "Spy!". A new application icon appears on the phone. The spy must then configure the spyware: several configuration options are available (see Figures 1 and 2).
Figure 1. Configuring motion detection. Figure 2. Configuring recording.
Once the spyware is configured, the spy must activate the tool (menu choice). The spyware then starts its work. Figure 3 lists images taken when motion is detected. Those images are stored locally on the device and optionally sent by MMS or e-mail. Figure 4 shows a typical screenshot.
Figure 3. Motion is detected: screenshot listing. Figure 4. Typical screenshot sent by MMS.
The spyware drops or uses the following files:
- !:\system\apps\spy\spy.aif
- !:\system\apps\spy\spy.app: the main application
- !:\system\apps\spy\spy_caption.rsc
- !:\system\apps\spy\spy.mbm
- !:\system\apps\spy\spy.rsc
- !:\system\apps\spy\Inbox: screenshots are stored in this directory
- sisboom.txt
- about.txt
- C:\System\Data\Spy.ini: the spyware's configuration file
- C:\system\shareddata\101f8421.ini
- C:\documents
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.