Spy/Spyiolan!SymbOS

Analysis

This application uses the phone's camera as a surveillance device, and automatically sends emails, SMS or MMS messages to a configurable phone number if the camera detects movement. Alternatively, it can also play a sound or store multiple screenshots, record sounds close to the phone or phone calls.
Obviously, this application may threaten the end-user's privacy, particularly if it is installed by an attacker with user's consent. This is why it is classified at as a spyware.

Technical Details

The spyware installs without any problem on Symbian OS 7 or 8. Its name is "Spy!". A new application icon appears on the phone. The spy must then configure the spyware: several configuration options are available (see Figures 1 and 2).

Once the spyware is configured, the spy must activate the tool (menu choice). The spyware will then starts its work. Figure 3 lists images taken when motion is detected. Those images are stored locally on the device and optionally sent by MMS or e-mail. Figure 4 shows a typical screenshot.

The spyware drops or uses the following files:

• !:\system\apps\spy\spy.aif
• !:\system\apps\spy\spy.app: the main application
• !:\system\apps\spy\spy_caption.rsc
• !:\system\apps\spy\spy.mbm
• !:\system\apps\spy\spy.rsc
• !:\system\apps\spy\Inbox: screenshots are stored in this directory
• sisboom.txt
• about.txt
• C:\System\Data\Spy.ini: the spyware's configuration file
• C:\system\shareddata\101f8421.ini
• C:\documents

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.