Spyware.FlexiSpy

SUMMARY

Behavior

Spyware.FlexiSpy is spyware program that runs on either the Symbian OS or BlackBerry mobile devices. Once installed, it monitors phone call details and SMS text messages and sends them to a remote server.

Protection

• Initial Rapid Release version March 30, 2006
• Latest Rapid Release version June 14, 2008 revision 017
• Initial Daily Certified version March 30, 2006
• Latest Daily Certified version June 14, 2008 revision 016
• Initial Weekly Certified release date April 5, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

TECHNICAL DETAILS

On Symbian OS:
The spyware arrives on the device as the following file:
FSL_Nokia_[Cellular Phone Name].SIS

When a user opens the file, the phone installer will display a dialog to warn users that the application may be coming from an untrusted source and may cause potential problems.

If the user clicks yes, the device will prompt the user to install "Phones".

When executed, the spyware drops the following files to the device:

• [DRIVE LETTER]:\system\recogs\FSLRECOG.MDL
• [DRIVE LETTER]:\system\recogs\FXSMON.MDL
• [DRIVE LETTER]:\system\apps\system\phones\FXSMON.EXE
• [DRIVE LETTER]:\system\apps\system\phones\MONUNINS.EXE
• [DRIVE LETTER]:\system\apps\system\phones\t4l.cfg
• [DRIVE LETTER]:\system\apps\system\phones\Fxs_caption.rsc
• [DRIVE LETTER]:\system\apps\system\phones\Fxs.rsc
• [DRIVE LETTER]:\system\apps\system\phones\Fxs.app
• [DRIVE LETTER]:\system\apps\system\phones\Fxs.aif
• [DRIVE LETTER]:\system\apps\system\phones\MONITOR.DLL
• [DRIVE LETTER]:\system\apps\system\phones\config.dat
• [DRIVE LETTER]:\system\apps\system\phones\monitor.log
• [DRIVE LETTER]:\system\apps\system\phones\phones.db

On BlackBerry:
The program arrives as the following Java application:
net_rim_app_console_pro.cod

Once installed, it monitors phone call details and SMS text messages and sends them to a remote server. The monitored logs can subsequently be viewed with a Web browser.

The program may contact the following Web sites:

• [http://]mobile.flexispy.com/serv[REMOVED]
• [http://]vervata.com/t4l-mcli/cmd/producta[REMOVED]

REMOVAL

On Symbian OS:

1. Install a file manager program on the device.
   
   
2. Enable the option to view the files in the system folder.
   
   
3. Delete the following malicious files:
   
   
   • [DRIVE LETTER]:\system\recogs\FSLRECOG.MDL
   • [DRIVE LETTER]:\system\recogs\FXSMON.MDL
   • [DRIVE LETTER]:\system\apps\system\phones\FXSMON.EXE
   • [DRIVE LETTER]:\system\apps\system\phones\MONUNINS.EXE
   • [DRIVE LETTER]:\system\apps\system\phones\t4l.cfg
   • [DRIVE LETTER]:\system\apps\system\phones\Fxs_caption.rsc
   • [DRIVE LETTER]:\system\apps\system\phones\Fxs.rsc
   • [DRIVE LETTER]:\system\apps\system\phones\Fxs.app
   • [DRIVE LETTER]:\system\apps\system\phones\Fxs.aif
   • [DRIVE LETTER]:\system\apps\system\phones\MONITOR.DLL
   • [DRIVE LETTER]:\system\apps\system\phones\config.dat
   • [DRIVE LETTER]:\system\apps\system\phones\monitor.log
   • [DRIVE LETTER]:\system\apps\system\phones\phones.db
     
     
4. Exit the file manager.

On BlackBerry:
Removal depends on how the program was loaded onto the device, and on device specific settings.

If the program was install OTA (or with an associated ALX file), navigate to the following option:
Options > Security Options > Application Permissions -> (BlackBerry key) -> Delete

If the program was loaded via cable, BlackBerry Enterprise Server (BES) refer to BES documentation for further details.