SymbOS/Flexispy.B!tr.spy

Analysis

  • It is a Symbian virus packaged in .sis (Symbian installation) format.
  • Displays the following message prompting the user to install:
    "Install FlexiSPY?"
  • Drops the following files (the "!:" prefix denotes the drive selected at installation time):
    • !:/system/apps/system/phones/flkcpr.exe (detected as SymbOS/Flexispy.B!tr.spy)
    • !:/system/apps/system/phones/fxmonitor.dll (detected as SymbOS/Flexispy.B!tr.spy)
    • !:/system/apps/system/phones/fxs.app (detected as SymbOS/Flexispy.B!tr.spy)
    • !:/system/apps/system/phones/fxs.rsc
    • !:/system/apps/system/phones/fxs_caption.rsc
    • !:/system/apps/system/phones/fxsmon.exe (detected as SymbOS/Flexispy.B!tr.spy)
    • !:/system/apps/system/phones/images.mbm
    • !:/system/apps/system/phones/monunins.exe
    • !:/system/programs/fcex.exe
    • !:/system/recogs/fslrecog.mdl (detected as SymbOS/Flexispy.B!tr.spy)
  • Once this SIS package is installed, the following files are executed in the background as system tasks:
    • flkcpr.exe
    • fxs.app
    • fxsmon.exe
    These files log phone activities such as calls, SMS messages, MMS messages and emails. The gathered information is then sent to the following server:
  • http://www.{REMOVED}.com/factivation_mcli/cmd/productactivate
    A remote user may then access the gathered information over the internet.
  • The file fslrecog.mdl serves as an autostart mechanism for the above three files: Symbian loads recognizer modules (.mdl) placed in the system/recogs directory at boot, so a malicious recognizer can launch the other components without any user interaction.
Recommended Action

  • Terminate the following three processes using the task manager:
    • flkcpr.exe
    • fxs.app
    • fxsmon.exe
  • Delete all the dropped files using a file manager program or AV software for mobile devices.

Telemetry

    Detection Availability

    FortiClient: Extreme
    FortiMail: Extreme
    FortiSandbox: Extreme
    FortiWeb: Extreme
    Web Application Firewall: Extreme
    FortiIsolator: Extreme
    FortiDeceptor: Extreme
    FortiEDR