Spy/MobileSpy!WinCE
Analysis
This is a "commercial" Spyware tool, allowing for remote monitoring of a mobile device.
It must be noted that proper installation practically requires physical access to the targeted device. Indeed, when run the first time, the user is prompted with the login / password pair generated when buying the tool online (Fig. 1).
Upon successful completion of the login step, the user can click Capture to start the monitoring process, then select Hide to put the Spyware tool in "stealth" mode, making it effectively disappear in the background (Fig 2).
Subsequently, all SMS messages, phone calls information, and visited URLs are recorded and the resulting logs uploaded to the following server:
- http://www.{removed}spy.com
Figure 1: Initial Login |
Figure 2: Control Interface |
- key: HKEY_CURRENT_USER\Software\RetinaxStudios
- value: ReportTime ={time value}
- value: Username ={user name}
- value: Password ={password}
- value: AutoLogin ={0 or 1}
- value: RememberUser ={0 or 1}
- VN-GPRS
- SKT-WAP
- SFONE-WAP
- EVN-WAP
- DACT-GPRS
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.