Spyware.FlexiSpy

Updated:
02 July 2007
Also Known As:
Flexispy.A [F-Secure], SYMBOS_FLEXSPY.A [Trend]
Risk Impact:
Medium
Systems Affected:
Symbian OS

Behavior

Spyware.FlexiSpy is a spyware program that runs on Symbian OS or BlackBerry mobile devices. Once installed, it monitors phone call details and SMS text messages and sends them to a remote server.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 25 April 2017 revision 005
  • Initial Daily Certified version 30 March 2006
  • Latest Daily Certified version 25 April 2017 revision 008
  • Initial Weekly Certified release date 05 April 2006
On Symbian OS:
The spyware arrives on the device as the following file:
FSL_Nokia_[Cellular Phone Name].SIS

When a user opens the file, the phone installer will display a dialog to warn users that the application may be coming from an untrusted source and may cause potential problems.

If the user clicks yes, the device will prompt the user to install "Phones".

When executed, the spyware drops the following files to the device:
  • [DRIVE LETTER]:\system\recogs\FSLRECOG.MDL
  • [DRIVE LETTER]:\system\recogs\FXSMON.MDL
  • [DRIVE LETTER]:\system\apps\system\phones\FXSMON.EXE
  • [DRIVE LETTER]:\system\apps\system\phones\MONUNINS.EXE
  • [DRIVE LETTER]:\system\apps\system\phones\t4l.cfg
  • [DRIVE LETTER]:\system\apps\system\phones\Fxs_caption.rsc
  • [DRIVE LETTER]:\system\apps\system\phones\Fxs.rsc
  • [DRIVE LETTER]:\system\apps\system\phones\Fxs.app
  • [DRIVE LETTER]:\system\apps\system\phones\Fxs.aif
  • [DRIVE LETTER]:\system\apps\system\phones\MONITOR.DLL
  • [DRIVE LETTER]:\system\apps\system\phones\config.dat
  • [DRIVE LETTER]:\system\apps\system\phones\monitor.log
  • [DRIVE LETTER]:\system\apps\system\phones\phones.db


On BlackBerry:
The program arrives as the following Java application:
net_rim_app_console_pro.cod

Once installed, it monitors phone call details and SMS text messages and sends them to a remote server. The monitored logs can subsequently be viewed with a Web browser.

The program may contact the following Web sites:
  • [http://]mobile.flexispy.com/serv[REMOVED]
  • [http://]vervata.com/t4l-mcli/cmd/producta[REMOVED]
On Symbian OS:
  1. Install a file manager program on the device.

  2. Enable the option to view the files in the system folder.

  3. Delete the following malicious files:

    • [DRIVE LETTER]:\system\recogs\FSLRECOG.MDL
    • [DRIVE LETTER]:\system\recogs\FXSMON.MDL
    • [DRIVE LETTER]:\system\apps\system\phones\FXSMON.EXE
    • [DRIVE LETTER]:\system\apps\system\phones\MONUNINS.EXE
    • [DRIVE LETTER]:\system\apps\system\phones\t4l.cfg
    • [DRIVE LETTER]:\system\apps\system\phones\Fxs_caption.rsc
    • [DRIVE LETTER]:\system\apps\system\phones\Fxs.rsc
    • [DRIVE LETTER]:\system\apps\system\phones\Fxs.app
    • [DRIVE LETTER]:\system\apps\system\phones\Fxs.aif
    • [DRIVE LETTER]:\system\apps\system\phones\MONITOR.DLL
    • [DRIVE LETTER]:\system\apps\system\phones\config.dat
    • [DRIVE LETTER]:\system\apps\system\phones\monitor.log
    • [DRIVE LETTER]:\system\apps\system\phones\phones.db

  4. Exit the file manager.
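
The file list in step 3 can also be checked against a copy of a device drive before anything is deleted. The following is an added example, not part of the original writeup: the function name and the idea of a drive copied to a host directory (for example a mounted memory card) are assumptions.

```python
import os
import tempfile

# Relative paths of the dropped files, copied from the list in this writeup.
APP_DIR = "system\\apps\\system\\phones\\"
FLEXISPY_FILES = [
    "system\\recogs\\FSLRECOG.MDL",
    "system\\recogs\\FXSMON.MDL",
] + [APP_DIR + name for name in (
    "FXSMON.EXE", "MONUNINS.EXE", "t4l.cfg", "Fxs_caption.rsc", "Fxs.rsc",
    "Fxs.app", "Fxs.aif", "MONITOR.DLL", "config.dat", "monitor.log",
    "phones.db",
)]


def find_flexispy_files(drive_root):
    """Return the listed paths found under drive_root, in list order.

    drive_root is a directory holding a copy of one device drive (assumption:
    for example a mounted memory card). Names are compared case-insensitively
    because a copy made on another host may not keep the case shown above.
    """
    present = set()
    for dirpath, _dirs, files in os.walk(drive_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), drive_root)
            present.add(rel.replace(os.sep, "\\").lower())
    return [path for path in FLEXISPY_FILES if path.lower() in present]


if __name__ == "__main__":
    # Constructed sample tree: two listed files (with altered case) and one
    # unrelated file, so the check can be run without a real device copy.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("System/Recogs/fslrecog.mdl",
                    "system/apps/system/phones/PHONES.DB",
                    "system/apps/notes/notes.app"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        hits = find_flexispy_files(root)
        print(f"{len(hits)} of {len(FLEXISPY_FILES)} listed files present:")
        for hit in hits:
            print("  [DRIVE LETTER]:\\" + hit)
```

Run the function once per copied drive, since the writeup gives the paths relative to an unspecified drive letter.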


On BlackBerry:

Removal depends on how the program was loaded onto the device and on device-specific settings.

If the program was installed OTA (or with an associated ALX file), navigate to the following option:
Options > Security Options > Application Permissions > (BlackBerry key) > Delete

If the program was loaded via cable or BlackBerry Enterprise Server (BES), refer to the BES documentation for further details.
Writeup By: Hyun Choi and James O'Connor