Spyware.MobileSpy

Updated: 02 May 2007
Name: Mobile Spy
Publisher: Retina-X Studios
Risk Impact: Medium

Behavior

Spyware.MobileSpy is a spyware program that records SMS message and phone information and sends this information to a predetermined remote location.

This security risk must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 September 2018 revision 017
  • Initial Daily Certified version 03 May 2007
  • Latest Daily Certified version 02 September 2018 revision 005
  • Initial Weekly Certified release date 09 May 2007
Once installed on the mobile device, the security risk adds the following folders:
  • \Windows\AppMgr\Retina-X Studios Smartphone
  • \Program Files\Smartphone


Next, it creates the following files:
  • \Windows\AppMgr\Retina-X Studios Smartphone\4001.tmp
  • \Program Files\Smartphone\OpenNETCF.Net.dll
  • \Program Files\Smartphone\OpenNETCF.dll
  • \Program Files\Smartphone\Smartphone.exe
  • \Program Files\Smartphone\hsmsutil.dll
  • \Program Files\Smartphone\smarphone.log
  • \Windows\StartUp\Primary output from Smartphone.lnk
  • Smartphone.exe
  • hsmsutil.dll
  • MobileSpy.CAB

The program then creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone\"Instl" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone\"InstallDir" = "\Program Files\Smartphone"
HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone\"InstlDir" = "\Program Files\Smartphone"
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"\Program Files\Smartphone\Smartphone.exe" = ""
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"InstallDir" = "\Program Files\Smartphone"
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"Role" = "003e700"
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"Uninstall" = "\Windows\AppMgr\Retina-X Studios Smartphone\4001.tmp"
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"Autologin" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"Password" = [PASSWORD FOR ACCOUNT]
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"Username" = [USERNAME FOR ACCOUNT]
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"RememberUser" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"ReportTime" = "1"

The mobile device may then be configured to record the following SMS messaging information:
  • Sender's Number
  • Recipient's Number
  • Date & Time
  • Message Contents
The mobile device may also be configured to record the following phone call details:
  • Number Dialed
  • Number of Caller
  • Date & Time
  • Call Direction


The program establishes an HTTP connection every 30 minutes and sends the gathered data to the following locations:
  • [http://]www.mobile-spy.com/webapi/sms[REMOVED]
  • [http://]www.mobile-spy.com/webapi/logi[REMOVED]
  • [http://]www.mobile-spy.com/webapi/callsl[REMOVED]
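
An added detection example, not part of the original write-up: it scans web proxy logs for requests to the host and path prefixes listed above and checks whether a client's contacts recur at the documented 30-minute interval. The log format, sample lines, client addresses and the tolerance value are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Host and path prefixes as published above; the rest of each path is [REMOVED].
HOST = "www.mobile-spy.com"
PREFIXES = ("/webapi/sms", "/webapi/logi", "/webapi/callsl")
INTERVAL_S, TOLERANCE_S = 30 * 60, 120  # tolerance is an assumption

# Constructed proxy log (assumed format): timestamp, client IP, host, path.
SAMPLE_LOG = """\
2007-05-02T09:00:05 10.0.0.23 www.mobile-spy.com /webapi/logi
2007-05-02T09:00:07 10.0.0.23 www.mobile-spy.com /webapi/sms
2007-05-02T09:12:40 10.0.0.41 www.example.com /index.html
2007-05-02T09:30:06 10.0.0.23 www.mobile-spy.com /webapi/sms
2007-05-02T10:00:04 10.0.0.23 www.mobile-spy.com /webapi/callsl
2007-05-02T10:05:00 10.0.0.57 www.mobile-spy.com /index.html
2007-05-02T10:30:08 10.0.0.23 www.mobile-spy.com /webapi/sms
"""

def parse(log):
    """Yield (time, client, host, path); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        try:
            ts, client, host, path = parts
            yield datetime.fromisoformat(ts), client, host.lower(), path
        except ValueError:
            continue

def find_reporting_clients(log):
    """Map each client that contacted the documented endpoints to a verdict."""
    hits = defaultdict(list)
    for ts, client, host, path in parse(log):
        if host == HOST and path.lower().startswith(PREFIXES):
            hits[client].append(ts)
    verdicts = {}
    for client, times in hits.items():
        times.sort()
        cycles = [times[0]]  # requests seconds apart belong to one reporting cycle
        for t in times[1:]:
            if (t - cycles[-1]).total_seconds() > 60:
                cycles.append(t)
        gaps = [(b - a).total_seconds() for a, b in zip(cycles, cycles[1:])]
        periodic = len(gaps) >= 2 and abs(median(gaps) - INTERVAL_S) <= TOLERANCE_S
        verdicts[client] = {"requests": len(times), "cycles": len(cycles),
                            "periodic_30min": periodic}
    return verdicts
```

Any client in the result has contacted the reporting endpoints; `periodic_30min` adds confidence that the contact is the automated upload rather than a one-off visit.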

Install a file manager program on the device.
  1. Enable the option to view the files in the system folder.
  2. Delete the following malicious files:

    Smartphone.exe
    hsmsutil.dll
    MobileSpy.CAB
    \Windows\StartUp\Primary output from Smartphone.lnk

  3. Navigate to and delete the following folders:

    \Windows\AppMgr\Retina-X Studios Smartphone
    \Program Files\Smartphone

  4. Navigate to and delete the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone
    HKEY_LOCAL_MACHINE\Security\AppInstall\Retina-X Studios Smartphone\ExecutableFiles
    HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios

  5. Exit the file manager.