Hidden feature in Android spyware

by Axelle Apvrille
November 12, 2010 at 3:06 am

A few days ago, an application named ‘SMS Replicator Secret’ was pulled from the Android Market. Like many other spyware applications of its kind, it silently forwarded incoming SMS messages to a configurable phone number, the advertised purpose being to spy on your girlfriend.

I don’t like these types of ‘applications’ (women’s solidarity? next time advertise it as spying on your boyfriend ;), even if they are meant as jokes, because one day they will end up in the wrong hands and do much more damage than expected. The recent Zitmo malware is a perfect illustration of this: initially written as a parental control application, it ended up in the hands of the Zeus gang to spy on your online banking mTANs.

In the case of SMS Replicator Secret, the phone numbers it forwards SMS messages to are configurable in a hidden window. This window pops up as soon as someone sends the infected phone an SMS message whose text is a special password. The default password is ‘000’. The password is configurable in that window, too. See our detailed description here.


Hidden settings window on an infected Android mobile phone

What most people do not know is that there is a backdoor. The hidden window also pops up if you send an SMS with the text ‘red4life’. And that password is hard-coded, not configurable. Below is the case-insensitive check of the SMS text, as it appears in the disassembled code:

if-nez	v7,l130e
move-object/from16	v0,v25
iget-object	v0,v0,com/dlp/SMSReplicatorSecret/SMSReceiver.msg Ljava/lang/String;
move-object	v7,v0
const-string	v8,"red4life"
; equalsIgnoreCase(Ljava/lang/String;)Z
invoke-virtual	{v7,v8},java/lang/String/equalsIgnoreCase
move-result	v7

With an Android emulator, this console command pops up the hidden window:

sms send 01234 red4life
OK

My guess is that the author’s girlfriend is red-haired ;)

Seriously, it is very lucky that SMS Replicator Secret is not remotely configurable; otherwise attackers could have scanned the networks at random for infected phones and spied on their incoming messages…

– the Crypto Girl

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

When Your Phone Becomes Your Worst Enemy

by Axelle Apvrille
October 27, 2009 at 9:39 am

If smart phones were human, we would most probably compare them to assistants – you know, those organized persons we rely on to cope with our own lack of memory and who will remind us of any important meeting and never lose any valuable phone number.

Others would perhaps compare them to close friends to whom one can tell secrets (your bank PIN?) or with whom one shares a few holiday or family pictures.

It looks like few of us consider the betrayal of such a close friend, turning him/her into our worst enemy. Yet, this is exactly what mobile phone spyware represents: it can intercept our phone calls, SMS or MMS messages, locate us geographically, listen to our surroundings, take pictures, download contacts, log activity, etc. True, most of us do not have much to hide, but nevertheless we would simply hate to be spied on. Men once stood up for human rights. As a reminder, the Universal Declaration of Human Rights, article 12, states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Unfortunately, we, at Fortinet, have noticed an increase in new mobile phone spyware these last few months. Since March 2009, we have added detection for 9 new families, and were the first vendor to do so for at least five of them (iPhoneOS/Trapsms, Spy/MobileSpy!iPhoneOS, Spy/CallMagic!SymbOS, Spy/Spyiolan!SymbOS, Spy/PhotoSpy!SymbOS). Mobile phone spyware now represents 10 percent of mobile phone malware for Symbian, WinCE and iPhones. And there is more to come: for instance, we even know of development suites dedicated to creating mobile phone spyware.

Nearly all mobile phone spyware is commercial, with products priced from tens to thousands of dollars. They are advertised for markets such as parental control, cheating spouses, employee monitoring or video surveillance. Whether those products are legal or not is actually not the point of this blog entry. The *fact* is that nowadays this spyware can be found on warez / underground forums, and hence ends up (sometimes for free) in the wrong hands of malware authors or other cyber-criminals. The other fact is that we now spot samples in the wild, sent by SMS or MMS.

So, the risk is growing, that’s for sure. Keep an eye on your phone, and make sure it’s not betraying you.
