FlexiSPY Mobile Spyware: Monitoring Solution or Security Nightmare?
FlexiSPY is the latest in mobile device spyware, and it sells itself as a way to "Protect your children" and/or "Catch cheating spouses." FlexiSPY has, however, redefined what that means and wrapped it into a pay-per-feature business model: the company behind the product recognizes that not everyone wants to spy in the same way, so it offers four versions to give the buyer options.
The following summarizes each version:
- FlexiSPY BUG: Turns a mobile phone into a virtual bug that can be used by someone to listen in on nearby conversations. This version also includes a SIM change notification feature that phones home if the SIM card is replaced. This feature is useful if someone steals/finds your phone and decides to keep it.
- FlexiSPY LIGHT: Allows a phone's "owner" to read SMS, call logs, and emails via the FlexiSPY portal.
- FlexiSPY PRO: Combines the features of the LIGHT and BUG versions and adds a remote control feature: any Java-enabled mobile phone can send SMS commands to the "infected" phone to enable or disable spy calling, start or stop captures, and perform several other functions.
- FlexiSPY PR: This version comes straight out of a James Bond movie. It includes all the features and functions of the BUG, LIGHT, and PRO versions, and adds the ability to remotely connect into a live phone conversation and listen to it or record it in real time. It can also perform GPS or cell name/ID tracking, so the phone's "owner" knows exactly where the target is located.
In summary, this product redefines just how dangerous technology can be. It should also serve as a wake-up call to all mobile phone users about the fragility of their privacy.
In the next section, we'll take a closer look at the solution and see how it works.
Spying on FlexiSPY
This section looks at the files the program installs and what each of them does. We will provide a detailed analysis of the solution and what it does to your mobile device, so you can be better informed about how to prevent or remove this software should you discover it on your device.
The software comes as a packaged and signed CAB file, which means that the person installing it only has to copy it to the target's device and tap it to have it install.
Alternatively, the solution could easily be installed via an autorun hack from an external memory card. The significance of the packaging is not that it is a CAB file, but that it is signed with a VeriSign-issued certificate: a device whose security policy trusts that certificate chain installs it without the warning shown for unsigned applications, and VeriSign does not consider this software malicious. Ironically, few others agree with that conclusion.
Inside the CAB package are the following instructions for installation:
- Create \Windows\VPhone.
- Copy in RBackup.exe.
- Copy in config file.
- Copy in setting file.
- Copy in VCStatus file.
- Copy in 1.sys, 2.sys, and 3.sys files.
- Copy in Response.txt file.
- Copy VPhone.dll to \Windows directory.
- Copy FPMapi.dll to \Windows directory.
- Copy VRILLibCM.dll to \Windows directory.
- Create HKLM\Software\Microsoft\Inbox\Svc\SMS\Rules\{F1488272-B6ED-455d-8D38-F3F00F6DA55F} with value of 1.
- Create HKCR\CLSID\{F1488272-B6ED-455d-8D38-F3F00F6DA55F}\InProcServer32 with value of FPMapi.dll.
- Create HKLM\Services\VPhone and add the following values:
  - Dll = VPhone.dll
  - Prefix = FPS
  - Order = 9
  - Keep = 1
  - Index = 0
  - Context = 0
  - DisplayName = FP Service
  - Description = FP Service
- Create HKLM\Software\VPhone\UC key with value of 1.
Once all this is in place on the device, the device is rebooted to allow the software to hook into the various pieces and parts of the phone needed to collect information.
Upon reboot, the program is ready to be configured by dialing *#900900900, which opens up a control panel.
It is important to note that the first item the "owner" of the phone will have to enter is a unique Flexikey that unlocks the software. This key is tied to a user account on the backend server through which the phone's "owner" can view the logs generated by the target.
Once activated, the passcode needed to access the control panel is changed from the default *#900900900 to the unique Flexikey.
The file responsible for the configuration panel is RBackup.exe, which is stored in the \Windows\VPhone directory. Once the settings are configured and the user hits Apply, the details are saved into an "encrypted" setting file, also stored in \Windows\VPhone.
We noted that collected information is also stored in this directory, in the files 1.sys (email), 2.sys (phone calls), and 3.sys (text messages). These files are not encrypted, which means they can be opened in any text editor for review; their presence is also a quick way to confirm that the software is installed and collecting.
Once the device has rebooted with a completed configuration, the three new components on the Windows Mobile device start recording and managing communications on the device.
In summary, FPMapi.dll monitors incoming emails and text messages, VRILLibCM.dll is responsible for cell tower tracking, and VPhone.dll is responsible for everything else.
Note that only VPhone.dll is actually registered as a service (under HKLM\Services\VPhone); FPMapi.dll is registered as an SMS rule handler under the Inbox\Svc\SMS\Rules key, so the messaging subsystem loads it without any user involvement. Because none of these components runs as a separately named program, but as DLLs loaded by system processes at boot, they are hard for the average user to detect, which means the program and its operations are likely to go unnoticed by the average Windows Mobile user.
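The installation list above and the note on how the components hide give a practitioner a concrete set of indicators to look for. The following script is an added example, not code from the original text or from FlexiSPY: it checks a file-system dump of a Windows Mobile device and a .reg-style registry export for the file paths, registry keys, and values named on this page. The dump layout (device root as a directory tree) and the export format (`[KEY]` headers with `"Name"=value` or `@=value` lines, as written by common CE registry editors) are assumptions; the `build_sample_dump()` helper fabricates an "infected" dump so the script runs offline.

```python
"""Check a Windows Mobile dump for the FlexiSPY artifacts listed on this page.

Added example, not FlexiSPY's code and not a tool from the original text.
Assumptions: the device file system is available as a directory tree, and the
registry is available as a .reg-style text export ([KEY] / "Name"=value lines).
"""
import re
import tempfile
from pathlib import Path

# File artifacts named on the page, relative to the device root.
FILE_IOCS = [
    r"Windows\VPhone\RBackup.exe",
    r"Windows\VPhone\1.sys",
    r"Windows\VPhone\2.sys",
    r"Windows\VPhone\3.sys",
    r"Windows\VPhone\Response.txt",
    r"Windows\VPhone.dll",
    r"Windows\FPMapi.dll",
    r"Windows\VRILLibCM.dll",
]

FLEXISPY_CLSID = "{F1488272-B6ED-455d-8D38-F3F00F6DA55F}"
RULES_KEY = r"HKLM\Software\Microsoft\Inbox\Svc\SMS\Rules" + "\\" + FLEXISPY_CLSID
CLSID_KEY = r"HKCR\CLSID" + "\\" + FLEXISPY_CLSID + r"\InProcServer32"

# Registry artifacts: (key, value name or None for key presence, expected data or None).
# "@" is the key's default value in .reg syntax.
REG_IOCS = [
    (RULES_KEY, None, None),
    (CLSID_KEY, "@", "fpmapi.dll"),
    (r"HKLM\Services\VPhone", "Dll", "vphone.dll"),
    (r"HKLM\Services\VPhone", "Prefix", "fps"),
    (r"HKLM\Software\VPhone\UC", None, None),
]

_HIVES = {"hklm": "hkey_local_machine", "hkcr": "hkey_classes_root",
          "hkcu": "hkey_current_user"}
_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def _norm_key(path):
    """Lower-case a registry path and expand HKLM/HKCR/HKCU abbreviations."""
    path = path.strip().lower()
    hive, sep, rest = path.partition("\\")
    return _HIVES.get(hive, hive) + sep + rest


def parse_reg_export(text):
    """Parse a .reg-style export into {key: {value_name: data}}, all lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = _norm_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = (m.group(1) or "@").lower()
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]          # strip quotes around REG_SZ data
            keys[current][name] = data.lower()
    return keys


def scan_flexispy(device_root, reg_export_text):
    """Return the list of FlexiSPY indicators present in the dump and registry export."""
    root = Path(device_root)
    found = []
    for rel in FILE_IOCS:
        if (root / rel.replace("\\", "/")).is_file():
            found.append("file:" + rel)
    reg = parse_reg_export(reg_export_text)
    for key, name, expected in REG_IOCS:
        values = reg.get(_norm_key(key))
        if values is None:
            continue                        # key absent: not an indicator
        if name is None:
            found.append("reg:" + key)      # presence of the key is the indicator
        elif expected is None or values.get(name.lower()) == expected:
            found.append(f"reg:{key}\\{name}")
    return found


def build_sample_dump():
    """Construct a throwaway dump mimicking an infected device (fabricated sample data)."""
    root = Path(tempfile.mkdtemp(prefix="wm_dump_"))
    for rel in FILE_IOCS:
        p = root / rel.replace("\\", "/")
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
    reg_text = "\n".join([
        "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Inbox\\Svc\\SMS\\Rules\\" + FLEXISPY_CLSID + "]",
        "@=dword:00000001",
        "[HKEY_CLASSES_ROOT\\CLSID\\" + FLEXISPY_CLSID + "\\InProcServer32]",
        '@="FPMapi.dll"',
        "[HKEY_LOCAL_MACHINE\\Services\\VPhone]",
        '"Dll"="VPhone.dll"', '"Prefix"="FPS"', '"Order"=dword:00000009',
        '"Keep"=dword:00000001', '"DisplayName"="FP Service"',
        "[HKEY_LOCAL_MACHINE\\Software\\VPhone\\UC]",
        "@=dword:00000001",
    ])
    return root, reg_text


if __name__ == "__main__":
    sample_root, sample_reg = build_sample_dump()
    for hit in scan_flexispy(sample_root, sample_reg):
        print("FOUND", hit)
```

Run it against a real dump by passing the mounted device root and the exported registry text to `scan_flexispy()`; a single hit on the `HKLM\Services\VPhone` key or on `\Windows\VPhone\` is enough to warrant removing the files, deleting the listed keys, and rebooting, since the service and SMS rule entries are what cause the DLLs to be reloaded at every boot.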