How to detect any possible spyware on a mobile phone?

(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
Topic starter  

We are asked to detect whether any spy software has been installed on a particular phone, sent to our lab. It is a mobile phone with no physical modification and nothing unusual in the physical appearance.

Based on my research, everything works on software level and the spy software does not show itself in applications. It secretly sends a copy of your messages and your call logs, even allows for interception.

So, is there any way to detect any spy software on a phone in the lab environment?


   
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

What model of phone is it?


   
(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
Topic starter  

It is a Nokia 6120.


   
Challenger
(@challenger)
Active Member
Joined: 16 years ago
Posts: 14
 

In order to detect spyware on a phone we have found it necessary to look at a variety of indicators. First things first, however: does the phone you are looking at access the Internet? If not, then do not worry too much. There are some Bluetooth spyware packages out there but they are limited by their range.

If you would like additional details, too many to scribe here, please call Mike at Prime Focus Forensics (512-853-9859) and I will be happy to fill you in on what we have learned.

Mike


   
zikmik
(@zikmik)
Eminent Member
Joined: 16 years ago
Posts: 28
 

For all NOKIA Series 60 v3 and v5 ANY installed application IS visible in App.manager.


   
webtron
(@webtron)
Active Member
Joined: 16 years ago
Posts: 12
 

zikmik - I've seen at least two forms of commercial spyware that have no visible features (even in App.manager). How did you make it visible?

yunus - you may have already figured this out, but if you install SecMan on the phone, you can turn off platform security. This means that the files that are usually protected by the phone are now visible. You can use a forensic tool such as Oxygen to view/extract the C (flash), D (RAM) and E (media card) drives, but not Z (ROM). What you want to do is then inspect C\sys\bin and look for unusual files. Remember that the files are likely to be compressed, so you'll need to inflate them to view their true contents.

Another tip is to check for any deleted files on the media card. If you're lucky the SIS file was put there temporarily during the install and then deleted. You can recover this deleted file and view it by using EnCase or a similar tool. Unpack the SIS file and inflate the EXEs to view their contents.

You can also use SBSH FExplorer to view the processes running on the phone. Look for ones that don't have a valid signature such as those with [000000] next to their name. Commercial spyware usually installs about 5 files into c\sys\bin. Also check the raw sms receive and transmit files as these usually conceal the hidden messages.

Hope that helps.

TJ
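
A first-pass triage of files extracted from C\sys\bin, following the inspection step TJ describes above. This is an added example, not part of the thread: the header offsets and compression UIDs are assumptions based on the Symbian OS 9 E32Image layout and should be checked against the SDK headers, and the sample image is constructed.

```python
import struct
from pathlib import Path

# Assumed Symbian OS 9 E32Image header layout (little-endian). Check these
# offsets and UIDs against the SDK's f32image.h before relying on them.
KIND = {0x1000007A: "exe", 0x10000079: "dll"}            # UID1
COMPRESSION = {0x00000000: "none", 0x101F7AFC: "deflate",
               0x102822AA: "bytepair"}                   # field at 0x1C

def triage_e32(data: bytes) -> dict:
    """Summarise one file taken from an extracted C\\sys\\bin directory."""
    if len(data) < 0x20 or data[0x10:0x14] != b"EPOC":
        # sys\bin is expected to hold executables, so anything else is unusual.
        return {"e32": False}
    uid1, _uid2, uid3 = struct.unpack_from("<3I", data, 0)
    (comp,) = struct.unpack_from("<I", data, 0x1C)
    info = {"e32": True,
            "kind": KIND.get(uid1, f"unknown:{uid1:08X}"),
            "uid3": f"{uid3:08X}",
            "compression": COMPRESSION.get(comp, f"unknown:{comp:08X}")}
    # Compressed images must be inflated before strings or imports are readable.
    info["needs_inflate"] = info["compression"] != "none"
    if len(data) >= 0x88:                                # secure ID, vendor ID
        sid, vid = struct.unpack_from("<2I", data, 0x80)
        info.update(secure_id=f"{sid:08X}", vendor_id=f"{vid:08X}")
    return info

def scan(sys_bin: str) -> list:
    """Return (file name, summary) for every file in the extracted folder."""
    return [(p.name, triage_e32(p.read_bytes()[:0x100]))
            for p in sorted(Path(sys_bin).iterdir()) if p.is_file()]

def constructed_sample(comp: int = 0x101F7AFC) -> bytes:
    """Constructed header for demonstration only, not from a real handset."""
    buf = bytearray(0x88)
    struct.pack_into("<3I", buf, 0, 0x1000007A, 0, 0xE0001234)
    buf[0x10:0x14] = b"EPOC"
    struct.pack_into("<I", buf, 0x1C, comp)
    struct.pack_into("<2I", buf, 0x80, 0xE0001234, 0)
    return bytes(buf)

if __name__ == "__main__":
    print(triage_e32(constructed_sample()))
```

Run `scan()` on a working copy of the extracted folder; it only reads the first 0x100 bytes of each file and does not inflate anything.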


   
zikmik
(@zikmik)
Eminent Member
Joined: 16 years ago
Posts: 28
 

> zikmik - I've seen at least two forms of commercial spyware that have no visible features (even in App.manager). How did you make it visible?

Sorry for my bad English, but by SEEN did you mean installing and working with them?


   
webtron
(@webtron)
Active Member
Joined: 16 years ago
Posts: 12
 

Hi zikmik - I meant that after the spyware has been installed, I couldn't find any indication that the spyware was there. So once it's installed the user should not be able to see the spyware program through App.manager. I was asking if you had found a way to make it visible?
Cheers
TJ


   
zikmik
(@zikmik)
Eminent Member
Joined: 16 years ago
Posts: 28
 

You wrote that you are from England, but your English is confusing me.

> Hi zikmik - I meant that after the spyware has been installed, I couldn't find any indication that the spyware was there.

To be clear, did YOU install that app?

> So once it's installed the user should not be able to see the spyware program through App.manager.

Why do you use "should"? We are obviously not talking about the same app…

> I was asking if you had found a way to make it visible?
> Cheers
> TJ

What comes up must come down. So if an app is installed, there must be a way to uninstall it. How can you uninstall it?


   