Background:


Following a social engineering attack on a client of a NYC law firm, we were tasked with examining the client's iPhone for signs of recent suspicious activity. Our interview of the client revealed strong circumstantial evidence that her iPhone may have been tampered with. She stated that she had been invited to a meeting at a hotel suite, where her phone was taken by another person, supposedly by accident, while she was out of the room. She said that the circumstances surrounding the meeting and the people who attended were rather strange. She stated that her phone was returned an hour later. After getting her phone back, she began to suspect that something had been done to it: some of her friends received phone calls from an unknown individual who knew quite a bit about private conversations she had had with those close friends. Furthermore, a few weeks later, the person who had invited her to the meeting accused her of larceny of valuable jewelry. Based on that complaint, our client was arrested by the police.

Challenge:


Malware sweeps of iPhones can be quite challenging and go beyond typical mobile forensics. There are literally hundreds of spyware products designed to be installed on mobile devices, and all of them hide their presence on the device in various ways. It takes state-of-the-art mobile forensic tools, along with the technical know-how to interpret their output, to carry out such an exercise.

Response:


We felt that justification existed to examine the phone for spyware. We met the client, took custody of the phone and placed it in a Faraday bag to prevent it from communicating with the attacker if it was in fact compromised. Typically, spyware reports not only on the activity of the phone but also transmits ambient room conversations and the device's geographic location. iPhones are designed to be very secure by default: commercial spyware of this kind cannot be installed on an iPhone unless the device is "jailbroken" first. Consequently, our initial analysis focused on determining whether the phone was jailbroken. We used two separate mobile forensic tools (Cellebrite UFED Touch and Oxygen Forensics Analyst) to perform the analysis. In our experience these two tools are the best when it comes to iPhones, and they complement each other very effectively. One of the tools reported the phone as jailbroken and the other reported that it was not; a disagreement like this is exactly why we never rely on a single tool's jailbreak flag. After in-depth analysis we found that the phone was in fact jailbroken. Interestingly, it had been jailbroken ten minutes after it was taken away from our client; she had a very good recollection of when the meeting took place, and parking receipts to show it. Further analysis revealed that an extremely potent mobile phone spyware package named "FlexiSpy" had been installed shortly thereafter. This software gives the attacker near-total control of the victim's phone, manipulating it in ways most people would not think possible.
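
The jailbreak determination above is the kind of check that should not rest on a single vendor flag. The following is an added example, not the case study's own procedure and not a Cellebrite or Oxygen feature, of a second-opinion sweep over an unpacked iOS file-system extraction: it looks for well-known jailbreak remnants (Cydia, APT, MobileSubstrate, OpenSSH, bash), takes their modification times, and tests them against a window of interest such as the meeting. The indicator paths are checked by presence only, the sample extraction and its timestamps are constructed inline, and the meeting window is hypothetical.

```python
"""Jailbreak-artifact sweep over an unpacked iOS file-system extraction.

Added example; not the case study's own procedure nor a Cellebrite or Oxygen
feature. Assumptions: the extraction has been unpacked to a directory, the
indicator paths below are checked by presence only, and the sample extraction
and its timestamps are constructed inline.
"""
import os
import tempfile
from datetime import datetime, timezone

# None of these exist on a stock iOS install; each is a common jailbreak remnant.
JAILBREAK_ARTIFACTS = [
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "private/var/lib/apt",
    "private/var/lib/cydia",
    "private/var/stash",
    "etc/apt",
    "usr/sbin/sshd",
    "bin/bash",
]

# Hypothetical meeting window (UTC) against which artifact times are compared.
MEETING_WINDOW = (datetime(2012, 3, 5, 14, 0, tzinfo=timezone.utc),
                  datetime(2012, 3, 5, 15, 0, tzinfo=timezone.utc))


def find_jailbreak_artifacts(root):
    """Return [(relative_path, mtime_utc)] for every indicator present, oldest first."""
    hits = []
    for rel in JAILBREAK_ARTIFACTS:
        full = os.path.join(root, rel)
        if os.path.lexists(full):
            mtime = datetime.fromtimestamp(os.lstat(full).st_mtime, tz=timezone.utc)
            hits.append((rel, mtime))
    return sorted(hits, key=lambda hit: hit[1])


def earliest_artifact_time(hits):
    """The oldest artifact mtime approximates when the jailbreak was applied."""
    return hits[0][1] if hits else None


def artifacts_in_window(hits, start, end):
    """Artifacts whose mtime falls inside a window of interest (e.g. the meeting)."""
    return [hit for hit in hits if start <= hit[1] <= end]


def build_sample_extraction():
    """Constructed extraction: two stock paths plus three jailbreak remnants whose
    (hypothetical) mtimes start ten minutes into the meeting window."""
    root = tempfile.mkdtemp(prefix="ios_extraction_")
    for rel in ("Applications/MobileSafari.app", "private/var/mobile/Library/SMS"):
        os.makedirs(os.path.join(root, rel))
    jailbreak_time = datetime(2012, 3, 5, 14, 10, tzinfo=timezone.utc).timestamp()
    planted = [("Applications/Cydia.app", True),
               ("private/var/lib/apt", True),
               ("usr/sbin/sshd", False)]
    for offset, (rel, is_dir) in enumerate(planted):
        full = os.path.join(root, rel)
        if is_dir:
            os.makedirs(full)
        else:
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        stamp = jailbreak_time + 60 * offset   # Cydia first, then APT, then sshd
        os.utime(full, (stamp, stamp))
    return root


if __name__ == "__main__":
    root = build_sample_extraction()
    hits = find_jailbreak_artifacts(root)
    for rel, mtime in hits:
        print(f"{mtime.isoformat()}  {rel}")
    print("earliest artifact:", earliest_artifact_time(hits))
    print("artifacts inside meeting window:", len(artifacts_in_window(hits, *MEETING_WINDOW)))
```

On a real extraction, point `find_jailbreak_artifacts` at the unpacked root and treat mtimes as one input among several; a jailbreak tool can reset them, so corroborate against the client's account and against other dated evidence, as the parking receipts did here.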

The following is a list of some of the features of the spyware that was installed on the phone: spy on calls, listen to live calls, record calls, view call logs, listen to phone surroundings, record phone surroundings, spy on messages, read SMS messages, read MMS messages, send fake SMS messages, delete SMS messages containing keywords, read emails, spy on passwords, spy on GPS, view & track GPS location, spy on IM chats, spy on video files, view image files, listen to audio files, spy remotely (taking pictures using the camera), restart device, check device battery status, send SMS remote commands, spy on internet, spy on applications, address book, calendar, notes, installed programs, program activity, receive alerts when phone calls specific contacts, spy in secret by hiding jailbreak and by hiding itself from application list/task manager.

FlexiSpy allows the person who installed the software on a victim's phone to send SMS messages containing certain commands to the target device. The messages must be composed in a specific format that triggers the corresponding action in the spy software. We recovered a deleted SMS message on the subject phone containing a FlexiSpy command string: XXXXXXXXXXXX. In this instance, the message contained the command to "Enable Spycall and Interception," as indicated by the code "XXXXXXXXXXXX". The next number, XXXXXXXXXXXX, is an activation code for the program. The last number, XXXXXXXXXXXX, was the monitor number. According to the FlexiSpy website, the "Intercept Call" feature, which allows the user to patch into a live phone call and listen in, "uses a pre-defined number called the 'Monitor Number'", from which the user calls the victim's phone directly to eavesdrop on an ongoing conversation. The FlexiSpy user knows when the victim is on a call because the "Watch List" function sends an SMS alert to the monitor number whenever a call is connecting on the victim's phone. Recovery of this text message allowed us to identify the perpetrator: the monitor number (which we have replaced with a series of x's above) was in fact the cell phone number of the individual who set up the meeting and later accused the client of larceny.
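
The recovered command message is the key artifact in this case, and the same kind of record can be triaged systematically. The following is an added example, not the case study's own tooling, that scans an iOS sms.db (or the deleted rows a forensic tool has carved from it) for messages laid out as a command code, an activation code and a monitor number, converts the Apple-epoch timestamp, and checks whether the embedded monitor number corresponds to the handset that sent the command. The three-field numeric layout is a generic pattern assumed for illustration; the real FlexiSpy command codes are not reproduced. The `message` and `handle` tables follow the standard sms.db names, the date is assumed to be seconds since 2001-01-01 (the pre-iOS 11 layout), and the sample database and all numbers in it are constructed.

```python
"""Triage of recovered SMS records for spyware remote-command strings.

Added example, not the case study's own tooling. Assumptions: the iOS sms.db
(or carved deleted rows) is available as SQLite with the standard `message`
and `handle` tables; `message.date` is seconds since 2001-01-01 UTC; and the
"<command code> <activation code> <monitor number>" layout matched here is a
generic pattern chosen for illustration, not the real FlexiSpy format.
The sample database is constructed inline with fictitious numbers.
"""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Hypothetical layout: short numeric command, long activation code, phone number.
COMMAND_RE = re.compile(r"^\s*(\d{2,6})\s+(\d{8,})\s+(\+?\d{10,15})\s*$")


def apple_time(seconds):
    """Convert an sms.db date (seconds since the Apple epoch) to a UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=seconds)


def digits_tail(number, n=10):
    """Last n digits of a phone number, ignoring '+', spaces and punctuation."""
    return re.sub(r"\D", "", number or "")[-n:]


def find_command_messages(db):
    """Return one dict per message whose body matches the command layout."""
    rows = db.execute("""
        SELECT m.ROWID, m.text, m.date, m.is_from_me, h.id
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.date
    """).fetchall()
    hits = []
    for rowid, text, date, is_from_me, sender in rows:
        match = COMMAND_RE.match(text or "")
        if not match:
            continue
        hits.append({
            "rowid": rowid,
            "received": apple_time(date),
            "direction": "sent" if is_from_me else "received",
            "sender": sender,
            "command_code": match.group(1),
            "activation_code": match.group(2),
            "monitor_number": match.group(3),
        })
    return hits


def monitor_matches_sender(hit):
    """Corroboration: the monitor number embedded in the command is the same
    handset that sent it. Compared on the last 10 digits so that
    '+1 212 555 0199' and '12125550199' agree."""
    return digits_tail(hit["monitor_number"]) == digits_tail(hit["sender"])


def build_sample_db():
    """Constructed sms.db: two benign messages and one command string whose
    monitor number equals the sender's number. All numbers are fictitious."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                              handle_id INTEGER, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+12125550123');
        INSERT INTO handle VALUES (2, '+12125550199');
        INSERT INTO message VALUES (1, 'Running late, see you at the suite', 1, 352000000, 0);
        INSERT INTO message VALUES (2, '1234 987654321012 12125550199', 2, 352000900, 0);
        INSERT INTO message VALUES (3, 'ok', 1, 352001000, 1);
    """)
    return db


if __name__ == "__main__":
    for hit in find_command_messages(build_sample_db()):
        print(f"row {hit['rowid']} {hit['received'].isoformat()} {hit['direction']} "
              f"from {hit['sender']}: cmd={hit['command_code']} "
              f"monitor={hit['monitor_number']} "
              f"monitor==sender: {monitor_matches_sender(hit)}")
```

Against a real device, open the sms.db exported by the forensic tool instead of the in-memory sample, and load any carved deleted rows into the same tables, since a command message that was deleted from the handset (as in this case) will not be in the live table. A sender that matches the monitor number is corroborating evidence, not proof; the attacker could use a different number for the command channel than for the monitor line.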

Results:


We documented our findings in a very detailed report and forwarded it to the client's legal counsel.
