SymbOS/Pbstealer.A is a trojan application that runs on the Symbian Series
60 platform. Pbstealer.A pretends to be utility software that compacts
the phone's contacts database. Instead of compacting anything,
Pbstealer.A reads the contacts database and sends its contents
as a text file to the first Bluetooth device it finds.
Pbstealer.A is a trojan and does not spread by itself. To become
infected, the user has to download the SIS installation package that contains
Pbstealer.A. Although Pbstealer.A uses Bluetooth to send the phone book
data, this data is pure text and cannot infect the receiving device.
Disinfection
F-Secure Mobile Anti-Virus is capable of detecting and deleting the
Pbstealer.A trojan. Pbstealer.A can also be removed simply by uninstalling
it with the Symbian application manager.
Pbstealer.A is distributed in a SIS file, originally named Pbexlorer.SIS,
that pretends to be a utility for organizing the phone's contacts database.
The SIS file contains the Pbstealer.A application file and a string resource.
When the SIS file is installed, Pbstealer.A is started automatically.
Payload
When started, Pbstealer.A shows the text:
Compacting your contact(s), step2
Please wait again
until done...
While showing the text, Pbstealer.A reads all contact information in
the phone and copies it to the file C:\SYSTEM\MAIL\PHONEBOOK.TXT. After
building the text file, Pbstealer.A searches for the first device it can find
over Bluetooth and sends the text file to it.
When trying to send the file over Bluetooth, Pbstealer.A uses repeated
connection attempts, so that if the user answers no, he will immediately get a
second connection request. This technique is similar to the tactic used by
Cabir, except that Pbstealer gives up its attempts after one minute and
exits with a message.
If the user of the target phone accepts the Bluetooth transfer, he will
receive a text file that contains information copied from the infected
phone's contacts database.
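
The two observable traces described above (the staging file and SIS name on the infected phone, and the burst of repeated transfer requests seen by a nearby phone) can be checked as follows. This is an added example, not F-Secure code: the function names, the event record format, the threshold of three rejections and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Indicators from the description; Symbian file names are case-insensitive.
STAGING_FILE = r"C:\SYSTEM\MAIL\PHONEBOOK.TXT"
SIS_NAME = "Pbexlorer.SIS"
GIVE_UP_SECONDS = 60  # the trojan stops retrying after one minute

# Constructed sample data, not taken from a real device.
SAMPLE_LISTING = [
    "c:/system/mail/phonebook.txt",
    "E:\\Downloads\\PBEXLORER.sis",
    "C:\\System\\Apps\\Notes\\notes.app",
]
SAMPLE_EVENTS = [  # (seconds, sender address, outcome), hypothetical format
    (0, "00:11:22:33:44:55", "rejected"),
    (5, "00:11:22:33:44:55", "rejected"),
    (12, "00:11:22:33:44:55", "rejected"),
    (300, "AA:BB:CC:DD:EE:FF", "rejected"),
    (900, "AA:BB:CC:DD:EE:FF", "rejected"),
]

def _norm(path):
    """Lower-case and unify separators so comparisons ignore case."""
    return path.strip().replace("/", "\\").lower()

def file_indicators(listing):
    """Return entries matching the staging file path or the SIS file name."""
    staging, sis = _norm(STAGING_FILE), SIS_NAME.lower()
    return [e for e in listing
            if _norm(e) == staging or _norm(e).rsplit("\\", 1)[-1] == sis]

def retry_bursts(events, min_rejects=3):
    """Map sender -> largest count of rejected requests inside one minute."""
    rejected = defaultdict(list)
    for ts, sender, outcome in events:
        if outcome == "rejected":
            rejected[sender].append(ts)
    flagged = {}
    for sender, stamps in rejected.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most one minute.
            while ts - stamps[start] > GIVE_UP_SECONDS:
                start += 1
            count = end - start + 1
            if count >= min_rejects:
                flagged[sender] = max(flagged.get(sender, 0), count)
    return flagged
```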