Spy vs. Spy: Examining Spyware on Mobile Devices
Michael Robinson | Christopher Taylor

Introduction: The newest spy

Spyware can easily run on mobile devices. It's in malware and it's commercially available.

[News article] Mobile malware up 273% in first half of 2011
Monday 12 September 12:00

Malware for smartphones and tablets is up 273% in the first half of 2011, compared with the same period in 2010, a study has shown. Research from G Data Security Labs shows cyber criminals are increasingly targeting mobile devices, with cross-platform Trojans dominating the malware landscape. In the first half of 2011, researchers recorded one new malware strain every twelve seconds on average. G Data believes there is no end in sight to this malware flood. "With mobile malware, cyber criminals have discovered a new business model," said Eddy Willems, security evangelist at G Data. Even though this special underground market segment is still being set up, there is an enormous risk potential for mobile devices and their users, Willems said. According to Willems, researchers are expecting another spurt of growth in the mobile malware sector in the second half of the year. Overall, G Data research shows malware is on the rise, with a new record set in the first half of 2011 of 1,245,403 new pieces of malware identified, a 15.7% increase compared to the second half of 2010. Willems says this growth is expected to continue over the next six months and is on course to reach an annual total of new malware strains for the year of at 2.5 million, compared with just over 2 million in 2010.

NickiBot:
• Spyware (GPS monitoring, sound recording, call logs, e-mail uploading)
• Fully controlled by SMS messages
• Appears as "Android System Log" under installed applications
(See www.csc.ncsu.edu/faculty/jiang/NickiBot.)

[News article] Soundminer Android Malware Listens, Then Steals, Phone Data
By Jeremy Kirk, IDG News. Jan 20, 2011 6:30 am

Researchers have developed a low-profile Trojan horse program for Google's Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone's keypad, according to the study. Using various analysis techniques, Soundminer trims the [...] to transmit data, intercept outgoing phone calls and access contact lists might look suspicious. So in another version of the attack, the researchers paired Soundminer with a separate Trojan, called Deliverer, which is responsible for sending the information collected by Soundminer. Since Android could prevent that communication between applications, the researchers investigated a stealthy way for Soundminer to communicate with Deliverer. They found what they term are several "covert channels," where changes in a feature are communicated with other interested applications, such as vibration settings. Soundminer could code its sensitive data in a form that looks like a vibration setting but is actually the sensitive data, where Deliverer could decode it and then send it to a remote server. That covert vibration settings channel only has 87 bits of bandwidth, but that is [...]

Soundminer
- Monitors phone calls (voice and keypad)
- Sends credit card data over the network
- Paired app with another Trojan

[Blog post] Mobile Malware Threats Grow! Now They Can Steal Photos From Your Phone.
August 22, 2011

F-Secure: Photoscraping for harassment and blackmail.

Thanks to F-Secure team we know that Chinese malware likes to spy. We've been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmail. A member of Threat Response team in F-Secure just found something interesting in a Symbian malware sample. And what they find is very disturbing: The code of Trojan:SymbOS/Spinilog.A includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone's memory. This feature seems to still be unused and possibly incomplete as the [...]

[Blog post] Does Your Smartphone Need Anti-Virus Protection?

After hearing about what happened to Scarlett Johansson it seems like everyone is talking about what they can do to keep the private data on their smartphone private. While it is important to follow best practices, it might be time, depending on which OS you rock on your smartphone, to consider adding an extra level of protection.

Commercialization of spyware

[Vendor web page] BlackBerry Spyware: Monitor, Trace and Track BlackBerry Smartphones. BlackBerry Spyware Spyphone Software.

BlackBerry Spy technology delivers find out the specifics as to what people are saying on their Android as well as who they really are talking to. Trace BlackBerry Phone Calls, Track BlackBerry Location; and determine what is in SMS texts and email; find out internet activity; and a whole lot more.
With BlackBerry Mobile Phone Spy Software programs you may even cell phone tap to listen to smartphone calls and spy call transform the smartphone right into a covert bug device. The BlackBerry operating system is particularly popular with mobile device software developers and normally BlackBerry Spy applications are packed with features unavailable with other systems; making BlackBerry Spy software powerful as solutions to Parental Monitoring, Workforce Monitoring and uncovering Cheating.

BlackBerry Spy Monitoring and Tracking applications are designed for most types of BlackBerrys but there are a few limitations: if you're looking to capture a history of Website Visits or Check MMS multi-media messages (images, music and video), unfortunately BlackBerry will not support keeping track of that. BlackBerry Tracker, Review SMS Texting & E-mail, Call Event Logging, Cell Phone Tap Calls and much more.

[Screenshot: the same page with platform logos for BlackBerry, iPhone, Nokia/Symbian and Windows Mobile, and links "Go to Phone Monitoring Websites" and "Compare Phone Monitoring Software".]

Did you catch the list of compatible devices?

Some commercial versions don't require rooting of the phone.*
* iPhones need to be jailbroken.

So what does it do?

Commercial spyware may capture:
• SMS activity
• Location/GPS coordinates
• Pictures
• Videos
• Inbound/outbound call logs
• Browser activity (URLs)
• E-mail
• Identify SIM card changes

Interactive mode may include:
• Taking pictures
• Recording videos
• Record conversations/background via calls
• Wiping the phone
• Viewing the target phone's screen

Harvested data sent back to a server. For example:

[Screenshot: spyware web console, Call Details page (tabs: HOME, CALLS, SMS, GPS, PHOTO, URLS, PHONE, LOGOUT). Six outgoing calls from 2012-05-22 and 2012-05-23 are listed with serial number, time of call, phone number, type of call and duration, with "Delete Selected" and "Download CSV" options.]

[Screenshot: Stealth Club > My Phones > SMS History, logged in as Michael Robinson. Sent and received text messages from 2012-05-16 to 2012-05-22 are listed with type, sender, recipient, SMS text and date/time (for example "Hey. Guess where I am?" and "Thanks. What is the plan for tonight?"), downloadable as CSV. The side menu lists Calls History, SMS History, Contacts, Appointments History, Internet Browsing History, Bookmarks History, Emails History, Messenger Chat History, Recent Location, Location History, Calls Recording History, Surround Recording History, Pictures History and Videos History.]

Live pictures

[Screenshot: SpyBubble console, Live Photos Details page, listing 1337672867.jpg (2012-05-22 00:47:42) and 1337648244.jpg (2012-05-21 17:57:02).]

GPS Coordinates (Actually cell phone towers)

[Screenshot: Stealth Club > My Phones > Location History, logged in as Michael Robinson. A Google map of the Washington metro area shows location markers above a table of 16 location records dated 2012-05-20 (date, phone, latitude, longitude), for example 38.801180555555554, -77.17333333333333. The side menu also lists Access Tracker, Keystroke Logs, MSN Chat History, Screenshot History, Skype Call Recording, Skype Chat History and YAHOO Chat History.]

[Screenshot: MobiStealth marketing page, "Monitoring Software for Mobile Phones".]

[Screenshot: Stealth Club > My Phones > Calls Recording History, logged in as Michael Robinson. Recordings dated 2012-05-20 to 2012-05-22 are listed by observed number, with "Delete Selected" and "Download Selected" options.]
Recorded phone calls

Alerts can be sent to a monitoring phone via SMS directly from target or from the website.
Commands can be sent to the target phone via the observing phone or website.

Principal differences between malware and commercial versions:
• Attack vector (delivery method)
• Logging

Installation
• Physical access: required.
• Android rooting: not always required.
• iPhone jailbreaking: required.
• Internet connection: required.
• Ability to install apps from unknown sources: required.
• Device may need to be rebooted.

The BIG question: How do you know if you've been PWN'd?

You wouldn't know, would you? Spyware is "undetectable."

Q: Will other people know that SpyBubble is installed or running on the mobiles I provide them with?
A: No, there is no icon or symbol that shows the status of SpyBubble on the screen of the mobile.

Will users know MobiStealth is installed or running?
MobiStealth uses the latest innovations in mobile monitoring to keep your monitoring safe and secure. There are no indications that MobiStealth is running while it is active. It runs in completely stealth mode.

Will users know Mobile Spy is installed or running?
Mobile Spy uses the latest innovations in mobile monitoring to keep your monitoring safe and secure. There are no indications that Mobile Spy is running while it is active. The program has no entries in the User Menu, and its files are extremely discreet. Best of all, when Mobile Spy is running, there is NO entry for it in the Task Manager. So it is your responsibility to notify any user they are being monitored.

Here's what we did:

We forensically examined smart phones infected with different commercial spyware products.
• HTC Wildfire S (rooted) on T-Mobile
• LG Optimus Elite on Virgin Mobile
• LG Optimus V on Virgin Mobile
• Samsung Galaxy Prevail on Boost/Sprint
• Apple iPhones 4s (jailbroken) on T-Mobile

[Screenshot: vendor website banner, "Spy Software for Smartphones", "Revealing Secrets Since 2005".]

FlexiSPY

[Screenshot: Physical Analyzer file tree. Under sdcard, the directory .bookmark_thumb1 holds several .jpg files; the selected image, s7ea2c639.jpg, shows the address support@flexispy.com. Other entries in the tree include Android/data/com.google.android.apps.maps, slacker, sbin and system.]

ATTRIBUTION! Registration Key (in the picture)

A couple of glitches...

On the version we tested, we noticed:
• Messages appeared periodically that "unknown" obtained "superuser access."
• The software didn't always launch on reboot.
• On CDMA phones, stealthy messages sent to the target phone appeared to the user, i.e., they were not stealthy.
• Stealthy phone calls did not work on CDMA phones.

Note: A new version of the product has since been released.

Running Apps: Superuser (Evidence of rooting)

[Screenshot: XRY, HTC Wildfire S A510e post-install extraction, Device > App Usage (152 items), an alphabetical list of applications with related URL and storage. Selected item: Application: Superuser; Related URL: https://market.android.com/details?id=com.noshufou.an…; Storage: Device.]

/data/system/usagedata/usage-20120207 contains a reference to: "com.android.insecurity"

[Screenshot: Physical Analyzer file tree under data/system (appusagestats, dropbox, registered_services, shared_prefs, sync, throttle, usagestats with usage-2012… files, accounts.db, packages.list, packages.xml, userbehavior.db and others), with a hex view of the usage file.]

/data/misc/dm/fx.log

Callouts on the log:
• Hidden SMS command: <*#50>
• Confirmation of response sent to remote system
• Software version: PROX
• ATTRIBUTION! Hidden SMS command & Registration Number

Log excerpt (entries dated 02-07; phone and registration numbers are redacted on the slides):

  WARNING/SmsCommandManager(2016): processSmsCommand # +1571[redacted]: <*#10><0610776[redacted]><+1571[redacted]><D>
  WARNING/SocketStmcSms(2067): Forward SMS: false
  WARNING/EventDatabaseManager(2017): countTotalEvents # TYPE_CALL: 0, TYPE_SMS: 0, TYPE_EMAIL: 0, TYPE_LOCATION: 0, TYPE_IM: 0, TYPE_SYSTEM: 3, Total: 3
  WARNING/EventManager(2017): processNumberOfEvents # Number of events: 3 / 10
  WARNING/SocketStmcSms(2067): isEnable: true, Edition: PROX
  WARNING/SocketStmcCall(2067): isEnable: true, Edition: PROX
  WARNING/SocketStmcSms(2067): set Monitor Number: "+1571[redacted]"
  WARNING/SocketStmcCall(2067): set Monitor Number: "+15712[redacted]"
  WARNING/SmsCommandHelper(2016): sendResponse # response: 166 2.03.3] [10] OK
  WARNING/SmsCommandHelper(2016): ==current settings==
  WARNING/SmsCommandHelper(2016): call: Yes,+15712[redacted]
  WARNING/SmsCommandHelper(2016): WL status: Disable
  WARNING/SocketStmcSms(2067): set keyword#1: 1
  WARNING/SocketStmcSms(2067): set keyword#2: ""
  WARNING/EventDatabaseManager(2017): countTotalEvents # TYPE_CALL: 0, TYPE_SMS: 0, TYPE_EMAIL: 0, TYPE_LOCATION: 0, TYPE_IM: 0, TYPE_SYSTEM: 4, Total: 4
  WARNING/EventManager(2017): processNumberOfEvents # Number of events: 4 / 10
  WARNING/SocketStmcSms(2067): Found a new SMS
  WARNING/SocketStmcSms(2067): SMS command is detected! -> Hide
  WARNING/SocketStmcSms(2067): Forward SMS: false
  WARNING/SmsCommandManager(2016): processSmsCommand # +1571[redacted]: <*#50><0610776[redacted]><1 ...
  WARNING/EventDatabaseManager(2017): countTotalEvents # TYPE_CALL: 0, TYPE_SMS: 0, TYPE_EMAIL: 0, TYPE_LOCATION: 0, TYPE_IM: 0, TYPE_SYSTEM: 5, Total: 5
  WARNING/EventManager(2017): processNumberOfEvents # Number of events: 5 / 10
  WARNING/SmsCommandHelper(2016): ==current settings==
  WARNING/SmsCommandHelper(2016): start capture: Yes
  WARNING/SmsCommandHelper(2016): Events: call log,SMS,Em...
  WARNING/SmsCommandHelper(2016): Timer: 1hour
  WARNING/SmsCommandHelper(2016): Max Event: 10
  WARNING/SmsObserver(2017): registerObserver # refId: ...
  WARNING/ServiceManager(2017): enableCaptureEmail # ENTER ...
  WARNING/ServiceManager(2017): enableCaptureIm # ENTER ...
  WARNING/ServiceManager(2017): disableCaptureLocation # ENTER ...
  WARNING/GpsTracking(2017): disable # ENTER ...

ATTRIBUTION! Monitoring number

The same entries in /data/misc/dm/fx.log record the monitoring number:

  WARNING/SocketStmcSms(2067): set Monitor Number: "+1571[redacted]"
  WARNING/SocketStmcCall(2067): set Monitor Number: "+15712[redacted]"
  WARNING/SocketStmcSms(2067): set keyword#1: ""
  WARNING/SocketStmcSms(2067): set keyword#2: ""

/data/misc/dm/logcat

[Screenshot: the logcat file opened in Notepad; the entries run together without line breaks.]

Confirmation of Connection

  D/ConnectivityService( 187): getMobileDataEnabled returning true
  TelephonyRegistry( 187): notifyDataConnection: state=2 isDataConnectivityPossible=true reason=simLoaded interfaceName=rmnet0 networkType=8
  TelephonyRegistry( 187): broadcastDataConnectionStateChanged() state=CONNECTED types=default,supl,admin,dun,hipri, interfaceName=rmnet0
  ConnectivityService( 187): ConnectivityChange for mobile: CONNECTED/CONNECTED
  ConnectivityService( 187): adding dns 10.177.0.34 for mobile

Monitoring other services, e.g., charging.

  V/NotificationService( 187): charging...
  StatusBarService( 285): new notification: when=1329526768909 ongoing=false ...

Starting process: com.slacker.radio (includes PID)

  I/ActivityManager( 187): Start proc com.slacker.radio for broadcast com.slacker.radio/com.slacker.service.SlackerRadioService$ExternalMediaReceiver: pid=1110 uid=10009 gids={3003, 1007, 1015}
Permi ssi onsobser vi ce( 653): □ got cursor from su.dbD/ 653) : row 46 dirty, handle itD/ needs deletedo/ delete completedo/ closing permissions, sql iteD/ Androi dRunti me(15717) l^ndroi dRunti me(15717) Androi dRunti me(15717) Androi dRunti me(15715) Androi dRunti me(15715) Androi dRunti me(15716) Androi dRunti me(15716) Androi dRunti me(15715) Androi dRunti me£L5Zl£l Androi dRunti ie(15716) Androi dRunti ie(15717) Androi dRuntile(15715) Database maintenance »»» Androi dRunti me start com. androi d. i nternal . os. Runti meinit «««D/ checkJNi is qffd/ □/ »»» Androi dRunti me start com. androi d. i nternal □ »»» Androi dRunti me start com. androi d. i nternal checkJNi is offd/ rhprlfiNT i^ nrrn/ calling main entry com. f x. cal 1 mgrd. cal iMgroaemon calling main entry com. f x. pmond. Monitor DaemonD/ ^a^^na^Tja^^ntr^^ojii^x^ja^ Calls to several daemons: • com.fx.callmgrd.CallMgrDaemon • com.fx.pmond.MonitorDaemon • com.fx.maind.MainDaemon dal vikvm(15716) : Trying to load lib /data/mi sc/dm/1 i bexec. so Qx4QQ2aB2BD/ dalvikvm(15717) : Trying to load lib /data/mi sc/dm/1 i bexec. so 0x4QQ2aB2BD/ dal vi kvm(15716) : Added sharec^^^^jj|ria^a/i|^i£^dji^^j£XE£^^o dal vikvm(15717) : Added sharJd lib /data/mi sc/dm/1 i bexec. so ux4QQ2a626D/ dal vikvm(15715) : Trying to load Mb /data/ mi sc/dm/ n bexec. so ux4U02aS2SD/ dal vikvm(l 5715) : Added shared lib /data/mi sc/dm/1 i bexec. so 0x4002a626i/ Process (15717): sending signal. PID: 15717 SIG: 9D/ dal vikvm(15716) : GC_FO R__M AL LOC freed HOOK, 54% free 950K/2051K, external OK/OK, pi Process (15715): sending signal. PID : 15715 SIG : 91/ Process (15716): sending signal. PID : 15716 SIG: 9Df dalvikvmC 653): GC_EXPLICIT freed 169K, 46% free 3169K/5695K, external OK/OK, paused 5234msD/ Library loading: /data/misc/dm/libexec.so £2 Physical Analyzer File View Tools. 
[Screenshots: Physical Analyzer, Hex View of Image5 (mtd5_userdata.bin). Images in the extraction: Image0 (mtd0_misc.bin), Image1 (mtd1_recovery.bin), Image2 (mtd2_boot.bin), Image3 (mtd3_system.bin), Image4 (mtd4_cache.bin), Image5 (mtd5_userdata.bin), Image6 (mtd6_devlog.bin), Image7 (blk0_mmcblk0.bin) and ProcData (procdata.zip).]

Image5 (mtd5_userdata.bin): Deleted log data found.

Callouts on the recovered log text:
- SIM Card check
- SMS Commands
- ATTRIBUTION! Controlling Number
- Spyware version
- Instructions
- Auto-reply

Recovered log text (… marks digits that are hidden on the slides):

  01-31 17:33:00.205: WARNING/SocketStmcSms(514): Forward SMS: false..
  01-31 17:33:04.606: WARNING/SmsCommandHelper(85): ==Current Settings==..
  01-31 17:33:04.606: WARNING/SmsCommandHelper(85): Call: Yes, +15712…
  01-31 17:33:04.606: WARNING/SmsCommandHelper(85): WL Status:Watch all number..
  01-31 17:59:11.043: WARNING/SimChangeThread(514): verifySim # Previous subscriber ID: 31021…
  01-31 17:59:12.426: WARNING/SimChangeThread(514): verifySim # Current subscriber ID: 3102…
  01-31 17:59:12.897: WARNING/SimChangeThread(514): verifySim # SIM is not changed..
  01-31 18:18:20.808: WARNING/SocketStmcSms(514): Found a new SMS..
  01-31 18:18:20.837: WARNING/SocketStmcSms(514): SMS Command is detected! -> Hide..
  01-31 18:18:20.890: WARNING/SocketStmcSms(514): Forward SMS: false..
  01-31 18:18:20.909: WARNING/SmsCommandManager(85): processSmsCommand # +1571…
  01-31 18:18:22.783: WARNING/EventDatabaseManager(84): countTotalEvents # TYPE_CALL: 2, TYPE_SMS: 0, TYPE_EMAIL: 0, TYPE_LOCATION: 0, TYPE_IM: 0, TYPE_SYSTEM: 8, Total: 10..
  01-31 18:18:22.809: WARNING/EventManager(84): processNumberOfEvents # Number of events: 10 / 10..
  01-31 18:18:22.880: WARNING/EventManager(84): processNumberOfEvents # Request deliver all events..
  01-31 18:18:23.294: WARNING/EventDatabaseManager(84): countTotalEvents # TYPE_CALL: 2, TYPE_SMS: 0, TYPE_EMAIL: 0, TYPE_LOCATION: 0, TYPE_IM: 0, TYPE_SYSTEM: 8, Total: 10
  (a later entry, partly obscured, ends "of events: 4 / 10..")

Entries time-stamped 01-31 12:29:11.059 to 12:29:11.716 (timestamps and messages appear in separate columns on the slide):

  WARNING/SocketStmcSms(584): IsEnable: true, Edition: PROX..
  WARNING/SocketStmcSms(584): Set keyword#1:
  WARNING/SocketStmcCall(584): IsEnable: true, Edition: PROX..
  WARNING/SocketStmcSms(584): Set keyword#1:
  WARNING/SocketStmcSms(584): Set keyword#2:
  WARNING/SocketStmcSms(584): Set keyword#2:
  WARNING/SocketStmcSms(584): Set Monitor Number: "+1571…"..
  WARNING/SmsCommandHelper(85): sendResponse # response: [66 2.03.3] [50] OK..
  WARNING/SmsCommandHelper(85): ==Current Settings==..
  WARNING/SmsCommandHelper(85): WL Status:Watch all number..
  WARNING/SocketStmcCall(584): Set Monitor Number: "+157…"..
  WARNING/SocketStmcSms(584): Set keyword#1:
  WARNING/SocketStmcSms(584): Set keyword#2:

SpyBubble

URL history
  http://www.spybubble.com/android/adv/radio.apk

downloads.db entry
  uri: http://www.spybubble.com/android/adv/radio.apk
  hint: radio.apk
  _data: /mnt/sdcard/Download/radio.apk
  (Phone not shipped with an SD Card.)

A couple of glitches
- Outgoing call log: #999999*. There was an error with the operation of the software. This should not appear in the log.
- SETTINGS: This number can be changed. Regardless of the number, it will start with # and end with *.

[Screenshot: Physical Analyzer, extraction with Image0 (blk0_mmcblk0.bin) and ProcData (procdata.zip).]

When SpyBubble is installed, it automatically sends an SMS from the target phone to the observer. This text appears in blk0_mmcblk0.bin:

  "this phone is now having Radio installed in it and has added you as the observer"

The text found here is identical to the SMS message. The phrase appears in different languages before and after the English version.
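Both finds above, the deleted log entries in mtd5_userdata.bin and the install SMS text in blk0_mmcblk0.bin, are text located inside raw images. The following Python sketch is an added example, not part of the slides or of Physical Analyzer: it carves log entries of the form shown above out of raw bytes and locates a phrase stored either as ASCII or as UTF-16LE (assumed here because the hex view shows a 00 byte after each character). The function names, the sample image and the phone number are constructed for illustration.

```python
import re
from collections import Counter

# Log entries in the form shown in the recovered text, e.g.
#   01-31 18:18:20.837: WARNING/SocketStmcSms(514): SMS Command is detected! -> Hide
# Assumption: the ".." after each entry on the slides is CR LF as printed by
# the hex viewer, so the message is taken to end at the first non-printable byte.
LOG_ENTRY = re.compile(
    rb"(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}): "         # timestamp
    rb"(VERBOSE|DEBUG|INFO|WARNING|ERROR|ASSERT)/"  # level
    rb"([A-Za-z0-9_.$]{1,64})\((\d{1,5})\): "       # tag(pid)
    rb"([\x20-\x7e]{1,512})"                        # printable message text
)

# Tags that occur in the recovered spyware log on the slides.
WATCH_TAGS = frozenset({
    "SocketStmcSms", "SocketStmcCall", "SmsCommandManager", "SmsCommandHelper",
    "SimChangeThread", "EventDatabaseManager", "EventManager",
})

PHONE = re.compile(r"\+\d{7,15}")


def carve_log_entries(image: bytes) -> list:
    """Carve log entries out of raw bytes, dropping exact repeats."""
    seen, entries = set(), []
    for m in LOG_ENTRY.finditer(image):
        ts, level, tag, pid, msg = (g.decode("ascii") for g in m.groups())
        key = (ts, level, tag, pid, msg)
        if key in seen:  # raw flash images can hold stale copies of the same data
            continue
        seen.add(key)
        entries.append({"offset": m.start(), "time": ts, "level": level,
                        "tag": tag, "pid": int(pid), "msg": msg,
                        "watch": tag in WATCH_TAGS})
    return entries


def controlling_numbers(entries) -> Counter:
    """Count numbers that issued SMS commands or were set as monitor number."""
    hits = Counter()
    for e in entries:
        is_cmd = e["tag"] == "SmsCommandManager" and "processSmsCommand" in e["msg"]
        is_set = "Set Monitor Number" in e["msg"]
        if is_cmd or is_set:
            hits.update(PHONE.findall(e["msg"]))
    return hits


def find_phrase(image: bytes, phrase: str) -> list:
    """Offsets at which phrase occurs, stored as ASCII or as UTF-16LE."""
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        needle = phrase.encode(codec)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed sample: log text and an SMS string between filler bytes."""
    number = "+15555550123"  # constructed; the real number is hidden on the slides
    log = (
        "01-31 18:18:20.808: WARNING/SocketStmcSms(514): Found a new SMS\r\n"
        "01-31 18:18:20.837: WARNING/SocketStmcSms(514): SMS Command is detected! -> Hide\r\n"
        "01-31 18:18:20.890: WARNING/SocketStmcSms(514): Forward SMS: false\r\n"
        f"01-31 18:18:20.909: WARNING/SmsCommandManager(85): processSmsCommand # {number}\r\n"
        f'01-31 12:29:11.205: WARNING/SocketStmcCall(584): Set Monitor Number: "{number}"\r\n'
        "01-31 12:29:12.000: DEBUG/dalvikvm(653): GC_EXPLICIT freed 169K\r\n"
    ).encode("ascii")
    sms = ("this phone is now having Radio installed in it "
           "and has added you as the observer")
    return (b"\xff" * 64 + log + b"\x00" * 32
            + log[:150]  # stale copy: first two entries plus a cut-off third
            + b"\xff" * 16 + sms.encode("utf-16-le") + b"\x00" * 8)


if __name__ == "__main__":
    image = build_sample_image()
    found = carve_log_entries(image)
    for e in found:
        flag = "*" if e["watch"] else " "
        print(f'{flag} 0x{e["offset"]:06x} {e["time"]} {e["tag"]}({e["pid"]}): {e["msg"]}')
    print("controlling numbers:", dict(controlling_numbers(found)))
    print("phrase hits:", find_phrase(image, "this phone"))
```

On a real extraction, read the image in chunks that overlap by at least the longest expected entry so that entries straddling a chunk boundary are not missed.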
[Screenshot: Physical Analyzer, Hex View of Image0 (blk0_mmcblk0.bin), search for "this phone" (133 results). The hex view shows the text stored with a 00 byte after each character.]

radio.apk: application data under /data/data/com.radioadv/

  databases/
    radioDB
  files/
    advsettings.txt
    buddy.txt
    install.txt
    secret.txt
    serial.txt
    settings.txt
  shared_prefs/
    SpyPrefs.xml

/data/data/com.radioadv/files/

advsettings.txt (Length: 0xC9)
  InCallRecording:enable
  OutCallRecording:enable
  AutoEnvRec:enable
  AutoLivePic:enable
  AutoLiveVideo:enable
  AutoEnvRecDur:120
  AutoEnvRecInterval:0.5
  AutoLivePicInterval:2
  AutoLiveVideoInterval:3

settings.txt
  TrackMode:Web
  CallTrack:enable
  DataTrack:enable
  LocationTracking:enable
  GPSINT:15
  UrlTrack:enable
  PhotoUpload:enable
  ContactUpload:enable
  CalendarTrack:enable

buddy.txt
  ATTRIBUTION! Cell phone number for remote control

secret.txt
  Pin: 999999

serial.txt
  ATTRIBUTION! Serial number for this purchase
swype. android .inputmethod E)-B com .telespree .android .client B -B dontpanic + - local ©■■■ misc B-P^ property B -p^ system (j) -B tombstones | □ EFS_CRC.txt ; Q efnmc_storage.log 3 I Hex View | File Inf( 4 SpyPrefs.xml X SpyPrefs.xml Counters including "Heart Beats" » X MR-l / l,l MR-l,l,l Retrieved from the website. Not recovered from the phone. SWBubble* I / Truth Exposed HOME ' CALLS 1 SMS 1 GPS ' PHOTO I URLS I PHONE ' LOGOUT ' Live Photos Details From: 05/Z3/2012 2l To: Anti Theft for Mobile with Secure Data Backup and Remote Wipe Download Now Log Viewers || Physical Analyzer File View Tools Python Plug-ins Report Help B-czi Q-Q Smart Phones_PDAs_;Vidroid - Method 1 I Extraction Summary Device Info Images ! §l FileDump [Smart Memory Ranges ! ■ ■'T=* RleDump Rle Sterns Smart Phones_P EEl-P 3 ? bootimages Op 3 ? cache ©•£5 chargerimages $••£5 data & E3 mpt ! Ql aat_resurt.txt i Q) enable | Q] MPT_Basic.bdb ! O MPT_CommonData.db ^ Qj _ I MLU II UULUHU ■ ^FileDump X i MPT Main Data .d b X Database view | view I File Info I IS Table: exception_blobs ■Q| MPT_MainData.db ■Q| started EE)-£3 pefsist B -E? sbin S-E 1 system ■Qj default .prop Pi hit C ac^e^efr^cfivTTy^oTiu acc resource info (3318) acc satejnfo (0) satellite jinfo (0) icc_screen_info [212) signal_strength (716) telephonyjnfo (920) acc _Vifi_inft> (41) andro\metadata (1) appjaccWnulation (16) app_histo\^ (14) exception_blobs (63) exception_pcsync exception_sms exception_web rootingjiistary t3tn /m pt/M PT_M a i n Da ta . d b S Analyzed Data ife-fll Call Log (13) Eja-S Emails {4) | Passwords (22) co m.radioadv. 
Cam era Activity $Preview.surfaceChanged (CameraActivity.java:132) tirnestamp 1337649765390 1337658471245 ; FATAL EXCEPTION: main jaVa.la ^.umirun at co i at am at am at am at am at and roid view.Surfa ceView.d ispatchDraw(Surf ace Viewjava :3 50) at and roid .view.VlewGrou p.d ra wChild (ViewG roup .Java : 1644) at and noid .view.VlewGrou p.d ispatch Dra w( Vie wGro u p.ja va : 1373 ) at and roi d view.Vlew.dra w(View.java:69Q2) at and roid .widget. Frame Layou t dra w( Frame Layout.java :3 57 ) at and roid .vi ew.Vie wGro u p.drawChild (ViewG roup Java : 1646) at and roid .view.VlewGrou p.d ispatch Dra w( Vie wGrou p.ja va : 1373) at and roid .view.Vie wGrou p.drawChild (ViewG roup .Java : 1644) at and roid .view.VlewGnou p.d ispatch Dra w( Vie wGrou p.java : 1373) at and roid .view.Vie w.dra w(View.j ava : 6902) at and roid .widget. Frame Layout, dra w( Fr a me Lay out. java :3 57) at co m .a nd ro id. interna I .policy.! mpLPhoneWindow$DecorView.d raw( P h one Wind ow. java :2D3S) at and roid .view.Vie wRoot . dra w(ViewRoot. java :1527) at and roid .view.vlewRoot performTra versals( VlewHoot.ja va :1263) at and roid .view.vlewRoot. ha nd leMessage(ViewRoot.java : 1864) at and roid.os.H a n d le r.d is patch Message ( Hand I er. java :99 ) at and roid . os.Looper.loop ( Loo p e r.java :130) at and roid. a pp. ActivityThrea d. m a in( ActivityThread .java :3 683) at java . lang . refl ect.Meth.od .in vokeN ative{ Native Method) at java . lang. reflect M eth od .invoke(M ethod .java: 507) at co m .a nd ro id. intern a I .os.Zygotel n it$ MethodAndArgsCaller.run(Zygotelnit.java:875) at co m .a nd ro id. 
intern a I .os.Zygateinitma in (Zygote I nit Java :633) at dalvik.svstem.MativeStart.main (Native MetJiod) 1337665673922 FATAL EXCEPTION: main java.lang.N u 1 1 Pointer Exception at co m .rad ioa dv.Ca me raActivity$P review, s u rfaceCh a nge d (Ca me ra Activity Java : 132 ) at a nd ro i d ,vi ew.Surfa ce Vi ew.u pdate Wind ow(Surfa ceVi ew.j ava : 558) atandroid.vi ew.Su rf a ce Vi e w.d ispatch Dra w{Su rf a ceVi ew.j a va : 3 5 0) atandroid.vi ew.V ie wG ro u p.d ra wCh ild ( Vie wG roup .Ja va : 1 644) at a nd ro i d .vi ew.V ie wG ro u p.d is patch Dra w( V ie wG ro u p.j ava : 1373 ) atandroid.vi ew.V ie w. d ra w( Vi ew.j ava : 6902 ) at android.widget.Fra ~ e Layout, draw (Frame Layout, java :3 57) atandroid.vi ew.V ie wG ro u p.d ra wCh ild ( ViewG roup . ja va : 1 646) atandroid.vi ew.V ie wGrou p.d is patch Dra w( V ie wG ro u p.j ava : 1373) at a nd ro i d .vi ew.V ie wG ro u p.d ra wCh ild ( ViewG roup Java : 1 644} 3 ANR in com.radioadv Reason: Executing service com.radioadv/.LivePicService Load: 12.16/16.72/15.64 CPU usage froml6515ms to Oms ago: 1% 4261/com.radioadv: 1% user + 0% kernel / faults: 145 minor Mon May 21 2012 20:48:27 GMT-0400 (EDT) g P hys ica I A na lyzer File View Tools \3 m a • ^ Python Plug-in:- Report Help a-Q Smart Phones_PDA3_£ndroid - Method 1 I Extraction Summary |f{] Device Info Images 1 ]§| File Dump [Smart Phones_PDAs_.Android - Method 1 .zip} fj -jgfe Memory Ranges ! RleDump RhOi Rle Systems ; S -i^j Smart Phones_PDAs_^nc B-P^ bootimages El-P^ cache GjD- P^ chargerimages ijl-E data &'B mpt I Q aat_result.txt I Ql enable | MPT_Basic.bdb ! 
[Screenshot: Physical Analyzer, Database view of /mpt/MPT_MainData.db, table app_history (columns include serial, timestamp and pkg_name). The listed packages include com.facebook.katana, com.yelp.android, org.wikipedia and com.android.vending.]

Pkg Name: com.radioadv
Install Time: 1337647707115

[Screenshot: Physical Analyzer, Database view of /mpt/MPT_MainData.db, table acc_recent_activity (columns include serial and pkg_name). The pkg_name column shows com.radioadv interleaved with com.android.contacts, com.android.settings, com.lge.camera and com.android.mms.]

Pkg Name: com.radioadv

[Screenshot: Physical Analyzer, Database view of /mpt/MPT_CommonData.db, table acc_usage (columns: serial, timestamp, pid, uid, eventid, pkgname). com.radioadv appears in the list alongside packages such as com.google.android.gm, com.android.email and com.android.browser.]

Pkg Name: com.radioadv
uid: 10079
URL history
http://www.mobistealth.com/asset/mobistealthv2.apk

downloads.db entry
uri: http://www.mobistealth.com/asset/mobistealthv2.apk
Hint: mobistealthv2.apk
_data: /mnt/sdcard/download/mobistealthv2.apk

SD Card
\download\mobistealthv2.apk

[Screenshot: XRY, LG VM670 Optimus V extraction, App Usage view with columns Application, Related URL and Storage. The applications listed include LookOutSecure among entries such as Google Play Store, Swype and Package installer. Each Related URL has the form https://market.android.com/details?id=<package>, including id=lookOut.Secure, and Storage is Device.]
App Usage
Application: LookOutSecure
Related URL: https://market.android.com/details?id=lookOut.Secure
Storage: Device

[Screenshot: MobiStealth web control panel, Stealth Club > My Phones > Settings > Security & Location, logged in as Michael Robinson. Settings shown:]
• Phone Location via GPS: how frequently the phone reports its location, set to an interval of 8 minutes. (Reducing the time interval will increase the battery usage.)
• SIM Change Notification: the mobile number to which an SMS is sent whenever the SIM is changed.
• Location Update Secret SMS: "MobiStealth allows you to get the location of current phone just by sending a secret SMS. Phone will reply with its location via SMS." The secret SMS is set to "location" (only alphabets, digits, comma, period, space and hyphens are allowed), together with the source phone number of the secret SMS.
• Wipe Data Secret SMS: "MobiStealth allows you to remove all data from current phone in case of theft or it is lost. You can send a secret SMS to current phone to wipe all sensitive data (Contacts, SMS and etc.). After successful removal, phone will send a confirmation SMS."

Attribution!
• Trigger word: "location"
• Source phone number

[Screenshot: Physical Analyzer, project tree under data/data/lookOut.Secure:]
databases: EmailDatabase.db
files: 846870869757698-callrecordinfo.dat, 846870869757698-gpssmsinfo.dat, 846870869757698-stealth.conf, ContactHash, debugLog, latestbookmark.dat, latestbrowser.dat, loggedpictures.ser, servicelog.dat
shared_prefs: XML preference files, including CDR.xml, configurations.xml and PHONE_STATE.xml

[Screenshot: Physical Analyzer, Database view of EmailDatabase.db. Tables include android_metadata, sqlite_sequence, tbl_callback, tbl_callrecnumbers and tbl_smscommands. The table shown has columns _id, _status, _number and _message. Rows 1 to 5 hold the number 1234567812345678 with filler messages such as "A prudent question is one-half of wisdom"; rows 6 to 8, 10 and 11 are zero-filled; row 9 holds a partly redacted number beginning 410 and the message "location".]

Attribution!
• Trigger word: "location"
• Source phone number

data/data/lookOut.Secure
/databases
/files
/shared_prefs
[Screenshot: Physical Analyzer, Hex View of data/data/lookOut.Secure/files/debugLog. The decoded text is a plain-text service log.]

data/data/lookOut.Secure
/files
debugLog

[Screenshot: debugLog opened in Notepad, with three callouts: "Service is already running", "Names of Services & Functions" and the recorded location.]

Entries legible in the log include:

[SecureIncomingCallRegService]: Service is already running
[SecureServiceLauncher]: launching SecondService
[SecureSecondService]: EmailSecondService started
[StealthWifiLocationProcessor] inside getLocation
[StealthBackupData]: inside purgeSMSIDs
[StealthWifiLocationProcessor]: time: 20120522052140 successfully registered RegistrationCallback
[EmailDatabaseProcessor]: maxTime of highest ID sms is: 1337575661175
[StealthWifiLocationProcessor]: time: 20120522052140 done called in RegistrationCallbackImpl
[StealthBackupData]: file 846870869757698-stealth.conf is not debug file
[StealthBackupData]: Found debug file debugLog
[StealthBackupData]: DebugLog filesize: 40669 curDate: 22 oldDate: 22
[StealthBackupData]: DebugLog File is not uploadable yet

Other entries name the EmailUtil hashtable functions (readHashetable, storeHashetable, removePrevDataFromHash), a java.io.FileNotFoundException for /data/data/lookout.secure/files/EventHashes, StealthCombineXMLFactory searching for file types myCont, myCDR, myBrowser, myBookmark and myAppt, StealthCommandReceiver reading the command BKUP_RECORDING, and EmailRecordingBackupService starting.

Location:
Lat: 36.145
Long: -115.32444444444444

data/data/lookOut.Secure
/files
debugLog
[Screenshot: MobiStealth web control panel, Stealth Club > My Phones > Location History, logged in as Michael Robinson. A map and a table of location records (date, phone, latitude, longitude) dated 2012-05-20, from 14:33:23 to 21:55:43.]

Location (Lat 36.145, Long -115.32444444444444) matches one of the addresses listed. Identical value recovered from the phone.

Locations are based on cell phone towers. Actual location was nearby.

List of pictures that have been uploaded

[Screenshot: Physical Analyzer, Hex View of data/data/lookOut.Secure/files/loggedpictures.ser, a serialized java.util.ArrayList holding three file names:]
IMG_20120520_133547.jpg
IMG_20120520_133902.jpg
IMG_20120520_134236.jpg

data/data/lookOut.Secure
/files
loggedpictures.ser

[Screenshot: MobiStealth web control panel, Stealth Club > My Phones > Pictures History, logged in as Michael Robinson. Pictures are listed with Stealth Date/Time 2012-05-20 13:33:48, 2012-05-20 13:39:02 and 2012-05-20 13:42:36. The entry 20120520134236.jpg is served from a URL under http://www.mobistealth.com/picture/.]

The MD5 hash of this downloaded file matches the MD5 hash of the picture stored on the phone.
[Screenshot: XML preference strings recovered from the phone, with values partly redacted. Keys shown: app_imei, ftp_rest_passwd, license_version, license_status (active), second_service_time, ftp_init_user, callrec_mode, location_interval (8), ftp_rest_user, local_phone_number, ftp_init_passwd.]

Mobile Spy: Spy Software for Smartphones

URL history
http://asd-ms.com/ms5-a/ms5-2.1-above.apk

downloads.db entry
uri: http://asd-ms.com/ms5-l/ms5-2.1-above.apk
Hint: ms5-2.1-above.apk
_data: /mnt/sdcard/download/ms5-2.1-above.apk

SD Card
\download\ms5-2.1-above.apk

A couple of glitches...

On the version we tested, we noticed:
• E-mail alerts were sent back to a monitoring e-mail address; however, no data appeared on the website.
• After installation, the battery life dropped to 8-10 hours from nearly 20 hours.

The website requires the user to update his/her password. As a result, the password stored on the device needs to be updated, which means physical access is required again.

Installed applications are listed in:
/data/data/com.sprint.zone/databases/zone.db

[Screenshot: Physical Analyzer, Database view of zone.db, table installed_apps (columns include pname, time, version_code, version_name and app_status).]

Package: com.retina22.ms6
Name: Android Toolkit
Date: 21 May 2012 11:06:57 PDT
Version: 5.0

Incidentally, "Seizure Service" is Paraben's Device Seizure.
[Screenshot: Physical Analyzer, permission entries shown for the package. Permissions listed: GET_TASKS, SEND_SMS, PROCESS_OUTGOING_CALLS, WRITE_EXTERNAL_STORAGE, READ_LOGS, WRITE_SMS, ACCESS_WIFI_STATE, RECEIVE_SMS, ACCESS_COARSE_LOCATION, READ_CONTACTS, CALL_PHONE, WRITE_CONTACTS, MODIFY_AUDIO_SETTINGS, READ_PHONE_STATE, READ_CALENDAR, READ_SMS, RECEIVE_BOOT_COMPLETED, INTERNET, WRITE_SETTINGS, WRITE_HISTORY_BOOKMARKS, ACCESS_FINE_LOCATION, CHANGE_NETWORK_STATE, ACCESS_NETWORK_STATE, READ_HISTORY_BOOKMARKS.]

[Screenshot: Physical Analyzer, Database view of the RetinaXSmartphone database under /data/data/com.retina22.ms6/databases. Tables: AppUsesTable, ApplicationContentsWeb, BlockedApps, CalendarContentsWeb, CallContentsEmail, CallContentsWeb, CellIdContentsWeb, ContactContentsWeb, GpsContentsEmail, GpsContentsWeb, PhoneUsesTable, PhotoContentsWeb, SmsContentsEmail, SmsContentsWeb, UrlContentsEmail, UrlContentsWeb, android_metadata (1), sqlite_sequence (7). The sqlite_sequence table names ContactContentsWeb, CellIdContentsWeb, SmsContentsWeb, SmsContentsEmail, PhotoContentsWeb, CallContentsWeb and CallContentsEmail.]

/data/data/com.retina22.ms6
/databases
/shared_prefs

Attribution!
Email ID (Monitoring Address)

[Screenshot: Physical Analyzer, shared_prefs/MobileSpyData6.0.xml under com.retina22.ms6, showing a redacted @gmail.com monitoring address and other partly redacted string values.]

Spyera

Evidence of Jailbreaking

[Screenshot: XRY, Apple iPhone 4S (A1387) extraction, General Information view. The device is reported as Jailbroken.]

Installed Applications

[Screenshot: DesiredIconState.plist, XML view, listing icon bundle identifiers such as com.apple.mobileipod, com.apple.MobileSMS, com.apple.mobilecal and com.apple.mobileslideshow.]

Hidden Applications:
com.saurik.Cydia
com.yourcompany.OwnSpyRegister
calculator ^/atritig> c«i. apple . ccmpaaa c[A apple .VciceMemca-;/atring> liatType ccm. aaurik -Cydia ccm_ ycur company . C>wnSpy^egiater-;/atritig> f array> Ready Line: 64 Col: 1 IconState.plist Of* XML View ccm. apple -mcbilemail ccm. apple .mcbileaaf ari ccm. apple .mcbileipcd-;/atrin.g> icanLiata ccm_ apple . Mcbi 1 e SMS ccm. apple .mcbilecaK / atring> ccm- apple .mcbilealideahcv-;/atring> ccm. apple . earner a-i/atring> com. apple - video a-; /at ring> -satring>com. apple . ycutube < a t r i ng>c cm. appl e . Mapa ccm. apple .weather com_ apple _mcbilenctea < a t r i ng>ccm_ appl e . Eemiadera com_ apple .mobile timer < /at ring> < a t r i ng>com_ appl e . game c e nt e r < / a t r i ng> < k e y >di apl a yName < / ke y > < a t r i ng>He wa a t and-; / a t r i ng> iccn.Liata < ke y >1 i a tType < / ke y > ne wa a t and< ./ a t r i ng> ccm_ apple _McbileStcre < a t r i ng>c om_ appl e . AppS t □ r e < / a t r i ng> com_ apple . Pref erencea-;/atririg> ccm. apple . atccka-;/atring> < k e y >de f aul t Di apl a yName < / k e y > Utilitiea-;/atring> < ke y >di apl a yName < / ke y > Utilitiea-;/atring> iccciLiata-;/key> < a t r i ng>com. appl e . Mcbi 1 e Addr e a a Be c k < / a t r i ng> com. apple . calculatcr-i/a tring> ccm. apple . ccmpaaa com. appl e . Vol ceMemo a < / a t r i ng> < ke y>l i a t T ype < / ke y> < a t ring>r c 1 de r < / a t ri ng> < /diet > 3 Ready Line: 62 Cd: 1, , , spyero Th* Ben *pypn*ni* Software /data/data/com. radioadv/shared_prefs/ § Physical Analyzer File View Tools Python Plug-ins Report Help 1 9 a & & b Q com. apple. syncedpneferences. plist Q com .apple. timed. plist Qj com. apple. ubd. plist Qj com. apple. voiceservices. plist com .ownspy.daemon .plist Qj Date Formats .plist Q Desired Icon State. plist Q Effective UserSettings. plist Qj History plist Qj History.plist Q Icon State. plist Qj Info.plist Qj Info.plist Q Keyword Index.plist Qj MC Data Migration. plist O MCMeta. 
plist ■Qj net .mobileinnova Jibhidelocation .plist Q net.mobileinnova.push.plist Q| network -constraints. plist Qj newsstand_regular.plist Q pasteboard DB Q Payload Manifest .plist Qj Plugin Registry .plist Q Prof ileTruth. plist Qj Search Engines. plist Qj softwareupdategervicesd. plist Pi Suspend State. plist Qj transient Settings. plist Truth .plist Q url-resolution .plist Welcome Extra cti< | Hex View | File Info | 00000000 3C 3F 7 00000010 2E 3 j 2. 00000020 4 6 2E 3 00000030 20 7 6- 00000040 2F 2 z 4 00000050 53 5 4 2 00000060 70 3A 2 ^0000070 6D 2F 4 oWiooeo 69 7 3 1 1 jN^ - 6C 69 7 30 22 3j OOOOOOBO^ ^.E 61 7 ooooooco < 2 7. OOOOOODO 72 7 OOOOOOEO OA OS OOOOOOFO 74 €5 6 00000100 73 74 5 00000110 6E 7 4 6 00000120 72 3E 1 00000130 79 3E D. 00000140 61 €4 6 00000150 65 37 6 00000160 72 6S 6: 00000170 41 42 5 000001B0 OA D9 3, 00000190 74 65 6 OOOOOlAD 74 41 4. ^ 1 J J Find: Offset ft Value: ||] Bcckniarks I < key >a p p I og < key >fi rst P i ct u re l < key >fi rstSy n c l key ( B lastABPersonlD 2 < key > I a st A B Va I u e I D _ l lastCHread l lastSMSread 5 lastWH Date 360668832 Attribution! Unique Key /var/mobile/Library/preferences/ Q Physical Analyzer File View Tools Python Plucj-in: § @ ^ # i Project Tree Report Help •Ql com.apple. -Ql com.apple -Ql com.apple -Ql com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple -Q com.apple •Q com.apple -Q com.apple .keyboard .plist .Launch Services .plist .locationd .notbackedup .plist .locationd .plist .mms_ovem'de .plist .mobile . Sync Migrator.plist .mobilecal .plist . Mobile Internet Sharing .plist .mobilephone .plist .mobilesafari .plist .mobileslideshow .plist .Mobile SMS. plist .preferences .datetime .plist .Preferences .plist .purplebuddy.notbackedup .r: .purplebuddy.plist .springboard .plist .stocks. plist .ubd. 
plist voiceservice^plist .weather.rj E-BS SMS El-B Software Update S-B Spotlight ©■■£ SpringBoard E)-P^ Synced Preferences E)"B Voicemail B-p^ 1 Voice Services S-B Web Kit (il- B Lockdown Service - Analyzed Data O Contacts (1) yf* Welcome X E>d | Heic View | File Info I ! c 00000000 3C 3 DO 00 011 30 00000022 38 00000033 7 0000 04 4 Xo 6 00000055 A '30 2 OOOOOOG^ 77 2 oooooojt? 50 7 oooojfees 54 7 ODOiODSS 69 6 OfffO OAA OA JTOOOOOBB 2E 6 rOOOOOOCC 7 2 7 OOOOOODD 6C 5 net. mobileinnova.libhidelocation. plist com.ownspy.daemon 73 7 4 3E DA Highlights a a a a r ™* [ # Offset H Values | |F| Bookma net. mobileinnova. push. plist services com.ownspy.daemon spyero i „ | (hi i— II trial Report ... Help ® | All Projects Welcome X y Extraction Summary X j^ FileDump X,K ownspy.log X | ▼ X | Hex View | File Info I R-isi Rle Systems 1 m - mm Pimim s& BHJ=I ApplejPhone 4S.zip G-D-B AFC Serviceprivate 00000000 32 30 31 32 2D 30 36 2D 30 36 20 30 35 3A 32 35 3A 31 35 2012-06-06 05:25:15 ^^^^^^^^ B-B var B- B mobile B-B Ubrary B-B Address Book B-B Aggregate Dictionar/ B-B Application Support B B Assets B B Assistant SB Bulletin Board B-B 1 Caches B B Calendar S"B com .apple .itunesstored S"B Configuration Profiles S-B Cookies B B Keyboard B B Logs B-B Apple Support EjOB Mobile Installation ■Q| liblocation.log ■Q| libpush.log -DBS ■Q| Siri.log B B Mail B-B Maps B-B Notes B- B Preferences B B Safari B-B SMS B-B Software Update B B Spotlight S B Spring Board B-B Synced Preferences /AFC Serviceprivate/var/mobile/Library/Logs/ownspy.lo < L J 00 DDI 31 3-b 2E 35 36 3U 2 5F 6B 65 12 ^5 6C 5B 34 39 31 3A 15.5 63 _kernel [491: 000000E4 37 3 : 37 5D 2 54 72 ^9 60 6E ^0 74 61 2 60 6E 73 74 707] Trying to inst 000000F7 61 6C 6C 2 61 6 4 64 6? 6E> 2E 2E 2E OA 72 6E 3A 2 63 all addons .... rm: c 0000010A 61 6E 6E 6r 74 2 72 ^D 6? 76 65 2 6: 2? 74 6E 7 2F annot remove "Vtmp/ 0000011D 6C 69 62 7 75 7 2E 64 6 5 62 27 OA 2 4E 6F 2 7 3 75 libpush. 
deb T : No su 00000130 63 6B 2 66 69> 65 2 61 72 2 64 60 72 65 63 74 61 72 ch file or director 00000143 79 OA 64 ^E 67 OA 2 ^3 74 61 74 75 7 3 2 64 61 ^4 61 y.dpkg: status data 00000156 62 61 65 2 61 72 65 61 2 60 7 3 2 60 6F 63 6E 65 64 base area is locked oooooies 7 2 61 6E 6F 74 63 6 5 72 2 70 72 6F 63 6 5 73 73 by another process 0000017^ *t)A 44 6F 77 6E 6C 6? 61 64 6 6E 67 2 6C 60 62 7 75 73 . Downl o a di ng 1 ibp us 68 2 6C 60 62 72 61 72 7 2 66 72 6? 6E 2 4E 6T 62 69 h library from Mobi *§fTO0DlA2 6C 65 2 40 6E 6E 6? 76 61 74 60 6E 6E 7 3 2E 2E 2E OA 49 le Innovations. . . .1 000001B5 6E 73 ^4 61 6C GC 60 6E 67 2E 2E 2E OA 72 6E OA 2 63 61 nstalling . . . . rm: ca 000001CB 6E 6E 6? 74 2 72 65 6E 61 ^6 65 2 6 2T 74 6E ^0 2? 6C nnot remove * / ~mp/ 1 000001DB €9 62 6£ 60 64 65 60 6F 63 61 74 60 6? 6E 2E 64 6 5 62 27 ibhidelocation . deb T 000001EE 3A 2 4E 6T 2 7 75 63 63 2 66 60 6C 65 2 61 72 2 64 : No such file or d 00000201 69 ^2 65 63 74 6? 72 ^9 OA 6 4 7 6E 6^ 3A 2 ^3 ^4 61 74 irectory . dpkg : stat 00000214 75 7 3 2 64 61 74 61 62 61 7 3 65 2 61 72 65 61 2 60 73 "j.s database area is Highlights B S [3 H Find: Q Length £2 Values IE Bookmarks] 4 Highlights [ Length: 0x10 OFF Offset: 0x0 Selection: 0x0 First run time ■2012-06-06 05:25:15.562 _ker nel [491 : 707] OwnSpy Daemon v!389 started! 12012-06-06 05:25:15.565 _kernel [491 : 707J Checking log size... 12012-06-06 05:25:15.567 _kernel [491 : 707] Log size is: 134 12012-06-06 05:25:15.568 _kernel [491 : 707] Trying to install addons... Irm: cannot remove \/tmp/l i bpush. deb ' : No such file or directoryd Ipkg: status database area is locked by another process I Downloading libpush library from Mobile innovati ons. .. instal 1 i ng. . . Irm: cannot remove \/tmp/l i bhi del ocati on. deb ' : no such file or directoryd Ipkg: status database area is locked by another processDownl oadi ng libl ocati on library from Mobile innovati ons. .. instal 1 i ng. . . 
1 2012-06-06 05:25:18,316 _kernel [491 12012-06-06 05:25:18.515 _kernel [491 1 2012-06-06 05:25:18.519 _kernel [491 |2012-Q6-06 05:25:18.529 _kernel [491 707] CRITICAL I I I It seems libLocation does not exists [ 707] Checking battery level... 707] battery: 707] checking for reseller |2012-06-06 05:25:19.507 _ker nel [491 : 707] resp = {"status": 1, "appname": "spyera", "appser verurl " : " ifl H " < "appserver protocol " : "ht^://" "debname": "spyera", "i nstal Itext " : "Thank you for installing spyera. Please use the following code tc^omp^t^yoTirreT^stra^TCnon the website:" } 12012-06-06 05:25:19.511 _ker nel [491 : 707] object: { appname = Spyera; I spyera; instal Itext = "Thank you for installing spyera. Please use the appserver protocol = "http : //" ; appser foil 1 owing code to complete your regi strati 2012-06-06 05:25:19. 526 Jcernel [491:707] MD5_Devi celd : A76FA303 50952CE1EBEC2CA48923741 2 J2012-06-06 05:25:19. 529 .kernel [491:707] htt p : //-^■M^^^^^^M^^^^^^^H I |resel 1 er =68a66eb8ee27524824elb7743c89dblb&i d=A76F^ B sr ?g&osver = 5. 1 |2012-06-06 05:25:20.664 _kernel [491 1 2012-06-06 05:25:20.666 _kernel |20^^^6^6^5^25^20^ 67 Ja^fnelU r! URL and Reseller ID : TO^^Fesp = ("registered" :707] registered = :707l Not regi stered I code: GNORED "code": "r09607a8"> 12012-06-06 I 2012-06-06 I 2012-06-06 I 2012-06-06 I di rectori e: I Innovati on: I previ ously I /tmp/1 i bhi I Downl oadi n I 2012-06-06 I 2012-06-06 I 2012-06-06 I 2012-06-06 I 2012-06-06 I 2012-06-06 "debname" : I 2012-06-06 I spyera; 05:25:41.041 _kernel [567 05:25:41.045 _kernel [567 05:25:41.047 _kernel [567 s not registered' Trying again in 5 minutes., eceived 707] ownspy Daemon V1389 started — 707] checking log size... 707] Log size is: 2438 — 1 JBQJ.j-H debname Application Name App Serve URL Thank you note 05:25:41.048 _ker nel [567 : 707] Trying to install addons. .. sel ecti ng previously deselected package net . mobi 1 ei nnova. 1 i bpush. (Readi ng database ... 
830 files and s currently i nstal 1 ed. )unpacki ng net. mobi 1 ei nnova. 1 i bpush (from /tmp/1 i bpush. deb) ...setting up net. mobi 1 ei nnova. 1 i bpush (1.3) ...installing libpush from Mobile Activating 1 i bpush. .. checki ng i nstal 1 ati on. .. Li bpush installed successful lyl Downl oadi ng libpush 1 i brary from Mobi 1 e innovati ons. .. install i ng. .. sel ecti ng de5elected package net . mobi 1 ei nnova. 1 i bl ocati on. (Readi ng database del ocati on. deb) ...setting up net . mobi 1 ei nnova. 1 i bl ocati on (1.0) .. g liblocation 1 i brary from Mobi 1 e innovati ons. .. instal 1 i ng. . . 834 files and directories currently i nstal 1 ed. )unpacki ng net. mobi 1 ei nnova. 1 i bl ocati on (from| installing 1 i bl ocati on. . . No matching processes were f oundMobi 1 elnnova - libLocation vO.l 05 25:49. 075 05 2 5 49. 077 05 2 5 59. 244 05 2 5 59. 251 05 2 5 59. 270 05 25 00. 184 "i nstal Itext" {"status" appname "spyera", "appser verurl " : . „ -i-U-. 4=,-.! 1 -.l..-! ^^.xJ. spyera 05:26:00.187 _ker nel [567 : 707] object: { appname = spyera; appser verprotocol = "http://"; appser verurl instal Itext = "Thank you for installing spyera. Please use the following code to complete your registration on the website appserver protocol T Thank you for installing spyera. Please use the fol lowing code to complete your registration on the website ! "http://", I/"; debname = , spyero (A Th* Ben ^pyp+iM* Sofi**re 12012-06-06 05:25:15.562 _ker nel [491 : 707] QwnSpy Daemon V1389 started — 12012-06-06 05:25:15.565 _ker nel [491 : 707] Checking log size... 12012-06-06 05:25:15.567 _kernel [491 : 707] Log size is: 134 12012-06-06 05:25:15.568 _kernel [491 : 707] Trying to install addons... Irm: cannot remove \/tmp/l i bpush. deb ' : No such file or directoryd Ipkg: status database area is locked by another process I Downloading libpush library from Mobile innovati ons. .. instal 1 i ng. . . Irm: cannot remove \/tmp/l i bhi del ocati on. 
deb ' : no such file or directoryd Ipkg: status database area is locked by another processDownl oadi ng libl ocati on library from Mobile innovati ons. .. instal 1 i ng. . . 1 2012-06-06 05:25:18,316 _kernel [491 12012-06-06 05:25:18.515 _kernel [491 1 2012-06-06 05:25:18.519 _kernel [491 1 2012-06-06 05:25:18.529 _kernel [491 |2012-06-06 05:25:19.507 _kernel [491 "debname": "spyera", "i nstal Itext" : MD5 Device ID 707] CRITICAL I I I It seems libLocation does not exists 707] Checking battery level... 707] battery: 707] checking for reseller 707] resp = {'"status": 1, "appname": "spyera", "appser verurl " : "ifl H " < "appserver protocol ' "Thank you for installing spyera. Please use the following code t^comp^t^your^^g^st^t^non the website:" } 707] object: { 12012-06-06 05:25:19.529 _ker nel [491 : 707] http://- I resel 1 er =68a66eb8ee27524824elb7743c89dblb&i d=A76l 12012-06-06 05:25:20.664 _ker nel [491 : 707] resp = ("registered 1 2012-06-06 05:25:20.666 _ker nel [491 : 707] registered = 12012-06-06 05:25:20.667 _kernel [49l|707] Not registeredl Code: 12012-06-06 05:25:20.668 _kernel [491 1 2012-06-06 05:25:20.669 _kernel [491 1 2012-06-06 05:25:40.747 _kernel [491 12012-06-06 05:25:41.041 _kernel [567 1 2012-06-06 05:25:41.045 _kernel [567 I2O12-06-06 05:25:41.047 _kernel [567 12012-06-06 05:25:49.075 _kernel [567 1 2012-06-06 05:25:49.077 _kernel [567 |2012-06-06 05:25: 59. 244 -- ^i*rlTeT[567 New App on Device: com.ownspy.daemon 707] ALERTS IGNORED 707] Device is not registered I Trying again in 5 mi nu 707] Reboot received 707] ownspy Daemon V1389 started 707] checking log size... 707] Log size is: 2438 707] Trying to install addons. .. sel ecti ng previously deselected package net . mobi 1 ei nnova. 1 i bpush. (Readi ng database ... 830 files and 12012-06-06 05:25:41. 048 _kernel [567 Idirectories currently i nstal 1 ed. )unpacki ng net. mobi 1 ei nnova. 1 i bpush (from /tmp/l i bpush. deb) ...setting up net. mobi 1 ei nnova. 
1 i bpush (1.3) ...installing libpush from Mobile I innovati ons. .. Acti vati ng 1 i bpush. .. checki ng i nstal 1 ati on. .. Li bpush installed successful lyl Downl oadi ng libpush 1 i brary from Mobi 1 e innovati ons. .. install i ng. .. sel ecti ng I previously deselected package net . mobi 1 ei nnova. 1 i bl ocati on. (Readi ng database ... 834 files and directories currently i nstal 1 ed. )unpacki ng net. mobi 1 ei nnova. 1 i bl ocati on (from| I /tmp/l i bhi del ocati on. deb) ...setting up net . mobi 1 ei nnova. 1 i bl ocati on (1.0) ...installing 1 i bl ocati on. . . No matching processes were f oundMobi 1 elnnova - libLocation vO.l (Downloading liblocation library from Mobile innovati ons. .. instal 1 i ng. . . 707] Registering app to libLocation libLocation: registering new app com.ownspy.daemon 7 07] checking battery level... :ery: king for reseller = {"status": 1, "appname": "spyera", "appser verurl " : "HI "appserverprotocol ' du for installing spyera. Please use the following code to complete your registration on the website:" } ct: { appname = spyera; appserverprotocol = "http://"; appser verurl illing spyera. 
Please use the following code to complete your registration on the website: ^ spyero ta^ Th^ Beit Spyohon* Sofi^are s y 2012- 06 -06 05 53 55 447 _kernel ;245: 2012- 06 -06 5 53 55 448 _kernel [24 5: 2012- 06 -05 05 53 5 9 034 _kernel [245: 2012- 06 -05 05 53 59 035 _kernel [245: 2012- 06 -05 05 53 59 038 _kernel [245: 2012- 06 -05 10 13 57 +0000Cancel i ng 2012- 06 -05 05 53 59 195 _kernel [245: 2012- 06 -05 05 5 3 59 195 _kernel [245: 2012- 05 -05 5 53 59 195 _kernel [24 5: 2012- 06 -05 05 53 59 200 _kernel [245: 2012- 05 -05 05 53 59 200 _kernel [245: 2012- 05 -05 05 53 59 201 _kernel [245: 2012- 05 -05 5 53 59 202 _kernel [24 5: 2012- 06 -05 05 53 59 203 _kernel [245: 2012- 05 -05 05 53 59 208 _kernel [245: 2012- 05 -05 5 53 59 211 _kernel [24 5: Location Speed Time/Date 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 2012-06-06 05:53: 59. 381 59. 383 59. 384 59. 388 59. 390 59. 399 59.413 59.415 59.416 .kernel .kernel .kernel .kernel .kernel .kernel .kernel .kernel .kernel 3 : 7(w] registered OK 5 : .■' Or j tiiuy en ivr its.L l 24 5 : 4 52j^^Te^e^Lre^Te^^M^^^^ad^ng^h^ 245:452f] SMSAPI : getPendi ngSMS : opening SMS db 245:452fl lastRow: 5 245:452fl smsapi : del eteSMStoiD: opening sms db 24 5 : 4 52^^flafiMflttflfiMUflflafl^^MfiH*l^flfl^t - <+38. 80132575,-77. 16092010> +/- 81.64m (speed -1.00 mps / course -1.00) @ 6/6/12 5:53:59 AM Eastern Daylight Time 24 5 : 707^^me^famp^oc^^on^^CTW??^^^^^^^^^^^^ 245:452fl lastRow: 02012-06-06 05:53:59.347 _kernel [245 :452f 1 Checking last WH read 245:452fl WHAPP_API : i ni t : Open database 245:707] - <+38. 80132575 , -77. 
16092010> +/- 81.64m (speed -1.00 mps / course -1.00) & 6/6/12 5:53:59 AM Eastern Daylight Time 245:707] timestamp location: -0.092763 245:452f] whatsApp is not installed on the device 245:452f] Checking last CH read 245:452f] CALLAPI : i nit : Open database 245:452f] CALLAPI : i nit : Database ready 245:452f] CALLAPI : getLastcal 1 id : opening call Hi story db 245:452f] ABAPl:init: Open database 24 5 : 4 52f^ABAPI^n^t^Databas^^eadv^^^^^^^^^^^^^^ 245:452|] checking AddressBook changes 245:452|] ABAPI : getLastPer sonld : opening AddressBook db New address book entries found and uploaded. ^ spyero l^^' Th* Ben ^p^^Mie Soft* | * XRY - C:\Documents and S etti n gs\Ad mi n\ strator\Des ktop\App le iPhon Home Edit View Export Tools Help [si m Extract Decode Data Images Extract Data ■ Open Close Save Save Save As Special Open Save & SI Print Print Preview Print Importance Thumbnail Name logo.png minilogo.png % ownspy_icon.png Png c 3 s ooxjl o nly_. png Png (i Phone) 78 3 Byte 3 empty@2x.png fi lec@2x.png Png (i Phone) 3.11KB Png (iPhone) 2.92 KB Creation Date: 1/10/2012 8:30:23 PM UTC 1 Items: 3967 Sel acted Items: 1 Ready 1 spyero v " XRY - C:\Documents and Setti ngslAdmi nistratorADesktofAAppLe iPhone 4S (A1387).xry Edit Export Tools Help Extract Decode Data Images Extract Data i H B B Open Close Save Save Save As Special Open Save Print Print Preview Print Date and Time: 6/6/2012 UTC X Importance Application Time | Access Coi A pp Usage SUMMARY CASE DATA T DEVICE GENERAL INFORMATION NETWORK INFORMATION APP USAGE KEYBOARD CACHE CONTACTS CALLS ► MESSAGES ► LOCATIONS >■ WEB c om. ap pi e . p urplebudd y com.apple.mobilemail com.apple.mobilephone c om. ap pi e . M o bi leS MS com.ap pie. Preferences com.apple.mobilephone com.apple.purplebuddy com. apple. Mobiles MS com.ap pie. Preferences coni.app e.cane'3 com.apple.mobilephone c om. ap pi e . mo bi lesafari c om. 
you rcompa ny.OwnSpy Reg iste r 5/1 8/2012 UTC (Device) 2 5/18/2012 UTC (Device) 1 5/1 8/2012 UTC (Device) 2 6/5/2012 UTC (Device) 1 6/5/2012 UTC (Device) 5 6/5/2012 UTC (Device) 1 6/5/2012 UTC (Device) 2 6/6/2012 UTC (Device) 4 6/6/2012 UTC (Device) 3 ':-'i:.'20-2 o _ C [Device) 1 6/6/2012 UTC (Device) 1 6/6/2012 UTC (Device) 2 6/6/2012 UTC (Device) 2 6/6/2012 UTC (Device) 6/6/2012 UTC (Device) com.yourcompany.OwnSpyRegister * XRY SYSTEM Time 6/6/2012 UTC (Device) Items: 15 Selected Hems: 1 Ready spyero t^^' Th* Ben ^p^-EHie Soft* ^ XRY - C:\Documents and S etti ngs \Ad mi ni s trato r\Des ktop\App le iPhone 4S (A13S7).xry Home Edit Export Tools Help Extract Decode Data Images Extract Data Open Close Save Save Save As Spedal Open Save w at Print Print Preview Print Importance A File Name File Path SUMMARY CASE DATA T DEVICE GENERAL INFORMATION NETWORK INFORMATION O APP USAGE KEYBOARD CACHE CONTACTS CALLS MESSAGES >■ LOCATIONS ► WEB T FILES PICTURES AUDIO ARCHIVES UNRECOGNIZED ► XRY SYSTEM Custo m Rec u rren c e . stri ngs Rem inderEditi ng.strings Search. stri ngs General. strings GeneraLstrings Search .stri ngs Invitations. stri ngs com. ownspy. reload . p li st OwnSpyTool.pl ist com. ownspy. process, p ist ResourceRules.plist ._OwnSpyTool.pl ist Info.plist MainWindow.nib O wnSpy Reg is:s r V ewCo ntraller. nib ._reseller.plist CodeResources Info.plist Info.plist nesel er.pl st ResourceRules.plist Installation.plist CodeResources ResourceRules.plist CodeResources /System/Libra ry/F /System/Libra ry/F /System/Libra ry/F /System/Li brary/F /System/Libra ry/F /System/Libra ry/F /System/Libra ry/F /System/Libra r//F /System/Libra ry/L /Library/MobileSt /System/Libra ry/J /Library/OwnSfJy. /Library/MoBileSt /Librar^OwnSpy /Lib*wy/OwnSpy iporary/CwnSpy. r /Library /OwnSpy. /Library/OwnSpy. /Library/OwnSpy /private/var/stash /Library/OwnSpy. /private/var/stash /private/var/stash /Library/OwnSpy. /Library/OwnSpy. /Library/OwnSpy. 
Items: 15623 Selected Items: 1 Files related to OwnSpy: com.ownspy.reload.plist OwnSpyTool.list com. ownspy.process. list ResourceRules.plist _OwnspyTool.plist Info.plist MainWindow.nib OwnSpyRegiserViewController _reseller.plist CodeResources reseller.plist ResourceRules.plist Installation.plist CodeResources. plist spyero t^^' Th* Ben ^p^-EHie Soft* ^ XRY - C:\Documents and Settings\Administratnr\IlMktnn\Annl*i iPhnne 4S (MIRJI xrv 1 lnl vl Extract Decode Data Images Extract Data Open Close Save Save As Open Save Importance SUMMARY CASE DATA T DEVICE GENERAL INFORMATION NETWORK INFORMATION APP USAGE KEYBOARD CACHE CONTACTS CALLS MESSAGES >■ LOCATIONS ► WEB T FILES PICTURES AUDIO ARCHIVES UNRECOGNIZED ► XRY SYSTEM Locations: /Library/ModuleSubstrate/DynamicLibraries/ /Library/OwnSpy.app/ /private/var/stash/Applications.pOVE5x/SystemService.app/ /System/Library/LaunchDaemons/ Search. strings Invitations. strings Rem inderEditi ng.strings c om. ownspy. reload . p li st OwnSpyTool.pl ist com. ownspy. process, p ist ResourceRules.plist ._OwnSpyTool.pl ist Info.plist MainWirtdow.nib /Syste rn/Libra rv/Frameworks/EventWffu I . f ramework/G e rn a /Syste rn/Libra ry/Frameworks/EyjfntKitU I . f ramework/G e rn a - . O wnSpy Reg is:s r V ewCo ntroller. nib ._reseller.plist CodeResources Info.plist Info.plist -esel er.pl st ResourceRules.plist Installation.plist CodeResources ResourceRules.plist ^TSyste rn/Libra ry/Frameworks/EventKitU I . f ramework/G e rrnan . /System/Libra ry/Lau nc h Daemons/ /Li b rary/Mobi leSu bstrate/Dyn a m ic Li braries/ /System/Libra ry/Lau nc h Daemons/ /Library /OwnSpy.app/CwnSpyReg iste r. a p pf /Li b rary/Mobi leSu bstrate/Dyn a m ic Li braries/ /Library/OwnSpy .app/CwnSpyReg iste r. a p p/ /Li b rary /OwnSpy. ap p/CwnSpyReg iste r. a p p/ /Library/OwnSpy .app/OwnSpyReg iste r. a p p/ /Li b rary /OwnSpy . ap p/ /Library /OwnSpy. app/ /Li b rary /OwnSpy. ap p/ /pri vate/va r/stash/Ap pi ications . pOVE5x/Sy ste rnServi c e . 
a pp7 /Library/OwnSpy.app/ /pri vate/va r/stash/Ap pi ications . pOVE5x/Sy ste rnServi c e . a pp7 /pri vate/va r/stash/Ap pi ications . pOVE5x/Sy ste rnServi c e . a pp7 /Li b rary /OwnSpy . ap p/OwnSpyReg iste r. a p p _C odeS ign atu re. /Lib rary /OwnSpy. app/ * CodeResources \/Li b rary /OwnSpy . ap p/_CodeSign atu re/ < i > Data Created 6/5/2012 5:10:39 PM UTC (Device) Modified 6/5/2012 5:10:39 PM UTC {Device) Items: 15623 Selected Items: 1 Bottom line: Indicators: • History of: • Downloads (cache,thumbnails & cookies) • Installations • .apk file on the SD card • New databases within /data/data/ (configuration and log files) • New services running on the device • Monitoring number/website • Rooting/jailbreaking of the phone spy vs. spy examining spyware on mobile devices michael robinson | Christopher taylor GimmeThePresentation@gmail.com
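The artifact names and ownspy.log fields called out on the slides above can be checked mechanically against an extraction's file listing and a copy of the log. The following Python is an added example, not part of the original presentation: the function names, indicator labels, sample paths and sample log lines are constructed here from strings legible on the slides, and the URL host and the "registered" value are placeholders because the slides obscure them.

```python
import re
from datetime import datetime

# Substrings named on the slides (OwnSpy/Spyera on iOS, Mobile Spy on Android).
# The labels are this example's own wording.
PATH_INDICATORS = {
    "com.ownspy.": "OwnSpy daemon/launch plist",
    "/Library/OwnSpy.app/": "OwnSpy application bundle",
    "OwnSpyRegister": "OwnSpy registration app",
    "net.mobileinnova.": "Mobile Innovations add-on (libpush/liblocation)",
    "ownspy.log": "OwnSpy log file",
    "/data/data/com.retina22.ms6/": "Mobile Spy app data",
    "com.saurik.Cydia": "Cydia (jailbreak indicator)",
}

LOG_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+\[(\d+):\w+\] (.*)$")
START = re.compile(r"OwnSpy Daemon v(\d+) started", re.I)
DEVICE = re.compile(r"MD5_DeviceId\s*:\s*([0-9A-Fa-f]{32})")
RESELLER = re.compile(r"reseller=([0-9a-f]{32})")
CODE = re.compile(r'"code":\s*"([^"]+)"')


def triage_paths(paths):
    """Return {path: [labels]} for every path matching a slide indicator."""
    hits = {}
    for p in paths:
        labels = sorted(label for needle, label in PATH_INDICATORS.items()
                        if needle.lower() in p.lower())
        if labels:
            hits[p] = labels
    return hits


def parse_ownspy_log(text):
    """Extract timeline and attribution fields from ownspy.log text."""
    out = {"starts": [], "pids": [], "device_id_md5": None,
           "reseller_id": None, "registration_code": None}
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # rm/dpkg output interleaved in the log has no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        pid, msg = int(m.group(2)), m.group(3)
        if pid not in out["pids"]:
            out["pids"].append(pid)  # a new pid marks a daemon restart
        started = START.search(msg)
        if started:
            out["starts"].append((ts, started.group(1), pid))
        for key, rx in (("device_id_md5", DEVICE), ("reseller_id", RESELLER),
                        ("registration_code", CODE)):
            found = rx.search(msg)
            if found and out[key] is None:
                out[key] = found.group(1)
    return out


# Constructed sample inputs (names from the slides; host.invalid is a placeholder).
SAMPLE_PATHS = [
    "/var/mobile/Library/Preferences/com.apple.springboard.plist",
    "/var/mobile/Library/Preferences/com.ownspy.daemon.plist",
    "/var/mobile/Library/Preferences/net.mobileinnova.libhidelocation.plist",
    "/var/mobile/Library/Logs/ownspy.log",
    "/Library/OwnSpy.app/OwnSpyRegister.app/Info.plist",
    "/System/Library/LaunchDaemons/com.ownspy.reload.plist",
    "/data/data/com.retina22.ms6/databases/",
]
SAMPLE_LOG = """\
2012-06-06 05:25:15.562 _kernel[491:707] OwnSpy Daemon v1389 started
2012-06-06 05:25:15.568 _kernel[491:707] Trying to install addons...
dpkg: status database area is locked by another process
2012-06-06 05:25:19.526 _kernel[491:707] MD5_DeviceId : A76FA30350952CE1EBEC2CA489237412
2012-06-06 05:25:19.529 _kernel[491:707] http://host.invalid/?reseller=68a66eb8ee27524824e1b7743c89db1b&osver=5.1
2012-06-06 05:25:20.664 _kernel[491:707] resp = {"registered": 0, "code": "r09607a8"}
2012-06-06 05:25:40.747 _kernel[491:707] Reboot received
2012-06-06 05:25:41.041 _kernel[567:707] OwnSpy Daemon v1389 started
"""

if __name__ == "__main__":
    for path, labels in triage_paths(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(labels))
    print(parse_ownspy_log(SAMPLE_LOG))
```

The first entry in "starts" gives the install-time anchor for a timeline, and the reseller ID, device ID and registration code are the attribution fields to record for legal process.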