I have looked into this, and have found nothing at all except articles. No how to's, No removal techniques. Which leads me to believe that it must be a low level program installed somewhere on a "hidden" rom that we can't access normally. You would think if it was in winmo, someone would have found it by now, and it is in phones that don't even have winmo, hence the program installed on a "hidden" rom laying dormant until activated by remote signal that must be a generic signal identifier for the phones. Just my guess, but it's the only thing i can figure.
EDIT: Ok, so it looks like you have to have a phone that can do Over the Air updates for this to work.
For the mobile phone as eavesdropping tool the OTA update function is not used to transfer firmware or other official software but rather "special" software which can offer one of the following features:
- The standard software user interface is manipulated or overwritten in a way that phone calls which are done over the infiltrated program are not shown.
- This special software is able to accept an incoming connection (e.g. a call from a certain number) without showing this on the mobile phones user interface. This is possible as long as no connection is existing at the same time.
- If the phone gets switched off the software only pretends this (e.g. turning off the display). Incoming or outgoing connections are still possible.
- Even though the mobile phone gets switched off it is in a standby comparable status. The "special" software is operating in the background like the alarm clock function. Connection establishment or answering a call in this status is already possible.
For all mentioned points not only connection establishment of the telephone lines needs to be considered. Also multi media functions like bluetooth can be used for data transfer.
The person carrying the phone will not know that the phone is transmitting his conversation, but an observant owner may notice that the battery is being depleted sooner than expected.