How to pwn a Russian Android botnet
by DimaOdessa, Jul 18, 2015
The story
● Interview in a security lab of a big world-wide known company
● Technical “homework”: reverse engineering of Android malware. “Find out everything you can!”, they said.
Steps
1. Reversing the malware
2. Analyzing the malware’s network protocol
3. Hacking the malware’s command & control server
4. Identifying the hacker
Reversing the malware
Step number uno :)
Reversing the malware
The malware at first glance
● It can’t install itself without the user’s help: a user has to download and install the APK manually…
● ...that’s why the APK looks like another-very-useful-Google-service application :)
Reversing the malware
The malware at first glance
● It steals the user’s SMS, contacts and accounts (from Android Account Manager)
● It sends SMS/USSD from infected devices
● It DDoSes websites from infected devices
● It controls infected devices as a device admin
Reversing the malware
IT’S A PART OF A BOTNET AND IT IS NOT DETECTED
BY MOBILE/DESKTOP AV SOFTWARE AND VIRUSTOTAL :(
Reversing the malware
The malware code at first glance
● written in Java, obfuscated;
● contains no native methods;
● it is full of mistakes :)
Reversing the malware
The malware permissions
● INTERNET and ACCESS_NETWORK_STATE – Internet access
● READ_CONTACTS and GET_ACCOUNTS – access to user accounts (in Account Manager) and contacts
● READ_PHONE_STATE – access to internal system information: device ID, IMEI, device vendor name etc.
● SEND_SMS, RECEIVE_SMS, READ_SMS – accessing the user's SMS
● CALL_PHONE – making phone calls
● SEND_RESPOND_VIA_MESSAGE – allows the malware to send a request to other applications to handle the respond-via-message action during incoming calls
● READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE – R/W access to external storage
● RECEIVE_BOOT_COMPLETED and WAKE_LOCK – start the malware as soon as the OS has booted (autorun) and keep it running even if the device goes to sleep
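To triage an APK by the permission profile just listed, here is an added example (not code from the talk): a small Python script that extracts the <uses-permission> entries from an AndroidManifest.xml, checks whether a device-admin receiver is declared, and flags the permission combinations the slides describe. The manifest is constructed to mirror the slide, the package name and receiver name are placeholders, and the risk rules are the editor's own heuristics, not a rule set from the original analysis.

```python
"""Flag the permission profile from the slide in an AndroidManifest.xml.

Added example, not code from the talk. SAMPLE_MANIFEST is constructed to
mirror the permissions listed on the slide; the risk rules are the editor's
own heuristics.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest reproducing the permission set from the slide.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.googleservice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_RESPOND_VIA_MESSAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Google Service">
    <receiver android:name=".DeviceAdminReceiverS"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability groups: all listed permissions must be present for the group to match.
GROUPS = {
    "network":  ({"android.permission.INTERNET"}, "Internet access"),
    "sms":      ({"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}, "read/intercept SMS"),
    "send_sms": ({"android.permission.SEND_SMS"}, "send SMS/USSD"),
    "identity": ({"android.permission.READ_PHONE_STATE"}, "device ID / IMEI"),
    "accounts": ({"android.permission.GET_ACCOUNTS", "android.permission.READ_CONTACTS"}, "accounts and contacts"),
    "persist":  ({"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.WAKE_LOCK"}, "autorun and stay awake"),
}


def extract_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def requests_device_admin(manifest_xml: str) -> bool:
    """True if any <receiver> is guarded by BIND_DEVICE_ADMIN (a device-admin receiver)."""
    root = ET.fromstring(manifest_xml)
    return any(
        el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for el in root.iter("receiver")
    )


def matched_groups(perms: set) -> list:
    """Names of capability groups whose permissions are all present."""
    return [name for name, (needed, _) in GROUPS.items() if needed <= perms]


def risk_findings(manifest_xml: str) -> list:
    """Human-readable findings; each is a combination worth a closer look (editor's heuristics)."""
    perms = extract_permissions(manifest_xml)
    groups = set(matched_groups(perms))
    findings = []
    if {"sms", "network"} <= groups:
        findings.append("SMS read/intercept + Internet: SMS (incl. one-time codes) can be exfiltrated")
    if {"sms", "identity", "network"} <= groups:
        findings.append("SMS + IMEI + Internet: device can be registered and tracked by a C&C")
    if {"persist", "network"} <= groups:
        findings.append("Boot autorun + wake lock + Internet: persistent background beaconing")
    if "send_sms" in groups:
        findings.append("SEND_SMS: SMS/USSD can be sent from the device without the user")
    if requests_device_admin(manifest_xml):
        findings.append("Device-admin receiver: harder to uninstall once the user grants admin")
    return findings


if __name__ == "__main__":
    for finding in risk_findings(SAMPLE_MANIFEST):
        print("-", finding)
```

On a real sample, feed the decoded AndroidManifest.xml (for example from apktool output) to `risk_findings`; the group table is deliberately small so that adding the permission pairs that matter for your own triage is a one-line change.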
Reversing the malware
The most important malicious components
● Main (Activity) - the main activity. It is started each time a user taps the icon of the malicious APK. It starts the DataRegisterService and OutSms services. Then it shows a fake “Google Service” alert to the user (just because the user probably expects to see something).
● DataRegisterService (Service) - the service is started by the Main activity or the LoaderReceiver receiver. It registers an infected Android device on the malware server. If the device is already registered on the server, the service does nothing. Also, it sets alarms for the ConnectChecker and AdminBroadcast receivers.
● LoaderReceiver (Receiver) - the receiver is started after Android reboots. It starts the DataRegisterService and OutSms services. Also, it starts DeviceAdminActivity if j.u (isAdmin) is false.
● OutSmsListner (Receiver) - once a minute the receiver checks the list of SMS sent by the user. If it finds any new SMS (here “new” means “new since the last check”) in the list, it sends them to the server one by one.
Reversing the malware
The most important malicious components
● ConnectChecker (Receiver) - the receiver is started periodically by the repeating three-hour alarm set by DataRegisterService. Every 30 seconds the receiver requests a command from the malware server.
● AdminBroadcast (Receiver) - the receiver is started periodically by the repeating three-hour alarm set by DataRegisterService. The receiver starts the DeviceAdminActivity activity if the j.u (isAdmin) flag is not set.
● OutSms (Service) - the service is started by the Main activity and the LoaderReceiver receiver. It creates a one-minute-repeating pending intent to call the OutSmsListner receiver.
● DeviceAdminReceiverS (Receiver) - the receiver is started by the OS after DeviceAdminActivity has tried to trick the user (asking them to add the malware to the device administrators). The receiver reports the result to the malware server and changes the j.u (isAdmin) flag depending on the result.
Reversing the malware
Malware lifecycle: first start (simplified)
● Main activity shows a fake this-is-Google-service messagebox
● DataRegisterService service registers the infected device on the malware’s command & control center
Reversing the malware
Malware lifecycle: first start (simplified)
● OutSmsListner receiver steals the user’s SMS and does background checks (once a minute) for new SMS to steal them as well
● ConnectChecker receiver does background checks (every 30 sec) for a new command from the command & control center
Reversing the malware
Malware lifecycle: first start (simplified)
● AdminBroadcast receiver starts DeviceAdminActivity, which uses the android.app.action.ADD_DEVICE_ADMIN intent to ask the user for Device Admin permissions (possible for Android > 2.1)
Reversing the malware
For the security of the device, Google Play requires administrator privileges.
Analyzing the malware’s network protocol
Step number zwei
Analyzing the malware’s protocol
The protocol at first glance
● it is built over HTTPS
● it uses JSON for sending data / receiving commands
● it does not encrypt / sign traffic
Analyzing the malware’s protocol
Posting data to malware C&C center (headers)
● Method: POST
● URL: <domain>/marry4/set/<DeviceID>/
● Custom headers: no
Analyzing the malware’s protocol
Posting data to malware C&C center (body)
type=<request type>
json={ "<key1>": <value1>, "<key2>": <value2>, ... "<keyN>": <valueN> }
Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your request, have no commands for you at the moment”)...
● ...or a command for the infected device (see next slides)
Analyzing the malware’s protocol
Asking the C&C center for a command
● Method: GET
● URL: <domain>/marry4/get/<DeviceID>/
● Custom headers: no
Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your request, have no commands for you at the moment”)...
● ...or a command for the infected device (see next slides)
Analyzing the malware’s protocol
A command from the C&C center (format):
{ 'type':task, 'task':[ "<Task type>", <DeviceID>, < ...data for the task (depends on the task)... > ] }
Analyzing the malware’s protocol
A command from the C&C center (example):
{'type':task, 'task':["sms",359930048604909,"900","BALANCE","2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}
Legend (in order after the task type "sms"): DeviceID, number to send the SMS to, SMS text, date, unique ID of the task
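As an added example (not code from the talk), the following Python turns the protocol description above into a detector: it recognises the two URL shapes (POST .../marry4/set/<DeviceID>/ and GET .../marry4/get/<DeviceID>/), decodes the POST body, maps a task array onto the legend fields, and measures the interval between GET beacons over a few constructed proxy log lines. It assumes the body fields are separated by '&' and URL-encoded, that the command is valid JSON with "task" quoted (the slides write it loosely), and uses the placeholder host c2.example.invalid; the log format is the editor's own.

```python
"""Parse and flag traffic matching the C&C protocol described on the slides.

Added example, not part of the original talk. The log lines and the JSON
command are constructed to follow the URL and body formats on the slides;
the task layout follows the slide legend (type, DeviceID, number, SMS text,
date, task id). The command is assumed to be valid JSON with "task" quoted.
"""
import json
import re
from datetime import datetime
from urllib.parse import parse_qs

# URL paths from the slides: POST /marry4/set/<DeviceID>/ and GET /marry4/get/<DeviceID>/
C2_PATH = re.compile(r"^/marry4/(?P<op>set|get)/(?P<device_id>\d+)/$")

# Constructed proxy log lines: "<ISO timestamp> <method> <host> <path> [body]"
SAMPLE_LOG = """\
2014-03-27T15:32:00+04:00 GET c2.example.invalid /marry4/get/359930048604909/
2014-03-27T15:32:30+04:00 GET c2.example.invalid /marry4/get/359930048604909/
2014-03-27T15:32:35+04:00 GET www.example.invalid /index.html
2014-03-27T15:33:00+04:00 GET c2.example.invalid /marry4/get/359930048604909/
2014-03-27T15:33:10+04:00 POST c2.example.invalid /marry4/set/359930048604909/ type=sms&json=%7B%22from%22%3A%22900%22%2C%22text%22%3A%22BALANCE%22%7D
"""

# Constructed command in the slide's layout (assumed valid JSON, see docstring).
SAMPLE_COMMAND = ('{"type":"task","task":["sms",359930048604909,"900","BALANCE",'
                  '"2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}')


def parse_log_line(line: str) -> dict:
    """Split one constructed log line into its fields (the body is optional)."""
    parts = line.split(" ", 4)
    ts, method, host, path = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    return {"ts": datetime.fromisoformat(ts), "method": method,
            "host": host, "path": path, "body": body}


def parse_report_body(body: str) -> dict:
    """Decode the POST body `type=<request type>&json=<JSON object>`."""
    fields = parse_qs(body)
    return {"type": fields.get("type", [""])[0],
            "json": json.loads(fields.get("json", ["{}"])[0])}


def parse_command(raw: str) -> dict:
    """Map the task array onto the legend fields; {} when no command is pending."""
    msg = json.loads(raw)
    if msg.get("type") != "task":
        return {}  # e.g. {"registred": "complited"}: no command for the device
    task = msg["task"]
    if task[0] == "sms" and len(task) == 6:
        kind, device_id, number, text, date, task_id = task
        return {"task_type": kind, "device_id": device_id, "number": number,
                "text": text, "date": date, "task_id": task_id}
    # Other task types: keep the common prefix and the raw payload.
    return {"task_type": task[0], "device_id": task[1], "raw": task[2:]}


def find_c2_events(log_text: str) -> list:
    """Return C&C beacons (get) and reports (set) found in the log, in order."""
    events = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        m = C2_PATH.match(rec["path"])
        if not m:
            continue
        ev = {"ts": rec["ts"], "op": m["op"], "device_id": m["device_id"]}
        if m["op"] == "set" and rec["method"] == "POST":
            ev["report"] = parse_report_body(rec["body"])
        events.append(ev)
    return events


def beacon_intervals(events: list) -> list:
    """Seconds between consecutive GET beacons (the slides describe a 30 s poll)."""
    gets = [e["ts"] for e in events if e["op"] == "get"]
    return [int((b - a).total_seconds()) for a, b in zip(gets, gets[1:])]


if __name__ == "__main__":
    evs = find_c2_events(SAMPLE_LOG)
    print(len(evs), "C&C events, beacon intervals:", beacon_intervals(evs))
    print("decoded command:", parse_command(SAMPLE_COMMAND))
```

The path regex alone is a usable proxy or IDS signature for this family; the interval check is what separates a real infected device (a steady 30-second GET poll) from a one-off hit, and the decoded task tells the analyst which number and text the bot was told to send.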
Hacking the malware’s command & control server
Step number 3 ;-)
Hacking the C&C center
Our first move: we feed malformed links and data to the C&C server; after several tries, we crash it
Hacking the C&C center
Now we know two important things:
● The exact script URL is <domain>/ontasks.php
● On the server, the PHP setting display_errors allows script errors to be seen in the browser
Hacking the C&C center
Our second move: call the script directly
Hacking the C&C center
As a result, we know that the script needs base and imei (probably, they are script parameters).
Hacking the C&C center
Our third move: call the script directly with arbitrary base parameter
Hacking the C&C center
We crashed the script, again, but this time we got login/password :)
Well, OK, how to use it?
Hacking the C&C center
Let’s just try the most commonly used subdomains: mail.*, ftp.* etc.
Are we lucky?
Hacking the C&C center
YES, WE ARE!:)))))))))))
Hacking the C&C center
With the login/password we enter the C&C control panel...
Hacking the C&C center
...and the C&C center database
Hacking the C&C center
Some facts about the botnet’s frontend:
● The botnet started in Nov 2013
● The botnet is not the first try, but probably the most successful
● The botnet’s frontend is written with PHP+MySQL
Hacking the C&C center
Some facts from the botnet’s database:
● Over 50 000 active infected devices, mostly from the ex-USSR
● Over 1 000 000 stolen users’ SMS (including passwords and 2FA SMS)
● Traces of at least 3 massive DDoS attacks with the botnet
Hacking the C&C center
SMS examples (passwords):
● Your login: 79123248600\nYour new password: 92pubelu\nYour request to restore access to your page on the VKontakte site has been approved.
● Access to the site mp3poisk.ru: login - fkiwpxgf, password - lRe4XXrj
● To access the "MegaFon" self-service web services, use login: 9285693647 and password: XOSBHG.
Hacking the C&C center
SMS examples (passwords to porn sites):
● Access to the site blontex.net: login - j26445, password – 10752
● Access to russiangirlsvideo.com: login 160528 and password 11264
● Access to the site mobzoneoo.com: login - upopuamd, password - JL28qOJa
Hacking the C&C center
SMS examples (love correspondence):
● I love you, you're the best for me, I hope everything will be f... great for us, I can't go on without you anymore )*****
● Aaa.:* my darling, my bald happiness, I love you;*)
● I'm not a pervert :-( I love you very much :-*
Hacking the C&C center
SMS examples (Crimea, SMS from a contract soldier from Russia):
● Hi. Already in Crimea, but haven't reached the place yet. Troops are being massed. We're going to the border too.
● Simfer[opol], State Duma. Airports. Telegraph offices. Moving out to Crimea, ships at sea.. 160 thousand fighters. Urals, choppers, Cossacks. That's it... In "khokhland" [derogatory for Ukraine] there are Banderites and bandits. They're asking NATO to intervene.
Hacking the C&C center
SMS examples (drugs):
● I wanted to give you drugs, but now definitely fuck no
● Whoever I owe, I forgive everyone :-) And stop calling me about drugs
● Misha, I'm still going to have a word with you about the weed you brought and smoked!!!! Do you want a fight?
Identifying the hacker
The last step
“Bad boys, bad boys, what you gonna do? What you gonna do when they come for you?” --
Identifying the hacker
● Male, 29 y.o., not married
● Russian, lives in Siberia
● PhD student in Computer Science
● No criminal record
● Full name, phone, email, home address, photo are KNOWN!
Finally, what was left out?
● Details which could break the privacy of the customer and/or the hacker (thanks for your understanding!)
● Hacking the hacker’s email, his sites in the i2p ‘darknet’, and other related accounts
● The ‘economics’ of the botnet: prices, black cashout etc.
P.S.
AT THE BEGINNING OF APRIL 2014 THE BOTNET WAS DESTROYED ;)