Some guy on Android dev subreddit discord server asked for help with his notepad app.
He kept asking everyone to try it without explaining the actual problem.
I've decided to download a copy to decompile it and then I've noticed some stuff in it.
As I've managed to find the original of this app,
I'll show you the comparison between decompiled versions of these copies.
Just in a sec.
First of all, there are loads of permissions that don't fit the app.
Along with that, there's a package inside of application that doesn't fit the rest of application.
That's because he wasn't actually looking for help.
The app that he posted is legitimate,
but it also contains a Metasploit framework backdoor.
The backdoor from this app allows the attacker to gain access to the victim's device remotely.
I'm not quite sure why he tried to deceive actual developers in discord server for Android development,
but he decided to ragequit after we warned others about it.
Therefore, I'll try to demonstrate the behavior of this backdoor... more or less.
I've decompiled and transferred malicious parts of app to a separate project.
To make this story short: These are anonymous classes that...
have some kind of behavior inside of main classes, these three.
So, I'll skip those and I'll just explain those three.
So this a broadcast receiver that starts malicious service when the system boots up.
This is a service that invokes main method of malicious code,
and finally, this is the core of malicious behavior.
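The two red flags called out above (permissions that do not fit a notepad, and a foreign package with a boot-time broadcast receiver plus a service) can be checked mechanically from the decompiled AndroidManifest.xml. The following triage script is an added example, not code from the original post or from the app it describes; the manifest it parses is constructed to resemble the trojanized notepad, the "expected" permission set is my own baseline for a plain notepad app, and the component names (`com.example.dropped.*`) are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Baseline: what a plain offline notepad app plausibly needs (assumption, not
# taken from the post). Anything outside this set is reported for review.
EXPECTED_NOTEPAD_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest modelled on the post's description: a legitimate notepad
# package plus a second, unrelated package holding a boot receiver and a service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Notepad">
        <activity android:name="com.example.notepad.MainActivity"/>
        <receiver android:name="com.example.dropped.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name="com.example.dropped.PayloadService"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text, expected_permissions=EXPECTED_NOTEPAD_PERMISSIONS):
    """Return the indicators a reviewer would want to see for a decompiled manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package") or ""
    findings = {
        "package": package,
        "unexpected_permissions": [],
        "boot_receivers": [],
        "foreign_components": [],   # components whose class lives outside the app package
    }

    for up in root.findall("uses-permission"):
        name = up.get(ANDROID + "name")
        if name and name not in expected_permissions:
            findings["unexpected_permissions"].append(name)

    app = root.find("application")
    for comp in (app if app is not None else []):
        name = comp.get(ANDROID + "name")
        if not name:
            continue
        # A class that does not sit under the declared package is the
        # "package that doesn't fit the rest of the application" from the post.
        if not name.startswith(package + "."):
            findings["foreign_components"].append((comp.tag, name))
        # Receivers registered for BOOT_COMPLETED give the dropped code persistence.
        if comp.tag == "receiver":
            for action in comp.iter("action"):
                if action.get(ANDROID + "name") == BOOT_ACTION:
                    findings["boot_receivers"].append(name)
    return findings


def verdict(findings):
    """Crude rule: foreign code + boot persistence + surveillance-grade permissions."""
    return (bool(findings["foreign_components"])
            and bool(findings["boot_receivers"])
            and len(findings["unexpected_permissions"]) >= 3)


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", verdict(result))
```

Run it against the manifest that apktool or jadx recovers from the APK; the foreign-component check is the cheap win, because a dropped payload package rarely bothers to rename itself under the host app's namespace.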
We'll try to install the app from the project for now, which contains fewer logs for possible details, more or less.
Yeah so, we'll launch it. It's here. So, plain and simple "hello world."
So, the cycle goes more or less, eh... like this.
First of all, it will get the path of private app data folder where it will save JAR file (Java Archive).
This file contains a remote administration tool...
or whatever else that will take the control of your device.
After that, it will try to parse the address and port of the payload listener through various parts of the code, including this part.
It's a long byte array.
So, this makes it harder to find out what's the actual address and port in some way.
When the address and port are defined, it will connect to the payload listener, or retry in a few seconds if it fails.
When the connection is established, it will download the JAR file and use it to remotely control the device.
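The listener address and port being spread through a long byte array is a common obfuscation an analyst has to undo before the sample can be attributed or blocked. As an added example (not code from the post or from the app), here is a small "strings"-style extractor for byte-array literals in decompiled Java source: it parses each `byte[] name = { ... }` initializer, including negative values and `(byte)` casts as decompilers emit them, and prints the printable runs found inside. The Java snippet it scans is constructed; the host `example.invalid:4444` is a placeholder, not an address from the sample.

```python
import re

# Matches `byte[] NAME = { ... }` initializers spanning any number of lines.
BYTE_ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}", re.S)

# Constructed decompiled fragment: four marker bytes, a 4-byte big-endian
# length, then ASCII connection details. Layout is illustrative only.
SAMPLE_JAVA = """
public final class Config {
    private static final byte[] DATA = {
        (byte) -34, (byte) -83, -66, -17,
        0, 0, 0, 26,
        116, 99, 112, 58, 47, 47,
        101, 120, 97, 109, 112, 108, 101, 46,
        105, 110, 118, 97, 108, 105, 100, 58,
        52, 52, 52, 52
    };
    private static final byte[] SHORT = { 1, 2, 3 };
}
"""


def parse_java_byte_literal(token):
    """Turn one Java byte literal ('-34', '(byte) -34', '0x7f') into 0..255."""
    token = token.strip()
    if token.startswith("(byte)"):
        token = token[len("(byte)"):].strip()
    value = int(token, 16) if token.lower().startswith(("0x", "-0x")) else int(token)
    return value & 0xFF


def printable_runs(data, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    runs, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def find_embedded_strings(java_source, min_elems=32, min_len=4):
    """Scan Java source for large byte[] literals and report the strings inside."""
    results = []
    for match in BYTE_ARRAY_RE.finditer(java_source):
        name, body = match.group(1), match.group(2)
        tokens = [t for t in body.split(",") if t.strip()]
        if len(tokens) < min_elems:      # skip small, uninteresting arrays
            continue
        data = bytes(parse_java_byte_literal(t) for t in tokens)
        results.append({"name": name, "size": len(data),
                        "strings": printable_runs(data, min_len)})
    return results


if __name__ == "__main__":
    for hit in find_embedded_strings(SAMPLE_JAVA):
        print(f"{hit['name']} ({hit['size']} bytes): {hit['strings']}")
```

Point it at the directory jadx writes and grep the output for `tcp://`, hostnames or port-looking numbers; a hit gives you the indicator to block at the egress proxy or DNS resolver, which is the defensive use of this information.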
You can see that it tries to...
connect to ngrok.io, as we could be able to see it over here,
which is actually a legitimate service for exposing local servers online.
To make this thing work again, I'll use, uh...
Kali Linux with Metasploit framework console, and use it to expose payload server through ngrok service.
So we'll go put this on background,
and then we'll run ngrok on Kali to expose specific TCP port.
Ok, so to make sure that the app is able to connect,
you'll have to replace the address and port in code with the ones that ngrok service gave.
So we'll switch that...
... find the place. This is it. We'll replace the code.
Actually, the variables. First the address just in case.
Then the port.
And then, we run the app again.
So it should relaunch.
And let's check the logs.
So this is the old port, but this is the actual one we're trying to connect, which is this. Oops.
So it's able to connect this time,
but it's not able to get any kind of data because we still didn't set up the payload, as in the payload listener.
So, we'll do this now. Let's minimize this...
...go back in here, and...
... we'll launch the Metasploit framework console,
and then we'll start the actual payload listener.
So we'll wait until it starts up.
Okay, so now the payload listener is running and *we should gibberish* we should be able to get a new session soon.
Okay, we got it.
Let's check it over here.
So I managed to download the actual file, and now it should be able to...
We are able to access the actual device from the terminal and we can do whatever the app has permissions to do.
So, we'll check a few options.
And we'll start with a few of those, from the top.
Well, from the top of Android commands, so we'll start with a few activities.
This is basically the URI (uri) Intent... actually, it's your string which is supposed to launch the intent for telephone number,
which is in this case for the phone...
... and then for the web...
So, this launches the Chrome browser.
And then, we'll continue with few other things.
Well, I've tried to run some other kind of activities from...
... well with... from explicit intent, but that doesn't work quite well in this case.
So, we'll continue with other stuff.
So, we can see that the device is rooted...
... and then we'll try to dump all these call logs, contacts list and SMS messages.
Okay, so all those files are saved in the home folder, so I can check it out over here.
So we have the call log, I'll show it over here.
It's pretty much the same thing.
So, missed call, outgoing call and the incoming call.
The contacts, which is the only one.
And then, for the SMS.
Okay, so what's next?
So, geolocation should be able to get the...
... geolocation (GPS coordinates) of the device, but that doesn't work in this case.
"Hide app icon" should hide the actual icon of the notepad from the launcher.
So, it's not kind of possible to launch it in this case,
but it should be still able to stay in the memory, and it's still listed in the apps list.
Just to make sure...
Yeah, it's still here... and still running.
Interval collect pretty much just getting the data from the...
... from, how to say...
from Wi-Fi, cellular networks and geolocation data, in a way that it tracks probably all those stations and networks
as in to check all those Wi-Fi, how to say...
...Wi-Fi access points.
The geolocations of probably nearby places, as I've tried and it doesn't work in emulator...
and for cellular... probably just cellular networks (names and signal strength) that are on, well...
... around the well, network. How else to say it... Sorry. (Couldn't think of better way to explain it.)
So, we'll skip that and we'll go to something simple.
Send SMS is basically just sending an SMS message to some... destination number.
I've already tried that before, so I'll try it again.
So first, destination number...
I don't remember the actual quote from the "Wargames," but still...
I'm probably doing this wrong, but never mind.
Yeah, I'm probably doing it wrong, but the SMS is sent, either way.
So, the next thing is setting the ringer mode which is basically setting the...
...audio of the actual ringer of the device (ring volume), not the actual audio (media volume).
Just give me a sec.
Okay, so it will only change this part.
By default, it will just set it to '1', which is basically the default value.
Whoops.
We'll go to the '0'.
Oh, shoot.
We have to set first the option.
So, now it's set to '0', which is basically on mute.
If you put it to '1', it will put it to default and then if you set it to '2'...
... then it will go to maximum volume.
Well, the SQLite query is basically performing a query from databases in local storage.
So, we'll skip that because I don't know any kind of...
... database in this case and for wakelock is basically the...
wakelock management for the app.
And in this case, as much as I've managed to find out...
Just a sec.
It's able to at least turn on the screen. That's pretty much I know.
For those advanced wakelock flags, that's pretty much...
Not a thing I still know.
So I didn't... how to say, research that far.
So, I will just turn the screen on remotely in this case.
Plain simple.
And... WLAN geolocate is basically indicating the geolocation data with WLAN, but...
That's pretty much kind of broken in this case, it doesn't seem to work.
And there are pretty much no, how to say... arguments, even though it says there is some kind of error in this case.
Okay, so we are pretty much done with Android commands.
So, we'll take a... you can also try to take a snap of webcams, or actually camera, so we'll do that.
And there you have it.
There's the actual picture of the camera, because the emulator has this kind of...
...camera emulation.
And that's pretty much about the camera itself.
I've tried to do the streaming and that caused pretty much lots of lags, so I'll skip that.
Well, that's all, well...
With accessing the actual phone you should be able to access the actual, how to say, shell terminal or shell...
... or the actual system itself, but for now...
Oh, shoot.
Well, that's pretty much about it.
Bye.