
BSidesTO2017 Adam Bauer and Christoph T Hebeisen

BSides Toronto · 25:57 · Published 2018-01

Hey, and good morning. Both Adam and I work on the app security intelligence team at Lookout Mobile Security. So if you wanted to find out everything about a person, would you really still want to skim data off of their PC or their Mac? I mean, in all seriousness: your phone has two cameras, two or more microphones, it has a GPS receiver, it comes with you into every business meeting, and it's sitting by your bedside when you go to sleep. As far as I'm concerned, that's the juiciest target that there is. Maybe I'll switch to the next slide. There we go. So I think we are all aware that we are making some privacy trade-offs in return for free apps or free information. This is a probably somewhat incomplete list of all of the information on your phone. I tried to sort it in order of increasing intrusiveness, but that's somewhat subjective, I suppose, and we all have some kind of threshold where we don't want an advertiser or any app developer to know about that data. So take a second or two and think about where you would draw the line here for yourself. We'll get back to this slide later, but for the moment let me switch gears and talk about how personal data is accessed on mobile devices.

So I'll talk about Android because it's the system I'm most familiar with. As most of you know, Android uses the Linux kernel with some extensions, and it also uses its security model, but it kind of turns it upside down: UIDs are usually associated with a user on a Linux system; on Android they are associated with apps. As you can see here, every app on the device (I hope this is readable) has its own private directory that is under its own UID, and other apps can't read what's in there by default. So for some reason pesky app developers actually want access to some personal data. I'm not sure why, but they want to offer location-based services, they want to actually do things like help you edit your pictures or any such thing. So Google built a number of ways to do stuff like that into the Android system. There are some APIs for photos, some things are done via the file system; again, this is probably a somewhat incomplete list up there. These things are controlled by permissions, which are mostly implemented as Unix groups on Android, and you can see here a listing of some files in the /dev file system on a Nexus 5X, and you can see how the groups determine access to them. So obviously every one of you checks every permission of every app you install on your device, because, yes... I think the vast majority of people does not.

So thus far I've been talking about access as intended. What happens if the device actually gets compromised? As you might have expected, all of those nice restrictions go out the window: we can directly read all of the SQLite databases if a device is rooted, and just to show that point, I demonstrated how uncomplicated it would be to read, say, WhatsApp data, the WhatsApp database, and look at all of the messages in there. So all of the end-to-end encryption in the world is not gonna save you if your device is compromised. And again, I'm sure all of your phones get updates directly from Google the day after they come out...

I'll leave that one for you to figure out. So where do we stand on the exposure of personal data at this point? Without root access, just due to permissions, all of the things in bold can be accessed, and I think this really drives home the point that we need to be very, very careful about what permissions allow on devices and what capabilities there are in each app. And also, if you remember the line that you drew earlier, I'm pretty sure there are some that are beyond the line here. Once the device is rooted, as expected, absolutely everything is opened, and a whole bunch of things that are not even on this list, such as Wi-Fi passwords, authentication tokens and so on.

So on that note, let's look at our first example of an app that is just a little bit too curious. Igexin is an ad SDK that was present in literally hundreds of apps on Google Play; the cumulative download count was over a hundred million. In February, Adam was investigating an app for completely unrelated reasons and noticed some suspicious activity.

So here's our sort of suspicious activity. This is something I saw in a packet capture, and it's some type of binary payload getting downloaded over HTTP. It's an unknown file format; it's likely an encrypted file. We see this sort of traffic from malware obfuscating malicious payloads, but it doesn't necessarily mean much. The main question here is, what's the app doing with these files? And here's what I found when I looked: they're jar files, and what's generating the requests is an SDK; it's bundled in tens of thousands of apps. What's on display there is instantiation of the DexClassLoader. Not pictured here: the jars are XOR encrypted, and the multibyte key is included with the download URL, which is sent from a REST API that the SDK communicates with. You can see from the code sample that decrypted copies get deleted from the disk after load. The next step in looking at this was to decrypt payloads and see if they had anything interesting in them. There's lots of ways to do this; here's the one that I used and that I often tend to use: I replaced dex2oat on a newer Android system with a shell script, and this just dumps any loaded jar/APK files to external storage. I wouldn't necessarily recommend this approach; there are generally cleaner ways to do this, but it does work, and I got quite a few jar files to look at. Here's what I'd consider to be the payload of special interest, and what this does is it registers a PhoneStateListener that logs all incoming calls, duration and phone number, and then this call log data gets uploaded through a REST API call.

So we can see sort of malicious behavior at this point, in that this SDK doesn't disclose that it does this sort of thing. Let's step back for a moment and take a look at the network traffic with a couple of goals in mind. One would be to confirm that traffic with phone numbers is actually going back to the C2 and that the numbers are actually able to be read, and also we'd like to be able to view the traffic from the API and make sure that our understanding of the plugin load process is actually accurate. So in terms of how the plugin load process works: the SDK sends out SDK config requests; the server responds with responses that will have encrypted jar file URLs and the XOR keys for decryption; plugins get downloaded; the plugin code gets loaded; there's a time delay; then "business intelligence" data gets uploaded. That's call logs, but also location information, list of installed apps, things like that. So fortunately the API traffic is mostly pretty easy to deal with. Traffic's base64 encoded, and then when it's decoded the first 16 bytes are an MD5 checksum for the message body, and then the message body is just gzip-compressed JSON. So it's fairly straightforward to write a pcap parser to process those, and there's the plaintext on the slide there.

Here's a look at the call log upload payloads: base64-encoded, pipe-separated data. The type 22 is call logs, and base64 decoded that looks like this. It is field 5 that contains the phone number, and that's again base64 encoded and RC4 encrypted. Half the key is in the message, in one of the fields, and the other half is just hard-coded into the app. So this is enough to actually decrypt phone numbers and actually view them. That's what a key looks like, and we can see that we can take a phone number now and decrypt it. So that covers maybe two-thirds of the apps. In newer SDK versions the encryption is altered to be quite a bit more sophisticated: all the code was moved out into a native library, and payloads are AES encrypted using a randomly generated key, and then in the HTTP header the key is sent, but it's RSA encrypted with a public key that gets bundled with the app. So the way to deal with these payloads is that we need to dump them from memory, and you can see an example of that on the slide as well. It's probably good to keep in mind that it's difficult for an app to keep secrets from another privileged app on a device, and we'll come back to that a bit more when we talk about targeted surveillanceware.

So ultimately we were able to work with Google and some of the other vendors and get hundreds of apps either removed or updated in the Play Store. For what it's worth, the SDK vendor has made some statements, after this started getting press coverage, that they weren't actively using the decrypted data. Whether you believe this or not, what the vendor is doing at the moment is probably not the only privacy concern.

Okay, so from here we're going to talk about purpose-built surveillanceware. The motivation of advertisers for spying on you is usually to sell you more stuff. The next set of apps we are going to look at is usually installed with a much less benign intent: to actually purposely spy on you and find out interesting information.

These are the screenshots of the web pages of some vendors of commercial surveillanceware, if you will, the bucket of deplorables. As you can see, there's absolutely no shortage of these apps. They tend to be used by jealous romantic partners, maybe people who want to blackmail you, or very overly curious employers. The creators of these apps are usually fully aware of the unsavory nature of what they are doing, so they kind of try to hide the intent somewhat, or some of them do anyway, and try to sell the apps as theft protection apps or backup (I'm not sure how exactly they managed to swing that) or child protection apps.

So here we've got an example of this type of app. It's called Mobile Recorder, and discovering these apps is quite a bit easier than something like a misbehaving ad SDK, because they have websites like this; they advertise very publicly. So this says it's the best app for tracking spouse, child or employees. That's probably not true; it's not particularly well implemented, but it does do what it says it does. Let's take a short look at the app's capabilities, and we'll see how it's structured. So this type of surveillanceware pretty much always requires physical access to a device to deploy. This one doesn't use any capabilities which need root, which is fairly typical; some of the apps will provide sort of expanded functionality if they're installed on a rooted device, but usually this sort of thing is never bundled with exploits. This particular app is fairly small and easy to understand. On launch it sets up some content observers to monitor call logs and SMS messages, and then it creates a number of services which get sent broadcast messages either on a schedule or in response to certain events. So here's a rundown of some of the services where the core features are implemented; you can see on the slide there they all use standard Android. And here's the listing of some of the other more interesting capabilities. One thing that's sort of of note is that this app does try to intercept notifications, which is a reasonable way to get data from third-party apps without actually having root. Another thing that might be interesting is the mobile data or Wi-Fi toggle; it's probably offered because it might be required to upload data back to a C2. So this is just the SMS content observer on the screen. One thing I've noted also: it parses inbound commands. Typically these types of apps will only offer hiding functionality to hide their icons, so there's going to be places in a device UI where the app is still visible, but the user is just less likely to notice that it's on a device. This app offers two control channels, SMS and HTTP. SMS commands just get identified through a magic string, and HTTP commands are received just by polling an endpoint. Data upload doesn't use any special encoding; it's just either a serialized hash map serialized to JSON, or file uploads like images are uploaded as multipart form data, so standard file upload. This app does offer configuration to limit data usage.

So we got a couple of apps taken down from the Play Store, and you can see that now the vendor has been caught, their website's been updated, promoting them as a backup app, which I think Christoph said is a pretty common strategy, and you'll see them advertised elsewhere, so people are clued in to their real purpose.

So in summer 2016, Citizen Lab from the University of Toronto approached us with a surveillanceware that had been used to target a high-profile activist in the United Arab Emirates. The malware was aimed at iOS, and it used three zero-day exploits, one on Mobile Safari, two on the iOS kernel, to remotely jailbreak the device and then install the actual surveillanceware. The malware had been created by a company called the NSO Group, and they refer to it as Pegasus. NSO's business is what is generally called lawful intercept: their customers are police forces, other law enforcement agencies, secret services and so on. We know that UAE, Mexico and Panama are among their customers, but there are certainly more. The target market appears to be countries that are rich enough to afford the price tag of such a commercial, professional surveillanceware but not to develop their own. The licensing cost per individual target of this is $25,000, as we know from some information that has leaked out. Citizen Lab members have actually written an excellent series of articles on all of the known targets of Pegasus and how they were being targeted.

So as soon as we had that in our hands, we knew there is probably an Android version of this, and so we went out hunting for it. We also figured, given the price tag, this is probably not very common; this is not a mass phenomenon, this is not gonna be on millions of phones. But we have visibility into over a hundred million devices and 50 million apps, and we did actually find some traces of this, some evidence if you will. So we decided to get Google involved, because they certainly have better visibility into the Android ecosystem than we did, and lo and behold, a couple months later Google got back to us with an actual 2014 version of Pegasus on Android. So we published a joint technical report with Google in April of this year on the surveillanceware. Handy for Google, Pegasus has a twin brother in Greek mythology who is called Chrysaor; both of them were born from the Gorgon Medusa as Perseus chopped off her head. That's why she doesn't have a head in the middle there. The problem is nobody can pronounce that, so Google called it Chrysaor, we call it Pegasus on Android, but frankly NSO had the best name for this thing, I think. They very conveniently left in their logging class when they shipped the app, and right there you can see they refer to it as JigglyPuff. What on earth is a JigglyPuff? I didn't know, but from the laughs I can tell that probably some of you know. So I think rather than talk about the Pegasus implementation, we should

probably just show it to you in operation. Yeah, I think that's a good idea. So, is this on the Chrysaor network? You sure? Oh no, okay, go off that one, it's your laptop. So I'll talk a little bit about what you're gonna see while Christoph goes to that. We had a Pegasus app sample; we did not have a sample of the C2, and we're very unlikely to get one, because NSO only sells to governments. So I wrote one to actually exercise the app. We've put a UI on it for demonstration purposes, and that's what you're going to see now. We're making an effort here to show the phone screen. Well, I think we're going to say, your own luck with showing the phone... I got it. So what Christoph is doing is he's visiting a browser URL in the phone. Typically how Pegasus is configured is it's configured out of browser history. What it does on initial launch is it goes through browser history, parses out URLs looking for a magic string, and then it parses the parameters in this URL with a magic string; that's where it reads its configuration from, things like which C2 to beacon out to, which SMS number to receive commands from. And it looks like he's got it deployed. Yeah, so we should see the phone connect here in a second, and then we'll see it start to send data. Yeah, there we go. It's too small though, that's not good.

That is it, yeah, that's right, it's just off the screen here. Hang on, I can actually... I think that looks worse. This isn't good. Yeah, there we go. This looks kind of bad, but I guess we'll make do. Okay, so here's some data we've exfiltrated, and I'm gonna kick off a screenshot capture as well here. This looks a lot better, not on a projector; a funny resolution. So here we can see we're getting data from third-party apps, and that's because Pegasus does rooting; it bundled Framaroot, a root exploit kit, at least in the sample we have. So we can look at, say, some email data here while we wait for a screenshot to come in. This is Gmail data, and what it's doing is it chmod 777s the Gmail database and then just selects data out of it. So that's what your mails look like when Pegasus uploads them. Data is encrypted when it's sent to the C2, but the plaintext is XML, and each data type is structured in a different way, like we can see calendar data here; that's what that looks like. And we'll probably have a screenshot very shortly here. We'll take a look at Twitter too, or WhatsApp. So there's a WhatsApp message.

Yeah, we were hoping to show a screenshot of the device, which takes about two minutes; Pegasus doesn't deal very well with a lower polling interval than that. There we go, so here's what a screenshot looks like. That's Christoph's device. Thanks. [Applause]
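As an added illustration, not part of the talk and not Lookout's tooling: a decoder for the Igexin upload envelope and call-log record layout the speakers describe (base64, a 16-byte MD5 prefix, gzip-compressed JSON; pipe-separated records with an RC4-encrypted phone number under a key split between the message and the app). The sample traffic is constructed, the hard-coded key half is a placeholder, and the zero-based field indices, the index of the in-message key half and the key order are assumptions the talk does not state.

```python
import base64
import gzip
import hashlib
import json

# Envelope per the talk: base64( md5(body) [16 bytes] + gzip(JSON) ). Records per the
# talk: base64 of pipe-separated fields; type 22 = call logs; field 5 = phone number,
# base64-encoded and RC4-encrypted with half the key in the record, half in the app.
HARDCODED_KEY_HALF = b"APPHALF0"  # placeholder: the real app's half is not on the page
TYPE_FIELD, KEY_FIELD, PHONE_FIELD = 0, 4, 5  # assumed zero-based indices (field 5 = number)
CALL_LOG_TYPE = "22"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_envelope(b64_text: str) -> dict:
    """Base64-decode, check the 16-byte MD5 prefix against the gzip body, parse the JSON."""
    raw = base64.b64decode(b64_text)
    digest, body = raw[:16], raw[16:]
    if hashlib.md5(body).digest() != digest:
        raise ValueError("MD5 prefix does not match message body")
    return json.loads(gzip.decompress(body).decode())


def decrypt_call_log_record(b64_record: str):
    """Return {'type', 'number', 'fields'} for a type-22 record, None for other types."""
    fields = base64.b64decode(b64_record).decode().split("|")
    if fields[TYPE_FIELD] != CALL_LOG_TYPE:
        return None
    key = fields[KEY_FIELD].encode() + HARDCODED_KEY_HALF  # assumed order: message half first
    number = rc4(key, base64.b64decode(fields[PHONE_FIELD])).decode()
    return {"type": fields[TYPE_FIELD], "number": number, "fields": fields}


def build_sample_upload() -> str:
    """Constructed sample in the layout above, standing in for a real capture."""
    msg_half = b"MSGHALF1"
    enc = base64.b64encode(rc4(msg_half + HARDCODED_KEY_HALF, b"+14165550123")).decode()
    call = "|".join(["22", "1510000000", "incoming", "37", msg_half.decode(), enc])
    loc = "|".join(["7", "1510000001", "43.65", "-79.38"])  # a non-call-log record
    records = [base64.b64encode(r.encode()).decode() for r in (call, loc)]
    body = gzip.compress(json.dumps({"records": records}).encode())
    return base64.b64encode(hashlib.md5(body).digest() + body).decode()
```

Running `decrypt_call_log_record` over `decode_envelope(build_sample_upload())["records"]` recovers the constructed number from the call-log record and skips the location record; a tampered body fails the MD5 check.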