
BSidesBCN21 - The Spy in Your Mobile (Swaroop Yermalkar)

BSides Barcelona · 24:06 · 39 views · Published 2022-01 · Watch on YouTube
About this talk
BSidesBCN21 - Day 1 - Sagrada Familia Track

The Spy in Your Mobile (Swaroop Yermalkar)

Do you think it's too difficult to spy on mobile phones considering OS security? Or are you already being watched by someone? Or do you suspect someone is trying to spy on you? Or do you know what happens when your mobile device gets lost? If you're interested to get these answers, this talk is for you! In this talk, I will be presenting my research made on various spyware functioning at the application level and OS level, to analyze what it takes to spy on someone's mobile. I will also be presenting an analysis of famous mobile hacks. This talk will discuss the prerequisites, attack vectors, and various techniques used by attackers to spy on someone's smartphone. I will also be presenting several researched spyware from the internet, the dark web, and social engineering techniques used by attackers for successful spying and data exfiltration.

About Swaroop Yermalkar

Swaroop Yermalkar works as Head of Cyber Security for HackerU (India), where he is responsible for training and managing the Red Teaming Program. Swaroop is the author of the book "Learning iOS Pentesting" and leads an open-source project, OWASP iGoat, which is developed for mobile security. He has given talks and workshops at many security conferences including AppSec USA, AppSec Israel, DEFCON (AppSec Village), Kazhackstan, BruCON, SEC-T, EuropeanSec, Hacks in Taiwan (HITCON), GroundZero, c0c0n, 0x90, GNUnify. Swaroop holds OSCE, OSCP, OSWP, CREST CRT certifications. Swaroop is also one of the top bug bounty researchers worldwide, working with Cobalt.io (https://app.cobalt.io/swaroopsy) and Synack Inc. Check more about Swaroop at https://swaroopsy.com/ or @swaroopsy.

Transcript [en]

...with so many years, more than eight years, on his back, he has reported more than 120 critical vulnerabilities, he has done more than 200 pen tests, and he has also authored two books, one on iOS pentesting and another one on Wi-Fi hacking and security. So without further ado, the floor is yours.

Yeah, thanks for the introduction, and hi everyone, good morning, good afternoon, good evening wherever you are in the world. My name is Swaroop and welcome to my talk, The Spy in Your Mobile. So let's begin. A quick disclaimer: all the views and opinions are my own and don't represent those of my employer.

So what are we talking about today? We have very short time, but I'm going to present you some very interesting facts and interesting studies which I have been doing for the last couple of months. First of all, we will quickly summarize the mobile hacking case studies: how the phones of famous celebrities, people or professionals got hacked. Then a couple of spyware analyses. I had done a comparison and an analysis of several spywares, and out of that we will be presenting a couple of spyware analyses. In this presentation I'm not going to disclose any name of the spyware; we will just refer to them as Spyware 1, Spyware 2, Spyware 3. We have obscured all the vendor names. Then overall how the comparison between the different spywares came out based on different factors, and then the conclusion.

There was already an introduction, but I'll quickly summarize. I head the red teaming for HackerU India, and previously I have worked at Philips Healthcare, Lithium, Travel account as a security engineer or lead security engineer. I hold a couple of certifications, I have given talks in more than 10 countries at more than 10 security conferences, I'm the author of a book and lead of the OWASP iGoat project, which is dedicated to iOS application security. This is a free and open-source project. As this is a talk relevant to spyware, I just want to say that I'm also lead for the OWASP iGoat project, which is dedicated to iOS application-level security.

So if you summarize my background, my background is not much into malware analysis or not much into spyware. If you see all my career, all my industry work experience, that includes application security, cloud security or offensive security. I mean, when I talk about mobile security, or the books which I authored, they all talk about application-level vulnerabilities: what is application sandboxing, the permission levels, security issues during transit, dynamic analysis or changing the application behaviour; everything is more specifically about application security. And frankly it's not related to malware, rootkits, or analysis of that. Of course I have knowledge of it, but not in terms of professionalism. Until one incident.

When the pandemic started, it's been two years, and in two years everything has changed. Almost one year back, in the midnight, I got a call from a friend. It was around 2:30 a.m. and he was really frightened, and he said that his father's phone had been hacked. He was using the iPhone, and he said that his phone had been hacked, the private photos were already with that person, blackmailing was happening, and the passcode had also been changed. And he asked me what to do. It was the middle of the night and I never had such an experience in my life before that, because I was not in a SOC team or something where you get incidents in the midnight; I was mostly in application security, more of a broad security team. So it was very unusual for me, and he asked me what to do.

So at that moment I was not sure how his phone could have been hacked. I just suggested that the best thing you can do is switch off the internet on the phone and stop the data transfer from the phone, if the data is being transferred, because when your phone is hacked or a spyware is installed, what it will do is transfer the data from your phone to the command and control center. So what I suggested at that moment was to switch off the internet, or maybe even switch off the phone, until we get time to look into that.

And that basically started my curiosity. Everything actually changed, like how I look at things. Then I started analyzing the different cases of how famous people's phones got hacked, how journalists were being spied on, and most things about that. I then started doing case studies: I started experiments on different spywares, I purchased a couple of phones, and it was really shocking for me. This is a whole new industry active in the market, and somehow I was not much connected to that. Then I started looking at those spywares, and in today's talk I'm going to present the ongoing research. It's still not completed, it's still in progress, and it's based on whatever we found, and the findings were really surprising.

First I will quickly discuss how Jeff Bezos's iPhone was hacked. It was an international espionage case. I'm sure most of you might have heard that his phone was hacked; he even got blackmailing emails, and he has described this in a Medium blog post, and everything is online. So if you see how Jeff Bezos's phone was hacked, it was not a one-shot thing; it happened over a couple of years. So in 2017, again this is based on the news, the initial case studies I'm presenting are based on the news, in 2017 the Saudi regime buys Pegasus, it's a spyware. In 2018 Jeff Bezos was invited for a dinner and basically phone numbers got exchanged. Again in 2018 he got a video on WhatsApp, and from that his phone was hacked. And in 2019 he basically announced that he was being blackmailed; his private photos were with whoever had done the attacks.

So Pegasus came into the news, you can say, recently, specifically in India and many other countries; it got highlighted in the last one year or two years, but it's not the latest spyware, it's a bit old. The news about the numbers which were being spied on came out recently, but it's not really a new spyware. So, just how it was working: it was really one of the most sophisticated, one of the best pieces of engineering in how this spyware was developed. Basically, in the analysis I'm going to present on most of the spywares which you'll see, you need to basically install that, you need to change the permissions, you need to do some tricks; at least you need some access, you need access to the phone for at least a couple of minutes, in which case you can make some changes and install the spyware. But in this case this was brilliant in terms of the piece of code. It was exploiting the Trident vulnerabilities, and how it was working is very interesting. If you see an iPhone or Android, all the applications work in sandboxing. What sandboxing is: one application cannot access the data of another application unless explicit permission has been granted. But this Pegasus was doing the jailbreak. Jailbreak is like rooting your phone, and once you root your phone it basically bypasses all the security protections provided by Apple or your vendor, and you can basically do anything, I mean you can check the messages and WhatsApp and what not. So it used the Trident vulnerabilities: the WebKit memory corruption, kernel information leak and kernel use-after-free, and this eventually led to the jailbreak of the phone, and that was with persistent access; it was a remote jailbreak, and ultimately it leads to the rooting of the phone.

I'll just show you a quick screenshot of how the rooting actually looks. If you see, I have basically logged into an iPhone with root-level access and you can see almost everything here, all the files and folders, same like Linux or a Unix-based operating system. So it was very interesting: you might get one iMessage, SMS, WhatsApp, you click on some video, and ultimately it can do everything: it can record your calls, access your calendars, contact book, GPS location, microphone, emails, WhatsApp chats, everything. I will not discuss more about the political agendas or how journalists' phones were being hacked or other things; I will discuss more about the technical things in this talk.

So yeah, based on the proof of concepts, once you click on the link it was basically giving access to all of your device, it was basically rooting your phone and then giving access to everything. But there were also some zero-click attacks where you don't really have to click on the link. Again, one of the very famous ones, Skygofree, a powerful Android spyware, was mostly on Italian websites. These are again some snapshots from the news. You can see that users are told that they should update the device configuration; it was mostly on Italian websites, and then it can add itself to the protected apps list on Huawei devices, and again it can do pretty much everything: it can check your Wi-Fi, it can track your location, WhatsApp messages, keylogging, everything.

And I have seen this industry has grown, you can say, exponentially in the last couple of years and since the pandemic, and there are so many vendors out there which have such products. So I wanted to start somewhere, because this is definitely a different line of research. It's a huge list of spywares out there, but I started with a couple of spywares, like 10 or 15. Most of them you have to purchase, they have the premium, so I basically created a lab, we had a couple of phones, I also involved a couple of my colleagues to experiment with this, and we started playing around with these spywares. What I'm going to show you is a couple of screenshots of what exactly you can do. It was not very costly, the spywares which we tested were not very costly, but they were, you could say, very powerful in terms of use. And we also tested on different antivirus software, like Play Protect, or we installed a couple of antivirus softwares, and we also checked how many antivirus were able to detect this spyware, and again the results were surprising: not all antivirus softwares or Play Protect were able to detect all the spywares. At the end of this talk I will also discuss the comparison, the statistics and all.

So you can see, as I said in the initial part of the talk, we will not talk about the vendors, we will just refer to them as Spyware 1, 2, 3, in that way. You can see one of the spywares was very interesting: it was showing a Wi-Fi icon. I'm sure that non-techies, or even those who use this phone day to day for calling or messaging, can easily click on this icon; this just shows a Wi-Fi icon. And once you click on that, all these spywares are basically very sophisticated client and server, so from the server side or command and control server we are able to see everything: the phone calls, the messages. This is the dashboard of the spyware: the GPS locations, call recordings, social media, and you can see everything like IMEI number, device model, hardware ID. It's all about controlling the phone remotely. So you can see the top calling numbers, the top 10 calling numbers, then which numbers they have called, all the messages.

I many times get so many calls, as I work in the mobile security industry, that their bank account got hacked or the money got stolen and stuff like that, and they said they had the OTP. Yes, because if your phone is infected with the spyware, even if you are getting the OTPs, two-factor authentication, it can still get those OTPs. So all the locations, you can just track the locations of that particular user, you can find the coordinates of where exactly that person is, you can record all the calls on behalf of that person and what not, you can enable the camera silently, you can check the WhatsApp messages, Instagram messages, everything. So it was not just for one spyware. I'm not going to show you all the spywares in this talk, but I'm going to show you two or three. One of the ways is how to infect the target phone, and they had different ways and techniques to infect, but once it infects, more or less most of the spywares had similar dashboards to control those devices.

Again, this was an Android one (name withheld), and you can see the call frequency, everything like remote control, call history, text message logs, WhatsApp messages, everything, the calendar also, like what are the different meetings. I'm sure this could be one way of industrial espionage, checking things on your opponent's conversation threads. Apps installed on the device: we can also uninstall those apps, for example if some antivirus softwares are installed, we can actually also uninstall those apps. Screen time. So basically we can study everything about that person without them knowing.

Then how is it happening? If you see in the case of an iPhone, if the phone is rooted, in Cydia there are hooks. Once your phone is jailbroken you have Cydia, and then you can install the hooks, and using those hooks you can check what that application is doing. We can easily use those hooks and attach to the applications and then check the application activity in iOS or iPhones. The photo gallery, of course you can download all the photos, you can clean the photos from the target system, you can get the passcode. So we found very, very creative ways in how these spywares are designed. And again the keylogger also: you can type a message on someone's behalf, you can record almost all the calls, you can record the surroundings, and you can export the data and import it to some other device. Pretty much you can do everything.

And you know how much it costs? If you see the cost of these softwares or spywares, I would say this is really, really cheap. Anyone can just go and use this, and it's really scary. Again one of these spywares, similar dashboards, they have all the messages, and many of these spywares advertise themselves as child monitoring softwares, or something like it can help you to protect your child, but I didn't see that it actually verifies that; nobody checks if you're using it for a child or for some espionage purpose. And yeah, you can of course download the photos. Most of the spywares also give the messages from Instagram, Tinder, Facebook, Twitter; they have access to almost all the apps on the phone. And as I said, command and control: you can turn on the Bluetooth, you can turn on the location, you can turn off the Wi-Fi, call recorder, what not.

And this is a comparison. We checked with many antivirus softwares, and as I said the research is still in progress, you can say this is just some part of what is about to come. Many of the spywares don't require root access because they use accessibility permissions on the phone, but you need a couple of minutes, and a couple of spywares were smart enough that they exploited a couple of zero-day vulnerabilities to get themselves into the approved list of apps. As you can see, I just presented the comparison of five spywares, and you can say that as of now whatever I checked is mostly for Android; the research for iOS is also in progress. And you can see that a couple of antivirus were not able to detect certain pieces of these spywares. There are also other spywares which I'm working on which were completely, you can say, not detected by most of these five antivirus softwares which are available for the phones, which I might present in upcoming talks.

So yeah, you can say this is one of the very fast growing industries and a bit lawless, so they are making it very easy to infect. Mostly they advertise themselves as child monitoring, but nobody cares if you are using it for a child or for spying purposes. So these were the references for my talk. I think I'm almost done with the timing. So these are the references: Citizen Lab, in Toronto, Canada, they are doing a lot of research in this, mostly with journalists, the journalists' phones which are being hacked, or even the politicians. So they have very good resources, and these are a couple of resources I used. Thank you everyone for inviting me, and this is my website; you can just contact me for any questions you have about the ongoing research. You can just visit swaroopsy.com, contact, and you can ask me any question. So I guess, yeah, that was all for this very short talk. I hope it was useful; it was introductory and useful for the audience. If we have time I can take questions as well.

Yes, let's give people a couple of minutes. Thanks Swaroop. Let's give them a couple of minutes if you want to come up with some questions. I just have one curiosity: when you show the dashboards of the spywares, were you trying the spywares on your mobile, on your network, or is this something from some lab on the internet or something?

No, so basically I have purchased like three, four brand new phones and we have created this lab. I have given these phones to my friends and we are basically experimenting with this. I mean, we're not trying it on people; it's all brand new phones, and we are acting as if we are normal people who click on the WhatsApp and YouTube links and stuff like that.

Yeah, that's cool, that's cool. So I don't see there are any questions so far, so if you have any question, perhaps later you can write in the Sagrada Familia Slack channel, and I'm sure Swaroop will be there to answer. So again, thank you very much.