
Welcome back. Welcome to our talk, which is Stalking the Stalkers. It's a talk especially for BSides Sofia. As this is about stalkerware, some discretion is advised; we're going to talk about things that are not really nice, or things that are crimes, so some discretion is advised.

This talk is dedicated to our really good friend Mike Polidoro, who passed away; you have seen his clip a couple of weeks ago. God rest his soul.

Featuring me: I'm Vangelis, I'm the CTO at Tremor, a fintech startup that specializes in regulation tech, and an independent security researcher. I'm mostly interested in APIs for IoT devices and web application security. I'm developing a machine learning tool as my PhD project to find API flaws, and you can find me as Evie stickers on Twitter.

I'm Felipe, adversary engineer at Laris, and I just like to break stuff, press the wrong buttons, make some smoke come out, and that's pretty much it. You can find him as sulfur with a hero on Twitter.

Current slide, next one... no, okay, we went way too far. Okay, the third one is the single quote. We all know what this is; we're going to see a lot of SQL injections in this talk. We usually use it to get access to data we should not have, but considering that this is data that they should also not have, it's data that is free on the internet, as we see it.

We want to give some special thanks. The first one is Eva Galperin; she was the leader, she's with the EFF, the Electronic Frontier Foundation, and is the person that helped us greatly on both the ethical stance and the lot of paperwork that we did from there. We also want to thank Zack Whittaker, who helped us by giving a lot of press via TechCrunch on all the flaws that we found, and a close friend that I have, George love dance, who has helped us by writing Go binaries that could enumerate millions of users.

So first of all, what's stalkerware? It's software that's often used to track the activities of somebody without their knowledge or
consent. It's used to keep track of a victim's location, see their call history, internet history, check their, you know, emails, produce videos and audios from their devices, access their files, take screenshots; you know, you monitor it, it's like active stalking.

Okay, so for iPhone, since there's no jailbreak for the latest version, what they do is that they get the iCloud backup. So you would log in, because usually, you know, partners have access to the significant other's phone, so they could just go there, get the credentials, get the access tokens, and then configure the iCloud, and then from there the stalkerware platform would scrape the data every 24 hours, and, you know, the abusive partner will have access to all this data. Apple is actually tackling this: they introduced in January the option to encrypt the iCloud backups, but it's not compulsory, so it's still a problem, you know, and an abuser would have access to WhatsApp, SMS, call logs, which Wi-Fi hotspots their significant other connected to, and all this kind of stuff.

On Android, if you don't have root access, you know, you can see the victim's location, you can get the files that are stored in external storage because they're not sandboxed, you can read text messages, you can read call information, and if you have root access, which is not that hard, it's like game over, because, well, you're root, that's it.

In most cases stalkerware is installed without the victim's consent, but sometimes, you know, the partner can just blackmail, saying things like "oh, do you have anything to hide?" or "if you don't love me enough, why are you with me? You should give me this access, I'm just doing it because I love you." And the application is usually hidden and has some nice name like Battery or Notepad or Calculator, so it's trying to conceal its real intent from the user. And what I never thought about before, but is really disgusting, is that the infected
device can actually be gifted to someone, and they actually advertise it. For example, this one here: "a Christmas present your loved ones will truly appreciate", and you give them a nice Android tablet that, you know, has stalkerware installed on it, and the other person will be able to invade somebody else's privacy, really.

So how do we know something is stalkerware? First of all, if they actively advertise as something that you can use to spy on your wife, we consider it stalkerware. Also a friendly advice: if you actually have a wife, don't Google this thing, because then you have to explain to your wife that you're doing research, and to your kids that you are doing your research, and you don't have anything to spy on your wife for. But yeah, if they actively spend money on advertisements on how to spy on your wife, they're stalkerware. The fine line is consent: as Felipe said, if it doesn't need consent, it's spyware, it's stalkerware; if it's designed to hide itself, it's stalkerware. Knowing the password or the PIN for the laptop or the phone doesn't change that: if someone installs something which is hidden and the person who is spied on has not consented to it, they're a stalkerware victim.

The first thing that you can see here is Cocospy. They actively have articles: "how to read my wife's text messages without her knowing for free". It's a two-page article that says how to spy on your wife; they're obviously stalkerware. Hellospy, which is now defunct, is probably the worst case that you can see. Sitting by the numbers, it shows how the guy who had a cheating wife beat her; here you can see actual marks on her face, and keep in mind Hellospy is on the beater's side, so they are even promoting physical violence. They are out of business now, but it's just a monstrosity; as you say, they're genuinely bad people.

So we took a better look at the industry, how it was, how big it was. We were able to find 10 companies that create
applications, host their servers, and massively skin their applications, so we are going to see later down the road that a lot of applications are actually one application. They sell the application with re-skin rights, they white-label the application, and also provide infrastructure for it, effectively being stalkerware as a service, and we are going to call them families from here on. If somebody is a family, it's one of those 10 companies. Two of the families, as we're going to see further down, were sweatshops with proper support lines; they had proper lines that escalated to level two, level three. And one of the big ones, which was one of the scariest ones, maintained personas even within the company, constantly changing names and company names. We infiltrated the company, and even between them they didn't use "Felipe" or "Vangelis"; they were using fake personas so that they cannot be spotted on what they were doing.

That's the initial data of the families that we have found. One is TheTruthSpy. You can see that we have identified the company that they're owned by for most of them; two of them stand out, SpyTrac and TheTruthSpy.

So the toolset that we used for our research was: Burp Suite, to do mostly the API testing, tampering with the requests and keeping a history of what we're doing so we can go back and check data; jadx, the decompiler, to reverse engineer the APKs; apklab.io, to run the APKs without having to install them on your phone and do an analysis of them; Mullvad, which is a VPN provider, we used that because I don't want them to know my home IP address, basically; a small droplet on DigitalOcean to host files and get reverse shells, because again I don't want to expose my home IP address; Revolut was really useful for when we had to, for some reason, buy an account, because in some cases it was useful, because I could just spawn a credit card, they wouldn't check my name, I could put any name in there, any dodgy address, you just
say yeah, whatever, and I could set a limit and just freeze the credit card afterwards, because some of them kept trying to charge me, which wasn't ideal. Shodan was also really helpful, because as you're going to see later, some companies like Cloudflare were protecting these guys, so we used Shodan to find their real IP addresses and bypass the cloud security; and our cancerous Android phone, which we'll probably have to bin at some point, it's disgusting now, it's relevant.

And yeah, our methodology was: first we're going to try to see if they offered a demo account, which most of them did, and then from there I would see if you could just hack them from there: find some SQL injection, access controls. Some of them had limitations, like the account would only have access to the GET requests and no POSTs or PUTs, so people wouldn't be able to modify data there, and that's a limitation that makes it harder to exploit. So yeah, and then if we managed to find an APK, we would download it, then decompile it, see if we could find API endpoints, Swagger files, hard-coded credentials, and then we'd run the APK in the apklab sandbox, so we wouldn't, you know, let that crazy thing touch our phone, and get some data from there. But if we couldn't find anything useful, then we would install the APK on our Android phone, proxy data through Burp and then interact with the API, and in some cases, if we thought that it was really worth it, we would purchase an account so we could further exploit their application.

So as most of them, not most, all of them, are zero-days right now, we had a really big discussion with a lot of people, and we are not going to release the zero-days. We are not going to say how we accessed all the data; we are going to see a view of the data, we're going to explain some of the data, but giving out the zero-days would give access to a lot of vulnerable people. The plan is: we want to see that industry burn. We, the EFF and pretty much everyone else, the
Coalition Against Stalkerware, want to destroy that industry. What was the plan? We need to have a better understanding of the size of the industry, and as we were looking more and more, we were really scared of seeing the size of the companies and how many installations it has. We wanted to identify what company was behind each application; we were mostly successful on that. We are still working on a way to help the victims; this is not that easy. We were thinking about removing the applications, we were thinking about sending a push notification saying that your phone is actively monitored. This is not that easy and not that straightforward, because a lot of those victims are in a really strange position, in a bad relationship, or in a way that this could cause more harm than benefit. We communicated with Apple and the EFF.

The ethical stance: it was really one of those researches where there was no clear way of what we were supposed to be doing. There are the obvious issues: what are we going to do, are we going to disclose the zero-days and help the companies solve the issues and continue giving them things to work on, are we just going to publicly disclose and give all the data to everyone? It's clearly a "which side are you on": are you with the good guys, are you with the bad guys? There are no sides in here. We try to do no harm, we try to help no one. We could easily submit everything for 15 CVEs, but we would be helping them to secure something; we want to turn them down, we need to kill everything.

So what we have found: remote command execution on more than one server, SQL injection, SQL injection, broken authentication and SQL injection, forgotten AWS credentials that gave us root access to a lot of infrastructure, forgotten Azure credentials which gave us access to even more infrastructure, SQL injection and another SQL injection. The data that we acquired: database dumps that included super sensitive data like texts, SMS, WhatsApp messages, everywhere, and where
they were. We got dumps of everyone's phone, which is really scary if you consider what your phone has: lots of ways to identify owners, emails, home addresses, pretty much everything. Access to administrative accounts and panels, so we had access internally to support, to panels, to creating, to financial data. We had access to source code and their comments, which were really funny, and surprises.

As Felipe mentioned earlier, all those companies helped, enabled (enabled them, sorry) and protected the bad people. Alibaba, Amazon and Azure were hosting them; we have sent numerous emails, and they said that this is within their policy. So stalkerware and actively exploiting people is within their policy. Cloudflare was even worse: they said that they're paying customers, we are not paying customers, so we're not going to do anything. So they wanted us to pay so that they can review what we reported. And Mandarin was just sending emails, so it's really bad of them.

I'm gonna mention Google in here: it made it really obvious that the malicious applications were installed and made it really difficult for them to continue running, so it uninstalled them, it showed multiple pop-ups saying "you have something which is stalking you, please remove it, please remove it". Google Play Store stepped up and removed all the stalkerware, and Google Search, since after our talk, they reached out and they are not accepting ads for spyware anymore, so you're not going to see any advertisements for stalkerware or spyware now.

Code comments that we have seen: "check for formulas, index starts with zero", "checked with Tony", "why is this needed?". This is directly from the source code: "save this environment variable, because if someone finds it out he's going to f*** us." Guess what, we found out. "We did it, changing this because the hacker hacked us." Well, we have some bad news again for you guys. Also, I have found that in multiple locations: so they were hit more than once in more than one family, and they just restructured and restarted
everything, so their files were exposed more than once in more than one family.

The data analytics. First of all, the disclaimer: we're not data analysts; the data is in way better hands, we're running analytics on it, the EFF is working on it, we're trying to do the best thing that we can do with that data. The sample is 400,000 devices from three different families. Location is from GPS, so it's not IP location; when something says it's there, it's there. And the duration of installation: we define that as from the first installation to the last communication with their C2 server.

These are the countries that we can see. You can see a lot of strange things in here. First of all, Uganda has a really, really strange marriage problem: 30,000 people spied on their wives. China is okay, the United Kingdom is something that we expected; Bangladesh too, and Nepal are crazy numbers, we didn't expect that, but that's what the GPS is saying. As you can see, 88 percent of the smartphones that we see were Android, only 12 percent were iPhone, and 50 percent had it installed from one to three months, twenty percent had it only for one month, and 30 percent had it more than three months, with five devices going up to eight years. So someone was spying on his significant other for eight years. And we know we missed some of the stalkerware families; we tried our best to cover the whole industry, but some of them were not vulnerable, or some of them were really expensive, and it didn't make sense for us to pay 500 euros just so that we can pwn something.

So I'm going to talk about TheTruthSpy, which is one of the guys that we compromised, and it's the biggest one, right? No, no, it's the biggest one that is still alive. Oh, great. So yeah, it has been compromised multiple times; it was thoroughly examined by TechCrunch, they have articles about it, and during our research we found out that it was developed and operated by 1Byte, and it had approximately 200,000 users. We managed to identify 12 members of this family, but there's probably more than that. And yeah, with their
platform the abusers could see call histories, monitor applications, see notification histories, location, access to photos and videos, the keylogger functionality to, you know, see what their spouses were texting. And yeah, here you can see the panel that they had access to; you could get a share as well in some cases, yes. And when you run it on VirusTotal, that's what you'll get, so it's not a great identification rate really: only 25 vendors saw it as malicious. And well, we managed to fully compromise it: root access to the server, database access, we had everything. And here is the structure of their company as it was reported by TechCrunch, so yeah, you guys can see it in our blog post later with more detail.

And yeah, Xnspy. Here we can see their website; they were marketed and operated by Konext. We found that they had approximately 60,000 users and only one family member, which is xnspy.com. And yeah, as pretty much all of them, you could see call histories, monitor applications, notifications, had access to photos, and again VirusTotal: only 24 vendors saw it as malicious, so yeah, they were not doing a great job. And yeah, we got full database access, which is, well, if you consider they're really vulnerable people, that's not ideal, right? And it's, you know, not a good feeling when you see that, with people's private lives there; it's awful, it's vulnerable, it's access to anyone on the internet.

And yeah, Cocospy. They were the trickiest one to identify who the owner was, and we had to do a lot of digging, and we have strong indications that they're operated by 711.icu, and we identified three members in the family. On their platform you could see call histories; pretty much most of them supply the same features for the abusers really, so location history, access to photos and videos, and the same crappy identification rate in VirusTotal as well,
and then they had broken access controls. We couldn't get any database access, but we got access to all users' info. This one was really painful, because every user for some reason has an Active Directory account, so we had to enumerate via LDAP, which is painful and slow, so it took a lot of time for that.

Yeah, MobiStealth. These guys, they're just funny, because you see on their website they say "as seen on Yahoo, PC World, MSN, Wired", and then if you Google it, it's not saying good things about this company, you know; they're saying "yo, these dodgy guys, they're disgusting", but then they are promoting it: "they're talking about us". But they know them, yeah. And yeah, it's been around for 10 years, over 125,000 devices, it was compromised in 2018, and we couldn't find the owner, unfortunately. And yeah, there's only one member of the family, and they were not using an API, which is awful, because we had to parse poorly written HTML manually; I had to write a script for it, and it had more than a billion entries, so yeah, it was painful. And yeah, we managed to fully compromise it and became administrators of the platform, but yeah, we hope one day we'll figure out who's behind them.

Spymaster Pro: they're not really, they're just another one really, there's nothing really special about them. They had like 8,000 devices available, it was compromised in 2018, and someone buying Netsense, and yeah, same features as pretty much every other platform. Again, they're not really passionate in any way, but yeah, I mean.

And the last one, not the last one, the second last one, is SpyTrac. It's the scariest of all, the biggest one, as it has over one million and three thousand devices, and currently the most dead one, because we took it down. It's owned by Support King; Support King was fined by the FTC and banned from the spyware industry. It only had one member, spytrac.com. It relabeled
everything as SpyTrac on November