1. How to pwn a Russian Android botnet
by Dima
Odessa, Jul 18, 2015
2. The story
● Interview at the security lab of a big, world-known company
● Technical “homework”: reverse engineering of Android malware. “Find out everything you can!”, they said.
3. Steps
1. Reversing the malware
2. Analyzing the malware’s network protocol
3. Hacking the malware’s command & control server
4. Identifying the hacker
5. Reversing the malware
The malware at first glance
● It can’t install itself without the user’s help: the user has to download and install the APK manually…
● ...that’s why the APK looks like another-very-useful-Google-service application :)
6. Reversing the malware
The malware at first glance
● It steals the user’s SMS, contacts and accounts (from the Android Account Manager)
● It sends SMS/USSD from infected devices
● It DDoSes websites from infected devices
● It controls infected devices as a device admin
7. Reversing the malware
IT’S PART OF A BOTNET AND IT IS NOT DETECTED
BY MOBILE/DESKTOP AV SOFTWARE OR VIRUSTOTAL :(
8. Reversing the malware
The malware code at first glance
● written in Java, obfuscated;
● contains no native methods;
● it is full of mistakes :)
9. Reversing the malware
The malware permissions
● INTERNET and ACCESS_NETWORK_STATE – Internet access
● READ_CONTACTS and GET_ACCOUNTS – access to the user’s accounts (in the Account Manager) and contacts
● READ_PHONE_STATE – access to internal system information: device ID, IMEI, device vendor name, etc.
● SEND_SMS, RECEIVE_SMS, READ_SMS – access to the user’s SMS
● CALL_PHONE – making phone calls
● SEND_RESPOND_VIA_MESSAGE – allows the malware to send a request to other applications to handle the respond-via-message action during incoming calls
● READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE – R/W access to external storage
● RECEIVE_BOOT_COMPLETED and WAKE_LOCK – start the malware as soon as the OS has booted (autorun) and keep it running even when the device goes to sleep
10. Reversing the malware
The most important malicious components
● Main (Activity) - the main activity. It is started each time the user taps the icon of the malicious APK. It starts the DataRegisterService and OutSms services. Then it shows a fake “Google Service” alert to the user (just because the user probably expects to see something).
● DataRegisterService (Service) - the service is started by the Main activity or the LoaderReceiver receiver. It registers the infected Android device on the malware server. If the device is already registered on the server, the service does nothing. It also sets alarms for the ConnectChecker and AdminBroadcast receivers.
● LoaderReceiver (Receiver) - the receiver is started after an Android reboot. It starts the DataRegisterService and OutSms services. It also starts DeviceAdminActivity if j.u (isAdmin) is false.
● OutSmsListner (Receiver) - once a minute the receiver checks the list of SMS sent by the user. If it finds any new SMS (here “new” means “new since the last check”) in the list, it sends them to the server one by one.
11. Reversing the malware
The most important malicious components
● ConnectChecker (Receiver) - the receiver is started periodically by the repeating 3-hour alarm set by DataRegisterService. Every 30 seconds the receiver requests a command from the malware server.
● AdminBroadcast (Receiver) - the receiver is started periodically by the repeating 3-hour alarm set by DataRegisterService. It starts the DeviceAdminActivity activity if the j.u (isAdmin) flag is not set.
● OutSms (Service) - the service is started by the Main activity and the LoaderReceiver receiver. It creates a one-minute repeating pending intent that calls the OutSmsListner receiver.
● DeviceAdminReceiverS (Receiver) - the receiver is started by the OS after DeviceAdminActivity has tried to trick the user (asking to add the malware to the device administrators). The receiver reports the result to the malware server and changes the j.u (isAdmin) flag depending on that result.
12. Reversing the malware
Malware lifecycle: first start (simplified)
● Main activity shows a fake this-is-a-Google-service message box
● DataRegisterService service registers the infected device on the malware’s command & control center
13. Reversing the malware
Malware lifecycle: first start (simplified)
● OutSmsListner receiver steals the user’s SMS and does background checks (once a minute) for new SMS to steal as well
● ConnectChecker receiver does background checks (every 30 sec) for a new command from the command & control center
14. Reversing the malware
Malware lifecycle: first start (simplified)
● AdminBroadcast receiver starts DeviceAdminActivity, which uses the android.app.action.ADD_DEVICE_ADMIN intent to ask the user for Device Admin permissions (possible on Android > 2.1)
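An added example (not code from the talk) covering the permission list and the component slides above: a static triage of an AndroidManifest.xml for the combination described, the full SMS permission cluster plus boot-time autorun plus a device-admin receiver. The manifest is constructed; the receiver names mirror those in the talk, and BIND_DEVICE_ADMIN / DEVICE_ADMIN_ENABLED are the standard Android device-admin declarations, not values taken from the slides.

```python
"""Static manifest triage (added example; sample manifest is constructed)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix for attributes
SMS_CLUSTER = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
AUTORUN = {"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.WAKE_LOCK"}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <receiver android:name=".LoaderReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".DeviceAdminReceiverS" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return which parts of the SMS-stealer profile a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    boot_receivers, admin_receivers = [], []
    for r in root.iter("receiver"):
        actions = {a.get(A + "name") for a in r.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:      # autorun entry point (LoaderReceiver in the talk)
            boot_receivers.append(r.get(A + "name"))
        if r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":  # device-admin callback receiver
            admin_receivers.append(r.get(A + "name"))
    findings = {
        "full_sms_cluster": SMS_CLUSTER <= perms,
        "autorun": AUTORUN <= perms and bool(boot_receivers),
        "boot_receivers": boot_receivers,
        "device_admin_receivers": admin_receivers,
    }
    findings["matches_profile"] = findings["full_sms_cluster"] and findings["autorun"] and bool(admin_receivers)
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```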
15. Reversing the malware
Fake dialog text: “For the security of the device, Google Play requires administrator privileges.”
17. Analyzing the malware’s protocol
The protocol at first glance
● it is built over HTTPS
● it uses JSON for sending data / receiving
commands
● it does not encrypt / sign traffic
18. Analyzing the malware’s protocol
Posting data to malware C&C center (headers)
● Method: POST
● URL: <domain>/marry4/set/<DeviceID>/
● Custom headers: no
19. Analyzing the malware’s protocol
Posting data to malware C&C center (body)
type=<request type>
json={ "<key1>": <value1>,
       "<key2>": <value2>,
       ...
       "<keyN>": <valueN> }
20. Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your request, have no commands for you at the moment”)...
● ...or a command for the infected device (see next slides)
21. Analyzing the malware’s protocol
Asking the C&C center for a command
● Method: GET
● URL: <domain>/marry4/get/<DeviceID>/
● Custom headers: no
22. Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your request, have no commands for you at the moment”)...
● ...or a command for the infected device (see next slides)
23. Analyzing the malware’s protocol
A command from the C&C center (format):
{ 'type':task,
  'task': [ "<Task type>", <DeviceID>,
            < ...data for the task (depends on the task) ... > ]
}
24. Analyzing the malware’s protocol
A command from the C&C center (example):
{'type':task, 'task':
["sms",359930048604909,"900","BALANCE","2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}
Legend: 359930048604909 = DeviceID; "900" = number to send the SMS to; "BALANCE" = SMS text; "2014-03-27T15:33:00+04:00" = date; "0e205bf823a00ac9e900b116d99f1b561b167b92" = unique ID of the task
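An added example (not the talk’s code) for the protocol slides: it spots this malware’s beacons in web-proxy logs by the /marry4/set/ and /marry4/get/ URL shape, and decodes a C&C reply, either the idle {'registred':'complited'} answer or a task, into the fields of the legend. The proxy log format and the hostname cnc.example.invalid are constructed assumptions.

```python
"""Beacon detection and C&C reply decoding (added example; log lines constructed)."""
import json
import re

# URL paths from the slides: /marry4/set/<DeviceID>/ (POST data) and /marry4/get/<DeviceID>/
# (GET a command). The DeviceID seen in the talk is a 15-digit, IMEI-like number.
BEACON_RE = re.compile(r"/marry4/(?P<op>set|get)/(?P<device>\d{15})/")

# Constructed proxy log lines: "<time> <client-ip> <METHOD> <url> <status>"
SAMPLE_LOG = """\
2014-03-27T11:33:01 10.0.0.5 POST https://cnc.example.invalid/marry4/set/359930048604909/ 200
2014-03-27T11:33:31 10.0.0.5 GET https://cnc.example.invalid/marry4/get/359930048604909/ 200
2014-03-27T11:33:40 10.0.0.7 GET https://www.example.invalid/index.html 200
2014-03-27T11:34:01 10.0.0.9 GET https://cnc.example.invalid/marry4/get/123456789012345/ 200
"""
# Replies exactly as shown on the slides (single quotes, bare word after 'type').
SAMPLE_IDLE_REPLY = "{'registred':'complited'}"
SAMPLE_TASK_REPLY = """{'type':task, 'task': ["sms",359930048604909,"900","BALANCE","2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}"""
TASK_FIELDS = ("device_id", "number", "sms_text", "date", "task_id")  # legend order for an "sms" task


def find_beacons(log_text):
    """Return (client_ip, op, device_id) for every log line whose URL matches the C&C path pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        m = BEACON_RE.search(parts[3])
        if m:
            hits.append((parts[1], m.group("op"), m.group("device")))
    return hits


def normalise_reply(text):
    """Turn the JSON-ish reply into strict JSON: double quotes, and quote a bare word after a colon."""
    text = text.replace("'", '"')
    return re.sub(r':\s*([A-Za-z_]\w*)\s*(?=[,}])', r':"\1"', text)


def decode_reply(text):
    """Return None for the idle reply, otherwise the task mapped onto the legend's field names."""
    obj = json.loads(normalise_reply(text))
    if obj.get("type") != "task":
        return None
    task = obj["task"]
    return {"task_type": task[0], **dict(zip(TASK_FIELDS, task[1:]))}


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
    print(decode_reply(SAMPLE_IDLE_REPLY), decode_reply(SAMPLE_TASK_REPLY))
```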
26. Hacking the C&C center
Our first move: we feed malformed links and data to the C&C server; after several tries, we crash it
27. Hacking the C&C center
Now we know two important things:
● The exact script URL is <domain>/ontasks.php
● On the server, the PHP setting display_errors lets script errors be seen in the browser
28. Hacking the C&C center
Our second move: call the script directly
29. Hacking the C&C center
As a result, we know that the script needs base and imei (probably, they are script parameters).
30. Hacking the C&C center
Our third move: call the script directly with an arbitrary base parameter
31. Hacking the C&C center
We crashed the script again, but this time we got a login/password :)
Well, OK, how do we use it?
32. Hacking the C&C center
Let’s just try the most commonly used subdomains: mail.*, ftp.*, etc.
Are we lucky?
36. Hacking the C&C center
Some facts about the botnet’s frontend:
● The botnet started in Nov 2013
● The botnet is not the first try, but probably the most successful one
● The botnet’s frontend is written in PHP+MySQL
37. Hacking the C&C center
Some facts from the botnet’s database:
● Over 50,000 active infected devices, mostly from the ex-USSR
● Over 1,000,000 stolen user SMS (including passwords and 2FA SMS)
● Traces of at least 3 massive DDoS attacks carried out with the botnet
38. Hacking the C&C center
SMS examples (passwords):
● Your login: 79123248600nYour new password: 92pubelunYour request to restore access to your page on the VKontakte site has been approved.
● Access to the site mp3poisk.ru: login - fkiwpxgf, password - lRe4XXrj
● To access the “MegaFon” self-service web services, use login: 9285693647 and password: XOSBHG.
39. Hacking the C&C center
SMS examples (passwords to porn sites):
● Access to the site blontex.net: login - j26445, password – 10752
● Access to russiangirlsvideo.com: login 160528 and password 11264
● Access to the site mobzoneoo.com: login - upopuamd, password - JL28qOJa
40. Hacking the C&C center
SMS examples (love letters):
● I love you you are the best for me hope everything will be f... for us I can’t do without you anymore )*****
● Aaa.:* my beloved, my bald happiness, love you;*)
● I’m not a pervert :-( I love you very much :-*
41. Hacking the C&C center
SMS examples (Crimea, SMS from a Russian contract soldier):
● Hi. already in Crimea, but haven’t reached the place yet. troops are being massed. we are going to the border too.
● Simferopol state duma. airports. Telegraphs. Trip to Crimea by sea, ships .. 160 thousand fighters. Ural trucks. choppers. Cossacks. That’s it... In Khokhlyandia there are Banderites and bandits. They are asking NATO to intervene
42. Hacking the C&C center
SMS examples (drugs):
● Wanted to give you some drugs but now definitely fuck no
● Whoever I owe, I forgive everyone :-) And stop calling me about drugs
● Misha, I’m still going to talk to you about the weed you brought and smoked!!!! Do you want a fight?
43. Identifying the hacker
The last step
“Bad boys, bad boys, what you gonna do?
What you gonna do when they come for you?” --
44. Identifying the hacker
● Male, 29 y.o., not married
● Russian, lives in Siberia
● PhD student in Computer Science
● No criminal record
● Full name, phone, email, home address, photo are KNOWN!
45. Finally, what was left out?
● Details which could break the privacy of the customer and/or the hacker (thanks for your understanding!)
● Hacking the hacker’s email, his sites in the i2p ‘darknet’, and other related accounts
● ‘Economics’ of the botnet: prices, black-market cashout, etc.