The Double-edged Sword: Analysis of PhoneBeagle


In the past several weeks, we have intercepted multiple samples of a backdoor application, PhoneBeagle, which is marketed as a parental control tool for the Android and BlackBerry platforms (http://www.phonebeagle.com/).

[Screenshot: PhoneBeagle product page]

The PhoneBeagle application contains three modules: a controller app, a guardian app, and a client-side GUI. The first two are APK files installed on the compromised phone. Both the controller app and the guardian app can hide their icons by removing the "android.intent.category.LAUNCHER" category from their AndroidManifest.xml. The client-side GUI is available both on mobile and on the web, as shown below:

[Screenshot: client-side GUI on mobile and web]

The intercepted controller app samples differ slightly, mostly in version and configuration. This article focuses on the functionality of the controller and guardian apps and how it is implemented.

[Screenshot: controller app samples]

APK File Structure:

The controller APK consists of two packages: the BeanShell library (http://www.beanshell.org/) and the agilebinary package (named after the company).

[Screenshot: package layout of the controller APK]

BeanShell is a Java library that provides an embeddable Java source interpreter with object scripting language features, allowing scripting conveniences such as loose types, commands, and method closures in Java code, much like those in Perl and JavaScript. Because logic can be loaded as source text and interpreted at runtime, this library makes the app's Java code flexible and extremely difficult to analyze statically.

Permissions Requested:

Whatever the intended use, PhoneBeagle has strong control capabilities, which make it a potentially dangerous backdoor application.

The app requests many permissions for remote control, including access to phone calls, SMS, contacts, GPS, network connections and browsing history.

[Screenshot: permissions requested in AndroidManifest.xml]

Monitoring Over the Phone:

The app registers a set of broadcast receivers to monitor and control certain behaviors. The following system broadcasts are monitored:

[Screenshot: registered broadcast receivers]

As is common in malware, the app registers the highest priority for its intent filters on SMS_RECEIVED and NEW_OUTGOING_CALL. That lets it receive these system broadcasts before anyone else and abort them, which is how it restricts use of the phone:

[Screenshot: high-priority intent filters]

[Screenshot: receiver aborting the broadcast]

Monitoring 3rd Party Apps

One selling point of PhoneBeagle (it costs $9.99/month) is its strong monitoring capability over third-party apps such as Facebook, Skype and Line. This feature is implemented by directly accessing the file system and retrieving the data files that hold those apps' local storage. To do so, the app requests the READ_EXTERNAL_STORAGE permission. The relevant package is com.agilebinary.mobilemonitor.device.android.device.observers.[appname].

Take Facebook as an example. Like many other apps, it uses SQLite for local storage, and PhoneBeagle simply queries the database to retrieve the information it needs:

[Screenshot: SQLite query against the Facebook app's local database]

Similarly, the app requests READ_HISTORY_BOOKMARKS to access the user's browsing history.

Self Protection

PhoneBeagle uses a guardian process for self-protection. It is a separate package, "com.agilebinary.mobilemonitor.watcher" (the app name is "Camara Settings" as a disguise). It activates the device administrator directly to implement uninstall protection, a mechanism commonly seen in enterprise MDM systems. With it, the app does not even need root privileges to access sensitive systems and data; the only thing required is that the device administrator be authorized when the backdoor is installed.

[Screenshot: device administrator activation prompt]

The guardian app registers a broadcast receiver, "MyDeviceAdminReceiver", to monitor every change of the device admin state.

[Screenshot: MyDeviceAdminReceiver registration]

If the receiver detects that the device admin has been deactivated, it sends an SMS to notify the client side:

[Screenshot: SMS notification on device admin deactivation]
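The manifest-level traits described above (icons hidden by dropping the LAUNCHER category, top-priority receivers on SMS_RECEIVED and NEW_OUTGOING_CALL, a device-admin receiver, a broad set of monitoring permissions) can all be read out of AndroidManifest.xml without running the app. The following script is an added example, not PhoneBeagle's or Trustlook's code; the manifest it parses is constructed to mirror the analysis, with invented package and class names and the page's "Camara Settings" label, and the sensitive-permission list and the priority threshold are the author's assumptions.

```python
"""Static triage of an AndroidManifest.xml for the traits described above.

Added example, not PhoneBeagle's or Trustlook's code. MONITOR_MANIFEST is
constructed to mirror the analysis (no LAUNCHER category, top-priority
receivers on SMS_RECEIVED and NEW_OUTGOING_CALL, a device-admin receiver,
monitoring permissions, the "Camara Settings" label); package and class
names are invented placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    # the key ElementTree uses for an android:<attr> attribute
    return "{%s}%s" % (ANDROID_NS, attr)


SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}
# Ordered broadcasts that a receiver running first can abort for everyone else.
ABORTABLE_BROADCASTS = {"android.provider.Telephony.SMS_RECEIVED",
                        "android.intent.action.NEW_OUTGOING_CALL"}
# IntentFilter.SYSTEM_HIGH_PRIORITY is 1000 and apps are documented to stay
# below it, so a receiver at or above it claims to run ahead of the system's.
SYSTEM_HIGH_PRIORITY = 1000

MONITOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.monitor">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Camara Settings">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".MyDeviceAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Pull out the indicators the analysis above relies on."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "sensitive_permissions": sorted(
            p.get(android("name")) for p in root.findall("uses-permission")
            if p.get(android("name")) in SENSITIVE_PERMISSIONS),
        "has_launcher_icon": False,
        "high_priority_receivers": [],   # (receiver, action, priority)
        "device_admin_receivers": [],
    }
    # An icon appears only if some activity has MAIN plus LAUNCHER; dropping
    # the LAUNCHER category is how the text says both apps hide themselves.
    for act in app.findall("activity") + app.findall("activity-alias"):
        for flt in act.findall("intent-filter"):
            actions = {x.get(android("name")) for x in flt.findall("action")}
            cats = {x.get(android("name")) for x in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                findings["has_launcher_icon"] = True
    for rcv in app.findall("receiver"):
        name = rcv.get(android("name"))
        # A device-admin receiver is the one guarded by BIND_DEVICE_ADMIN.
        if rcv.get(android("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings["device_admin_receivers"].append(name)
        for flt in rcv.findall("intent-filter"):
            priority = int(flt.get(android("priority"), "0"))
            for act in flt.findall("action"):
                action = act.get(android("name"))
                if action in ABORTABLE_BROADCASTS and priority >= SYSTEM_HIGH_PRIORITY:
                    findings["high_priority_receivers"].append((name, action, priority))
    return findings


if __name__ == "__main__":
    f = triage_manifest(MONITOR_MANIFEST)
    print(f["package"], {k: v for k, v in f.items() if k != "package"})
```

None of these indicators is conclusive on its own (an SMS app legitimately receives SMS_RECEIVED, and an MDM agent legitimately holds device admin); the combination of a missing launcher icon, broadcast-aborting priorities and device-admin uninstall protection in one package is what matches the profile described above.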

Communication with C&C Server:

PhoneBeagle sends the monitoring log to the command and control server asynchronously, at an interval of approximately 30 minutes. The log is sent in an HTTP PUT request, with the content encrypted using DES:

[Screenshot: DES-encrypted HTTP PUT to the C&C server]

Two of the C&C servers we have found are 195.59.54.118 and 77.67.10.158.
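The reporting channel just described has two properties a defender can key on: the destination addresses listed above, and the regular ~30-minute cadence of the PUT requests. The script below is an added example, not PhoneBeagle's or Trustlook's code; it runs both checks over a constructed proxy log (timestamp, client, method, URL, status) in which the client address and the second destination are invented, while the watchlist holds the two C&C addresses named in this analysis.

```python
"""Spotting the reporting channel described above in HTTP proxy logs.

Added example, not PhoneBeagle's or Trustlook's code. SAMPLE_LOG is a
constructed proxy log; 10.0.0.7 and files.example.org are invented, and
KNOWN_C2 holds the two addresses named in the analysis.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

KNOWN_C2 = {"195.59.54.118", "77.67.10.158"}   # from the analysis above
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

SAMPLE_LOG = """\
2013-09-27T00:00:12Z 10.0.0.7 PUT http://195.59.54.118/upload 200
2013-09-27T00:00:40Z 10.0.0.7 GET http://news.example.com/ 200
2013-09-27T00:05:00Z 10.0.0.7 PUT http://files.example.org/api/v1 201
2013-09-27T00:07:30Z 10.0.0.7 PUT http://files.example.org/api/v1 201
2013-09-27T00:30:09Z 10.0.0.7 PUT http://195.59.54.118/upload 200
2013-09-27T00:45:03Z 10.0.0.7 GET http://news.example.com/story/1 200
2013-09-27T01:00:15Z 10.0.0.7 PUT http://195.59.54.118/upload 200
2013-09-27T01:30:07Z 10.0.0.7 PUT http://195.59.54.118/upload 200
2013-09-27T02:00:11Z 10.0.0.7 PUT http://195.59.54.118/upload 200
2013-09-27T03:12:00Z 10.0.0.7 PUT http://files.example.org/api/v1 201
not a log line
"""


def parse_log(text):
    """Return (timestamp, client, method, host) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip anything not in the expected shape
        ts, client, method, url, _status = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client,
                     method, urlparse(url).hostname))
    return rows


def known_c2_contacts(rows, watchlist=KNOWN_C2):
    """Clients that reached a listed C&C host, with the hosts they reached."""
    hits = defaultdict(set)
    for _ts, client, _method, host in rows:
        if host in watchlist:
            hits[client].add(host)
    return {c: sorted(h) for c, h in hits.items()}


def find_beacons(rows, method="PUT", min_hits=4, max_jitter=0.15):
    """Per (client, host): flag PUT series whose inter-request gaps are nearly
    constant. Jitter is the coefficient of variation of the gaps; a scheduled
    upload every ~30 minutes stays well under max_jitter, human-driven
    traffic to the same host does not. Returns the mean period in minutes."""
    series = defaultdict(list)
    for ts, client, meth, host in rows:
        if meth == method:
            series[(client, host)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg / 60)
    return beacons


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("known C&C contacts:", known_c2_contacts(rows))
    print("periodic PUT channels (minutes):", find_beacons(rows))
```

The address watchlist is the cheap check but ages quickly; the cadence check survives a change of server, at the cost of needing a few hours of log for each client before it can fire.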


Conclusion?

Be aware of it – unless you know what you are doing!

Alert: Android WebView addJavascriptInterface Code Execution Vulnerability

Update: Trustlook has released a solution to detect this vulnerability within 12 hours of its being reported. During the long night, we had to patch the Android system, change scheduling code, refresh the ROM on all production devices and, of course, have many beers. This is fun.

A Chinese hacker, livers, from wooyun.org has reported an Android remote code execution vulnerability in the addJavascriptInterface method of the WebView control. In more detail, addJavascriptInterface is the bridge between JavaScript code and local Java. If your browser or another application implements code like the following, you may be vulnerable: attackers can run code remotely on your Android device, and they can obtain a remote shell or even install a backdoor application on your device.

[Screenshot: vulnerable addJavascriptInterface usage]
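Whether the code pattern above is exploitable depends on two things the screenshot does not show: the app's targetSdkVersion and whether the injected object's methods carry the @JavascriptInterface annotation. The following audit script is an added example, not code from the report or from Trustlook. It relies on platform behaviour not stated on this page: since Android 4.2 (API 17), an app targeting API 17 or higher exposes only @JavascriptInterface-annotated methods to page JavaScript, while an older target, or a device below 4.2 regardless of target, exposes every public method of the injected object. The Java and manifest snippets it checks are constructed illustrations.

```python
"""Static check for the addJavascriptInterface pattern described above.

Added example, not code from the report or from Trustlook. Assumed platform
facts: with targetSdkVersion >= 17 only @JavascriptInterface methods are
exported to page JavaScript; with a lower target, or on a device below
Android 4.2, every public method of the injected object is reachable.
The Java source and <uses-sdk> lines below are constructed illustrations.
"""
import re

API_17 = 17  # Android 4.2, where the @JavascriptInterface restriction arrived

BRIDGE_CALL = re.compile(
    r'addJavascriptInterface\s*\(\s*(?:new\s+(\w+)\s*\([^)]*\)|(\w+))\s*,\s*"([^"]+)"')
ANNOTATED = re.compile(r"@JavascriptInterface\b")
TARGET_SDK = re.compile(r'android:targetSdkVersion="(\d+)"')
MIN_SDK = re.compile(r'android:minSdkVersion="(\d+)"')

VULNERABLE_JAVA = """
public class BrowserActivity extends Activity {
    class JsBridge {
        public String version() { return "1.0"; }
    }
    void setup(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new JsBridge(), "bridge");
    }
}
"""
# Same code with the exported method annotated, the fix for API 17+ targets.
HARDENED_JAVA = VULNERABLE_JAVA.replace(
    "        public String version()",
    "        @JavascriptInterface\n        public String version()")

OLD_TARGET = '<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>'
MIXED_TARGET = '<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17"/>'
NEW_TARGET = '<uses-sdk android:minSdkVersion="17" android:targetSdkVersion="17"/>'


def sdk_level(pattern, manifest):
    m = pattern.search(manifest)
    return int(m.group(1)) if m else 1  # a missing attribute means API 1


def audit_bridges(java_src, manifest):
    """One finding string per exposed bridge; an empty list means nothing found."""
    findings = []
    target = sdk_level(TARGET_SDK, manifest)
    min_sdk = sdk_level(MIN_SDK, manifest)
    annotated = bool(ANNOTATED.search(java_src))
    for cls, var, js_name in BRIDGE_CALL.findall(java_src):
        obj = cls or var
        if target < API_17:
            findings.append("%s: targetSdkVersion %d < 17, so every public method of %s "
                            "is callable from page JavaScript on every device"
                            % (js_name, target, obj))
            continue
        if not annotated:
            findings.append("%s: no @JavascriptInterface methods, so nothing is exported "
                            "on Android 4.2+; confirm the bridge is intended" % js_name)
        if min_sdk < API_17:
            findings.append("%s: minSdkVersion %d < 17, so devices below Android 4.2 "
                            "still expose all of %s" % (js_name, min_sdk, obj))
    return findings


if __name__ == "__main__":
    for label, src, mf in (("old target", VULNERABLE_JAVA, OLD_TARGET),
                           ("annotated, min 8", HARDENED_JAVA, MIXED_TARGET),
                           ("annotated, min 17", HARDENED_JAVA, NEW_TARGET)):
        print(label, "->", audit_bridges(src, mf) or ["nothing found"])
```

The third case is the only one the script passes: annotation plus a minimum of API 17. Annotating alone (the second case) fixes 4.2+ devices but leaves the install base below 4.2 exposed, which is the population the report's affected apps were serving in 2013.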

According to the report, many Android applications are confirmed vulnerable:

– QQ browser HD
– Baidu browser
– Qvod player

The following JavaScript code allows an attacker to run commands on a vulnerable application.

[Screenshot: JavaScript reaching the Java bridge]

Here is the real exploit code that allows an attacker to control your device remotely. It splits the exploit APK into four parts, merges them back into one APK file and writes it to the SD card of the target device, then runs an adb command to install the backdoor application.

[Screenshot: exploit code]

The following pictures show the backdoor application, androrat, installed on the vulnerable device.

[Screenshot: androrat installed on the device]

The last step is to remotely control the exploited device.

[Screenshot: remote control of the exploited device]

In the past 12 hours, Trustlook has released a solution to detect this high-risk vulnerability. Here is the PoC sample, which tries to create a bridge to call Java functions from JavaScript in an HTML page.

Here is the risk summary alert for an application impacted by this vulnerability.

[Screenshot: risk summary alert]

Here is the detailed log showing the sample creating a JavaScript-to-Java bridge and loading the HTML file located at android_asset/www/index.html, which contains the malicious JavaScript.

[Screenshot: detailed detection log]