In the past several weeks we have intercepted multiple samples of a backdoor application: Phone Beagle, which is marketed as a parental control tool for the Android and BlackBerry platforms (http://www.phonebeagle.com/).
The Phone Beagle application consists of three modules: a controller app, a guardian app, and a client-side GUI. The first two are APK files installed on the compromised phone. Both the controller and guardian apps can hide their icons by omitting the “android.intent.category.LAUNCHER” category from the main activity's intent filter in AndroidManifest.xml; without that category the launcher never lists the app, although it keeps running. The client-side GUI is available both as a mobile app and on the web, as shown in the screenshot below:
The intercepted controller app samples differ slightly, mostly in version and configuration. This article focuses on the functionality of the controller and guardian apps and how it is implemented.
APK File Structure:
The controller APK consists of two packages: the BeanShell library (http://www.beanshell.org/), an embedded interpreter for Java source code, and the agilebinary package (named after the company).
Whatever its intended purpose, Phone Beagle has strong remote control capability, which makes it a potentially dangerous backdoor application.
The app requests a large set of permissions for remote control, including access to phone calls, SMS, contacts, GPS location, network connections, and browsing history.
Monitoring Over the Phone:
The app registers a set of broadcast receivers in order to monitor and control certain behaviour. The following system broadcasts are monitored:
As is common in malware, the app registers its intent filters for SMS_RECEIVED and NEW_OUTGOING_CALL with the highest priority. Ordered broadcasts are delivered to receivers in descending priority order, so the app sees each incoming SMS and outgoing call before the stock messaging and dialer apps do and can abort the broadcast, which is how it implements restriction of phone use. Note that since Android 4.4 (KitKat) SMS_RECEIVED can no longer be aborted by a third-party app, and only the default SMS app receives SMS_DELIVER, so this part of the restriction depends on the Android version of the target device:
Monitoring 3rd Party Apps:
One selling point of Phone Beagle (it costs $9.99/month) is its monitoring of third-party apps such as Facebook, Skype and Line. This feature is implemented by accessing the file system directly and reading the data files that hold those apps' local storage; to do so, the app requests the READ_EXTERNAL_STORAGE permission. The relevant package is com.agilebinary.mobilemonitor.device.android.device.observers.[appname], one observer per monitored app.
Take Facebook as an example. Like many other apps, it uses SQLite for local storage, and Phone Beagle simply opens the database and queries it for the information it needs. Bear in mind that READ_EXTERNAL_STORAGE only covers files on shared storage; a database kept in another app's private directory under /data/data is protected by the application sandbox and cannot be read by a different app without root:
Similarly, the app requests the READ_HISTORY_BOOKMARKS permission to read the user's browsing history through the browser's content provider.
Self Protection:
Phone Beagle uses a separate guardian process for self-protection. It lives in its own package, “com.agilebinary.mobilemonitor.watcher”, and is disguised under the app name “Camara Settings”. It requests device administrator privileges to implement uninstall protection, a mechanism commonly seen in enterprise MDM systems: while an app holds an active device administrator, Android refuses to uninstall it until the administrator is deactivated. With device administrator active the app does not need root to obtain the access it wants; the only thing the person installing the backdoor has to do is approve the device administrator prompt during installation.
The guardian app registers a broadcast receiver, “MyDeviceAdminReceiver”, to be notified of every change in device administrator state.
If the receiver sees that the device administrator has been deactivated, it sends an SMS to notify the client side:
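The manifest-level indicators described in the sections above (the missing LAUNCHER category, the set of sensitive permissions, the top-priority receivers on SMS_RECEIVED and NEW_OUTGOING_CALL, and the BIND_DEVICE_ADMIN-guarded receiver) are all visible in a decoded AndroidManifest.xml, so they can be checked without running the sample. The script below is an added example of such a triage pass written for this article; it is not code from Phone Beagle or from the original analysis. The two manifests are constructed (package and class names are placeholders), and the priority threshold and the "three of four indicators" verdict rule are my own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the analysis lists as requested for remote control.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}
# Ordered broadcasts that a high-priority receiver can see first and abort.
ABORTABLE_BROADCASTS = {"android.provider.Telephony.SMS_RECEIVED",
                        "android.intent.action.NEW_OUTGOING_CALL"}
# A receiver guarded by this permission is a DeviceAdminReceiver.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
# Assumed threshold: 999 is the highest priority a normal app should use
# (1000 is reserved for the system); malware usually sets far larger values.
HIGH_PRIORITY = 999

# Constructed manifest resembling the behaviour described above, not taken
# from any real sample; package and class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.watcher">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Camara Settings">
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".MyDeviceAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign counterpart: has a launcher icon, intercepts nothing.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def attr(name):
    """Key for an android:<name> attribute as ElementTree reports it."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(xml_text):
    """Extract the four indicator classes from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    requested = {e.get(attr("name")) for e in root.findall("uses-permission")}
    # An activity with MAIN but no LAUNCHER category never gets a drawer icon.
    has_launcher = any(
        c.get(attr("name")) == "android.intent.category.LAUNCHER"
        for act in app.findall("activity")
        for c in act.findall("./intent-filter/category"))
    high_prio, admin = [], []
    for rcv in app.findall("receiver"):
        name = rcv.get(attr("name"))
        if rcv.get(attr("permission")) == DEVICE_ADMIN_PERMISSION:
            admin.append(name)
        for filt in rcv.findall("intent-filter"):
            prio = int(filt.get(attr("priority"), "0"), 0)  # decimal or 0x... as decoded
            actions = {a.get(attr("name")) for a in filt.findall("action")}
            hit = actions & ABORTABLE_BROADCASTS
            if hit and prio >= HIGH_PRIORITY:
                high_prio.append((name, prio, sorted(hit)))
    return {
        "sensitive_permissions": sorted(requested & SENSITIVE_PERMISSIONS),
        "launcher_hidden": not has_launcher,
        "high_priority_receivers": high_prio,
        "device_admin_receivers": admin,
    }


def is_suspicious(report):
    """Assumed verdict rule: at least three of the four indicator classes fire."""
    signals = (len(report["sensitive_permissions"]) >= 4, report["launcher_hidden"],
               bool(report["high_priority_receivers"]), bool(report["device_admin_receivers"]))
    return sum(signals) >= 3
```

Run it on the output of `apktool d sample.apk` (the decoded AndroidManifest.xml) rather than on the binary manifest inside the APK. Each indicator on its own has legitimate uses (a device-admin receiver is normal in MDM agents, a hidden launcher icon is normal for keyboards and widgets), which is why the verdict combines them instead of alerting on any single one.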
Communication with C&C Server:
Phone Beagle uploads its monitoring log to the command and control server asynchronously, at an interval of roughly 30 minutes. The log is sent in an HTTP PUT request with the body encrypted with DES. Since DES is a symmetric 56-bit cipher, the key has to be present on the device, so the encryption only hides the log from casual inspection of the traffic, not from anyone who has the sample:
Two of the C&C servers we found are 220.127.116.11 and 18.104.22.168.
Be wary of it, unless you know what you are doing!
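Because the log body is encrypted, the network-side signal is the metadata: an HTTP PUT from the same client to the same host recurring on a roughly 30-minute schedule. The script below is an added example written for this article (not code from Phone Beagle or from the original analysis) that hunts for that pattern in an egress or proxy log. It matches the two addresses listed above as plain indicators, but it also flags any client that PUTs to any host at that cadence, so it generalises beyond those two IPs. The log lines and their simplified format are constructed, and the 15% tolerance on interval and jitter is my own assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Addresses named in the analysis; a hit here is an IOC match on its own.
KNOWN_C2 = {"220.127.116.11", "18.104.22.168"}

# Constructed proxy/egress log, not real traffic.  Simplified format:
#   <epoch> <client_ip> <method> <dst_ip> <url> <status> <bytes>
# 10.0.0.5 uploads to a listed C&C every ~30 min, 10.0.0.9 beacons to an
# unknown host on the same schedule, 10.0.0.7 is ordinary irregular use.
SAMPLE_LOG = """\
1433000000 10.0.0.5 PUT 220.127.116.11 http://220.127.116.11/ 200 4120
1433000000 10.0.0.9 PUT 203.0.113.9 http://203.0.113.9/upload 200 2000
1433000120 10.0.0.7 GET 93.184.216.34 http://example.com/ 200 1256
1433000300 10.0.0.7 PUT 93.184.216.34 http://example.com/api 200 310
1433000400 10.0.0.7 PUT 93.184.216.34 http://example.com/api 200 305
1433001790 10.0.0.5 PUT 220.127.116.11 http://220.127.116.11/ 200 3988
1433001800 10.0.0.9 PUT 203.0.113.9 http://203.0.113.9/upload 200 2010
1433003600 10.0.0.9 PUT 203.0.113.9 http://203.0.113.9/upload 200 1990
1433003610 10.0.0.5 PUT 220.127.116.11 http://220.127.116.11/ 200 4301
1433005395 10.0.0.5 PUT 220.127.116.11 http://220.127.116.11/ 200 4077
1433005400 10.0.0.9 PUT 203.0.113.9 http://203.0.113.9/upload 200 2005
1433006000 10.0.0.7 PUT 93.184.216.34 http://example.com/api 200 298
1433007200 10.0.0.5 PUT 220.127.116.11 http://220.127.116.11/ 200 4150
"""


def parse_log(text):
    """Turn the constructed log format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, method, dst, url, status, size = parts
        records.append({"ts": int(ts), "client": client, "method": method,
                        "dst": dst, "url": url, "status": int(status), "bytes": int(size)})
    return records


def find_beacons(records, expected_s=1800, tolerance=0.15, min_hits=3):
    """Flag (client, dst) pairs whose PUT requests recur about every expected_s seconds.

    tolerance is an assumed value: the mean gap may deviate from expected_s by
    that fraction, and the relative jitter (pstdev / mean) must stay below it.
    """
    stamps = defaultdict(list)
    for r in records:
        if r["method"] == "PUT":
            stamps[(r["client"], r["dst"])].append(r["ts"])
    beacons = []
    for (client, dst), ts in stamps.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if abs(avg - expected_s) <= tolerance * expected_s and jitter <= tolerance:
            beacons.append({"client": client, "dst": dst, "hits": len(ts),
                            "mean_interval": round(avg), "jitter": round(jitter, 3),
                            "known_c2": dst in KNOWN_C2})
    return sorted(beacons, key=lambda b: (b["client"], b["dst"]))


def ioc_matches(records):
    """Plain indicator match against the listed addresses, independent of timing."""
    return sorted({(r["client"], r["dst"]) for r in records if r["dst"] in KNOWN_C2})
```

On the constructed log, `ioc_matches` catches only 10.0.0.5, while `find_beacons` catches both 10.0.0.5 and 10.0.0.9 and leaves 10.0.0.7 alone despite its PUTs, because its gaps are nowhere near a fixed 30-minute cadence. Expect more noise on real proxy logs from legitimate periodic uploads (backup and telemetry agents), so treat a beacon hit as a lead to pivot on (destination reputation, request size, user agent) rather than a verdict.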