Sunday, March 20, 2016

Analysis of SmeshApp used to snoop on Indians by Pakistani malicious actors


There was a news report recently by CNN-IBN stating that Pakistani malicious actors are using a malicious app to snoop on Indian military personnel. You can read the report here: http://www.ibnlive.com/news/india/google-removes-smeshapp-used-by-pakistan-to-snoop-on-indian-troops-1216294.html

Initially I assumed it was just general FUD spread by the Indian media. So I decided to investigate the claims.

Reversing the application:


Viewing the AndroidManifest.xml file in the application shows that it requests almost every permission available.

AndroidManifest.xml file from SmeshApp

As you can see, it holds almost every permission needed to do anything on the phone.
From the libraries used, we can assume the app is acting as a SIP/VoIP client. The same can be confirmed from its Google Play description:
With SmeshApp, everyone in the world can connect, Freely. SmeshApp users text, make HD-quality phone calls, and send photo and video messages worldwide over Wifi or 3G - for free.*
On SmeshApp, your phone number is your ID. The app syncs with your mobile contact list, automatically detecting which of your contacts have SmeshApp.
• Text with your friends
• Make free phone and video calls with HD sound quality
• Share photos, video messages, voice messages, locations, stickers and emoticons
• Create group messages with up to 100 participants
• Follow Public Chats – get on the inside with your favorite personalities; watch their conversations unfold in real-time, ‘like’ comments and share multi-media content
• Push notifications guarantee that you never miss a message or call, even when Smesh App is off
• Integration with native contact list for calls and messages
• Smesh App is completely free with no advertising.
We value your privacy.



One interesting module to observe is com.appster. In a recent whitepaper released by Proofpoint researchers, named Operation Transparent Tribe, a Pakistani company named Appster tech was identified as targeting Indian embassies in Astana and Riyadh. You can find the whitepaper here: https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe

In the Constants class in com.mobileapps.smeshapp we can see the SIP server and the app server it is contacting.



The class SmsHandler in com.app.observers collects SMS messages from the device and saves them to the server.

SmsHandler


VideoHandler and ImageHandler likewise upload any new videos and images found in local storage to the server.

The package com.apps.xmpp also has interesting classes such as IMMediaSender, Location Provider and SMDataManager. They are mainly used to upload files and other metadata.




The application does nothing fancy or advanced: it requests all permissions at installation, registers receivers for many events (boot, call state, message state, network change) and then uploads the collected data to the server.
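The manifest review above (permissions plus the receivers registered for boot, call, SMS and network events) is the quickest static triage an analyst can do on an APK of this kind. The following script is an added example, not code from the original post: it parses a constructed sample manifest (not the real SmeshApp manifest) with the standard library and flags the combination of data-access permissions and event-triggered receivers that characterises this class of spyware.

```python
"""Static triage of an AndroidManifest.xml for spyware-like permission/receiver combinations.

Added example; the sample manifest below is constructed and is not SmeshApp's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, taken together, point to data collection rather than a VoIP client.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe dialled numbers",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "capture video/images",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_EXTERNAL_STORAGE": "read local images/videos",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.READ_CONTACTS": "harvest contacts",
}

# Broadcast actions a receiver registers for in order to trigger collection or upload.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "persistence at boot",
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception",
    "android.intent.action.PHONE_STATE": "call state monitoring",
    "android.intent.action.NEW_OUTGOING_CALL": "outgoing call monitoring",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change (upload trigger)",
}

# Constructed sample: a "VoIP" app whose manifest looks like the one described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.voip">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Constructed VoIP">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".NetReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return flagged permissions, triggering receivers and a heuristic verdict."""
    root = ET.fromstring(xml_text)
    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS}

    receivers = {}
    for rcv in root.iter("receiver"):
        hits = [a.get(ANDROID_NS + "name") for a in rcv.iter("action")
                if a.get(ANDROID_NS + "name") in TRIGGER_ACTIONS]
        if hits:
            receivers[rcv.get(ANDROID_NS + "name")] = hits

    # Heuristic thresholds (an assumption of this example): several sensitive
    # permissions, at least one event-triggered receiver, and network access.
    has_internet = "android.permission.INTERNET" in requested
    if len(flagged) >= 3 and receivers and has_internet:
        verdict = "spyware-like"
    elif flagged:
        verdict = "review"
    else:
        verdict = "clean"
    return {"permissions": flagged, "receivers": receivers, "verdict": verdict}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for perm, why in result["permissions"].items():
        print(f"permission {perm}: {why}")
    for name, actions in result["receivers"].items():
        print(f"receiver {name} triggers on {', '.join(TRIGGER_ACTIONS[a] for a in actions)}")
    print("verdict:", result["verdict"])
```

A real messaging app can legitimately request several of these permissions, so the signal is the combination of broad data access, receivers wired to boot/SMS/call/connectivity events, and an upload path, which is exactly the pattern the handler classes above implement. Use the verdict to prioritise which APKs get decompiled, not as a final classification.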

Investigating the server: 


I found that even 3 days after the news was first reported, the server was still up. So I decided to poke into it.

Whois records show that the domain smeshapp.com is registered to an individual located in Pakistan. https://whoisology.com/archive_12/smeshapp.com

Querying historical DNS records from PassiveTotal shows smeshapp.com was hosted on 178.238.232.44, which belongs to Contabo GmbH VPS services. This aligns with the data provided in the whitepaper by Proofpoint.

The C&C domain in the SmeshApp application is registered to a person named Sajid (also mentioned by Proofpoint).
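The domain and hosting IP above are the indicators a defender would sweep for in DNS and proxy logs. The script below is an added example, not part of the original post: it runs those two indicators (smeshapp.com, including subdomains, and 178.238.232.44) over a few constructed log lines and groups the hits per internal client, so a matching host can be triaged.

```python
"""Sweep constructed DNS/proxy log lines for the SmeshApp infrastructure indicators.

Added example; the log lines and their format are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the analysis above.
IOC_DOMAINS = {"smeshapp.com"}
IOC_IPS = {ipaddress.ip_address("178.238.232.44")}

# Constructed log lines: "<timestamp> <client> dns query <name>" or "<timestamp> <client> connect <ip:port>".
SAMPLE_LOG = """\
2016-03-18T09:12:01Z 10.0.0.15 dns query api.smeshapp.com
2016-03-18T09:12:02Z 10.0.0.15 connect 178.238.232.44:443
2016-03-18T09:13:44Z 10.0.0.22 dns query www.example.org
2016-03-18T09:15:10Z 10.0.0.22 connect 93.184.216.34:443
2016-03-18T10:01:00Z 10.0.0.15 dns query smeshapp.com.
2016-03-18T10:02:30Z 10.0.0.40 dns query notsmeshapp.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns query|connect) (\S+)$")


def domain_matches(name, ioc_domains):
    """True for the indicator domain itself or any subdomain; lookalikes such as
    notsmeshapp.com do not match because the label boundary is checked."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def match_iocs(log_text):
    """Return {client: [(timestamp, indicator_type, value), ...]} for matching lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another shape are skipped, not guessed at
        ts, client, kind, target = m.groups()
        if kind == "dns query" and domain_matches(target, IOC_DOMAINS):
            hits[client].append((ts, "domain", target))
        elif kind == "connect":
            ip = ipaddress.ip_address(target.rsplit(":", 1)[0])
            if ip in IOC_IPS:
                hits[client].append((ts, "ip", target))
    return dict(hits)


if __name__ == "__main__":
    for client, events in match_iocs(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} indicator hit(s)")
        for ts, kind, value in events:
            print(f"  {ts} {kind} {value}")
```

A hit on the IP alone is weaker evidence than a hit on the domain: the VPS is shared hosting and the post itself notes several C&Cs on the same box, so an IP-only match should be confirmed by the DNS name or by the app inventory on the device.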

The server was vulnerable to Heartbleed, through which I obtained some interesting information. Later I found a file upload vulnerability on the C&C server and was able to get Apache user rights on it.

There were multiple C&Cs running on it. The SmeshApp C&C has two logins, one for admin and one for users.




The admin user interface 


Checking data on an user



Call data and recordings



Settings page



There is also an option for recording audio and video on demand. 

These are the files present in the admin folder



User folder 



The database structure used by the application



There are two databases containing data from Indian victims, about 800 MB and 500 MB in size.
These hold only the text logs and metadata from the devices. The images, audio and video uploaded to the server had been deleted by the time I gained access to it.

After analyzing the data it looks like the campaign started way back in 2013. There are logs of Indian phones connecting to the server from 2013 up to one day ago. Also, as stated in the news report, the people targeted are mainly Indian defence personnel. There are many text messages and other data relating to army movements and other alerts provided by security agencies. Some of the victims also have .gov.in mail addresses.

Interestingly enough, the developer's phone was also uploading data to the server. The Contabo VPS mentioned here was registered back in 2013, and the developer also had some communication regarding development of this project during the same period.

On the C&C there were other APKs and Jar files used for infection. One of the apps is named Indian Sena news app. It looks like a news display app, but has code similar to SmeshApp and uses the same C&C.
https://www.virustotal.com/en/file/5bbcd8a7856e037418c0ac1c0c987476e3210f577beffcdfe2eceebc19c5644d/analysis/1458407411/


The actors' M.O. is mainly luring people into installing a VoIP app for free calling and messaging by using fake Facebook profiles of girls. The app contains no mechanism for spreading itself.


If any investigating agencies and LE authorities require the data, you can contact me at the email given in my info page. 
