Hacking Team Malware Analysis Part 1/n: Da Vinci Android Chat Client Modules
Disclaimer: This article is due for a massive rewrite in the near future. I was planning on having this fixed by now; however, I had a laptop graphics card failure, and it looks like I will need to fix it some time after I get home from DEFCON. One of the primary flaws that was criticized was that this post looks more like a code dump than an actual analysis. I intend to fix that when I get the opportunity. I wish I had caught that prior to release, as this is my first attempt at a malware analysis post. This article will remain up for archival purposes until I can edit it with the updated content.
This blog post will go over some of the modules of Hacking Team's Android malware. It will not be comprehensive, but it will give a basic overview of what functionality is in the malware. Also, if you have any suggestions, or anything to point out, please leave a comment. I'm still learning, and could use any assistance possible in learning how to get better at this.
First things first: this post primarily covers the code in core-android/RCSAndroid/src/com/android/dvci/module/chat. It is limited to that directory so I can focus on those modules without the post getting way too long.
Judging by the folder name, dvci, and the fact that Da Vinci is the name of Hacking Team's malware, it's safe to guess that this is the code for the Da Vinci modules on Android. First, let's look at what is in the directory:
As you can see, there are modules for BlackBerry Messenger, Facebook, Google Talk/Hangouts, Line, Skype, Telegram, Viber, WeChat, and Whatsapp. It also appears to be able to get/assign chat groups. Hacking Team emails also discussed adding Wickr. I also noticed a lack of anything for Silent Circle, Chatsecure, Textsecure, Kik, and Snapchat, but let's focus on what's currently here. I should also note that the commit in the Git repo on GitHub is dated Dec 16, 2014, so there is a very real possibility they changed or added functionality, especially after the leak.
Side note: Textsecure traditionally handled messaging over SMS/MMS. I don't know enough about the internals, but it's possible that texts could be intercepted using the standard SMS/MMS intercept code that's in this malware, as I have personally seen text messages duplicated between Textsecure and other apps on one of my devices in the past.
Source Code Analysis
The BBM module has functions for getting the chat history, group history, BBM version, conversation history, BBM contact PINs (when the BBM version is version 1), BBM contacts, and the local (current user) contact. This indicates the BBM module is capable of grabbing the current user, conversations, groups, and contacts.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatBBM.java.
Next, let's analyze the Facebook module. This module appears to grab your contacts, your profile (including Facebook ID, first name, last name, email addresses, and phone numbers), messages, and conversations. I should note that I am not sure how this handles the Facebook Messenger app.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatFacebook.java.
Next, let's take a look at the Google module. This module appears to affect both Hangouts and Google Talk. It appears to be able to fetch and read Google Talk messages. Furthermore, it can read Hangouts participants, messages, and conversations. Finally, it appears to be able to read the account information stored in the Google Talk shared preferences.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatGoogle.java.
Next let’s look at the Line module. The Line module appears to grab your phone number, message history, and groups.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatLine.java.
Now let's cover Skype. The Skype module appears to get message history, contacts, conversations, messages, groups, account information, and current call info. The current call info function grabs identity, display name, call duration, call creation timestamp, whether the call is incoming, call beginning timestamp, as well as call members.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatSkype.java.
The Telegram module can read the message history and group chats, as well as standard, secure, and plain chats. It can also read your phone number and contacts list. Furthermore, it can get binary blobs sent over Telegram. It can also get your groups. Interestingly, there is a second version of the address-contacts reader with the suffix "_old", which indicates support for older versions of Telegram.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatTelegram.java.
The Viber module reads account data, as well as message history and current calls. The Viber module appears to save chat participants as groups in evidence.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatViber.java.
The WeChat module grabs account information, including ID, name, and phone number. It also grabs messages, chat groups, and contacts.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatWeChat.java.
The Whatsapp module grabs your phone number, as well as the list of chat groups, conversations, and your messages. I should note the Whatsapp module does not appear to change any file permissions.
The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatWhatsapp.java.
The common theme related to detection in most of these modules is that they appear to change the file permissions on the files they touch. In a future post I'll go into a more detailed forensic analysis.
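As an added example (not code from this post or from the leaked RCSAndroid source), here is the kind of check that follows from that observation: walk an Android app-data tree and list chat-app database files that any other UID can read or write. Each app runs under its own UID and its databases are normally readable only by that UID, so a loosened database is a lead worth explaining. It assumes a root shell on the device (default root /data/data) or an extracted copy of the data partition with permission bits preserved; the fixture directory, package names and file names below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the leaked RCSAndroid source or from this post.
# Flag chat-app database files whose permissions have been loosened so that
# other UIDs can read or write them. Octal -perm forms are used so the same
# command works with GNU find, busybox and toybox (the find shipped on Android).
#
# Assumptions: run as root via `adb shell` (default root /data/data) or point
# it at an extracted copy of the data partition; only *.db files and their
# SQLite WAL/journal side files are of interest here.

find_world_accessible_dbs() {
    root="${1:-/data/data}"
    # -perm -004: "other" has read; -perm -002: "other" has write.
    find "$root" -type f \
        \( -name '*.db' -o -name '*.db-wal' -o -name '*.db-journal' \) \
        \( -perm -004 -o -perm -002 \) 2>/dev/null | sort
}

# Constructed fixture so the check can be exercised off-device: two fake app
# directories, one database left at 0600 and one loosened to 0666. The package
# and database names are illustrative only, not real apps.
make_fixture() {
    dir="${1:?fixture directory required}"
    mkdir -p "$dir/com.example.chat_a/databases" "$dir/com.example.chat_b/databases"
    : > "$dir/com.example.chat_a/databases/msgstore.db"
    : > "$dir/com.example.chat_b/databases/main.db"
    chmod 600 "$dir/com.example.chat_a/databases/msgstore.db"   # untouched
    chmod 666 "$dir/com.example.chat_b/databases/main.db"       # loosened
}

# Stand-alone demo: build the fixture in a temp dir and report what is flagged.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "world-accessible databases under $tmp:"
    find_world_accessible_dbs "$tmp"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the fixture result, or call `find_world_accessible_dbs` with no argument from a root shell on the device. On a non-rooted device /data/data is not readable at all, so this is a root-shell or pulled-image check. A hit is a lead rather than proof, since an app can loosen its own permissions, and the absence of hits does not clear a device: as noted below for the Whatsapp module, not every module changes permissions.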
There are potential countermeasures I can think of for Android to implement in the OS itself, as well as app-level countermeasures. The first countermeasure I can think of is, when developing your apps, to use SQLCipher to encrypt databases and require the user to unlock the app before the databases are decrypted. While this will not stop a persistent infection, it will make it harder to get everything all at once. Another possible thing to look into is extending the intent framework to restrict who can access what, and to require fine-grained permissions for accessing things. While this won't help if the device is rooted, storing this in a root-required directory will help on non-rooted devices. Giving users the option to not store chat logs would also help prevent tools like this from reading your chat history. This includes both not saving the history to storage and removing temporary files from storage, rather than repeating the Snapchat fiasco where Snapchat stored "expired" images in the phone's storage after expiration. Some apps may already have this, but most don't.
This concludes the first part of my series on dissecting the Hacking Team malware source code.