Hacking Team Malware Analysis Part 1/n: Da Vinci Android Chat Client Modules

Disclaimer: This article is due for a massive rewrite in the near future. I was planning on having this fixed by now, however I had a laptop graphics card failure and it looks like I will need to fix it some time after I get home from DEFCON. One of the primary flaws that was criticized was that this post looks more like a code dump than an actual analysis; I intend to fix that when I get the opportunity. I wish I had caught that prior to release, as this is my first attempt at a malware analysis post. This article will remain up for archival purposes until I can edit it with the updated content.


This blog post will go over some of the modules for Hacking Team’s Android Malware. This will not be comprehensive, but will be a basic overview of what functionality is in Hacking Team’s malware. Also, if you have any suggestions, or anything to point out, please leave a comment. I’m still learning, and could use any assistance possible in learning how to get better at this.

First things first, this will primarily be covering the code in core-android/RCSAndroid/src/com/android/dvci/module/chat. This post is limited to that so I can focus on those modules without this getting way too long.

Judging by the folder name, dvci, combined with the fact that Da Vinci is Hacking Team’s malware, it’s safe to guess this is the code for the Da Vinci modules on Android. First let’s look at what is in the directory:

As you can see, there are modules for BlackBerry Messenger, Facebook, Google Talk/Hangouts, Line, Skype, Telegram, Viber, WeChat, and Whatsapp. It also appears to be able to get/assign chat groups. Hacking Team emails also discussed adding Wickr. I also noticed a lack of anything for Silent Circle, Chatsecure, Textsecure, Kik, and Snapchat, but let’s focus on what’s currently here. I should also note that the commit in the Git repo on Github is dated Dec 16, 2014, so there is a very real possibility they changed or added functionality, especially after the leak.

Side note: Textsecure traditionally handled messaging over SMS/MMS. I don’t know enough about the internals, but it’s possible that those texts could be intercepted using the standard SMS/MMS intercept code that’s in this malware, as I have personally seen text messages duplicated between Textsecure and other apps on one of my devices in the past.


Source Code Analysis


BlackBerry Messenger

The BBM module has functions for getting the chat history, group history, BBM version, conversation history, BBM contact PINs (on BBM version 1), BBM contacts, and the local (current user) contact. This indicates the BBM module is capable of grabbing the current user, conversations, groups, and contacts.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatBBM.java.

This code in the main module indicates that the module supports BBM v1 and v2, but defaults to v1.
This is the code that actually handles version detection. As you can see, it pulls from the database and tries to detect the version by the contents of the database.
This code reads your contacts list/address book. If you are running BBM v1, it runs readAddressContactsUserPins, whereas for BBM v2 it runs readAddressContactsUsers.
This is the code that reads BBM v1 user PINs.
This is the code that reads BBM v2 contacts.
This is the code that actually pulls together and stores all your contacts as evidence.
This is the code that reads your chat history.
This is the code that reads your BBM group history. It is unfinished and might be moved to other functionality. It has probably been finished by now, however.
This code reads your BBM conversation history.

Facebook

Next let’s analyze the Facebook module. This module appears to grab your contacts, your profile (including Facebook ID, first name, last name, email addresses, and phone numbers), messages, and conversations. I should note, I am not sure how this handles the Facebook Messenger app.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatFacebook.java.

This code is used in reading your contacts list on Facebook.
This code reads your account data:
This function reads your message history:
This code gathers your messages.
This code gathers your Facebook conversations.
This code is what ultimately reads all your Facebook data using the other functions.

Google Talk/Hangouts

Next, let’s take a look at the Google module. This module appears to affect both Hangouts and Google Talk. It appears to be able to fetch and read Google Talk messages. Furthermore, it can read Hangouts participants, messages, and conversations. Finally, it appears to be able to read the account information stored in the Google Talk shared preferences.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatGoogle.java.

This function is used to read chat messages from Google Talk.
This code reads and fetches Google Hangouts and Talk messages.
This function collects who is participating in the Hangouts you are participating in.
This function gets a list of all the Hangouts conversations you’re in.
This function reads account data for your Google accounts tied to the Google Talk/Hangouts app.
This function fetches and reads your Google Talk messages.
This function sets which account it is collecting from.
This code saves your Google Talk/Hangouts contacts.

Line

Next let’s look at the Line module. The Line module appears to grab your phone number, message history, and groups.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatLine.java.

This function reads the phone number associated with the device running Line and stores it as your account.
This reads your Line chat message history and saves it to evidence.
This collects a list of your Line chat groups and saves them to evidence.

Skype

Now let’s cover Skype. The Skype module appears to get message history, contacts, conversations, messages, groups, account information, and current call info. The current call info function grabs identity, display name, call duration, call creation timestamp, whether the call is incoming, call beginning timestamp, as well as call members.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatSkype.java.

This code is used to read your Skype messages.
This code handles the Skype SQLite database.
This code grabs your Skype contacts.
This code gets a list of your Skype conversations.
This code handles your Skype groups.
This code reads your Skype account information.
This code gets information about your current Skype call.

Telegram

Telegram support in the Android Da Vinci module can read the message history, group chats, and standard, secure, and plain chats. It can also read your phone number and contacts list. Furthermore, it can get binary blobs sent over Telegram. It can also get your groups. Interestingly enough, there is a version of the address-contacts reader with the suffix “_old”, which indicates support for older versions of Telegram.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatTelegram.java.

A basic support class for accounts.
A support class for Telegram conversations.
This reads your Telegram history.
This opens a copy of the Telegram SQLite database.
This reads your Telegram contact list.
This reads your phone number from Telegram.
This function reads your Telegram chat history.
This reads your plain Telegram chat history.
This reads your Telegram secure chat history.
This reads your Telegram group chat history.
This gets a list of your Telegram groups.
This reads binary blobs sent using Telegram.
This is the visitor for your message groups.
This is the visitor for your message records.
Some support classes.

Viber

The Viber module reads account data, as well as message history and current calls. The Viber module appears to save chat participants as groups in evidence.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatViber.java.

This reads your Viber account info.
This reads your Viber message history.
This is an SQLite helper to open the Viber SQLite DB.
This gets a list of your Viber conversations.
This fetches the Viber conversation participants.
This fetches your Viber messages.
This helps interpret Viber markup for storage as evidence.
This gets your current Viber call.
A class for Viber chat groups; this is probably unused/unfinished and might very well be replaced with a different implementation.

WeChat

The WeChat module grabs account information, including ID, name, and phone number. It also grabs messages, chat groups, and contacts.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatWeChat.java.

This code reads your WeChat messages.
This code fetches your WeChat messages.
This code saves your WeChat contacts to evidence.
This code sets up reading of your WeChat account.
This code gets your WeChat groups.

Whatsapp

The Whatsapp module grabs your phone number, as well as the list of chat groups, conversations, and your messages. I should note the Whatsapp module does not appear to change any file permissions.

The source code for the module is located in core-android/RCSAndroid/src/com/android/dvci/module/chat/ChatWhatsapp.java.

As you can see in these parts of the code, the module parses groups in Whatsapp:
This code reads archived messages, conversations, as well as unread messages:
This code reads your phone number:

Detection

The common theme related to detection in most of these modules is that they appear to mess with the file permissions on the files they touch. In a future post I’ll go into a more detailed forensic analysis.
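Since the modules above leave their mark by changing the permissions of app-private files, one cheap triage check is to compare a listing of an app’s databases directory against what Android normally gives app-private data (owner and group both the app’s uid, no access for anyone else). The script below is an added example written for this post, not Hacking Team’s code; it assumes a toolbox-style `ls -l` listing (mode, owner, group, size, date, time, name), and the listing it parses is constructed, not a real capture.

```python
"""
Flag files in an Android app's private data directory whose permissions
are broader than the app-private default.

Added example for this post (not Hacking Team's code). On a device you
would feed it `ls -l /data/data/<package>/databases/` taken over adb;
the listing below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample listing, toolbox `ls -l` format:
# mode owner group size date time name
SAMPLE_LISTING = """\
-rw-rw---- u0_a123 u0_a123 245760 2015-07-10 09:12 msgstore.db
-rw-rw-rw- u0_a123 u0_a123  32768 2015-07-10 09:12 msgstore.db-wal
-rw-r--r-- u0_a123 u0_a123  16384 2015-07-10 09:12 wa.db
-rw-rw---- u0_a123 u0_a123  12288 2015-07-10 09:12 chatsettings.db
-rw-rw---- u0_a123 sdcard_rw 8192 2015-07-10 09:12 export.db
drwxrwx--x u0_a123 u0_a123   4096 2015-07-10 09:12 cache
"""

LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+\s+\S+)\s+(.+)$"
)


@dataclass
class Entry:
    mode: str   # symbolic mode string, e.g. "-rw-rw----"
    owner: str
    group: str
    name: str


def parse_listing(text: str) -> List[Entry]:
    """Parse toolbox-style `ls -l` lines; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), m.group(3), m.group(6)))
    return entries


def mode_to_octal(mode: str) -> int:
    """Turn the nine permission characters into the usual octal value
    (setuid/setgid/sticky are ignored; uppercase S/T mean no execute bit)."""
    value = 0
    for ch in mode[1:10]:
        value = (value << 1) | (0 if ch in "-ST" else 1)
    return value


def find_exposed(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """
    Return (name, mode, reason) for regular files readable or writable by
    anyone other than the owning app uid. Directories are skipped because
    Android app directories normally carry 0771 (x for others is expected).
    """
    findings = []
    for e in entries:
        if e.mode[0] != "-":
            continue
        group_bits = e.mode[4:7]
        other_bits = e.mode[7:10]
        if other_bits != "---":
            findings.append((e.name, e.mode, "world-accessible (%s)" % other_bits))
        elif e.group != e.owner and group_bits != "---":
            findings.append((e.name, e.mode, "group %s can access" % e.group))
    return findings


if __name__ == "__main__":
    for name, mode, reason in find_exposed(parse_listing(SAMPLE_LISTING)):
        print("%-18s %s  0%o  %s" % (name, mode, mode_to_octal(mode), reason))
```

Run against the constructed listing it reports msgstore.db-wal and wa.db as world-accessible and export.db as accessible to a group other than the app’s own uid; the remaining entries match the app-private default and stay quiet. A permissive mode on its own is not proof of this malware, but it is the kind of deviation from the Android baseline that is worth a second look during triage.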


Countermeasures

There are potential countermeasures I can think of for Android to implement in the OS itself, as well as app-level countermeasures. The first countermeasure I can think of is to use SQLCipher to encrypt databases and require the user to unlock the app before decrypting the databases when developing your apps. While this will not stop a persistent infection, it will make it harder to get everything all at once. Another possible thing to look into is extending the intent framework to restrict who can access what, and to require fine-grained permissions for accessing things. While this won’t help if the device is rooted, storing this data in a directory that requires root to read will help on non-rooted devices. Allowing users the option to not store chat logs would also help prevent tools like this from reading your chat history. This includes both not saving the history to storage and removing temporary files from storage, rather than repeating the Snapchat fiasco where Snapchat stored “expired” images in the phone’s storage after expiration. Some apps may already have this, but most don’t.


This concludes the first part of my series on dissecting the Hacking Team malware source code.