Hacking Team’s Android Malware Framework

Rook Security, published in SECOPS, Jul 17, 2015

Core-Android-Market contains a framework for hacking targets via an Android application. The framework allows the operator to deliver a custom payload to each target based on the phone's IMEI number. The project includes a proof-of-concept application called “BeNews”, which was published to the Google Play store and has three main parts:

  1. The news
  2. News server
  3. The application

The application itself is not malicious, but it is used as a delivery method to inject an agent into the phone.

NOTE: The BeNews application is just a template.
There is a file called Benews.iml, and searching Google for that name led us to https://www.androidpit.com/app/org.benews

Description: “Read the latest news for beekeepers and apiarists! If you are an apiarist you may be interested in this app.”

Developer: Tiziano Piccio
Screenshots of the Application from the website:

Searching for the author on the Google Play store returns two links; one is dead, but a cached copy still exists.

  1. http://webcache.googleusercontent.com/search?q=cache:pVTA2hnC0rkJ:https://play.google.com/store/apps/details%3Fid%3Dorg.benews%26hl%3Den_GB+&cd=2&hl=en&ct=clnk&gl=us

The application was updated on “10 December 2014” according to Google Play, which also shows 10–50 downloads. The listing gives the developer email address as tiziano.piccio67@gmail.com.

Searching for the email address doesn't turn up much; it seems to have been used only for the Google account. Searching for the name returns a bunch of Android application websites and the author's Google Plus account https://plus.google.com/115719436092355708726/posts. One of the accounts in their Circles is https://plus.google.com/100431491820226889362/about, under the name “Andro Tester.”

GitHub Repository

In the GitHub repository, under the doc folder, the readme.txt file contains the email address and some other information. (https://github.com/hackedteam/core-android-market/tree/master/doc)

Quick Breakdown of Repository

  1. Code for the application is under the src/main folder (https://github.com/hackedteam/core-android-market/tree/f860aba25c8b6c32366011a3afc06a08891764b4/src/main)
  2. Code for the server is under the server folder (https://github.com/hackedteam/core-android-market/tree/f860aba25c8b6c32366011a3afc06a08891764b4/server)
  3. The batch files in the server folder contain the fake news article information:
     https://github.com/hackedteam/core-android-market/blob/f860aba25c8b6c32366011a3afc06a08891764b4/server/batch2.txt
     https://github.com/hackedteam/core-android-market/blob/f860aba25c8b6c32366011a3afc06a08891764b4/server/batch.txt

The file contains information about the fake identity created for publishing this application, as well as information about the VPS server used. Searching the repo for the VPS IP address shows the application connecting to the VPS over SSL (line 457).

The files being sent include images from the img folder and some ELF files from the payload folder.

root@malware:/home/malware/ht/htandroid/core-android-market/server# file img/* payload/*
img/fly.jpg: JPEG image data, JFIF standard 1.01
img/fly.jpg.z: data
img/human.jpg: JPEG image data, JFIF standard 1.01
img/images.jpg: JPEG image data, JFIF standard 1.02
img/lookAtme.jpg: JPEG image data, JFIF standard 1.01
img/maia.jpg: JPEG image data, JFIF standard 1.01
img/save.jpg: JPEG image data, JFIF standard 1.01
img/who.jpg: JPEG image data, JFIF standard 1.01
payload/digest.jpg: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), BuildID[sha1]=3820d3a2219477944bd5b2259e006ac70f7bac68, stripped
payload/digest.jpg.z: data
payload/fly.jpg: JPEG image data, JFIF standard 1.01
payload/log.tmp: data
payload/log.tmp_2: Zip archive data, at least v2.0 to extract
payload/special.jpg: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), BuildID[sha1]=befc6611a9f89c7c17955278305cda99c666f81e, stripped ( https://www.virustotal.com/en/file/c3aaac9d891470971ef50275fb0bb1371401e1bd5ce5ad5e77a4cd5aa8a1d57c/analysis/ )
payload/test.apk: Java Jar file data (zip)
payload/xig.jpg.z: data
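The listing above is the kind of evidence a defender can check for automatically: a file whose extension says JPEG but whose leading bytes say ELF. The following Python scanner is an added example (not code from the post or from the core-android-market repository) that flags extension/magic-byte mismatches over a constructed directory tree mirroring the img/ and payload/ layout; the sample file contents are constructed, truncated headers.

```python
import os
import tempfile

# Leading-byte signatures for the container types seen in the listing above.
MAGIC = {b"\x7fELF": "elf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}

# Content types that are plausible for a given extension (an APK is a Zip/Jar).
EXPECTED = {".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".apk": {"zip"}}

def detect_type(data):
    """Return a coarse type from the first bytes, or "unknown" if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def classify(path):
    """Return (extension, detected type, mismatch) for one file; mismatch is True when
    the extension claims a type the content does not match (e.g. an ELF named .jpg)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        kind = detect_type(fh.read(4))
    return ext, kind, (ext in EXPECTED and kind not in EXPECTED[ext])

def scan_dir(root):
    """Walk root and return relative paths whose extension disguises their content."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full)[2]:
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)

def build_sample_tree():
    """Constructed sample mirroring the repo layout: real JPEG in img/, ELF as .jpg in payload/."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "img"))
    os.makedirs(os.path.join(root, "payload"))
    samples = {
        "img/fly.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,             # truncated JFIF header
        "payload/special.jpg": b"\x7fELF\x01\x01\x01" + b"\x00" * 16,  # truncated ELF32 header
        "payload/test.apk": b"PK\x03\x04" + b"\x00" * 16,              # Zip local-file header
        "payload/log.tmp": b"\x00" * 20,                               # opaque data, not flagged
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root
```

Running scan_dir(build_sample_tree()) returns only payload/special.jpg; the .apk and .tmp files are left alone because their extensions either match the Zip content or make no claim.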

There is also a logs folder containing IMEI numbers, timestamps, and whether the payload was downloaded. The payloads are decrypted and executed in the block of code between lines 730 and 777 of bson.cpp.

We found more information about this framework through the email linked below, which contains information about the Android application and the IMEI, as well as a technical manual.

  1. https://wikileaks.org/hackingteam/emails/?q=Benews+Android&mfrom=&mto=&title=&notitle=&date=&nofrom=&noto=&count=50&sort=0#searchresult
  2. https://wikileaks.org/hackingteam/emails/emailid/121276

[Screenshot from the manual]

As noted above, this project has three main parts: News, News Server, and the Application.

News

Information for the target (pics, html, video, other media, executable binary)

News Server

Reads batch.txt (the config file), which contains the fields date, title, headline, content, type (txt, audio, video, img, etc.), filepath, imei, and trial:

Date: date of the news download (can be in the future)
Title: news title
Headline: news summary
Content: full news
Type: attachment type
Filepath: (server side) path to the file
IMEI: IMEI of the destination (empty means the attachment is for all the clients)
Trial: max # of times to resend (in case of errors)

News Application

The application is built on top of JNI (the Java Native Interface, which lets the app run C and C++ code) and can easily be tailored to match the target. News is encoded and exchanged as a BSON object over an SSL connection. The BSON library executes the payload if the data is executable.

  1. https://github.com/hackedteam/core-android-market/blob/f860aba25c8b6c32366011a3afc06a08891764b4/src/libbson/bson.cpp#L730-L777

[Screenshot from the manual]

Stages of infection:

  1. The application is installed on the target’s phone through the Google Play store.
  2. The device sends the server a request for news (with its IMEI).
  3. The server replies with content specific to that IMEI number.
  4. To install the agent, the attacker needs root privileges.
  5. To get root privileges, the application downloads a special payload.
  6. The exploit (the special.jpg payload) is run and the result (success or failure) is sent to the server. If they get root, the server sends the agent installation files, and the library (bson) installs the agent.

Setup requirements

Application:

  1. VPS (Virtual Private Server)
  2. News Set
  3. Graphics and icons that appeal to the target
  4. SSL certificate

Server:

  1. Payload Encryptor
  2. batch.txt (config file)

Resources:

Github repo: https://github.com/hackedteam/core-android-market
