Iran, secret text messages and a toy for a holiday break

So I recently tweeted about some interesting Android app sample. This app either is or pretends to be an Iranian banking app. I couldn't take a closer look at it (there is a bit of a language problem for me), however it uses the Ansar Bank name and graphics (as you can see on a screenshot below) and also uses a very interesting text messages feature that I was not aware at all.


The curious case of the SMS protocol

Text message protocol is pretty straightforward on the high level: it allows you to send a 140-byte message to the other phone. Wait, I surely meant 160 bytes, right? No, it's a 140 bytes, but it's using a plain 7-bit ASCII encoding without those fancy characters like the one at the beginning of my name. This allows you to send precisely 160 ASCII characters.

As you probably all know, we can send more than 160 characters, but it will be broken into several messages. However, mobile phones seem to be OK with that and let you create a long message and the receiver also can read a one, long message without even noticing the split. How is that possible? SMS protocol specifies something called User Data Headers (UDH for short). These headers are sometimes present at the beginning of the text message and allow to send multipart messages, ringtones or include fancy characters with their pretentious UTF-whatever encoding. There is also a flag bit to indicate whether the message contains these UDH or not.

Let's have a look at the example of multipart message header (taken from here):

05 00 03 5F 02 01

This header would be at the beginning of your text message and, if your phone wasn't so ergonomically designed, it would be rendered as a bunch of characters. First number of the UDH specifies the header length (5 bytes, excluding the length byte). Then there is a header type, in this case meaning that this is a concatenated message. Then there is another length (3 bytes). Then there is one byte message ID, shared among all of the message parts, then the number of message parts and, finally, this part identifier

Header in the given example means that this is first of 2 messages with "thread" id 5F. So, why am I explaining all of this? Because there is a little known (at least I didn't know about it) feature of the SMS protocol that allows you to specify "port" information. This is used e.g. for the WAP Push messages, which are just plain SMS messages but with a specific UDH. This UDH looks like that:

05 04 03 <destination port (2 bytes)> <originator port (2 bytes)>

The 2-byte values are called "ports" because they are meant to be used to identify a service. Some app in your phone "binds" to a port and listens for all the messages to that port. Another app "binds" to a port and sends SMS from that port to your app - directly. You can also use 00 00 as the originator port if you don't need a specific port.

How are these ports handled on Android?

This is a really good question! First of all on Android they are called "binary SMS" or "data SMS". Apps that want to use them have to have the standard SMS permissions: android.permission.RECEIVE_SMS and android.permission.SEND_SMS. Next, the Broadcast Receiver has to have somewhat different declaration, like the one in the picture below (taken from an Iranian app mentioned previously).

As you can see you have to declare a port and the scheme. Apparently there are two different addressing schemes - one which uses two byte port number and one which uses 4 byte port numbers.

So, I wanted to experiment with it. After some Googling (which is nowadays an equivalent of "Research") I found out the the Android emulator does not handle port messages very well. Or even at all. So I decided to have fun with it using my real phone. My very real phone has Android 4.3 installed and my other test phone has Android 2.3.6. I've sent a binary message to both phones and neither of them displayed it. It just went to the dark hole. No notification, nothing. However, my billing statement showed that I indeed have sent the messages. That's a covert C&C channel for you! 

 Summing up the features of a new (at least for me) SMS C&C protocol:

  • Binary text messages received to a custom port are not displayed in any way (not even in a form of notification) - that means no more abortBroadcast() nonsense and no problems with KitKat and above!
  • They are not saved in the "Sent" folder!
  • They require the same permissions as "normal" text messages.
So go and have fun with binary text messages during Christmas! If you'd like to experiment with them as I did, I suggest you use the kvarma-android-samples SMSDemo app which I also conveniently compiled and signed just for you! Usual disclaimer: I do not take any responsibility for your phone bill or any other material and non-material damage the app makes to your phone or to you.

Have fun!

Comments

Post a Comment

Popular posts from this blog

Having fun with AndroidManifest.xml

Image
Before w will get back to Sandrorat let's have some fun. It's weekend after all, or rather it was weekend when I wrote this post. Everyone that ever tried to see the insides of the APK file knows what's an AndroidManifest.xml file is. Some even know that, inside the APK, it's not a real XML, but rather a compressed, binary form of an original XML. This compressed form was first abused in the Android.OBAD malware . Compressed form of an XML differs with the real XML in at least one key aspect, hidden in the String Pool. Let's have a look at a compressed AndroidManifest.xml file of the previously mentioned Sandrorat sample and see if we can do something interesting with it. If you want to skip directly to the fun part, just ignore the next section.
Read more

Android malware based on SMS encryption and with KitKat support

Image
Most of the malware based on the SMS C&C communication channel is not compatible with Android 4.4 KitKat. This is due to the fact that KitKat introduced a concept of one messaging app, which all other apps had to go trough before they send or handle a received text message. This prevented malware from hiding received short messages or sending without saving them in the "Sent" folder. Well, it wasn't hard to predict that this state of affairs wouldn't last long and that malware authors would eventually catch up. Malware described here not only supports KitKat, but also uses an open-source SMS encryption tool  as a basis for its code. Let's have a look at the insides of the new sample (hash: 84e2e9e8430792b583d02d3cc1bf8535 ) and let's call it SmsSecure, just for the sake of brevity.
Read more

Sandroid RAT analysis: Part I - synthetic communication

Image
My first post is about Sandrorat, a fairly new RAT tool that was prominent for being a part of a Polish spam campaign . The analyzed sample hash is bed05d8eace6a7ebc5dec7141ea4b9cc559f1b2aab8848e2c79df7a79de39b9d . Sample was obtained thanks to The Honeynet Project . Everything is synthetic First part will be about a little known synthetic methods and the way Sandrorat uses them to obfuscate the code . This sample declared three different services:
Read more