WhatsApp with FinSpy?
I think you've heard about the infamous FinSpy by FinFisher. If you haven't, it's basically something like a one-way cloud backup app paid for by (someone's) taxes (and there's a promo movie, a really shitty render!). Anyhow, the mobile version seems to be old news, as it was unveiled some time ago and one AV vendor even called it nothing new in terms of features. Well, I guess it depends on how you define a feature. But enough of this rant, let's go and see what commercially made malware looks like.
I've analyzed the newest sample I could find, and it's a couple of months old (md5: d6a3ca6e48512890d013e922307e1593). It has the usual features, like SMS reading and so on, but today let's have a look at one particular feature: WhatsApp eavesdropping. WhatsApp is a very popular messaging app. It was probably chosen by FinFisher because of its popularity, or maybe just because one of the clients requested "support" for it.
But before we begin, let me state that this is one of the best-written pieces of malware I've seen in a long time, in terms of coding. It uses Intents properly and has a nice, commercial-grade class structure with clear responsibilities for each component. It is truly a commercially developed malware, up to market standard. Nice to see some clean code once in a while. But I guess this is what you should expect from malware whose price starts at 200000 (that's two hundred thousand) Euros.
Decoding WhatsApp
FinSpy can only decode the older .crypt files created by WhatsApp. First, how does it get access to the message database without needing a rooted phone? It's really simple. WhatsApp performs a message backup every day. These backups are saved in the /sdcard/WhatsApp/Databases directory (take a look yourself). They are of course encrypted, using the AES cipher. The new version uses the .crypt7 extension and a new key derivation algorithm (the key is saved in the app's private folder). The older version used the .crypt5 extension, with the key derived from the Google account name. An even older version simply used the .crypt extension and was using... a hardcoded key.
The hardcoded key was 4j#e*F9+Ms%|g1~5.3rH!we, and it is well known now (well, at least in some corners of the Net). FinSpy can decode those message databases; the decoding routine is in the com.android.services.WhatsApp.a class, as pictured below (the hardcoded key is highlighted).
The decoded file is then saved to the FinSpy folder and analyzed. This is done each time an android.intent.action.MEDIA_SCANNER_FINISHED intent is received (so presumably a file on the SD card has changed).
Let's see what the analysis consists of. First the malware creates a "tmp521" + System.currentTimeMillis() + ".dat" file where it stores temporary information; the file is then renamed according to a similar pattern, but without the "tmp" prefix. It saves the time (with timezone information), the user id and, of course, the message text itself. The format seems to be:
<formatted_time>[TAB]<from_id_or_number>[TAB]<to_id_or_number>[NEWLINE]
<message>
It has nice parsing code, which remembers to add a plus (+) before the number, strips the unnecessary "whatsapp.net" suffix from the remote identifier and gets the user's account name from the local accounts (because it is not saved in the database). The part that gets the user account name is presented below; the parsing part was too big and boring to include.
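Because the staging files follow such a fixed pattern, an incident responder who recovers an SD card can triage them without the malware's own code. The following is an added example, not code from the post or from FinSpy: it recognises the "tmp521<millis>.dat" / "521<millis>.dat" names, parses the <time>[TAB]<from>[TAB]<to>[NEWLINE]<message> records described above, and flags files that were still being written. The sample records, the timestamp layout and the directory path are constructed for the demo; the post does not show the real timestamp format or the name of the FinSpy folder, and the parser assumes one message line per record (the post does not say how embedded newlines are handled).

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Staging file names as described in the post: "tmp521" + System.currentTimeMillis()
# + ".dat" while being written, renamed to "521" + millis + ".dat" when complete.
STAGING_NAME = re.compile(r"^(tmp)?521(\d+)\.dat$")

# Constructed sample of two records in the post's format. The timestamp layout is an
# assumption; the numbers are fake. Note the "+" the malware prepends to each number.
SAMPLE_STAGING = (
    "2013-11-02 14:05:31 +0100\t+15550001111\t+15550002222\n"
    "see you at 3\n"
    "2013-11-02 14:06:02 +0100\t+15550002222\t+15550001111\n"
    "running late\n"
)


@dataclass
class Record:
    timestamp: str
    sender: str
    recipient: str
    message: str
    partial: bool  # True when recovered from a still-unrenamed "tmp" file


def classify_name(filename: str) -> Optional[bool]:
    """Return None if this is not a staging file, else True for a tmp (partial) file."""
    m = STAGING_NAME.match(filename)
    if m is None:
        return None
    return m.group(1) == "tmp"


def parse_records(text: str, partial: bool) -> List[Record]:
    """Parse header/message line pairs. Assumption: exactly one message line per record."""
    lines = text.rstrip("\n").split("\n")
    records: List[Record] = []
    for i in range(0, len(lines), 2):
        parts = lines[i].split("\t")
        if len(parts) != 3:
            # Not a well-formed header (e.g. a truncated write); skip rather than guess.
            continue
        ts, sender, recipient = parts
        # A header with no following message line only happens in a truncated file.
        message = lines[i + 1] if i + 1 < len(lines) else ""
        truncated = i + 1 >= len(lines)
        records.append(Record(ts, sender, recipient, message, partial or truncated))
    return records


def scan_directory(path: str) -> List[Record]:
    """Collect records from every staging file found under path."""
    found: List[Record] = []
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            kind = classify_name(name)
            if kind is None:
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                found.extend(parse_records(fh.read(), partial=kind))
    return found


def demo() -> List[Record]:
    """Write the constructed sample into a temporary 'FinSpy folder' and scan it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        with open(os.path.join(tmpdir, "5211383401131000.dat"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_STAGING)
        # An unrelated file must be ignored.
        with open(os.path.join(tmpdir, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("nothing to see\n")
        return scan_directory(tmpdir)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The name regex is the cheap part of the check; the value for a responder is the parsed records, which tie each exfiltrated message to a sender, recipient and time without touching the original WhatsApp database.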
So I guess that's it for the FinSpy WhatsApp "support". However, this is not the last time I will be analyzing this app, as it is packed with interesting code and is, surprisingly, not too obfuscated. The chilling part is that they are really committed to writing malware and reversing popular apps in order to gain an advantage. Perhaps even more chilling is the fact that WhatsApp used to save our messages, almost unencrypted, on the SD card for anyone to see. Well, that has changed now, but maybe FinSpy has been updated too. Who knows...