HaxRob Profile picture
Mar 26, 2024 19 tweets 9 min read Read on X
If you needed yet another reason not to trust VPN providers or proxy services...

Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other app's traffic.

storage.courtlistener.com/recap/gov.usco…
Image
Here Facebook acquired Onavo and had quite a good run before the spyware got pulled from app stores.

At a $120 million dollar price point it's clear how much value they put on having the ability to intercept user's mobile traffic.

en.wikipedia.org/wiki/Onavo
Image
Checking the archived APK listing for "Onavo Protect" from 2019, likely just before it was pulled from the Play store, the description discloses some information on what they are up to, but then proceeds to gaslight the user.

apkpure.com/onavo-protect-…Image
I think they could only pull this off by coercing user's into installing a system-level trusted CA on the handset?

Things have improved as this is not trivial to do on Android these days - requiring a filesystem to be remounted as writable - on possible on jailbroken devices.
Let’s grab a copy of Facebook’s banned VPN app from 2019 and install it to see how it manages to spy on other apps on the phone.

Note how it guides me to click invasive permissions such as allowing it to appear on top of other applications. A mobile malware technique.
Interesting, the app still manages to establish connectivity back to Facebook's servers. 😡

That said, once it's VPN tunnel comes up, all connectivity is lost on the handset - so it technically the service is down. 🥹
Image
Image
Back onto the permissions: red flags with requests to:

- display over other apps
- access "past+deleted app usage"
- setup a VPN connection
- make and manage phone calls

All under the pretext to "stay safer" ..

We know better right? But would say, your grandmother? Image
Notice that we did not see any prompt to install a user certificate - this is really required for the claims made against Facebook to be true (intercept other app's traffic).

Decompiling an earlier version of the APK and it's quite apparent the functionality is there: Image
Here we can see the file names of the certificates which get added to AndroidCAStore and also how it checks later if they were indeed added.

Fortunately this technique of using intents to install certs no longer works thanks to improvements in Android. 👌 Image
Mind you, none of this is new.. Here in Australia, last year the ACCC dished out out a net $20 million dollar fine for this shadiness.

I'm just curious on the technical mechanism the app went about spying on other apps.

accc.gov.au/media-release/…
Image
I get the impression the Australian fine was more about harvesting usage analytics from other running apps (see: android.permission.PACKAGE_USAGE_STATS)

Did the regulators consider the MITM (wiretapping) which is central to this new antitrust lawsuit in the USA? Image
More assumptions related to the $20M fine:

If we dump the schema for the sqlite database "spaceship.db" we see what statistics it was collecting.

No need for fancy traffic inspection for the app get this data. Remember this popup ?
Image
Image
So, so far we have evidence of:

- Code related to the functionality to install a certificate likely for performing MITM attacks.

- Code / internal database related to collecting other app's usage

What else can we find?

Device info (nothing special): Image
For what acceptable reason would they wanted to obtain the mobile subscriber IMSI? This is particularly sensitive data.

This actually wouldn't work with the app's manifest file. Perhaps we are seeing older code not cleaned up.

Still, not a great look. Image
A correction on the prior post, the Android documentation on the API doesn't state it but elsewhere says the permission READ_PHONE_STATE would have been enough to obtain the subscriber IMSI.

This Android API change was made in 2019. So IMSIs may have been collected?
Image
Image
If these are accurate statistics, that's some serious telemetry Facebook were collecting from this app (10 million downloads)

appbrain.com/app/onavo-prot…
Image
I have been able to find the certificates that were likely used for the MITM attacks.

There are two as first one only was valid for a year.

The second wouldn't remain in for long as some months after it was added in 2017, it (and offending code) then removed.

Wonder why? 🤔
Image
Image
One explanation why it was so short lived could be a targeted company figured out what was going on.

Imagine all those millions of requests originating from the same origin IPs and same client proxy certificates.

The MITM CA certs were in the app were out by Oct the 19th 2017.Image
Finishing this thread with a disclaimer.

This is live tweeting: discovering things as we go. We don't have the full picture as of yet, there maybe inaccuracies.

No doubt more details will come to light soon enough though.

The claims are serious. Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with HaxRob

HaxRob Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @haxrob

Jul 13
A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇
Let's start with the most simple example. Select a mount namespace that is not used by systemd/init.

Migrate the current shell into that process's mount namespace and mount a tmpfs file system.

Anything that writes the mounted path is concealed from users on the host. (2/7) Image
As a bonus, commands in this shell will not be written to the history file as we mounted over the user's home directory.

No need to set HISTFILE=/dev/null.
Once the shell exits, artifacts evaporate. Nothing touches the disk.

Now how to do this as an unprivileged user? (3/7)
Read 7 tweets
Jun 2
Newer variants of the #BPFDoor has an interesting modification made that avoids detections looking for processes with raw sockets. The kernel reports SOCK_DGRAM rather then rather loud "SOCK_RAW". Here we have a sample found in the recent SKT telco breach. (1/20) Image
Perhaps it's only looking for UDP magic packets? Not so fast. Let's look at what changed.

BPF filter is used as before, but the socket is opened with type SOCK_DGRAM, but the protocol is ETH_P_IP.

What's the defined behaviour here?
(2/20) Image
man socket.7 gives some clues. It hints with AF_PACKET, the protocol may have priority over the socket type. So ETH_P_IP overrides SOCK_DGRAM. Also, the layer 2 (ethernet) frame will be removed. (3/x) Image
Read 23 tweets
May 28, 2024
When pairing your mobile phone to that Wifi / Bluetooth device and it forces you to grant it location permissions, pause for a moment to think who may be the beneficiaries of this information. Image
Case in point:

The Dyson app refuses to pair to their devices such as this fan/heater/air purifier - unless you give in and give them your location data.

This is a premium product at a high price point. Surely they are not monetising this ?

What’s the privacy policy say? … Image
Dyson disclose in the fine print that the app will continue to “collect and use data about your location in order to provide you with more relevant and personalised information.”

It’s a fan. A fan. Image
Read 15 tweets
Feb 28, 2024
I recently found two very interesting Linux binaries uploaded to Virustotal.

I call this malware 'GTPDOOR'.

GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵 Image
One version uploaded from 🇨🇳 has zero detections on VT. The other, uploaded from 🇮🇹 has just one detection.

These were uploaded 4 to 5 months ago.

(2/n)
Image
Image
As they binaries were not stripped, they contain some artifacts that give us an idea of the intended platforms they were to be run on - Very outdated Red Hat Linux machines.

Someone hasn't been keeping their systems up to date .. 🤔

(3/n)) Image
Read 19 tweets
Feb 20, 2024
The Chinese APT contractor leak contained a few interesting files; namely:

- CDRs (Call Detail Records)
- LBS (Location Based Services) db records

Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.

Some background: (1/5)🧵 Image
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.

It's these central databases that are often targeted. Data for a subscriber is generated in many systems:

(2/5) Image
Looking at the leak data: For example, this one is from old school circuit switched 2G voice calls.

What's of value from an intelligence perspective is is who talked to who and from where. Origin of data likely from MSC CDRs.

(3/5)
Image
Image
Read 17 tweets
Feb 10, 2024
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket.

"Hi there, let's get to know each other"

Sure, let's do this. What will we learn? (1/n) 👇 Image
Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I kind of was expecting it to request my location for this which it didn't. (2/n) Image
Pulling the .apk off the device, the AndroidManifest.xml indicates a few permissions that warrant further investigation. Let's assume (for now) location perms (when granted) are only for BLE scanning on older Android releases.

Still this doesn't feel quite right. (3/n) Image
Read 22 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(