Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
HaxRob Profile picture
@haxrob
Mar 26 19 tweets 9 min read Read on X
Scrolly
If you needed yet another reason not to trust VPN providers or proxy services...

Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other app's traffic.

storage.courtlistener.com/recap/gov.usco…
Image
Here Facebook acquired Onavo and had quite a good run before the spyware got pulled from app stores.

At a $120 million dollar price point it's clear how much value they put on having the ability to intercept user's mobile traffic.

en.wikipedia.org/wiki/Onavo
Image
Checking the archived APK listing for "Onavo Protect" from 2019, likely just before it was pulled from the Play store, the description discloses some information on what they are up to, but then proceeds to gaslight the user.

apkpure.com/onavo-protect-…Image
I think they could only pull this off by coercing user's into installing a system-level trusted CA on the handset?

Things have improved as this is not trivial to do on Android these days - requiring a filesystem to be remounted as writable - on possible on jailbroken devices.
Let’s grab a copy of Facebook’s banned VPN app from 2019 and install it to see how it manages to spy on other apps on the phone.

Note how it guides me to click invasive permissions such as allowing it to appear on top of other applications. A mobile malware technique.
Interesting, the app still manages to establish connectivity back to Facebook's servers. 😡

That said, once it's VPN tunnel comes up, all connectivity is lost on the handset - so it technically the service is down. 🥹
Image
Image
Back onto the permissions: red flags with requests to:

- display over other apps
- access "past+deleted app usage"
- setup a VPN connection
- make and manage phone calls

All under the pretext to "stay safer" ..

We know better right? But would say, your grandmother? Image
Notice that we did not see any prompt to install a user certificate - this is really required for the claims made against Facebook to be true (intercept other app's traffic).

Decompiling an earlier version of the APK and it's quite apparent the functionality is there: Image
Here we can see the file names of the certificates which get added to AndroidCAStore and also how it checks later if they were indeed added.

Fortunately this technique of using intents to install certs no longer works thanks to improvements in Android. 👌 Image
Mind you, none of this is new.. Here in Australia, last year the ACCC dished out out a net $20 million dollar fine for this shadiness.

I'm just curious on the technical mechanism the app went about spying on other apps.

accc.gov.au/media-release/…
Image
I get the impression the Australian fine was more about harvesting usage analytics from other running apps (see: android.permission.PACKAGE_USAGE_STATS)

Did the regulators consider the MITM (wiretapping) which is central to this new antitrust lawsuit in the USA? Image
More assumptions related to the $20M fine:

If we dump the schema for the sqlite database "spaceship.db" we see what statistics it was collecting.

No need for fancy traffic inspection for the app get this data. Remember this popup ?
Image
Image
So, so far we have evidence of:

- Code related to the functionality to install a certificate likely for performing MITM attacks.

- Code / internal database related to collecting other app's usage

What else can we find?

Device info (nothing special): Image
For what acceptable reason would they wanted to obtain the mobile subscriber IMSI? This is particularly sensitive data.

This actually wouldn't work with the app's manifest file. Perhaps we are seeing older code not cleaned up.

Still, not a great look. Image
A correction on the prior post, the Android documentation on the API doesn't state it but elsewhere says the permission READ_PHONE_STATE would have been enough to obtain the subscriber IMSI.

This Android API change was made in 2019. So IMSIs may have been collected?
Image
Image
If these are accurate statistics, that's some serious telemetry Facebook were collecting from this app (10 million downloads)

appbrain.com/app/onavo-prot…
Image
I have been able to find the certificates that were likely used for the MITM attacks.

There are two as first one only was valid for a year.

The second wouldn't remain in for long as some months after it was added in 2017, it (and offending code) then removed.

Wonder why? 🤔
Image
Image
One explanation why it was so short lived could be a targeted company figured out what was going on.

Imagine all those millions of requests originating from the same origin IPs and same client proxy certificates.

The MITM CA certs were in the app were out by Oct the 19th 2017.Image
Finishing this thread with a disclaimer.

This is live tweeting: discovering things as we go. We don't have the full picture as of yet, there maybe inaccuracies.

No doubt more details will come to light soon enough though.

The claims are serious. Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with HaxRob

HaxRob Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @haxrob

HaxRob Profile picture
Feb 28
I recently found two very interesting Linux binaries uploaded to Virustotal.

I call this malware 'GTPDOOR'.

GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵 Image
One version uploaded from 🇨🇳 has zero detections on VT. The other, uploaded from 🇮🇹 has just one detection.

These were uploaded 4 to 5 months ago.

(2/n)
Image
Image
As they binaries were not stripped, they contain some artifacts that give us an idea of the intended platforms they were to be run on - Very outdated Red Hat Linux machines.

Someone hasn't been keeping their systems up to date .. 🤔

(3/n)) Image
Read 19 tweets
HaxRob Profile picture
Feb 20
The Chinese APT contractor leak contained a few interesting files; namely:

- CDRs (Call Detail Records)
- LBS (Location Based Services) db records

Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.

Some background: (1/5)🧵 Image
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.

It's these central databases that are often targeted. Data for a subscriber is generated in many systems:

(2/5) Image
Looking at the leak data: For example, this one is from old school circuit switched 2G voice calls.

What's of value from an intelligence perspective is is who talked to who and from where. Origin of data likely from MSC CDRs.

(3/5)
Image
Image
Read 17 tweets
HaxRob Profile picture
Feb 10
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket.

"Hi there, let's get to know each other"

Sure, let's do this. What will we learn? (1/n) 👇 Image
Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I kind of was expecting it to request my location for this which it didn't. (2/n) Image
Pulling the .apk off the device, the AndroidManifest.xml indicates a few permissions that warrant further investigation. Let's assume (for now) location perms (when granted) are only for BLE scanning on older Android releases.

Still this doesn't feel quite right. (3/n) Image
Read 22 tweets
HaxRob Profile picture
Jul 23, 2023
This invasive Bluetooth car battery monitor was found to be sending the following location data to 🇨🇳

- GPS
- Wifi devices
- Cell phone towers

The Apple and Google app stores said no personal data was collected.

A new update has emerged. Let's see what was changed 👇(1/n) Image
Before we begin the investigation, a coverage map of where these devices have been found across planet earth.

Collected Bluetooth beacon data from reveals they are everywhere. There are likely hundreds of thousands of these roaming about.

(2/n) https://t.co/uOgelr8q3s https://t.co/WWCAzaungnwigle.net
twitter.com/i/web/status/1…
Image
The first thing we notice is that the 'Data safety' on the Google Play store has been updated.

Also the Apple 'App Privacy' statement.

This was done after my blog post exposing the device was published.

Coincidence?

What else was changed ?

(3/n)

https://t.co/vl04dMDvXDdoubleagent.net/2023/05/21/a-c…
Image
Read 48 tweets
HaxRob Profile picture
Jul 9, 2023
A twitter user mentioned the mobile app for their “smart” wifi connected power plug was requesting their location.

The app has more then 1 million downloads.

Curious, I ordered the ‘Meross’ branded device and it’s just arrived.

What will we find? Let’s dig in ..🧵
Let's see how we can pair with the minimum amount of granted permissions.

Discover "nearby devices" with Bluetooth enabled is a mandatory. It then prompts for precise and approx. location.

Hit deny.

We have to manually connect to the device - it's turned into a wifi AP.… https://t.co/fFQzvrJtLrtwitter.com/i/web/status/1…




I'm impressed. It looks like it's following Google's improvements for Bluetooth scanning on Android SDK API v31+. 👏

Later we will grant location permissions which would be required on an older Android versions. Or if we wanted to auto-setup the pairing.

… https://t.co/Ji6wMdT6nP https://t.co/iBNHeE0ce9developer.android.com/guide/topics/c…
twitter.com/i/web/status/1…




Read 13 tweets
HaxRob Profile picture
Jul 5, 2023
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out.

The Android grid connect app has 500k+ downloads.

Let’s take a quick look! 🧵
(1/n)
The app has a feature where it can auto discover your BLE devices. Is locations permission needed here? It depends. From Android API SDK v31 things have improved where fine location is not needed for BLE scanning.

The app is forcing this even though we are on v31.

(2/n)

Let's allow it "for science". The device is paired. We also have the option to enter our Wifi credentials. I assume this is so the light can be remotely controlled over the Internet. It's automatable too. One condition is "when location changes". Let's not touch these.

(3/n)

Read 16 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(