I recently found two very interesting Linux binaries uploaded to Virustotal.
I call this malware 'GTPDOOR'.
GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵
One version uploaded from 🇨🇳 has zero detections on VT. The other, uploaded from 🇮🇹, has just one detection.
These were uploaded 4 to 5 months ago.
(2/n)
Feb 20 • 17 tweets • 6 min read
The Chinese APT contractor leak contained a few interesting files; namely:
- CDRs (Call Detail Records)
- LBS (Location Based Services) db records
Threat actors compromise telcos with the aim of obtaining subscriber metadata to support IC objectives.
Some background: (1/5)🧵
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.
It's these central databases that are often targeted. Data for a subscriber is generated in many systems:
(2/5)
Feb 10 • 22 tweets • 9 min read
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket.
"Hi there, let's get to know each other"
Sure, let's do this. What will we learn? (1/n) 👇
Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I was kind of expecting it to request my location for this, which it didn't. (2/n)
Jul 23, 2023 • 48 tweets • 25 min read
This invasive Bluetooth car battery monitor was found to be sending the following location data to 🇨🇳
- GPS
- Wifi devices
- Cell phone towers
The Apple and Google app stores said no personal data was collected.
A new update has emerged. Let's see what was changed 👇(1/n)
Before we begin the investigation, a coverage map of where these devices have been found across planet earth.
Collected Bluetooth beacon data from reveals they are everywhere. There are likely hundreds of thousands of these roaming about.
A Twitter user mentioned the mobile app for their “smart” wifi connected power plug was requesting their location.
The app has more than 1 million downloads.
Curious, I ordered the ‘Meross’ branded device and it’s just arrived.
What will we find? Let’s dig in ..🧵
Let's see how we can pair with the minimum amount of granted permissions.
Discover "nearby devices" with Bluetooth enabled is mandatory. It then prompts for precise and approx. location.
Hit deny.
We have to manually connect to the device - it's turned into a wifi AP. …
Jul 5, 2023 • 16 tweets • 8 min read
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out.
The Android grid connect app has 500k+ downloads.
Let’s take a quick look! 🧵
(1/n)
The app has a feature where it can auto discover your BLE devices. Is location permission needed here? It depends. From Android API SDK v31 onwards things have improved: fine location is not needed for BLE scanning.
The app is forcing this even though we are on v31.