Bypassing the Android Permission Model 4: SMS Botnets Based on Malicious Rooting

Georgia Weidman explains her instructive demo about using a maliciously rooted Android phone as an SMS bot, and outlines problems with critical firmware updates.

Malicious Rooting

Now I’m going to show a demo of something you might want to do after you root somebody’s phone if you’re a malicious attacker. This is one of my old stories of evil things you can do to phones.

So, I have 3 G1 phones. Phone 1 is the attacker, Phone 2 is the victim who has been maliciously rooted, and Phone 3 is just a friend of that person who’s in their contacts list.

What I as the evil person want to do is send an SMS message to Phone 2, the one that has been maliciously rooted; it says “BOT”, and then it says “SPAM”, it has a number and then it has a message that doesn’t really mean much to anyone, but it means something to the program on the other end that is now going to be able to intercept your messages and act on them, so this is actually just code to talk to Phone 2.

So, I sent a text message to Phone 2; we know how text messages work: it shows up, they see this nonsense about bots, and they go on with their life. But what we actually saw happen is Phone 3 being the one that actually got the message, and the message it got does not say “BOT”, “SPAM”, and blah-blah, it just says “hellohello”, and it says it came from someone named Slave Bot, which obviously is a fake name; no one would have anyone in their phone as Slave Bot. But that’s actually Phone 2, which proves that I’m not making this up.

I just sent the message “Hello”, a normal message, to Phone 2 again, and this time it shows up normally on it. So basically, what you’ve done here is Phone 2 has sent a text message that they don’t know about to Phone 3. They also received the message they don’t know about, this “BOT:SPAM” message, and because we’ve rooted their phone and gained access to system level, we were able to do that without requiring any permissions whatsoever. So, now we’ve basically made them a member of a botnet.

What would be interesting is we grab all their contacts, send them a message that does not say “hellohello”, it says something like “Look at these cool pictures from last night” with a link in it. The link pops their browser, exploits it with a known exploit and then makes them part of the botnet as well. That’s why rooting can sometimes be evil.

Attack workflow by file system layers

How this actually worked in this case is once I gained root access I had access to the entire file system, not just the application layer. This is basically what it looks like when you’re talking to the modem from the application layer (see image). You have userspace on top, which is where apps are, at the base – the kernel level; modem drivers; and then the modem itself, the hardware.

So, when you receive a message it comes up here through the modem, through the drivers, and finally hits the application. When you send one – likewise, it starts at application layer, goes to the drivers, finally hits the modem.

BOT layer added

After I rooted their phone, I basically installed the BOT level scheme there at the kernel level because I have access to that now. When you get root access on somebody’s phone, you have access to everything including kernel level. So I would basically just intercept messages coming in and out.

And this would be platform dependent; you’d have to be actually able to talk to specific hardware, which at the time, as you saw it, were G1s, as these were the only Android phones at the time. Now there are a zillion of them, so this is a lot harder to do. Doing stuff with the application layer is probably better for malware writers. But if you can write this for a specific platform, this sort of thing will never be detected by any antivirus because it’s too low level, it’s in the kernel. And everybody who ever roots your phone, every piece of software you ever go to that says: “Please give me your root privileges” – could do something like this.

So, basically the other caveat is that SMS and basically all of your traffic over the GSM or CDMA modem is completely unencrypted, except that it’s encrypted with the session key in transit based on whether you’re 2G, 3G or 4G. By the time it hits your phone, it’s not encrypted anymore; nobody whose malware is on your phone has to gain access to your private keys or anything, it’s all just going to be encoded.

Values of the text messages

This is what your text messages look like (see image). You can break it down into what it actually says. You have the sender number, which is just the 2 digits flipped, like if you can very quickly flip those 2 digits back out, you can get my phone number and you can call me. Obviously, I don’t have an F at the end. And then the message here is just 7-bit GSM-encoded; there are tutorials on how to do this on the Internet, and there’s code to get it back out. I wrote one, there’s one on my website.

If you actually teach beginning programming, this would be a really cool exercise to, like, get SMS messages. You know, everybody gets the packets and they break down what the packets say. But doing GSM packets, I think, would get more computer science students, because kids today are obsessed with their phones – really, admit it, it’s true. So this would be a cool exercise. But you can tell whatever thing in this is, with no keys whatsoever; you don’t have to do any encryption, so if you’re on the phone somewhere you’ve got access to everything without encryption at all.

How the SMS botnet works

How the botnet works:

Bot receives a message

Bot decodes user data

Checks for bot key

Performs functionality

So basically, how this would work is it would receive all the messages; everything that comes into the phone through the modem it will see, because that’s below the application layer, so it’ll intercept it first. If it’s an SMS message, it’ll decode the user data. If it’s not an SMS message, it just sends it straight to the application layer. We want users to still get their same information, so if it is an SMS, it will decode it, it will check and see if it has the bot key. In my case that was just ‘BOT:’, not a very good key because anyone can piggyback on your botnet, and that’s the last thing you want as a malware writer – to have other people steal all your hard work and use it to do their bidding instead of yours. Nobody would want that.

But if it does indeed have the bot key, it will perform functionality for you. For instance, I told it to spam, which it knew, based on this programming, means send an SMS message to someone else with this data. It’s straight up C code, I mean, it’s down there at the bottom of the Android, you don’t have to know anything about content providers or intents, it’s just straight up C kernel. So, if you as a malware writer have written anything for Linux, you can write for this quite easily – easy transition to working on cell phones.
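The two pieces described above, the raw SMS PDU layout (the semi-octet-swapped, F-padded sender number and the 7-bit GSM user data) and the first three steps of the bot workflow (receive, decode user data, check for the bot key), as an added Python example that is not the speaker's code and not the kernel-level hook from the demo. It assumes an SMSC-less SMS-DELIVER PDU with no user-data header and DCS 0; the sample sender number, timestamp and message are constructed, and the same decoding is what a defender would run over captured modem traffic to spot bot-key commands.

```python
# Added example (not the speaker's code): decode a GSM 03.40 SMS-DELIVER PDU the
# way a hook below the application layer sees it, then flag bot-key messages.
# GSM 7-bit default alphabet (3GPP TS 23.038); a character's index is its septet.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
BOT_KEY = "BOT:"  # the key from the talk; a defender can match on it just as easily

def swap_semi_octets(hexstr: str) -> str:
    """Digits are stored two per octet, low nibble first; an odd count is F-padded."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2)).rstrip("F")

def pack_7bit(text: str) -> bytes:
    """Pack septets LSB-first into octets (used here only to build the sample PDU)."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= GSM7.index(ch) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")

def unpack_7bit(data: bytes, septets: int) -> str:
    """Reverse of pack_7bit: pull `septets` 7-bit values out of the packed octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse an SMS-DELIVER TPDU (no UDH, DCS 0 = 7-bit) into its fields."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                               # skip the SMSC address block
    first = pdu[pos]; pos += 1
    assert (first & 0x03) == 0, "not an SMS-DELIVER TPDU"
    ndigits, toa = pdu[pos], pdu[pos + 1]; pos += 2
    nbytes = (ndigits + 1) // 2                    # 11 digits -> 6 octets, F-padded
    sender = swap_semi_octets(pdu[pos:pos + nbytes].hex().upper()); pos += nbytes
    if (toa & 0x70) == 0x10:                       # type-of-number 1: international
        sender = "+" + sender
    dcs = pdu[pos + 1]; pos += 2                   # skip PID, read DCS
    assert dcs == 0, "this example handles the 7-bit default alphabet only"
    ts = swap_semi_octets(pdu[pos:pos + 7].hex().upper()); pos += 7
    udl = pdu[pos]; pos += 1                       # user-data length, in septets
    text = unpack_7bit(pdu[pos:], udl)
    return {"sender": sender, "text": text,
            "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}",
            "bot_command": text.startswith(BOT_KEY)}

def build_sample_pdu(sender_digits: str, text: str) -> str:
    """Constructed test PDU: international sender, fixed timestamp 2012-03-30 14:05."""
    addr = sender_digits + ("F" if len(sender_digits) % 2 else "")
    addr = "".join(addr[i + 1] + addr[i] for i in range(0, len(addr), 2))
    return (f"0004{len(sender_digits):02X}91{addr}0000" "21300341500000"
            f"{len(text):02X}{pack_7bit(text).hex().upper()}")
```

Feeding `build_sample_pdu("15551234567", "BOT:SPAM 15559876543 hellohello")` through `parse_sms_deliver` recovers the sender as `+15551234567` and marks the message as a bot command, while a plain `"Hello"` PDU is passed through unflagged.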

Mitigations for these root level attacks: users need to update their phones. We always tell the users they need to update. I never thought I would say something nice about Microsoft. First Tuesday of every month, I know that my Windows-based machines are going to update and they get the latest patches, and it’s good, and it’s restarted in the morning and I’ve lost all my data that I forgot to save, but at least I have my updates.

Not so much with my Android phone. I used to complain that Android was the best for updating, because it used to be: you had to plug your iPhone into your computer in order to get your updates; same with the BlackBerry. Now both of those push over the air as well, so they’ve caught up with Android there. But all the iPhones get the updates pretty much at the same time. You get your updates, you get your updates for BlackBerry; you don’t get your updates for Android.

Google phones get their updates, so if you have a Nexus One, Nexus S or Galaxy Nexus, when Google puts those out you’ll get them pretty fast, they’ll come over the air to you: “Will you install those updates and lose your root?” And you’ll say: “No”, because you don’t want to lose your root until somebody’s rooted the newest one. Admit it, it’s true. Nobody wants to admit it? Ok. You guys should drink more, then you’d admit it.

However, for everyone else who is not on a Google platform, it takes a while for you to get your updates. You might have noticed this; it happened with DroidDream, it happens every time there’s an attack. We don’t have our updates yet, why don’t we have our updates? Well, they have to take the Google firmware and they have to port it to their specific platform, make sure all their default install apps still work, and finally push it out to you. This can take six months, this can take a year. In some cases this may never happen.

You are vulnerable because you didn’t update.

My Mom’s friends get this idea: “Oh, your daughter is an Android hacker, can she root my phone for, like, 50 bucks?” I just started a company, why not? Apparently, there are these websites that charge hundreds and hundreds of dollars to root your phone. Seriously, these people are making bank on this. But, you know, I get somebody’s phone, and I’m like: “Oh, it’s going to be the most up-to-date version, this is going to be hard”, and I get in and it’s like Android 2.1. Five minutes later – ok, done.

People never get their updates at all. Like the G1 never went past 1.6; any exploit after that, anybody who has a G1 – vulnerable. All their platforms, you get people who never got past 2.0, 2.1. Nobody updates to the latest version. And they’re vulnerable to everything after that, and that sucks, because we can’t really fix that.

If the updates are not available to them, we cannot shake our fingers at them and say: “You must update your phones; you are vulnerable because you didn’t update”, if the updates are not even available to these people. They have to buy another 500-dollar phone and pay a 2-year contract; I’m not sure how it is here in the EU, but in America you buy a 2-year contract and then you get the phone, so you have to be with the carrier for 2 years or else pay a fine, and you still have to pay a lot of money. So buying a new phone is a really big deal in America. And you can’t really blame people for staying with the old one, but they can’t update it. So, this needs to be fixed.
