…and it was really badly written
So, I’m a pretty security conscious guy. I’ve worked in information and application security in the past, and I continue to make security a big part of my everyday role whilst developing software. Over the years, it’s served me well, and I’ve avoided several issues with my own personal security, including fending off identity theft as a student, and more recently limiting my own online presence by opting out of using Facebook. I have, in my time, been tasked to assess the security of several companies, and I’ve never come out empty-handed - because corporate security is very nearly an actual oxymoron.
So to the recent occurrences. I like gadgets, and especially gadgets I can reverse engineer, tinker with, put to other uses, or generally fuck with. My wife bought a FitBit Ionic Watch lately, and it got me thinking that some of the features of a smart watch would be good, but, equally, I really didn’t want to pay very much for the privilege.
I needed, in simple terms:
- The watch bit - time telling
- Notifications sent to my wrist, for quick review at-a-glance
- A vibration alarm in the morning - I share my room with a tired wife and an 11 week old baby.
So, loads of things can do the above, but most do more than that and charge for it. You can get a Sony smartwatch for about £100 that will do it, or a Samsung Gear for £200-400, Apple watches - for £NOPE, and a load of other options. What you can get though, is a cheap fitness band. You can spend on a FitBit band, and some of these do the things I said, or there are a load of gradually decreasing prices for simple copies, moving from simple undercutting competitors to uber-cheap Chinese copies, and, well, I expect you can see where this is going.
I got a cheap fitness band on Amazon for £10-15, delivered next day.
It works pretty much out of the box, and can only really be operated in any useful way once paired to the manufacturer’s app, of which there are a few flavours. Declining to use the apk file download on a QR code in their leaflet, I searched for it on Play, and downloaded a program from a choice of 5 or so. It worked fine with the band.
Worth noting here, especially in light of what happens later, that my phone security apps didn’t notice anything out of the ordinary with the app. No alerts. It does use very broad permissions, but it is justified in basically all of them - it can read SMS, for example, but it needs to in order to send SMS notifications to the band.
A series of weird events
So, shortly after getting the app installed, a few weird things happened:
My phone crashed, 3 times
Just out of the blue, with no real warning, my phone froze, blacked out, and then the boot logo came up and it restarted. This happened 3 times when it was running Netflix, WhatsApp and some other stuff. I initially thought maybe I’d knocked something loose when I had dropped the phone that week.
My WhatsApp notified me of WhatsApp Web in use when it wasn’t
When WhatsApp is being used online, it works by connecting across the internet to the app on your phone, to preserve the end-to-end encryption of the system. A few days after I got the fitness band, and its app, I got a notification around 7pm from WhatsApp on two separate days, telling me it was in use on the web.
I only ever have one session open for WhatsApp Web, and it’s on my laptop - which on both of these occasions was switched off, in a bag a few meters away from me.
Both times this happened, I used the WhatsApp application to close all web sessions immediately. On the second occasion, I tweeted at WhatsApp about it, although they haven’t indicated that they’re acting on that. I have stopped using WhatsApp web for now.
My antivirus suddenly detected the app as malware
Avast Mobile Security, which I run on all my Android phones, alongside some other stuff, alerted me shortly after the second WhatsApp message that the app contained malware called Android/SmsSpy - of which there are multiple variants, all of which intercept incoming SMS messages and forward them to a rogue server somewhere.
Avast spotted this on the phone, and also when I downloaded a new apk of the file directly to my computer to take a look.
Mitnick style: Analysing the con
Upon finding that my AV had identified malware within the app, I decided to look into how true this was (AV creates false positives sometimes).
With an Android APK, this is trivial. Download the APK file, which is actually a zip file, unzip it, and locate the .dex files within it, which are what remains of the source code.
A tool like dex2jar can convert the .dex files into .jar files, and these can be further decompiled into actual Java code. I used JD-GUI for the decompilation of .jar to a load of .java files, but there are multiple options available. Java is not the hardest language to decompile, unless the developers take steps to make it obfuscated, or difficult to decompile.
The result was a tonne of source code which contained the info needed. First Avast identified the file classes.dex as containing ‘Android/SmsSpy’, just as mobile Avast had, then the source code turned out to be packed with questionable, suspicious code, including:
- Massive amounts of references to SMS messages, and other instant message services - it needs these for accessing messages to send to the band, but it also makes a tonne of REST calls each time this happens.
- A constants.java file containing IP addresses for several AWS instances and private servers in China. Many of these have addresses ending in a string reflective of the manufacturer’s name.
- Entries in the constants file for forum APIs - a popular way of hiding data in plain sight for people to find later.
- An apparent manipulation of the APK file itself - coupled with the fact that it has 2 sets of classes in .dex files, and wasn’t initially detected by Avast, maybe it manipulates itself to be malicious later? Who knows.
I’ve obviously raised the issue with Google Play themselves, and have marked the software as potentially doing illegal things. I intend to also write to the manufacturers of the band (who may be innocent of any wrongdoing, as the app is developed by a potentially separate entity). I’ll leave due diligence time before revealing any full-on forensic info - which is handy, as I’ve not had time to:
- Run the software on a clean phone, with a burner SIM, and throwaway accounts
- Run the software with a MITM proxy logging what it’s up to
- Read the source code in proper detail
- Look at the alternative apps from the same publisher, and analyse them
What this all means
It’s not yet clear exactly what different things this malware was doing, but I’ll get there when I’m not a couple of days from a major release at work. Android/SmsSpy is designed to read incoming SMS messages and bounce them to a malicious actor out in the web somewhere. This seems almost pointless, until you realise that one thing that gets sent by SMS is two factor verification codes for online services and banking etc. I’ve looked at both my accounts and my SMS activity, and fortunately, wasn’t busy logging in to much during that time - or rather I was using an OTP app, rather than SMS. With some account recovery systems using the 2FA codes as a validator to recover an account, being able to relay someone’s text messages can be very bad indeed.
This was an interesting example of malware that may or may not have been to do with the manufacturer, being installed as part of buying their hardware - it’s a social engineering trick almost to get someone to install an app because they bought a random gadget.
I still use the band. Its Bluetooth BLE interface means anyone can find out how far I’ve walked in a day, but it’s a nifty bit of kit - I use a different app now made by an independent developer.
I’m looking to get a Pebble watch instead. Second hand, they ain’t bad.