Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the Potnet
Next generation Privacy botnet
AboutAndroid | Malware Analysis Report
Eran Goldstein
Senior Cyber Security & Malware Researcher at ZIMPERIUM
General notes:
The following information summarizes the “Potnets and Next Generation Botnet Techniques” research process and contains sensitive information. This paper analyzes the “AboutAndroid” Android malware in detail and brings evidence that mobile devices will become more and more infected in the near future, leveraging systems already used on the fixed-line side.
Warning:
AboutAndroid is a threat to both users and organizations, as it exposes clients to privacy issues. All the tools and applications demonstrated in this document were developed for research purposes only; it is strongly recommended that you do not use these tools for illegal purposes. All rights to the keywords “potnet” and “potnets” and their definition are registered and reserved to the author of this manual.
Clarification:
We will not be responsible for any damage caused by using the tools, applications or techniques demonstrated.
Table of Contents
Introduction
The next generation of privacy botnet
Suspicious Activity
Analysis
    Malware Sample
    Infection
    Operation
    Command and Control (C&C)
    Network Impact
Proof-of-Concept
Conclusions
Introduction
Cyber security researchers discovered new techniques and a methodology of privacy botnet that allow an attacker to gain the user’s personal information, detailed location, movement and motion surveillance, area mapping and more.
The malware that was found was designed to work in stealth mode, running as a receiver behind a background system service. Once the attacker sends an SMS message containing one of several trigger texts (for example a question mark or a smiley) to the target device, the device sends out private information that requires no special permission or dialog-box approval from the victim.
The core functionality, and the real advantage of the potnet (privacy botnet) from an attacker's point of view, is the ability to get different types of data from the victim's device, including cellular network information and other sensor data of the targeted victim.
The malware allows an attacker to obtain information about the geolocation and positioning of the target device. This data is calculated on the potnet C&C server and then made available to the attacker in order to track the target device's exact motions.
Diagram 1.0: Human tracking system
Next generation of privacy botnet
Potnets, the next generation of privacy botnets, do not act as a banking Trojan: they are not designed to steal your banking credentials, log into your account or transfer your funds to criminals. They are a type of malware designed to track your motion, movement and geolocation, so that the data can be used for social engineering and for advanced positioning and tracking techniques.
The potnet malware that was found does this essentially by grabbing the victim’s information and sending it to certain websites. These websites are pre-specified by the attackers and are typically Command and Control (C&C) servers hosted anonymously at a third-party web hosting service.
The collected data is then processed on the server side in order to give the attacker an accurate picture of the victim. By keeping processing time on the client side of the malware short, the data sent to the server is minimized, which reduces the chance of detection by client-side defense mechanisms.
Using non-conventional device data allows the attacker to track victims located in low-connectivity or bad-signal environments such as inside buildings and even underground (according to the cellular signal data).
Diagram 1.1: Tracking victims in low-connectivity or bad-signal environments
Suspicious Activity
In the next example we explain the suspicious activities of a potnet's malware through the code implementation and a demonstration of the AboutAndroid.apk malware.
The AboutAndroid malware takes advantage of perfectly legitimate data that can be read without any special permission or dialog approval on the client side, which makes detecting potnet malware quite difficult.
The AboutAndroid malware that was analyzed is suspicious because of the following symptoms and runtime activities:
1. Ability to obtain private data from the system without any prior notification and without the user’s approval.
2. Ability to obtain private data from the system without any prior notification and without any special permission.
3. Responsible for high battery energy consumption.
One of the harmful aspects of the potnet malware family is that once it enters the target mobile device, it is very difficult to detect it or to know the exact trigger used to send information or data out of the device.
Diagram 1.2: The Cell tower (cellid), Cellphone and the signal
Analysis
The AboutAndroid malware logs the user’s sensor and cellular network data.
Once executed, the malware registers an incoming broadcast receiver and then waits for a specific SMS text message, for example one containing a smiley or a question mark as the message body. Once that SMS message arrives, the malware logs all activity related to specific sensor data and the cellular network information, including the cell id, LAC, MNC, MCC, etc., and sends them to the potnet C&C server.
Sending only a small amount of data to the C&C server at the backend reduces the chance of detection by client-side defense mechanisms (such as anti-virus or other signature-based protection techniques). This methodology of calculating additional information about the victim by correlating the collected data with third-party APIs and other web services is one of the advantages of potnets and the next generation of botnets.
This kind of attack must use a strong social engineering lure in order to convince the user to click on a malicious link, or rely on the user being tricked into installing an app. Once this is done, however, the AboutAndroid malware stays persistent on the victim device and can be triggered via SMS message.
Diagram 1.3: Triangulation is calculated according to the signal of every base-station (cell tower)
Malware Sample
The diagram below shows the report for an AboutAndroid malware sample scanned with the VirusTotal service by 56 different antivirus engines and found clean.
In an attempt to look like non-malicious software, the AboutAndroid malware uses the namespace “com.google.aboutandroid”.
Diagram 1.4: VirusTotal scan report
Infection
AboutAndroid can be delivered in different ways. For example, phishing spam can be used to lure the victim to an infected web site, where an embedded <iframe> causes the browser to automatically download a file called AboutAndroid.apk (or any other file name). The user must then install it by tapping the downloaded file and following the manual installation process.
Other techniques can use mobile application markets, third-party websites or Trojan-Downloaders.
Trojan-Downloaders are often distributed as part of the payload of another malware, such as a Trojan-Dropper. Trojan-Downloaders may also be distributed as a file attachment to spam e-mails: you get an e-mail that seems to come from a high-profile company with an attached invoice (for example) in the form of a .doc or .pdf document. The invoice looks innocuous enough, but here's the catch: it can run a PDF reader exploit or Microsoft Word macros in order to install the malware.
Once installed, there is no application icon on the screen and no user interface to interact with. This is because the malware installs itself as a background service that only starts when the screen is unlocked by the user or when the device is rebooted. The malware service listens for the ON_BOOT or USER_PRESENT intents.
The only evidence that the malware is installed is in the “Manage Applications” section of “Settings”, which shows that an application called “com.google.aboutandroid” is running. You can get rid of the infection by uninstalling the application.
Diagram 2.0: Installation of AboutAndroid Malware POC
Operation
When the malware’s service starts, it registers a broadcast receiver within the background service and a SensorEventListener.
Diagram 2.1: The malware registers a sensor event listener
Once an SMS message containing ":-)" as its body text arrives at the device, the app logs the infected device’s sensor values and cellular network information and then opens a TCP connection to the primary potnet C&C server.
Diagram 2.2: Checking whether the SMS message contains ":-)" as body text
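As an added example (not code from the report or from Zimperium), the following Python check looks for the manifest-level indicators the Infection and Operation sections describe: no launcher activity (no icon), receivers for the boot/unlock and inbound-SMS broadcasts, and a package name under com.google. The action strings are the real Android names for the intents the report calls ON_BOOT and USER_PRESENT; the sample manifest is constructed, not taken from the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Wake-up broadcasts the report describes (it calls them ON_BOOT / USER_PRESENT), under
# their real Android action names, plus the inbound-SMS broadcast used as the trigger channel.
TRIGGER_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.USER_PRESENT",
                   "android.provider.Telephony.SMS_RECEIVED"}

def triage_manifest(manifest_xml):
    """Collect stealth-potnet indicators from a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    has_launcher, receiver_actions = False, set()
    for comp in root.iter():                      # every component, wherever it is nested
        for flt in comp.findall("intent-filter"):
            cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
            acts = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if comp.tag == "activity" and "android.intent.category.LAUNCHER" in cats:
                has_launcher = True               # the app has a visible icon
            if comp.tag == "receiver":
                receiver_actions |= acts
    perms = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    return {
        "package": package,
        "spoofs_google_namespace": package.startswith("com.google."),
        "no_launcher_icon": not has_launcher,
        "trigger_actions": sorted(receiver_actions & TRIGGER_ACTIONS),
        "reads_sms": "android.permission.RECEIVE_SMS" in perms,
    }

def is_suspicious(findings):
    """Hidden app woken by boot/unlock/SMS that spoofs a Google package or can read SMS."""
    return (findings["no_launcher_icon"] and bool(findings["trigger_actions"])
            and (findings["spoofs_google_namespace"] or findings["reads_sms"]))

# Constructed sample manifest modelled on the report's description, not the real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.aboutandroid">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="AboutAndroid">
    <service android:name=".SensorService"/>
    <receiver android:name=".WakeReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.USER_PRESENT"/>
    </intent-filter></receiver>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

A manifest decoded with apktool or aapt can be passed to triage_manifest() directly; an app with a launcher activity is deliberately not flagged by this rule.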
Command and Control (C&C)
Although a fairly simple command and control protocol is used to send the data over an HTTP connection, the potnet C&C server compensates for this: it is predominantly used to access different APIs and web services in order to calculate additional information about the physical environment of the victim device and to perform a triangulation based on the cell id and the neighboring-cell network information.
Diagram 2.3: The C&C server’s IP address
In addition, in order to translate the victim device's data into accurate and valuable motion-tracking information, the C&C server performs a geometric calculation correlated with the collected sensor data.
Diagram 2.4: Assigning the parameter values and preparing the HTTP request to the C&C server
The collected sensor data covers more than 7 different sensors, including the barometer, proximity sensor, linear acceleration sensor, gyroscope, temperature sensor, gravity sensor, light sensor and more.
Network Impact
In the diagram below we can see the HTTP request that arrives from the victim device, intercepted in our Burp proxy. We can observe the different parameters that the app sends, for example:
client = the phone number of the client mobile device.
cid = the cell id that the mobile device is connected to.
lac = Location Area Code (LAC) of the cellular network provider.
mnc = Mobile Network Code of the cellular base station provider.
mcc = Mobile Country Code of the cellular base station.
signal = the signal strength received by the mobile device from the cellular base station antenna (in dBm).
cell_lon = the longitude of the cellular base station antenna (before triangulation).
cell_lat = the latitude of the cellular base station antenna (before triangulation).
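As an added example that is not part of the report, the following Python detector recognizes the beacon shape listed above (the eight parameter names together with cellular values in their standard ranges) in proxy log lines; the log layout, host name, IPs, phone number and cell values are all constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters the report observed in the intercepted request (Network Impact section).
BEACON_PARAMS = {"client", "cid", "lac", "mnc", "mcc", "signal", "cell_lon", "cell_lat"}

def parse_beacon(url):
    """Decode the cell-network fields if the URL carries the beacon's parameter set, else None."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not BEACON_PARAMS.issubset(query):
        return None
    try:
        return {"client": query["client"],
                "mcc": int(query["mcc"]), "mnc": int(query["mnc"]),
                "lac": int(query["lac"]), "cid": int(query["cid"]),
                "signal_dbm": int(query["signal"]),
                "cell_lat": float(query["cell_lat"]), "cell_lon": float(query["cell_lon"])}
    except ValueError:        # same names but wrong types: some other app's request
        return None

def plausible_cell(rec):
    """Reject records whose identifiers fall outside the standard cellular value ranges."""
    return (0 < rec["mcc"] < 1000 and 0 <= rec["mnc"] < 1000
            and 0 < rec["lac"] < 65534 and 0 <= rec["cid"] <= 0x0FFFFFFF
            and -140 <= rec["signal_dbm"] <= 0
            and -90.0 <= rec["cell_lat"] <= 90.0 and -180.0 <= rec["cell_lon"] <= 180.0)

def scan_proxy_log(lines):
    """Return (source_ip, beacon) for every line carrying a plausible beacon.
    Assumed (constructed) log layout: '<time> <src-ip> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        rec = parse_beacon(parts[3])
        if rec is not None and plausible_cell(rec):
            hits.append((parts[1], rec))
    return hits

# Constructed sample traffic: host, IPs, phone number and cell values are placeholders
# (MCC 001 / MNC 01 is the reserved test network, not a real operator).
SAMPLE_LOG = [
    "2015-01-01T10:00:00Z 10.0.0.7 GET http://www.example.com/index.html",
    "2015-01-01T10:00:05Z 10.0.0.7 GET http://c2.example.invalid/api.php"
    "?client=%2B10000000000&cid=12345&lac=3004&mnc=01&mcc=001&signal=-87"
    "&cell_lon=-0.12&cell_lat=51.50",
    "2015-01-01T10:00:09Z 10.0.0.9 GET http://shop.example.com/?client=a&cid=abc&lac=1"
    "&mnc=1&mcc=1&signal=x&cell_lon=0&cell_lat=0",
]
```

The third sample line shares the parameter names but not the value types, so it is dropped rather than reported; scan_proxy_log(SAMPLE_LOG) returns only the beacon from 10.0.0.7.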
Diagram 2.5: Intercepting the request from the victim device to the C&C server
Proof-of-Concept
After launching one of the malware’s hidden intents (an activity, not the main one) we can see how it looks in the diagram below. The AboutAndroid malware POC is installed on the victim device and we are ready to begin our simple scenario.
Diagram 3.0: AboutAndroid Malware POC – an activity intent launched (not in hidden mode)
1. In order to track the victim, the attacker sends an SMS message whose text is the trigger “:-)” to the victim device.
Diagram 3.1: The attacker is sending the SMS message
2. The victim gets the SMS message.
Diagram 3.2: No suspicious activities on the victim device
Diagram 3.3: The victim device getting the SMS message
3. The attacker is now able to browse to the AboutAndroid potnet C&C server GUI console and get all the relevant and valuable information about the victim.
Diagram 3.4: AboutAndroid potnet C&C server – part 1: basic information, indicators and the Motion Detection module
(Callout: We can’t observe any suspicious activity on the victim device.)
In diagram 3.4 we can see that the basic information about our victim includes cellular network information, radio-signal-related data, the calculated device location, an “Inside building” indicator, a floor-level indicator, etc.
In addition, we can see the Motion Detection module (at the bottom right corner). The Motion Detection module shows us every exact motion of the victim device, triggered by any new movement of our human target.
TIP: It is recommended to search the internet for the full video clip of this proof-of-concept scenario in order to see the full feature list of the AboutAndroid malware.
In diagram 3.5 we can see the calculated data for the victim, including triangulation data, base-station measurements and the estimated location of the victim device.
Diagram 3.5: AboutAndroid potnet C&C server – part 2: calculated data of the victim
Conclusions
It seems that running a standard antivirus sweep will not get rid of AboutAndroid or other potnet malware, and since the program doesn't really make its presence known, you may be in trouble if you find that you're already infected with it.
If you think you may have become infected by potnet malware, you should uninstall any suspicious app that you are not familiar with; otherwise wipe your device and perform a “Factory reset”.
In my opinion, potnet malware tries to take advantage of the victim device by implementing an incoming broadcast receiver, sensor listeners and other non-conventional data techniques, which allows the malware to run in a quite stealthy mode and to get information from the victim device without any interruption to the user or the need for a dialog approval on the client’s side.
The AboutAndroid malware runs in the background as a service and its operation is not noticeable to the user. However, it will likely consume considerable battery power when active, which will raise suspicion. On the other hand, users with a capped data plan will notice almost no change in the charges on their bill.
Once a specific app has been detected and a signature created for it, most mobile anti-virus products will be able to detect and remove the threat by uninstalling the malicious app.
Notes for Android Developers and Google Security Team
Giving applications direct access to hardware is dangerous. It would be better if permissions were required for sensor access. In addition, the hardware layer should not provide more than applications require, and should provide only abstractions, not raw data.