FortiGuard Labs Threat Research

A Wrap Up of ToorCon 19 at San Diego

By Kai Lu | September 18, 2017

ToorCon 19 San Diego was held Monday August 28th to Sunday September 3rd, 2017 at The Westin San Diego. It included three parts. The first was training workshops focused on various aspects of computer security. These took place on Aug 28-31. The second was a Seminar held on Sep 1. The third part was the formal Conference that ran from Sep 1-3.

I was honored to be able to present my research, Dig Deep into FlexiSpy for Android at ToorCon 19. FlexiSpy for Android is a spy app with full IM tracking, VoIP call recording, and live call interception. It also can spy on messages, GPS, multimedia, Internet, applications, etc. In short, FlexiSpy can take full control of an Android mobile phone or tablet and spy on all of its communications and activities from any computer with a web browser. At the end of April 2017, Flexidie released the old version source code along with binaries of the FlexiSpy Android spy app. I reviewed the leaked data and finished my deep analysis and reverse engineering of the app around the middle of May. My talk covered the following five points.

  1. First, I looked into the first installation of the spy app. During this process, the spy app could request a root privilege, create a specific folder to store data related to its daemon process and the startup script named maind, as well as set up reboot hook scripts. These scripts could be executed when the device is booted. Then I showed the workflow of the first installation of the spy app.
  2. Second, I took a deeper look into the startup script. When the device is booted, the spy app starts five daemon processes (maind, pmond, callmond, callmgrd, psysd) from the startup script. In the process maind, it starts the app engine as well as two remote servers: “com.vvt.rmtctrl.server:12512” and “vvt.polymorphic.server port:12514”. The server “com.vvt.rmtctrl.server:12512” is a remote control server that processes remote commands. By rebooting the device after the first installation of the app and then launching the spy app on the home launcher you can see an activation view. At this point you need to input a license key to activate the product before it can start spying. Unfortunately, I couldn’t find the license key for the spy app in the leaked data.
  3. Third, I showed the workflow of the product activation and how to bypass the license check. After fully understanding the workflow of the product activation, it is possible to bypass the license check by patching six parts of the smali codes. Each different configuration ID had its corresponding spying features.
  4. Fourthly, I analyzed two IM spy cases of FlexiSpy for Android. One was for spying on Skype for Android, and the other was for spying on WeChat for Android. We can see that the IM apps being spied on include Facebook, Hangouts, Hike, Instagram, Line, QQ, Skype, Snapchat, Telegram, Tinder, Viber, WhatsApp, WeChat. In addition, FlexiSpy for Android can spy on the device camera, email, calendar, audio, chrome, yahoo, browser, etc.
  5. Finally, I gave a summary of FlexiSpy for Android. Through my deep analysis we can see FlexiSpy for Android is an all-in-one spyware tool with a sophisticated and complicated design. In order to support all spy features, it requires that the Android device be rooted. The spy app sets up the startup script. When the device is rebooted, the startup script can be executed to start some daemon processes. FlexiSpy used FileObserver to monitor the database and shared preferences files stored in the private folder of the IM apps. Generally, the IM apps on a mobile device store chat messages in a database file.  Some database files might not be encrypted, such as the Skype app, so it’s easy to execute some SQL statements to gain access to any sensitive chat messages after rooting the Android device. Other database files might be encrypted, like the WeChat app. It looks more secure, but the private key can still be calculated by reversing engineering the IM app. Even if I uninstall FlexiSpy for the Android app (package: com.Android.systemupdate), its spy activity remains ongoing.  I tested Skype and WeChat apps after uninstalling the spy app “com.Android.systemupdate” and found that it could still successfully monitor the chat messages of Skype and WeChat. For normal users, if you find the file fx.log in the folder /data/misc/adn/, it can confirm your Android device is being spied on by FlexiSpy for Android. I then provided the steps necessary to remove FlexiSpy thoroughly.

In this blog post, I also want to share my review of other talks that I enjoyed the most.

With the popularity of Apple iOS devices, more security researchers have been focusing on iOS devices. One of my favorite talks was DirtyTooth: Put music & lose your contacts by Chema Alonso, the Chief Data Officer at Telefónica. Bluetooth communications are on the increase. Millions of users use the technology to connect to peripherals in order to simplify their use as well as provide greater comfort and an enhanced experience. Chem showed us a trick (or hack) for iOS 10.3.2 and earlier that takes advantage of the management of the profiles, thereby causing great impact on the privacy of millions of users who use Bluetooth technology daily. From the iOS device information leak caused by the incorrect management of profiles, a lot of information about the user and their background may be obtained. More interesting, he invited Kevin Mitnick as a co-speaker. They also delivered a live demo regarding this interesting research.

The keynote was by Lance James, who wrote From Hacker to Home. His talk explored the evolution of the hacker both technically and socially, with highlights of today’s problems with IoT, malware, and the merger of traditional intelligence as information security defensive and offensive disciplines.

I also attended the Friday Night Reception party and met up with other security researchers, thanks for the free drinks and snacks provided by sponsors.  You could also make your own badge with some toolsets provided. It was cool! The following is my badge and the schedule for my presentation.

In a word, it was a great experience for me to be able to attend this cyber security conference, deliver my presentation, and meet with other security researchers working in various research fields. You can check out ToorCon 19’s official webpage for the full list of talks if you are interested. The full presentation slides should be released this week.

My presentation slides can be downloaded here. The white paper of this talk includes the full detailed technical analysis, and is available here.

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.