Threat Research
We have recently stumbled on several active samples of an Android spyware. They belong to a family we have named BondPath (also known as PathCall or Dingwe), which was first reported in May 2016. While our customers have been protected against that malware since 2016, in July 2018 we discovered that some samples are still in the wild and continue to be a threat to unprotected smartphones.
This malware poses as a Google Play Store Services application. The fact that it is signed by the unknown developer hola should be the first clue to raise an alert.
However, it won't raise an alert if your smartphone is unlocked and a spy installs the malware for you. In that case, the malware is well hidden: the application icon is not displayed (it is removed after the first launch), and there is no particular indication that someone is spying on your device. The list of applications, however, reveals two applications:
The list of running process can also show that the malware is active:
u0_a79 3951 73 939736 38424 sys_epoll_ 00000000 S com.path.call
u0_a79 3977 73 934496 34116 sys_epoll_ 00000000 S com.path.call:system
The malware implements an extensive set of spy features including,:
Collected information is sent to a remote server via HTTP. These packets contain:
These procedures indicate that the malware author(s) have a weak knowledge of cryptography (poor choice of block chaining, padding, no authenticity.) As a malware analyst, however, I am very happy with it as it is easy to decrypt their packets. :)
Less frequently, the malware also reports on the infected smartphone's battery status:
hashtable = h.makeAppConfigHashtable(this.service.getApplicationContext());
hashtable.put("level", String.valueOf(MessageSenderService.getBatteryReceiver(this.service).level));
hashtable.put("temp", String.valueOf(MessageSenderService.getBatteryReceiver(this.service).temperature));
Packet.addPairPost("battreport", hashtable);
Decompiled code of Android/BondPath posting battery status report
The infected smartphone can also be controlled remotely to retrieve even more data. In particular, it will retrieve chats from WhatsApp, Skype, Viber, Line, Facebook, and BBM. To accomplish this, the spy sends the remote command PULLREQUEST_xxxx to the malware. For example, PULLREQUEST_skypelog or PULLREQUEST_fbmessenger etc.
For each device it spies on, the malware registers a new 'account' on its remote administration panel. The account's username is based on the current timestamp, and the password is randomly generated. Fortunately, by decrypting its communications using our emulators we were able to login to its remote administration panel.
The affected web hosting platform has been notified of this abuse.
This spyware does not exhibit any particular novel technique (no exploit, minimal obfuscation), but it demonstrates a good level of maturity with regards to implementation and features. Ten years ago, malware used to be limited to a few main features like reading incoming/outgoing SMS messages or phone calls (recall Spy/MobileSpy!WinCE or Spy/Spyiolan!SymbOS). This time is well past, and spyware now embeds many feature and is quite reliable – and therefore, a significant threat to end-users.
If your smartphone is not yet protected, think about it twice, because criminals are waiting to take advantage of you.
FortiGuard Protections:
Fortinet customers are protected against this threat with the AV signature Android/BondPath.A!tr.spy
IOCs:
0918c205c6867e24080f8950ce82f48c56822187429c35cde3f37f36554bff57
2ff501b0a0607000262de40e6a84da8adc3b91a4f943b97976ec5dd09376d223
5e0cbe1e6ab99cbb274e18b00d49c4b160fedd2e25c79a45531908a92a3cf790
-- the Crypto Girl