Android/BondPath: a Mature Spyware

We have recently stumbled on several active samples of an Android spyware. They belong to a family we have named BondPath (also known as PathCall or Dingwe), which was first reported in May 2016. While our customers have been protected against that malware since 2016, in July 2018 we discovered that some samples are still in the wild and continue to be a threat to unprotected smartphones.

This malware poses as a Google Play Store Services application. The fact that it is signed by the unknown developer hola should be the first clue to raise an alert.

However, it won't raise an alert if your smartphone is unlocked and a spy installs the malware for you. In that case, the malware is well hidden: the application icon is not displayed (it is removed after the first launch), and there is no particular indication that someone is spying on your device. The list of applications, however, reveals two applications:

• One is named Google Play service (legitimate)
• And the other is Google Play Store Services (malware), but this will be difficult to spot. 

The list of running process can also show that the malware is active:

The malware implements an extensive set of spy features including,:

• Audio recording
• Browser history
• Calendar
• Call logs
• Contacts
• Device information
• Emails
• Files on the phone
• Installed applications
• SMS: incoming and outgoing

Collected information is sent to a remote server via HTTP. These packets contain:

• Type: (e.g reguser, deviceinfo, appconfig)
• Data: this is the payload of the packet. It is encrypted with AES-ECB using PKCS5 Padding and a hard coded key. It is then encoded with Base64 and then URL-encoded.
• Hash: an MD5 hash of the payload

These procedures indicate that the malware author(s) have a weak knowledge of cryptography (poor choice of block chaining, padding, no authenticity.) As a malware analyst, however, I am very happy with it as it is easy to decrypt their packets.  :)

Less frequently, the malware also reports on the infected smartphone's battery status:

Decompiled code of Android/BondPath posting battery status report

The infected smartphone can also be controlled remotely to retrieve even more data. In particular, it will retrieve chats from WhatsApp, Skype, Viber, Line, Facebook, and BBM. To accomplish this, the spy sends the remote command PULLREQUEST_xxxx to the malware. For example, PULLREQUEST_skypelog or PULLREQUEST_fbmessenger etc.

For each device it spies on, the malware registers a new 'account' on its remote administration panel. The account's username is based on the current timestamp, and the password is randomly generated. Fortunately, by decrypting its communications using our emulators we were able to login to its remote administration panel.

The affected web hosting platform has been notified of this abuse.

This spyware does not exhibit any particular novel technique (no exploit, minimal obfuscation), but it demonstrates a good level of maturity with regards to implementation and features. Ten years ago, malware used to be limited to a few main features like reading incoming/outgoing SMS messages or phone calls (recall Spy/MobileSpy!WinCE or Spy/Spyiolan!SymbOS). This time is well past, and spyware now embeds many feature and is quite reliable – and therefore, a significant threat to end-users.

If your smartphone is not yet protected, think about it twice, because criminals are waiting to take advantage of you.

FortiGuard Protections:

Fortinet customers are protected against this threat with the AV signature Android/BondPath.A!tr.spy

IOCs:

0918c205c6867e24080f8950ce82f48c56822187429c35cde3f37f36554bff57

2ff501b0a0607000262de40e6a84da8adc3b91a4f943b97976ec5dd09376d223

5e0cbe1e6ab99cbb274e18b00d49c4b160fedd2e25c79a45531908a92a3cf790

-- the Crypto Girl