Occasionally we are hired to carry out work in the security and ethics sector.
This job was of special interest as we were engaged by our friends at Cure53 in Berlin, whose client, a human rights watchdog (HRW), wanted to ensure that people's rights were not being violated by these applications.
We maintain a close friendship with the Berlin-based cyber security company Cure53, and we carried out this work as a freelance member of their team under the direction of Cure53 CEO Dr.-Ing. Mario Heiderich.
Investigative research, whether security work or developing proofs of concept, is a growing area for REPTILEHAUS, and we want to showcase the interesting work we do in this field. Unfortunately we cannot comment on many of the specific details of this job, for our own safety and that of any whistleblowers involved.
We received three previously unknown Android APK files for an in-depth technical investigation.
We were tasked with an investigative research project, essentially a black-box assessment in which we would reverse engineer and analyse each of these Android applications to identify:
– What is the intent of these applications? What do they actually do, and where are they from?
– Who built them?
– Are they capable of stealing PII (personally identifiable information)?
– Do they carry out any background tasks which are of concern, or unknown or undesirable to the user?
When dealing with a project of this nature we need to ensure our own safety, so all necessary precautions were taken: sandboxed VM environments, re-routing all TCP traffic through an interception proxy so that everything these applications send can be captured for further analysis and attribution, and masking anything which might be personally identifiable. Once our lab was set up we began the forensic process.
The first step is to reverse engineer each application's binary (for Android, the DEX bytecode inside the APK) into a more readable, structured representation.
The decompiled output is not easy to read, but it does allow an experienced programmer to gauge what the executable is doing. We have to apply a certain amount of imagination, experience and common sense when going through each file line by line to work out what happens, when and where, as the application executes.
We concluded with reasonable certainty that all three applications were developed by the same team, albeit as different alterations or versions adapted for each purpose.
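The kind of static triage that precedes the manual line-by-line reading described above can be illustrated in code. The Python script below is an added example written for this page, not the tooling used in the original engagement: it treats each APK as the zip archive it is, hashes every classes*.dex, pulls printable strings and URLs out of the bytecode, and compares the samples' string sets with a Jaccard index, which is one first signal that several builds come from one code base. The four sample APKs are constructed in memory with hypothetical package names (com.example.collector, org.other.flashlight) and a hypothetical upload endpoint (upload.example.test); none of them are the samples from the engagement, and the placeholder manifest is not real Android binary XML.

```python
"""Offline static triage of Android APKs (added example, not the engagement's tooling).

An APK is a zip archive; compiled code lives in classes*.dex.  This inventories each
archive, hashes the DEX files, extracts strings and URLs from them, and compares the
samples' string sets.  Every sample APK below is constructed in memory.
"""
import hashlib
import io
import re
import zipfile

# Printable-ASCII runs of 6+ bytes, the same idea as the `strings` tool.  Real DEX
# files store strings as NUL-terminated MUTF-8, so the same extraction works on them.
STRING_RE = re.compile(rb'[\x20-\x7e]{6,}')
URL_RE = re.compile(rb'https?://[\w\-.]+(?::\d+)?(?:/[\w\-./?%&=]*)?')
DEX_NAME_RE = re.compile(r'classes\d*\.dex')


def make_sample_apk(dex_strings):
    """Build a minimal APK-like zip in memory (constructed test data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('AndroidManifest.xml', b'\x03\x00\x08\x00')  # placeholder only
        zf.writestr('classes.dex', b'dex\n035\x00' + b'\x00'.join(dex_strings) + b'\x00')
        zf.writestr('META-INF/MANIFEST.MF', b'Manifest-Version: 1.0\n')
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Hash the archive, list its entries, and pull strings/URLs out of every DEX file."""
    report = {
        'sha256': hashlib.sha256(apk_bytes).hexdigest(),
        'files': [],
        'dex_files': [],     # (name, sha256); identical DEX hashes mean identical code
        'strings': set(),
        'urls': set(),
        'v1_signed': False,  # v2/v3 signatures live in the APK Signing Block, not META-INF
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            report['files'].append(name)
            if name.startswith('META-INF/') and name.endswith(('.RSA', '.DSA', '.EC')):
                report['v1_signed'] = True
            if DEX_NAME_RE.fullmatch(name):
                data = zf.read(info)
                report['dex_files'].append((name, hashlib.sha256(data).hexdigest()))
                report['strings'].update(s.decode('ascii') for s in STRING_RE.findall(data))
                report['urls'].update(u.decode('ascii') for u in URL_RE.findall(data))
    return report


def jaccard(a, b):
    """Similarity of two sets in [0, 1]; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare_samples(reports):
    """Pairwise string-set similarity; high overlap is a first hint of a shared code base."""
    names = sorted(reports)
    return {(x, y): jaccard(reports[x]['strings'], reports[y]['strings'])
            for i, x in enumerate(names) for y in names[i + 1:]}


def shared_urls(reports, names):
    """URLs present in every named sample, e.g. a common upload endpoint worth attributing."""
    return set.intersection(*(reports[n]['urls'] for n in names))


# Constructed samples: three variants sharing a hypothetical collector package and
# upload URL, plus one unrelated app.  Nothing here comes from the real engagement.
CORE = [
    b'Lcom/example/collector/LocationTask;',
    b'Lcom/example/collector/ContactsDump;',
    b'Lcom/example/collector/DeviceIdHelper;',
    b'https://upload.example.test/api/v1/report',
    b'android.permission.ACCESS_FINE_LOCATION',
    b'android.permission.READ_CONTACTS',
]
SAMPLES = {
    'sample_a': make_sample_apk(CORE + [b'Lcom/example/app_a/MainActivity;']),
    'sample_b': make_sample_apk(CORE + [b'Lcom/example/app_b/MainActivity;',
                                        b'Lcom/example/app_b/SmsReader;']),
    'sample_c': make_sample_apk(CORE + [b'Lcom/example/app_c/MainActivity;']),
    'unrelated': make_sample_apk([b'Lorg/other/flashlight/MainActivity;',
                                  b'Lorg/other/flashlight/TorchService;',
                                  b'android.permission.CAMERA']),
}
REPORTS = {name: triage_apk(data) for name, data in SAMPLES.items()}
SIMILARITY = compare_samples(REPORTS)
COMMON_URLS = shared_urls(REPORTS, ['sample_a', 'sample_b', 'sample_c'])

if __name__ == '__main__':
    for name, rep in REPORTS.items():
        print(name, rep['sha256'][:16], rep['dex_files'], sorted(rep['urls']))
    for pair, score in SIMILARITY.items():
        print('%s vs %s: %.2f' % (pair[0], pair[1], score))
    print('URLs shared by the three related samples:', COMMON_URLS)
```

Two caveats a practitioner would keep in mind: a v1 (JAR) signature is the only kind visible in META-INF, so a missing .RSA file does not mean the APK is unsigned, and string overlap only ranks which samples deserve the manual decompiled-code reading described above; it does not by itself establish a common author, since libraries and obfuscators produce shared strings too.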
Our original report ran to over 17 pages and was a very technical deep dive, with which the client was very pleased. Due to the classified nature of this job, all we can state is the outcome: all three applications appear to be built for the same purpose, namely identifying individuals, both general civilians and staff, within secure government departments, and they are tailored solely to one geographic area.
However, it is important to keep an open mind about findings like these. After a lot of deliberation we deemed that the three samples were not being used explicitly for any abuse of civilians, or indeed for tradecraft purposes, although we did report that they certainly had the capability to do so.
Our conclusion was that this code base, if not already being used for that purpose, could be used to violate the rights of certain individuals with minimal effort, should anyone wish to do so.
These samples are benign, but we would not be surprised if similar apps created by the same development team or organisation cropped up and were used maliciously to pinpoint or identify individuals of interest to a given government or organisation.