Thanks very much for coming to this Spy versus Spy presentation. My name is Michael. This is my cohort in shenanigans, Chris. And we're going to talk about spyware that's on cell phones. And we're going to start with the opening comment that I'd like to introduce you to the latest spy in spyware. That would be this green guy right up here. And we say that because it's incredibly easy for spyware to show up on mobile devices. And a lot of times that involves duping the user into installing an app. But it happens, and if you believe Lookout you'll believe that it happens three times more likely on a mobile phone than it does on a desktop computer. Which is kind of a scary thought. Which means people have left their brains at home when it comes to working with mobile devices. And there's a lot of spyware malware out there. Right? The third quarter of 2011 saw a 500% increase in spyware. Okay. And this spyware exists in raw malware form but also is a commercially available product. Outstanding. You can go buy it if you want to. Right? And it started in January 2011. Soundminer came out. And it was grabbing all sorts of credit card information whenever people were typing in their keypads and it was sending it off via stealthy text messages, which was great. As we moved to August 2011 F-Secure dropped this news article out there saying people are stealing pictures for blackmailing purposes. And then we had a whole host of people color the internet with beautiful pictures of all sorts of wonderful things. And that showed up everywhere and long live spyware. NickiBot came out in September 2011. And NickiBot was critically analyzed by the Department of Computer Science down at North Carolina State University. And they dissected the code and I gave you the link up on the screen and it's available in the presentation if you want to look at it. And we noticed that there was spyware that was responding to text messages. 
Where the spyware would intercept a text message and say, is this for me? It is, great. I won't show the user but I'll perform a certain set of functions. Okay. And this application showed up as the Android system log. So it didn't appear very stealthily but people were still duped and NickiBot showed up. And then we had a whole bunch of commercialization of spyware. It's everywhere. And it's primarily sold under three types of advertising venues. One, it's designed to catch your cheating spouse. You're no good, dirty lying, lousy cheater, boyfriend, girlfriend, husband, wife, dog, whatever. Children, that was for you. Employees, I mean it was designed to capture all those people but if you take a look at the screen you'll notice that it's not just for one platform. It's for just about every platform that's out there. Whether it was Android, iPhone, I mean the BlackBerry, Windows Mobile, Nokia. And it was pretty popular and there was a real short list on this particular website that said hey, you don't have to buy any one particular package. We're going to list five or six right here. Well this is the short list. Turns out that there are dozens of commercially available spyware packages out there. And they're all sold as subscription services. You don't just buy the software and install it and run it. You actually buy the software, install it and then you pay to log in to the website to retrieve the data that's out there. And the subscription service is usually sold for either three months, six months or one year at a time. I couldn't be bothered to spy on someone for a year at a time but that's the way they sell it. Yeah, I do have a short, yeah it happens, short attention span. So there's a lot of commercial versions out there and you would think that most of the time it would require rooting of an Android phone. And we discovered that's not necessarily the case anymore. There are spyware packages for rooted and non-rooted phones. 
But in the case you will notice that there's an asterisk on the screen. In the case of iPhones they always wanted it jailbroken. Every single time. Okay, so I'll play, we'll jailbreak it. So I don't know if you've been looking to see what this spyware does. So quick little rundown just so we're on the same page. Most of the spyware packages out there do the same thing. They will scoop up all the text messages that are bound for a phone. They will ship them off to a website. They'll grab GPS coordinates and we'll go over a point shortly that shows that that is somewhat misleading. It will scoop up all the pictures. It will grab whatever videos are on the phone. It will capture call logs, browser activity, not necessarily the cache, but the URLs that people have used. It will pull off emails and it will identify whether or not a SIM card has been changed on a particular phone. And all of this stuff just runs on a routine. And every so often it sends it right up to the website. Now some of these spyware packages operate in interactive mode. Which means if I send a specially crafted text message to the phone, the phone is going to respond. And sometimes it's going to be remotely launching the camera to take a picture. Sometimes it's going to record a video for 15 to 30 seconds and upload that to the website. Sometimes it's going to automatically engage in a phone call where it doesn't light up the phone. So essentially it's stealth mode so you can record what's happening. Sometimes it's going to wipe the phone. I think that's a great way to bug someone. You buy a cheap phone, you install the spyware, you drop it in someone's car and when you think you're about to be discovered you hit wipe. Unfortunately the wipe command here doesn't wipe the phone. It just wipes user sensitive data and leaves all the applications there. And on some of the newer spyware you actually get a chance to remotely view what the user would see on their particular phone. 
Which I thought was kind of crafty. And it all works the same way. All of this phone data is taken, harvested up, and sent automatically across the net to the infecting website. And all that is done through an internet connection. None of it is done through audio. It's all done through the data channel. And it's fairly routine. And there's a number of examples out there. For example if you go to SpyBubble's website, I mean it looks a bit like a third grader designed it. If you look at the fonts. But the list of functions is on the left hand side and then you get all sorts of call detail records that show up with the date, the time, whether it's an inbound or an outbound call with the listing of the numbers. You'll notice you can capture live pictures. You'll see one here. It's black. The phone was actually in my pocket at the time when it went off. So that's a picture of my pocket. The one next to it I was actually holding the phone at the time when it went off. And you'll notice that most of these photos are just raw camera activity. Raw flashes of the camera. The flash doesn't go off. So none of them are focused. So a lot of them are blurry and they show up. You get a listing of all the text messages that show up and this particular screen is from MobiStealth. And then a lot of times you can grab GPS coordinates and the GPS coordinates are supposed to identify where the phone is. Well I can tell you for this particular phone that was infected with spyware you're not seeing the location of the phone. You're seeing all the cell phone towers that the signals bounced off of. So I was in part of Northern Virginia. I drove to the airport and all of a sudden you see towers all over the place. So the phone wasn't actually there. You also get recorded phone calls that you can download and play at your convenience, which is kind of nice. It'll automatically record the call and then send it up. Which I thought was a nifty feature and it worked fairly well. 
And a lot of times in addition to sending all of this data directly up to a website, it will also capture the information and send an alert to the spy, the guy who's watching me. And what usually happens is one of two things. The phone that's been infected will send a message, it will go out to the website, whether it's FlexiSpy or MobiStealth, and then they will send a message directly over to the user. I feel like I've been buzzed. It's not me. The other thing is sometimes there's a text message that might go out directly from the user and go over and hit directly to the spying phone. So you have two ways of notifying people when activity happens. So if there's a certain email that's showing up or if there's a certain text message that you're watching for, the information goes out and gets relayed to you. Sending commands back to the infected phone is interesting. It's usually done one of two ways. The first way is if the spyware is designed for it, I send a specially crafted text message to the phone, it intercepts it, it actually formats a process. Or I can go to my particular website. I can say go retrieve the data and the infected phone will actually poll the website and say oh, there's a waiting command for me, I'm going to go out, I'm going to go run the command and then send the data back up. So if I need to automatically know where someone is, I can send the command, out it goes. If I need to find out what particular email is there, please tell me right away. If I want you to take a picture right now because I think something's happening, you can go do that. And that worked for malware, the malware version of spyware, and it also worked for the commercial version of spyware, but there were two major differences in looking at spyware from the malware version and the commercialized version. One is the attack vector and the second was the manner of logging that takes place on commercial spyware. It's just downright scary to see how much logging takes place. 
So with respect to the installation or attack vector, for all of the products that we looked at, you had to be in physical possession of the phone to install the spyware. And that was for two reasons. One, you actually have to go out and download the software to install on the phone. The second thing is you actually have to go out and you have to enter in the registration key that goes with your software to unlock it. So it's not enough to have the software installed, you actually have to enter a registration key. Android didn't necessarily require rooting to take place. iPhone always required jailbreaking to take place. It was always necessary to have an internet connection because that's how the data was going to be transferred. On Android phones you had to flip the switch to say, hey, allow apps to be installed from unknown sources. And in some cases, and this killed me, you had to reboot the phone after you installed the spyware. Well, that's not real stealthy especially if you don't know the password for that particular phone. And then lastly, you need the software registration key. That's a whole lot of information. So if you're planning on installing spyware on someone's phone when they run off to the bathroom, hopefully they're going to be in there for a while. I mean, because you're talking four, five, six, seven, eight minutes, it's not a real quick thing. Or you just knock them on the head and then while he's out like a light, then you go do it. And according to the websites, all this stuff is undetectable. They all make the claim. We cannot be detected by the user. Undetectable. Undetectable. Challenge accepted. Okay, we'll see if you're undetectable. So that brings us up to the big question. How can you tell if you've been phoned? All right, he's a paranoid bastard. He wants to know if someone's spying on him. I'm a paranoid bastard. I want to know if someone's spying on me. I want to know if they've installed spyware on my phone. 
So how do we tell if we can do that? Well, we thought about that. And here's what we did. We decided to forensically examine five phones using the same tools that the cops would use. Nothing special. We would want to know what the feds or local law enforcement would do. And we used five different phones, five different spyware packages. And here's what we came up with. We grabbed an HTC Wildfire S, an LG Optimus Elite, an LG Optimus V, a Samsung Galaxy, no, it's not, I'm going to say V. Think Roman. Samsung, but I don't care if you're Greek. Can the goons remove him? Samsung Galaxy Prevail and an Apple iPhone 4S. And we picked different packages. We grabbed a copy of FlexiSpy because they advertised really well. And it's a UK company and we thought they spoke neat with funny accents. We grabbed a copy of SpyBubble. We grabbed a copy of MobiStealth. We grabbed a copy of Mobile Spy. And lastly, we grabbed a copy of Spyera. That company is based out of Hong Kong. We picked them all up. We listed the individual versions of Android that were on the phones. We didn't do anything special to the phones. We literally walked into the Best Buy. I'd like to buy some phones. Okay. What kind of phones do you want? Here are the five phones I want. They're like, you want five? Yeah. I want five. Really? Do you want to sell me the phones or not? Okay. Do you want really long plans? We'll set you up. No. One month, please. We got a month to do this. We kept the version of Android that was on those phones. We didn't upgrade them. So we played the dumb user. So the dumb user, so we just, no upgrade. We grabbed it. We took it home. We registered. We activated it. We picked up, hey, dude, cut it out. We picked up T-Mobile. We picked up Virgin, Sprint and Boost. And we also picked up our iPhone, which was unlocked on T-Mobile as well. Now, I'm not an attorney. He's not an attorney. And if there's an attorney here, I don't know and I don't want to know. 
But they had some legal text on all their websites. So we thought we'd share that with you just to make sure everyone here was informed before we got into our shenanigans. FlexiSpy came out and said, we will never release your private information or your account information, except under the threat of legal action or court order. Okay. So they're up front about it. They're like, they threaten us, we're coughing up all your data. Don't do anything you shouldn't. Right. If you ask nicely, we'll give it to them. You had all sorts of people list the Computer Fraud and Abuse Act. This was MobiStealth's particular web page. They literally just copied the text and pasted it there and said, we're going to make sure you adhere to that. SpyBubble comes out and says, we're basically designed for monitoring your spouse, children or employees having a smart phone. Either you should own the phone or you should have permission to monitor the user. Really? I'm going to go up to my kid and say, hey, Junior, I'm going to spy on you. I need your permission. What do you say? No, dad, screw you. And then we have Mobile Spy. Mobile Spy came out and said, you have to own the device or you have to have the expressed written consent of the owner. Written consent. Right. Hi, employee, I'm going to spy on you here. I need written consent from you to, you know, let me do that. And then we have Spyera and I love this one. This one was great. They came out and said, it's the responsibility of the user to ascertain and obey all applicable laws to use Spyera for sneaky purposes. Outstanding. At least they know. I mean, they're being honest. They're like, hey, we know what you're going to do. But they give all this legal text. Actually, if you read their disclaimer statement, they are more concerned about you stealing their intellectual property than going out and, you know, getting caught. 
And a number of the user agreements come out and say, look, we know you're going to spy on someone, but we don't want you reverse engineering our software. That would be wrong. So I'm just going to say, okay, I'll be more than happy not to reverse engineer your software. It doesn't mean I can't do a forensic examination with these three tools. So we went out and we picked up a copy of UFED Physical Analyzer. We grabbed a copy of Paraben's Device Seizure and we picked up Micro Systemation's XRY. Here we go. So we pick up FlexiSpy. Now, FlexiSpy is owned by the company called FlexiSpy, but it's sold through a third party called Gate to Shop Online Solutions. And that's an interesting point. All of these packages you don't buy directly from the software maker. You actually have to buy it through a third party source. A lot of times those third party sources are based in the U.S. So while FlexiSpy might be based in the U.K., if this software company is based in the U.S. and you sell it, where do you think the feds are going to go to try to find out who purchased the software? Are they going to try to fight the battle overseas or are they going to try to fight the battle overseas? That's what I thought. So let's talk about FlexiSpy. And we're going to do all these presentations in the exact same way. We're going to show some history or evidence of download. We're going to talk about some of the operational activity and then we're going to start diving underneath the covers to find out what's going on. FlexiSpy. I'm going to stay out of your covers. Don't worry. I don't want to be in there. Dude, and I'd be so sorely disappointed. So FlexiSpy sits there and you can download stuff directly from that website. They give you the registration key so you can download it. And according to their instructions they have you delete the cache and delete all sorts of information to show that you never downloaded this stuff from the browser. 
Even after we did that with the forensic tools, we still found the particular URL from where we downloaded the spyware. And this particular URL had the registration key unique to that installation right there. That's our first piece of attributable information. We can tie it back to a particular purchase. Okay. Doesn't sound like it's too invisible. If we yank the SD card we were able to find stuff in the download directory, specifically the APK that was used for the installation. That doesn't sound too stealthy to me. I'm smelling something that's detectable. So I start looking around and I dive in the cache. And this is kind of cool. I dug down into the bookmark thumbnail cache for this particular software and there was this neat picture there. It was the installation page for the software with the registration key as part of the picture. Really? Along with the support address, support@flexispy.com. Now I don't have to wonder about what type of spyware got installed. I now have a name. It's right there. I thought that particular piece of attribution was interesting. So we now have evidence that, yeah, it was downloaded and we tied it to a particular purchase, particular registration key. Then we noticed some glitches in the software itself. Yeah, I don't know if you can hear them. They all had glitches. They had lots of glitches. They were all buggy in one way or another and some of them were pretty darn obvious. In FlexiSpy every 10 to 15 minutes a little message would pop up at the top of the screen that says unknown just obtained superuser access. Really? And now sometimes the software, you know, occasionally I'd reboot the phone because I was looking at it and the software would just stop working. So I called support or I emailed them and they said, oh yeah, we're having a glitch. We need you to wipe the phone and reinstall the spyware. Really? I'm spying on the guy. You want me to completely wipe the phone? Yes. All right. 
Okay, so the question up front in the front row, which was in a very polite fashion was, was this a rooted phone? HTC Wildfire S was a rooted phone. The other phones were not. So this one was rooted and it still had issues. The message appeared on this phone running this spyware. We didn't cross-contaminate them because if we cross-contaminated and did a 5 by 5 matrix, well then all of a sudden we'd have issues and we would start seeing artifacts from different phones. So one phone to one spyware. It wouldn't always work so they had me reinstall it. The next thing is, I picked up a CDMA phone, an HTC Wildfire S, CDMA. I install the software, I send my first Delphi text command to the phone and the phone shows up in the clear. I'm like, what the hell? So I'm like, I must have done something wrong. I must have mistyped the big long registration ID. So I do it again. And it still shows up in the clear. I'm like, son of a gun. So I send them another support message and said, hey, I'm a stupid user. I must be doing something wrong. What's the deal? And they're like, oh, we forgot to tell you. We don't really work well on CDMA phones. You should make sure that your user, flip them over to GSM. Hold it. You had me wipe their phone. Now I got to go up to the person and say, you're not going to notice that I'm changing the logo from Verizon to AT&T, are you? And change the billing. And they're like, it only works with GSM. We're sorry, goodbye. So I took that phone, I ditched it, I went out and bought another phone. Go back to the best buy. You're back. I need another phone. So then I go out and I pick up an HTC Wildfire S, GSM version. And I go to root that. Has anyone here tried to root an HTC Wildfire S, GSM it's a pain in the ass. So now we had to go order an HTC clip from England, have that shipped over. We finally get into the phone. We unlock it and then we root it and we're good to go. I go through all this. 
Two months later the company released a new version of the software. Son of a bitch. That's okay. I'm just going to stick with my current plan. We noticed when we ran this through one of the tools that 152 running apps showed up for our Android phone. We didn't do anything. We installed the root checker just to see if we rooted things correctly and we installed this particular spyware. And wouldn't you know that Superuser shows up as one of the running applications? Hmm. Interesting. Nowhere in their description of trying to hide applications and icons did they even mention trying to get rid of Superuser. The next thing that shows up. We dug down under data slash system slash usage data slash blah, blah, blah, and we found a reference to an application. It didn't show up on the application list but com.android.m security. Bingo. We just found our spyware. We actually pulled that out. And then we noticed this big large directory structure. Data slash misc slash dm. That's a lot of files for something that's supposed to be undetectable. It was cool. So we started rifling through that. Handed some of the files to him, handed some of the files to me, start digging, and then all of a sudden we hit this little file called fx.log. Holy crap. This thing is journaling all the activity that the spyware does on the phone. Everything. We have confirmation that we've connected to the remote website. We have the registration key. We have the name of the product, the software version, Pro X. We have all the little hidden commands, so if I want to start sending more stealthy commands to it, you know, it shows up. For all you guys who are sitting there trying to text me right now, the phones are off and they're not here. They're dead. Interesting that it all showed up. We kept going down and now all of a sudden we start to see attribution. We now start to see the phone number that's doing the spying. 
So as I send text messages to the phone that's infected, all of a sudden there's a record saying, hey, the guy who's spying on you, this is his phone number. Really? We've seen debug logs that aren't this thorough. It was rather impressive. Uh-huh. The GSM, so the question up front was, did it, did going to GSM actually start to hide it? It did. However, there was a little glitch. So I activated the remote spying feature. And I flip it in and I start listening on the phone call. And I have the other phones sitting across the room. And all of a sudden I coughed. They heard the cough on the other end. See what actually happens is it establishes a phone call directly to the infected phone. Phone calls are bidirectional. Bidirectional. You have to hit mute on your phone. Otherwise they hear you. It is a British company. Yeah, it does, doesn't it? No kidding. So foiled. So it did a better job of hiding the actual text messages that are being received. But then they go and keep a log of everything that happens. So the user doesn't necessarily see this, but it didn't take much to peel back the layers and find this. Right. So as we move in, we find another file called Logcat. And Logcat starts to confirm outbound connections from the phone. And it tells me where it's going. It tells me when it's making the connection. Now, to their credit, the software vendor actually starts to show up. No problem. We actually have a record of it cleaning up the database itself and running through that. We also notice that this particular spyware was starting to watch other services on the phone. I don't know why the spyware would watch and be concerned whether or not the phone was charging or not. But it looked. It also made references to slacker radio, including all the process ID numbers. Thank you for making our life easier. We do appreciate that. We wish that. We start to go through Logcat some more and we see the database maintenance routines. Well, this is a dirty database. 
I need to do maintenance. I have to call it out. And now I have a listing of all the daemons that get used. Outstanding. Now I know what's actually running my spyware. Now, we also picked up one of the tools, the Cellebrite UFED was kind of outstanding in this regard in doing a physical dump from the phone. And we started looking through the raw files. And we found data that was supposedly deleted from the phone during the purging of this database in these log files. And we found records that went all the way back to the very first moment that the spyware was installed. So it's not like, you know, they would keep only 100 records in their file. It was actually several hundred records. But when they would delete it, we would still find it on other portions of the phone. And some of the stuff we found just looked like this. We were able to identify when the SIM card was changed. Which means this spyware wasn't tied to information on the SIM card. We still had the spyware number and we still had instructions being sent back and forth to the command. We also saw the controlling phone number. The phone number that was spying on you in the deleted data. So even after this particular piece of spyware was uninstalled and we deleted those records, we still found it. And with that, we're going to move over to SpyBubble. Well, you can keep your clicker thing. You're really good at it. Thank you. I'm trying to make you feel better. So SpyBubble, different company, different set of rules. They are, I already forgot. California based company. California based company that they were in Mexico. Yeah, California based company. Actually, they sold their software through a company called FBI. So very easy for law enforcement to go after them if you want to install one of them. This is the one that I would go with because it makes the FBI's job much easier. The URL history, we had a download link from where we downloaded the actual file that still showed up in the history file. 
The downloads database still showed a registry of the APK file coming in. Your downloads backup, the database has time stamps on every one of those files. So we knew exactly when the spyware was downloaded onto the phone. This was the only phone that didn't come with an SD card so we had to supply an SD card with it. And that actually changed some things. Because this was an external SD card that was getting the spyware installed onto it, because it was downloading to that SD card. It was externally mounted media. That actually caused this piece of spyware to log some things that weren't logged on the other phones. Which actually gave us even more artifacts to look at later. To turn on the spyware once it was installed, you were supposed to go into the dialer like you're making a phone call and, kind of like with standard GSM calls, you dial a pound, 9999 was the default ID number, and then a star, and that's supposed to activate the user interface for the spyware. Now I'm sure their intention was to hook the dialer and make this a special function, but it did nothing but open this up; it actually tried to call this phone number. So back to how stealthy they were: you now have this in the call logs. Anytime the user hits the recent button and looks to see what else they've been calling, this was there. Which meant they were going to dial it out of curiosity and see this interface that's on the screen. Brilliant design plan. So that six digit number is something that you can configure if you wanted to change it to something else. But we can figure out what it was pretty easily. When we looked through the raw dump of what was on the device we came across the actual executables. In this particular screenshot we're showing that the text message that gets delivered to the person that's spying on you, to tell you that it's installed successfully, is on disk in about 30 different languages. Multicultural. I thought it was nice of them. It is. 
So we were able to find that, which led us back to the actual executable, which led us back to all of its partner apps and everything that went with it. Not well hidden at all; it was merely hidden from normal user activity. Just like any other app it had a data partition for all of its user data. In here we found a whole host of log files and settings files that told us everything about how this piece of spyware was going to operate. Most of that was, you're fingering at me like you were going to say something. In the advanced settings text file there was everything we needed to know about how the settings were working. This relates back to that screenshot where it shows us turning all the settings on and off. This is where they're actually saved. We could see what those settings were going through the device and not going through the user interface to find it. The user intervals that are listed on the bottom of that tell us how often the spyware is going to look at our phone and then how often it is going to call me to tell me what you're doing on this piece of phone. Anything useful in that one? It's basically the same thing. GPS was enabled on this one. It would actually send us back the locations of where the device was. Every 15 minutes we would get an update sent out to a website and then we could log into the website and follow this phone as it was moving around. The next file down from that was buddy.txt. This is the phone number of the person who is spying on you. I love the name. Buddy. Hi, buddy. Really? Really. So a very small text file that just had a phone number in it. It gave us attribution. So now we not only know what's installed, we can actually go find it. By finding the executable that had the name embedded into it, we know what website to go to, we know what company to subpoena for records, but now we actually have which bad guy do I want to go after, because we've got his phone number of the phone he's using to control our spied-on phone. 
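The talk's point is that the "undetectable" packages leave named files and log strings that a forensic examiner can simply search for. The scanner below is an added example, not code from the talk or from any vendor: it walks an extracted filesystem dump looking for the artifact names the speakers enumerate (fx.log, data/misc/dm, buddy.txt, secret.txt, spyperf.xml, the radioadv app name, the #9999* dialer code, the flexispy.com download URL) and pulls phone numbers out of the attribution files. The directory layout, the log line formats and the com.example.spybubble package in the constructed sample are assumptions; the package name com.android.msecurity is the spoken "com.android.m security" with the space removed.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Artifact names taken from the talk. Paths and line formats in the
# constructed sample below are assumptions, not the vendors' real layouts.
ARTIFACT_FILES = {
    "fx.log": "FlexiSpy activity journal (key, commands, spying number)",
    "buddy.txt": "SpyBubble file holding the controlling phone number",
    "secret.txt": "SpyBubble dialer PIN (default six nines)",
    "spyperf.xml": "SpyBubble activity/preferences log",
}
ARTIFACT_DIRS = {"data/misc/dm": "FlexiSpy data directory"}
ARTIFACT_STRINGS = {
    "com.android.msecurity": "FlexiSpy package name in usage data (assumed spelling)",
    "radioadv": "SpyBubble app name in Android event logs",
    "flexispy.com": "FlexiSpy download/support URL in browser history",
    "#9999*": "SpyBubble dialer activation code left in call logs",
}
PHONE_RE = re.compile(r"\+?\d{10,15}")


@dataclass(frozen=True)
class Finding:
    path: str          # path relative to the dump root
    reason: str        # which artifact matched and why it matters
    detail: str = ""   # phone numbers or the matched string, if any


def _read_text(path, limit=1 << 20):
    """Read up to `limit` bytes as text; binary content is tolerated."""
    with open(path, "rb") as fh:
        return fh.read(limit).decode("utf-8", errors="ignore")


def scan_dump(root):
    """Walk an extracted filesystem dump and return every artifact hit."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir in ARTIFACT_DIRS:
            findings.append(Finding(rel_dir, ARTIFACT_DIRS[rel_dir]))
        for name in filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            text = _read_text(os.path.join(dirpath, name))
            if name in ARTIFACT_FILES:
                numbers = ",".join(sorted(set(PHONE_RE.findall(text))))
                findings.append(Finding(rel, ARTIFACT_FILES[name], numbers))
            lowered = text.lower()
            for needle, reason in ARTIFACT_STRINGS.items():
                if needle in lowered:
                    findings.append(Finding(rel, reason, needle))
    return findings


def controller_numbers(findings):
    """Phone numbers recovered from the attribution files (buddy.txt, fx.log)."""
    numbers = set()
    for f in findings:
        if f.path.endswith(("buddy.txt", "fx.log")) and f.detail:
            numbers.update(f.detail.split(","))
    return sorted(numbers)


def build_sample_dump(root):
    """Constructed sample dump mirroring the artifacts the talk describes."""
    files = {
        "data/misc/dm/fx.log": ("connected to remote site\n"
                                "product=PRO-X key=EXAMPLE-KEY-0000\n"
                                "sms command from +15555550100: GET_LOCATION\n"),
        "data/data/com.example.spybubble/files/buddy.txt": "+15555550199\n",
        "data/data/com.example.spybubble/files/secret.txt": "999999\n",
        "data/system/usagedata/usage-history.xml": '<pkg name="com.android.msecurity"/>\n',
        "data/logcat.txt": "I/ActivityManager: Start proc radioadv pid=666\n",
        "data/data/com.android.browser/history.txt":
            "http://www.flexispy.com/dl?key=EXAMPLE-KEY-0000\n",
        "data/data/com.android.providers.contacts/calllog.txt": "outgoing #9999*\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample dump, scan it, return (findings, controller numbers)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_dump(build_sample_dump(tmp))
        return findings, controller_numbers(findings)


if __name__ == "__main__":
    found, numbers = demo()
    for f in found:
        print(f"{f.path}: {f.reason} {f.detail}".rstrip())
    print("controlling numbers:", numbers)
```

On a real image, point scan_dump at the root of the extracted filesystem; the number regex is deliberately loose, so treat recovered numbers as leads to confirm against the deleted-record carving the talk describes.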
There was a secret.txt file that contained just the PIN number of six nines. We could change that number to whatever we wanted; that got saved in this text file, then we were able to see what that was. This is especially helpful if the user has changed it and we don't know how to bring up that interface. We can image the phone, dig through all these files, now we know how to pull the interface up, and we can go back to the phone and show the user that they've been getting spied on. They like that. There was also a serial text file, the number that was used to license this piece of software. This gave us our third piece of attribution, because now we've got this registration tied to a purchase database back at the company, which tells us whose credit card paid for this piece of software to be on this device. And then what was the name of this one? I remember the name of this one: spyperf.xml. This is more preferences. This gave us every single piece of activity that was going on on the phone. So the spyware is logging all the different things that it's done and giving us a time of when was the last time the user made a phone call, when was the last time he sent a text message, and we were able to track a lot of activity about the device and about the spyware activating on the device through this file. We sent this one, one of the features that it had, we could via text message or the website send off the request, I forget now, either one. So we would send a text message to his phone and that would tell his phone, take a picture of whatever you see now. There was a small lag in getting the text message onto his phone and then getting the spyware to activate, so the first one that we tried to do this with, it actually went off in his pocket, which is why the picture is just a black square. So we tried it again with him taking the phone out and leaving it up on a counter, and what we ended up with was a blurry mess that you can't tell what's going on, because it's not using the actual camera app 
to take the photo it's just doing a raw dump of whatever the camera can see which means it doesn't focus didn't make it terribly useful in any of the photos we tried to grab with this thing one last thing those particular photos we didn't find on the phone we didn't find those file names on the phone or those time date stamps anywhere which was interesting we pulled up some of the photos and grabbed some of the raw code and tried to do a heck search for it and still didn't find the pictures what we did find though was if we started looking through the android logs not related to the spyware itself but android itself kept it was throwing fatal exceptions so the spyware was causing errors in android and a lot of the errors were related back to the spyware executing or in this particular camera app so it appears what the spyware does to get the picture is causes an error in the camera app which gives us a log of every time we tried to take a picture so even though we couldn't find the actual pictures on the device we were able to go through the event logs that are tied to android and find events tied with every one of those pictures being taken you're doing the finger thing again I did the next thing come on there's another exception that was thrown that was related to which one was this related to live picture service so it's still related to the pictures, next one we've already moved on from that when we get into the app history this is another android file this isn't related to the spyware itself but this tells us all of the installed apps that android is tracking and this one here which actually shows the spyware being installed this also gives us a date time stamp this was installed this one actually works out to be a couple minutes after it was downloaded which works well on our timeline of what's going on we're also able to pull up a bunch of recent activity this is another android thing where it's tracking all the recent things that happened inside the phone 
and gives us date/time stamps and activities. And if you just search for the radio app, because that's what they actually named their app, it was radioadv, if you just search for that in all of those event logs, you get a date/time stamp and a list of activities of everything the spyware was doing on the phone that was infected. We also, since the phone was on and live when we did the image on here, we've got the list of running processes. It did nothing to try and hide itself from the list of running processes; since normal users can't see that anyway, they didn't care. I thought it was a great coincidence, though, that it happened to be process ID 666.

And that moves us off. They use it... they sell their software through Plimus as well. We found a history of that software the same way we did before: it's in the URL history, it showed up, and they were very creative in what they called their application, MobiStealth v2. So we actually dug through the list of apps, and this is what we thought interesting: they actually called the application, from the user's point of view, Look Out Secure. I wonder if Lookout's aware that they're using that name. Now, this is a picture of what you see on the website, and the website allows you to send particular commands directly to the phone. It also allows you to configure the phone remotely. So here where we have particular arrows pointed, we add a keyword and we add a phone number, and as spyware says, if I receive a text message with that word from that phone number, I'll do whatever you say: I will report the location information. Great. So I added my phone number, I added the word "location", and then I went and looked at the phone, and wouldn't you know, I found a database with the word "location" and with my phone number, a SQLite database. I now know who's doing the spying on me on the phone. I also went down and I found another debug log. These guys love debug logs. I've never seen someone do this so much, but we found a debug log down here and we were able to identify a lot of the services and the GPS information and the coordinates, and they carried out something like 12 to 15 digits. If you go directly to the website you'll see the exact same numbers, and the GPS coordinates report correctly, but all of that information shows that you have a time history of when this particular software was running.

Now, this particular piece of spyware also grabbed all the photos off the phone, and when it grabbed the photos off the phone it used a timestamp in the name, and we found that in the log file pictures.ser. We found three pictures that were taken directly from the phone; they were uploaded directly to the website. I've highlighted one here, and all of a sudden it goes up, and you'll notice that the names are the same. So we took the picture from the phone, and we took the picture directly from the website and downloaded it, and we hashed them: they were identical. So we can trace the activity directly to that particular user account. Now, this is the part that kills me, though: this, don't tell anyone, super secret stealthy software uses FTP to send all its data. All of it. The website name, the credentials, all of that is listed in an XML file directly on the phone, all fully readable. Outstanding. I think that's great. So if we were worried about attribution before, when it got installed, when it was running, I think we've taken care of that with this product.

Mobile Spy. Mobile Spy is based out of Jacksonville, Florida, but they, just like all the others, they're using somebody else to do all their credit card transactions. These came through a Dutch company; it was one of the few that went outside the US to do their credit card purchases, but it's a legit company. It's the same one you go to Tuxera to buy your NTFS drivers and such with. They showed up in the downloads history. The one thing they did different: the website that you're downloading the APK from, so that it almost doesn't attribute back to them, except for the fact that it does say MS for Mobile Spy right in the URL. This one did have a couple of problems with how it executed. We were... you're supposed to be getting emails sent to the person that's monitoring you, and sometimes we would receive an email that told us a certain action had occurred, and we would log into the website to see the full log of activity, so sometimes the logs weren't being updated correctly. The other problem we have with this particular piece of spyware is the battery life on the phone got cut into a little less than half as soon as we installed it. We had to keep this phone plugged in for the rest of the day every time we played with it after that. Oh, this is good. Oh yeah, I almost forgot about this one. This one actually pissed both of us off. The spyware, after a few days... with 60 days, it was 60 days, it threw us out an email telling us that we needed to go log back into their website and change our username and password, and we were, like, so happy that they were actually employing decent security policy. So we logged in, we changed our username and password, and then we stopped receiving alerts from the phone, because you also have to go to the phone and change the username and password there; otherwise it doesn't know how to log into the service and upload its data. So I'm still baffled as to how they think that's supposed to work, especially on an enterprise level.

This one, we had the same kind of thing, where any application you install is going to have its own user data section full of files. This one, just like all the others, had a whole host of log files and settings files we were able to go through. For this particular piece of software they called the application Retina, so once we figured that out, googling... or not googling, searching for that name throughout the device brought us back a whole bunch of extra files. We had a packages.xml file; this is part of Android, not part of the spyware, and in there we were able to see all of the installed packages on the device. So we were able to find it even though it was attempting to hide from the user. We found a bunch of information about it being installed. There was a shared preferences section which gave us all of the different preferences for the spyware, which, when we started digging through what all those different preference settings were, gave us the website information, the username information associated with the person who's doing the spying on us. Great. I always wanted the email address of the person who's spying on me. If you're going to have a stalker, that's the best way to have one. Literally, there's the email address. We also got a timestamp in here every time it was updating back to us, so we know how long it's been doing it. And this friendly number, this one was the other one that pushed me over the edge: this is the phone number of the person that's spying on me. So now I have his email address and his phone number, and we've got all the other information about the serial and licensing from before that we can go subpoena and prove he paid for it. It's only fair.

So that brings us... that was four, right? That brings us up to four. We got them. Do you have a question on four, or do you want to do five first? Short on time. Okay, well, we're going to talk about the iPhone in just a minute, so I'm going to ask you to hold off on that; we'll get that in Q&A in just a second. We're going to hit our last one, which is Spyera, which is based out of Hong Kong, although they're selling their software through a California-based firm. I had him include this one because we were beating up on Android so much, I wanted to be fair and beat up on Apple as well. As soon as we popped it up on our forensic tools, they all came back and said, hey, this phone's been jailbroken. Okay, that's going to be a problem. We noticed a couple of funny listed applications on the phone. Hmm, Cydia shows up, as well as ownspy.daemon. Okay, that's fine. So we took a look at the phone and we grabbed a copy of the screen interface to show you that we didn't have any applications there. So we didn't find any apps there. All right, so hey, maybe there's no software there. So we pulled up the IconState plist to identify all the applications. We're good. But then we compared it directly to the DesiredIconState, and we noticed that there were two applications at the bottom that are being hidden. When we compared the two files, we identified the fact that, one, it has been jailbroken, and the second one, we have spyware running on our phone. Now, when we go in and we pick up this particular file here, you'll notice that we have a very unique key. This is the one that takes us back to the spyware software company and also takes us back to the company that sold it to us. So if the Hong Kong company doesn't want to play ball, and we notice that they routed their traffic to a whole bunch of different websites before sending it back home, we can always go back to Plimus and just say, hey, you're the ones who sold it. Just like the way a gun dealer would sell a particular gun: you don't go back to the manufacturer; they can track that information. We also have a whole bunch of preference information that shows up to let us know what's running on this particular spy phone. So yeah, it had to be jailbroken, and yes, this information runs in the background.

Good news: this guy decided to create logging as well, called ownspy.log, and in there we have a whole bunch of information. The very first time that the spyware has been run, I know when it's been installed, and as soon as it's installed it goes out and checks: are you registered, are you registered, are you registered, Bueller, Bueller... and then boom, it's registered, and now all of a sudden we start to see activity. There's even a thank-you note in there in the logs: thank you for registering. The user never sees it. I didn't see it when I installed it, but I was thanked. You know, you're welcome. Coming along, we also found that unique information. We also dig the fact that this particular piece of spyware gave an ID of the device itself that uniquely identified that particular phone. We also have a listing of the daemon that runs it. We have check information. We can also see that it goes through and it checks the SMS log and says, I found something, I'm going to go upload it, I'm going to give you the date and time, I'm also going to tell you how fast your phone's moving. And then we found a whole bunch of cached images. Do any of those logos look familiar to you? Huh, interesting. I cleared out two, but these cached files still show up. I also have the date and time when this was installed on the phone. Now, the "your company", for all you app developers out there, yeah, that's the official "your company"; he never changed the default. And then I have a whole bunch of files that show up, tons of them, that come up on this particular list. I also have other information that identifies the particular application in Library, and a big long list. And XRY and the UFED were able to identify both of those.

So that, with 90 seconds to go, brings us to the bottom line, because there is a bottom line; there's always a bottom line. How can you tell if you've been pwned? Pretty easy. Check the SD card. Check the history; see what's been downloaded and still on the phone. Then go check to see what other databases are running there, because chances are there's going to be configuration information sitting there in the clear. Lastly, you're going to find all sorts of logging. Great, go read the logs; you can go pick them up. You can also check to see if there are new services running on the phone, so while an application might be withheld from the screen interface, you're still going to see certain processes. And then you can go look for signs of rooting and jailbreaking.

One last note: this particular presentation has been updated since the DVD. There's a little more information. We gave you an email address at the bottom of the screen, the "give me the presentation" at gmail.com email address; we'll send you back. It's a big file, like 18 to 20 megs in size, because it has pretty pictures. We'll be happy to share that with you. That takes us to 50 minutes. We're going to the Q&A room; we'd love to see you there. Probably all fit unless we drive a clown car, but we could try it anyway. Enjoy the rest of the com
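Added example, not part of the talk or of any vendor's code: a small Python triage script for three of the checks the speakers describe, parsing Android's packages.xml for the full installed-package list with install times, diffing iOS SpringBoard's IconState plist against DesiredIconState to surface bundles hidden from the home screen, and searching an image for the spyware's own name. The packages.xml, plist contents, file paths, package names and bundle IDs below are constructed for illustration (the `radioadv` name is borrowed from the talk; `com.example.ownspy` and the phone number are made up). It assumes the Android 4.x packages.xml layout, where `it`/`ut` are hexadecimal milliseconds since the epoch, and the iOS 4/5 plist layout, where folders are dicts with their own `iconLists`.

```python
"""Triage helpers for the artifacts the talk keeps coming back to:
Android's /data/system/packages.xml (every installed package, hidden
from the launcher or not), iOS SpringBoard's IconState.plist versus
DesiredIconState.plist (a bundle in the desired layout that never
reaches the rendered one is being hidden), and a plain search of the
image for the spyware's own name.

All sample data here is constructed for this example; nothing below is
recovered from the talk's phones."""

import plistlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed Android 4.x style packages.xml. "it"/"ut" (install/update
# time) are hexadecimal milliseconds since the Unix epoch in that file.
PACKAGES_XML = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
  <package name="com.android.contacts" codePath="/system/app/Contacts.apk"
           flags="1" it="1340a0b0c00" ut="1340a0b0c00" version="15" />
  <package name="com.example.radioadv" codePath="/data/app/com.example.radioadv-1.apk"
           flags="0" it="1365f3a0f00" ut="1365f3a0f00" version="2">
    <perms>
      <item name="android.permission.READ_SMS" />
      <item name="android.permission.ACCESS_FINE_LOCATION" />
      <item name="android.permission.RECEIVE_BOOT_COMPLETED" />
    </perms>
  </package>
</packages>
"""

# Constructed iOS plists. Folders appear as dicts with their own iconLists.
ICON_STATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>buttonBar</key><array><string>com.apple.mobilephone</string></array>
  <key>iconLists</key><array>
    <array>
      <string>com.apple.mobilesafari</string>
      <dict><key>displayName</key><string>Utilities</string>
            <key>iconLists</key><array><array><string>com.apple.calculator</string></array></array></dict>
    </array>
  </array>
</dict></plist>
"""
DESIRED_ICON_STATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>buttonBar</key><array><string>com.apple.mobilephone</string></array>
  <key>iconLists</key><array>
    <array>
      <string>com.apple.mobilesafari</string>
      <dict><key>displayName</key><string>Utilities</string>
            <key>iconLists</key><array><array><string>com.apple.calculator</string></array></array></dict>
    </array>
    <array>
      <string>com.saurik.Cydia</string>
      <string>com.example.ownspy</string>
    </array>
  </array>
</dict></plist>
"""

# Constructed slice of a file-system image: path -> contents.
IMAGE_FILES = {
    "/data/system/packages.xml": PACKAGES_XML,
    "/data/data/com.example.radioadv/files/buddy.txt": b"+15555550100\n",
    "/data/data/com.example.radioadv/shared_prefs/prefs.xml":
        b'<map><string name="ftp_host">ftp.example.net</string>'
        b'<string name="ftp_user">spyuser</string></map>',
    "/data/data/com.android.contacts/databases/contacts2.db": b"SQLite format 3\x00",
}


def installed_packages(packages_xml):
    """Map package name -> install details; anything outside /system is third party."""
    result = {}
    for pkg in ET.fromstring(packages_xml).iter("package"):
        it = int(pkg.get("it", "0"), 16)
        result[pkg.get("name")] = {
            "codePath": pkg.get("codePath"),
            "installed_ms": it,
            "installed": datetime.fromtimestamp(it / 1000, tz=timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S UTC"),
            "third_party": not pkg.get("codePath", "").startswith("/system/"),
            "perms": [p.get("name") for p in pkg.iter("item")],
        }
    return result


def _flatten(icon_lists, out):
    for page in icon_lists:
        for entry in page:
            if isinstance(entry, dict):          # a folder: recurse into it
                _flatten(entry.get("iconLists", []), out)
            else:
                out.add(entry)


def home_screen_bundles(plist_bytes):
    """Every bundle ID SpringBoard places on the dock or any page/folder."""
    state = plistlib.loads(plist_bytes)
    out = set(state.get("buttonBar", []))
    _flatten(state.get("iconLists", []), out)
    return out


def hidden_bundles(icon_state, desired_icon_state):
    """Bundles present in DesiredIconState that never reach the rendered IconState."""
    return sorted(home_screen_bundles(desired_icon_state) - home_screen_bundles(icon_state))


def find_references(files, needle):
    """Paths whose name or contents mention needle (case-insensitive), e.g. the app name."""
    n = needle.lower().encode()
    return sorted(path for path, data in files.items()
                  if n in path.lower().encode() or n in data.lower())


if __name__ == "__main__":
    for name, info in installed_packages(PACKAGES_XML).items():
        if info["third_party"]:
            print(f"{name}: installed {info['installed']}, perms {info['perms']}")
    print("hidden on iOS home screen:", hidden_bundles(ICON_STATE, DESIRED_ICON_STATE))
    print("files mentioning radioadv:", find_references(IMAGE_FILES, "radioadv"))
```

On a real image you would read packages.xml from `/data/system/`, the two plists from the SpringBoard preferences directory, and walk the mounted file system to build the path-to-bytes mapping; the install timestamp from packages.xml is the one to line up against the browser download history when building the timeline the speakers describe.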