My Interest in Offensive Security
Back in my high school years (1998), when my curiosity for offensive security was at its peak, I was fortunate to be in an interesting class. While others around us were debating whether Fenerbahçe or Galatasaray was the better football team, my classmates were passionately arguing whether Windows NT 4.0 or Linux was more secure. On some days, my friend who defended Windows NT would try to keep his system intact against attacks from the Linux users, and the next day there would be playful debate in class about it.
In 1998, one of my classmates, Doğaç ŞENOL, who was very familiar with Slackware Linux, suggested that I try it out. Upon accepting his offer, I took my first steps into the world of Linux.
During those years when IRC (Internet Relay Chat) servers were quite popular, I really enjoyed connecting to IRC servers from Linux using the BitchX IRC client on a black-and-white console screen. One day, while trying to join the #Linux channel on the EFnet IRC network using the BitchX IRC client with root privileges, I was automatically kicked out of the channel because my ident was listed as “root.” When I asked why, I was told that connecting to chat servers with administrator privileges was risky for my security, as a vulnerability in the IRC client running with root privileges could be exploited remotely, potentially giving a malicious person root access to my system. Although I didn’t fully understand this at the time, over the years, I came to appreciate the significance of this advice.
The Evolution of Security in Modern Devices
Fast forward to today: smart devices running iOS or Android are designed around a layered security model in which the end user operates with restricted permissions. On Android, for instance, unless you have root privileges you cannot easily read another application's data, and an app can only do what the permissions granted to it allow. iOS imposes comparable restrictions. These restrictions limit what you can do, but they also limit the damage that malicious software which somehow ends up on your device can do, because it is confined to the same sandbox as any other app.
However, many users perceive these system restrictions as limits on their freedom and prioritize convenience over security. They root their Android devices or jailbreak their iOS devices, which removes exactly the barriers spyware would otherwise have to work around and greatly facilitates its job.
How This Facilitates Spyware
To understand how this makes spyware easier to implement, you need only visit the website of any commercial spyware product. On the mSpy website, for example, you can see how easily data from various apps can be collected from a jailbroken iOS device. Likewise, the website of another spyware product, Flexispy, shows that with root privileges on the device it can access all instant messaging data and enable features such as eavesdropping on the surroundings through the microphone.
Detecting Spyware on Your Device
In an interview with Füsun NEBİL, the founder of turk.internet.com, conducted in March, I mentioned that the common belief that a device must have spyware installed if it gets too hot or its battery drains quickly is no longer accurate, thanks to the powerful hardware in today's devices. In fact, mSpy's developers offer tracking of an iPhone without jailbreaking it, using only the target user's iCloud password: they download the iCloud backups at regular intervals and analyze them, so nothing has to run on the phone at all.
mSpy
Of course, after reading this article, some of you may wonder, “How can I detect spyware if it has been installed on my device?” Since I had a similar question in mind, I decided to ask it during the Pi Hediyem Var #8 game.
For example, consider an Android device with mSpy v4.18.3 installed. Even though the mSpy app hides its launcher icon, it can easily be spotted in the file system under android.sys.process (a name chosen to blend in with system components) or in the Device administrators section of the settings under the name Update Service.
mSpy Detection
In such cases it is useful to route the device's HTTP(S) traffic through an intercepting proxy such as Charles Proxy and watch what leaves the device; install the proxy's root certificate on the device so that TLS traffic can be decrypted and the request bodies inspected. When you examine the traffic of a device with mSpy v4.18.3 installed, for instance, you will see the spyware sending the collected data to https://a.thd.cc.
Of course, if the data collected from the system and sent to the command-and-control server is obfuscated (encoded), you can use static analysis (dex2jar, JD-GUI, IDA Pro and/or Radare2) or dynamic analysis to work out how the encoding is built and reverse it. For dynamic analysis, IDA Pro, which can debug Dalvik code, is a good choice.
Dynamic Code Analysis
To do this, you first need the APK installation package of the spyware app (e.g. bt.apk). Open the classes.dex file from that package in IDA Pro. Then install the app on an Android emulator (adb install bt.apk), attach IDA Pro to the running process, and trigger the code path that sends the hidden data parameter to the server; completing the registration process is enough to do that.
After entering "1" on the registration screen and pressing the button, you will see the app send a request to https://a.thd.cc/apiv4/register/registerjson containing the hidden data parameter. Setting breakpoints on the locations that reference registerjson in IDA Pro quickly leads to the code block in which the data collected from the system, such as the email address and IMEI, is gathered, compressed with GZIP and then base64-encoded.
Decoding Data with Python
Once you know how the value of the data parameter is built, you can write a simple script such as mspy_decoder in Python that reverses the two steps (base64-decode, then GZIP-decompress) to recover everything sent to the command-and-control server.
mSpy
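As an added example (not the author's mspy_decoder and not the spyware's own code), the following Python decoder reverses the two steps described above. The JSON field names, the sample values and the request body are constructed for the example; the script also tolerates URL-safe base64 and missing padding, which the article does not discuss but which show up in form-encoded bodies in practice. A real value would be pasted in from the proxy's request view.

```python
import base64
import binascii
import gzip
import json
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed sample of the kind of device data the article says the app
# collects (email, IMEI and so on). The field names are assumptions made for
# this example, not the spyware's actual schema.
SAMPLE_DEVICE_DATA = {
    "email": "victim@example.com",
    "imei": "490154203237518",
    "model": "sdk_gphone64_x86_64",
}

GZIP_MAGIC = b"\x1f\x8b"


def encode_payload(data: dict) -> str:
    """Mirror the transformation the article describes (JSON -> GZIP -> base64).

    Used here only so that a sample can be built and decoded offline.
    """
    raw = json.dumps(data, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def _b64decode_lenient(text: str) -> bytes:
    """Accept the standard or URL-safe alphabet and missing '=' padding.

    A '+' that went through URL decoding without being percent-encoded
    comes back as a space, so spaces are restored to '+' first.
    """
    text = text.strip().replace(" ", "+")
    text = text.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"value is not base64: {exc}") from exc


def decode_payload(encoded: str) -> dict:
    """Reverse encode_payload: base64 -> GZIP -> JSON object."""
    blob = _b64decode_lenient(encoded)
    if not blob.startswith(GZIP_MAGIC):
        raise ValueError("decoded bytes do not start with the GZIP magic 1f 8b")
    try:
        raw = gzip.decompress(blob)
    except (OSError, EOFError, zlib.error) as exc:
        raise ValueError(f"GZIP decompression failed: {exc}") from exc
    return json.loads(raw.decode("utf-8"))


def decode_captured_request(body: str, field: str = "data") -> dict:
    """Decode the hidden parameter from the raw form-encoded body of a POST
    captured in an intercepting proxy such as Charles."""
    params = parse_qs(body, keep_blank_values=True)
    if field not in params:
        raise KeyError(f"parameter {field!r} is not present in the request body")
    return decode_payload(params[field][0])


def build_sample_request_body() -> str:
    """Build a constructed request body shaped like the registerjson POST."""
    return urlencode({"data": encode_payload(SAMPLE_DEVICE_DATA), "version": "4.18.3"})


if __name__ == "__main__":
    body = build_sample_request_body()
    print(json.dumps(decode_captured_request(body), indent=2))
```

The GZIP magic check is there so that a value which is merely base64 (or a different encoding of the same parameter in a later version) fails loudly instead of producing garbage; if it trips on a real capture, the encoding has changed and the breakpoint exercise has to be repeated.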
In conclusion, keeping your mobile devices free of jailbreaks and root makes it harder for malicious actors to exploit them. Android users would do well to check the applications listed under Device administrators regularly, and iOS users should consider changing their iCloud password as a precaution, since that password alone is enough for backup-based tracking; enabling two-factor authentication on the Apple ID, where available, raises the bar further.
I wish everyone safe days, and I look forward to seeing you in the next article.