THE [EVIL] GHOST

A Reversal and Forensic Analysis of a Malicious APK

________________________________________________________________________________




UPDATE: [11/10/2019]; I have seen that both the iOS and Play Store apps have been removed and banned. It's about time! This is a very good outcome, since it appeared that any copies of the original still contained the hard-coded pwn | backdoor | c2c. I have updated some things and added others during this refresh as well.


UPDATE: [11/9/2019]; [13:47]: POSTING: The analysis is now in completed status. The offending file that proved the RHost autoroot via superuser.apk has been found and uploaded to the scrapes located at the bottom of the page. My sincere apologies to whoever has installed the app: your device has been severely compromised and has been PwN3d.


Successful analysis and recovery by:
|  xX 0bN0xSuZ Xx   | φ


****************************

BACKSTORY

I wasn't quite sure how I was going to complete this write-up at first. I had so much data to go through, code to walk, and their complex maze of relations and associations to try to put back together. It certainly took some ninja skillz to put that together, unless Smali performed some re-writes on decompile, which is possible. It took me a while to weigh the options. I have successfully reverse-engineered dozens of malz over the past few years, all of them live and in the wild. This one was a bit different though. I didn't have much of a story to tell. No glorious sandbox report to peruse, other than to share some screenshots, rely on the code I see in front of me and hope that any readers have a good imagination. But you don't want to listen to me rant, so I'll continue. I figured this was the best place for this, a quick virtual host with a mildly functional IDE. Enough for me to code without tag errors or escaping special chars, where I could brush up on my HTML5/CSS3, put in some images and text samples from my dumps, and hopefully you will not fall asleep. Well, that's my goal anyway. Enough, let's go diving...




It was only a few days ago that I caught a fellow Redditor's post. He was concerned about a suspicious APK that he had come across on a well known site, [ Play Store ]. He was wondering how to go about submitting a report and what steps to take to notify both the Android and iOS platforms regarding this mischievous app. The app was available for iOS on the [ App Store ] as well. The offending app: Ghosty. Self-described as an app that allows you to view hidden profiles on Instagram, it sounds kind of cool at first, plus it's FREE? So what's the big deal? This is where the years of being a Security Researcher provide the right perspective. I knew I would find some mischievous processes, even without a debugger. The first thing in CIRT or threat response is to get a sample of the code. Since I didn't have access to download the raw APKs from either store, I had to go elsewhere. I immediately hit two reputable and autonomous sites that are well known APK redistributors and downloaded a copy of the Ghosty1.4.4.apk file from each. After working with malcode for so long, you get more sensitized to it and the flags get tripped much more easily. Call it paranoia if you wish. The fact remains that this app tripped a whole lot of flags. Given the methods of exploitation and persistence along with the global attack surface, I needed to tear apart this pseudo-tool and get a look inside. It was time to start breaking some stuff, so I got to work, and I did some serious breaking. Both apps came tumbling down instantly and without error, decompiling faster than my term could return '0'. So, what did I find in there...?



(As seen on App Store and iOS, at the time of writing).


I am going to begin with the quoted text from the Play Store download page. This should provide us with a reasonable expectation of its performance. But then again, it's not necessarily a guarantee of merchantability or warranty of service. It also does not cover the functionality behind the scenes. This is the actual description written on the Play Store:

" You can view all the profiles you want to view including hidden profiles on instagram. You can download or share photos or videos from your Instagram profiles to your gallery.

Key Features
- View hidden Instagram profiles
- Who follows the profile
- Who is followed by profile
- Photo or video downloads
- Profile enlarge photo
- Save whole profile
- More…

In addition, you will soon be able to access many new features related to your instagram account.

Ghosty does not give you 100% guarantee to view profiles. "


It turns out the DEV isn't as transparent about his app's functionality. The minimal-effort disclosure at the bottom of the quoted text is little solace compared to the load of various surprises I was to discover. Before I get into some of it, it's important to disclose that the two samples I collected were from trusted third-party sites. What is disturbing is that both APKs are different. I have not had the time to run  $ diff  for a char-by-char comparison or  $ bindiff  for a byte-by-byte compare of the two directories. This doesn't matter all too much, as they are very similar for the most part. Enough so that I can identify what is part of the actual original app code. I haven't used it; I do not have an appropriate emulator set up. However, I don't care much about the user functionality, I'm more concerned with its background routines. In the client UI, while things seem normal, it's the processes that run quietly in the background that I am after. I'm calling this a massive Social Engineering scheme, involving many players. Here is where we begin our analysis and reversal. After a thorough investigation and analysis of the decompiled source, and comparing against other resources, I can now give a more detailed explanation of what it actually does.


I am not sure where to start, so I will just pick a spot and begin. Listed below are some of the more interesting and nefarious features and the associated code reference(s) from the decompiled  .smali  files. I would like to give credit and special thanks to [ JesusFreke ] for the development and maintenance of the official Smali/Baksmali repo on Github. Here are some interesting behaviors.


When you login/sign-up using Facebook, it opens the Instagram Sign Up page, essentially creating an Instagram account with your FB credentials. The user never sees this; they are still required to create or enter their Instagram user:pass.


 /LoginWithFacebook.smali: const-string v1, "https://www.instagram.com/accounts/signup/" 


The app appears to autoroot devices using the APK referenced in the code tag below, possibly to extend the exploitation capabilities. Underneath that block are some more extracted lines that support the notion that an autoroot has in fact been performed.


 /smali/Qma.smali: const-string v2, "/system/app/Superuser.apk" 


 CrashlyticsController$LogFileDirectoryProvider.smali:.field public final rootFileStore:Ldoa; 
 CrashlyticsController$LogFileDirectoryProvider;->rootFileStore:Ldoa; 
 CrashlyticsController$22$1.smali: const-string p1, "is_rooted" 


Several .jpg and .png images and a .ttf (TrueType font file) were identified as binaries. See below:


 Binary file res/drawable/ic_ifollowerapp.png matches 
 Binary file res/drawable/russia.png matches 
 Binary file res/drawable/bg_ghost.jpg matches 
 Binary file res/drawable/repost_story.jpg matches 
 Binary file assets/fonts/Billabong.ttf matches 
 Binary file res/drawable/app_icon.png matches 
 Binary file res/drawable/ic_reports.png matches 


The app uses the Java utility  Logger  to log numerous things from the device. This is a major security issue, as Logger stores everything in a publicly accessible folder on the filesystem, in clear text. Very insecure.


 # static fields .field public static final a:Ljava/util/logging/Logger; 


Also, finding the word  PAYLOAD  is never good, and just sloppy cleanup, in my opinion...


 /smali/Lda.smali: const-string v0, "Event{type: %s, payload: %s}" 


Here, it creates an:  IFRAME  ;
  giving it height of:  -1  ;
  and attributes set to:  frame.style.display = \'none\'  ;

Definitely something you don't want to see in a web page, or an app for that matter.


 const-string v0, "(function() { var height = -1; if (document.body) { height = document.body.offsetHeight; } else if (document.documentElement) { height = document.documentElement.offsetHeight; } var url = \'gmsg://mobileads.google.com/contentHeight?\'; url += \'height=\' + height; try { window.googleAdsJsInterface.notify(url); } catch (e) { var frame = document.getElementById(\'afma-notify-fluid\'); if (!frame) { frame = document.createElement(\'IFRAME\'); frame.id = \'afma-notify-fluid\'; frame.style.display = \'none\' var body = document.body || document.documentElement; body.appendChild(frame) } frame.src = url; }})();" 


There are also a few definitions written into the AndroidManifest.xml file that are security risks and not appropriate at all.  android:exported="true"  means this service has the right to clone your device image at any time. A couple of these permissions are generally required for any functionality, as most apps have various data sources online. Some of the other dangerous definitions have been circumvented, and thus will not be caught by any general APK analyzer app for Android. They are using g00gle's messaging service, a module called C2DM, as seen below. It also has imported the SMS module for Java. Examples of these being used are listed below. However, the most dangerous of these permissions is the  WRITE_EXTERNAL_STORAGE  capability.


 <uses-permission android:name="android.permission.INTERNET"/> 
 <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/> 
 <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/> 
 <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> 
 <uses-permission android:name="com.android.vending.BILLING"/> 
 <uses-permission android:name="android.permission.WAKE_LOCK"/> 
 <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/> 

 android:exported="true" 

 android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver" 

 android:permission="com.google.android.c2dm.permission.SEND" 
 android:name="com.google.android.c2dm.intent.RECEIVE" 

 android:name="com.google.firebase.iid.FirebaseInstanceIdService" 


 android:usesCleartextTraffic="true" 


 yia.smali: const-string v1, "smsto:" 
 yia.smali: const-string v1, "sms_body" 
 SettingsFragment.smali: const-string v2, "smsto:" 
 SettingsFragment.smali: const-string v2, "sms_body" 
 JV.smali: const-string v1, "sms:" 
 Sz.smali: const-string v1, "sms" 


The DEV has also written in the functionality of the apps below. They are likely used to complete this whole SE campaign, aka Social Engineering. The attribute above, stating  android:exported="true" , means that whatever service has this definition may copy your image at any time and export it. Sounds pretty private, right? The other thing I noticed, which is a bit unsettling after analysing data from the source and the blocks of code and the function that each is performing, is the incredible amount of g00gle products. There is much of the expected bloatware. But there are also some trusted and widely used products, including dev and productivity tools, and various modules loaded to import extra functionality. Here's a shortlist just to help make my point:




Take a look at this story from TechCrunch, [ HERE ]. It explains this type of exploitation and attack as growth hacking and probably does a better job of explaining this than I do. It is a good read though; if you have a minute, it's worth it. Since I haven't used the app myself, I can't speak to the workflow, the bugginess nor its behaviors. I just know that the functionality is there, to some extent, and apparent in the source code. When various things are invoked, it may be spoofing the Instagram activity, and the followers from posts, etc. It seems to borrow some functionality and utilize various tools from the apps below. Again, I haven't used it, but it is quite ominous that certain processes are getting invoked that belong to these other apps. The five that have explicit and relative reference throughout the source are:


| Fake Story | aka: fakeig in Play Store
| Social Prank | -alt source
| Money Master | -link broken
| iFollower | -alt app
| Repost Story | in Play Store


Fake Story

Social Prank


I would also highly recommend reading the pages of comments by users on the Play Store. Are people that dumb? Do they not read what others are posting? Every comment is the same and they are all thinking it's a bug and asking the DEV for a patch. He very rarely responds, and it's always an ambiguous, arbitrary statement. He isn't fixing anything, people, wake up; maybe read the 200+ comments before yours to see that everyone is having the E X A C T same problems. It's not a bug or corrupt code, it's designed to behave this way!! I always read the comments thoroughly before installing anything. I also think about what it's doing in silence; this is a good example of what could happen by installing sketchy apps.


Moving on. Their complaints have thus far been a close match to the traces of code and strings analyzed. It is stealing all the data on your device, monitoring user activity, and scraping other sensitive information like browsing histories, keys, logs, installed apps and app data, along with other analytical data. It's carried out in many ways, using many exploitation techniques. Java, Firebase, Oracle, JSoup, JSON, JavaScript, Fabric, AdMob, etc. and Crashlytics do most of the work. However, there are several others that are utilized in the creation|initialization|invocation of various attacks, like buffer overflows, null pointer dereference, out of bounds, scrapers and heap-spraying (the stack), and many more. They crash the app, or similar, and grab the dump; the amount of loot held in the stack is enormous.


SQLite gets installed and a database is created. Although many apps utilize SQLite to hold and query general app data, this instance may be keeping a bit more, and uploading the data to a RHost somewhere. Some others involved in the collecting and logging of information are two Java modules: Logger and Collector. These, along with other very functional libraries and modules, many by g00gle and various other sources, are imported or downloaded. They can get logged files, both native and app-internal, and other data sources, and prepare them for output streaming. This is carried out by, for instance, Fabric.io or Java.io, or by creating background internet connections. These transfers can use many legacy functions in Oracle: HttpRequest, HttpHeaders, HttpResponse, HttpEntity and others. Then, in conjunction with newer modules like QueueFileLogStore, LogFileManager, HttpRequestFactory, HttpClient and CrashlyticsController, the job gets completed. I've put together some documents containing compilations of scrapes in order to give you a first-hand look at what the code looks like and some real examples of what it is doing behind the scenes.


Along with everything mentioned earlier, it also monitors user activity both on and offline. It takes all the stored meta-data, scrapes JSON files, gets environmental locale information, browser history, cookies, emails, usernames, passwords, device info, private keys, installed apps, app data and hardware stats, plus installs many background apps and services to carry out these tasks and maintain persistence. Then, once the device is rooted, it queries the env again, this time for the whole directory tree; the root directory, or ' / ', becomes accessible. I have compiled and filtered various interesting scrapes from the source code. The links to these pages of snippets, etc., are output from various  $ grep -r "" *  runs I did to query the ~5,000 or so files in each sample. You can be assured they are safe for viewing: nothing is executable, they are all in standard markdown format and safer than a simple text file. Much of the code is in Smali language, or gives reference to a location and the matching line of code. Over time it becomes easier to read. There is NO instructional or supporting documentation online. It's just something you need to pick up on.
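As an added example (not code from this write-up or from the app), here is a small Python triage script that automates the kind of grep pass described above: it flags the smali const-strings quoted on this page (Superuser.apk, is_rooted, the sms/smsto URIs, the hidden IFRAME) across a decompiled tree, and audits an AndroidManifest.xml for the risky permissions, exported components and the cleartext-traffic flag discussed earlier. The sample smali lines and the manifest are constructed inline to mimic the quoted scrapes; the category names and RISKY_PERMISSIONS set are my own choices.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator substrings taken from the smali const-strings quoted in this write-up.
SMALI_INDICATORS = {
    "autoroot": ["/system/app/Superuser.apk", '"is_rooted"'],
    "sms": ['"smsto:"', '"sms_body"', '"sms:"'],
    "hidden_iframe": ["createElement(\\'IFRAME\\')", "style.display = \\'none\\'"],
}
# Manifest permissions the write-up singles out as risky (my selection).
RISKY_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "com.google.android.c2dm.permission.RECEIVE",
}

def scan_smali(files):
    """files: iterable of (path, text). Returns {category: [(path, lineno, line)]}."""
    hits = {}
    for path, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            for cat, needles in SMALI_INDICATORS.items():
                if any(n in line for n in needles):
                    hits.setdefault(cat, []).append((path, lineno, line.strip()))
    return hits

def audit_manifest(xml_text):
    """Report risky permissions, exported components and the cleartext flag."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    exported = [e.get(ANDROID_NS + "name")
                for tag in ("service", "receiver", "activity", "provider")
                for e in root.iter(tag) if e.get(ANDROID_NS + "exported") == "true"]
    app = root.find("application")
    cleartext = app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"
    return {"risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "exported_components": exported, "cleartext_traffic": cleartext}

# Constructed sample input (not files from the real APK), mimicking the quoted lines.
SAMPLE_SMALI = [
    ("smali/Qma.smali", '    const-string v2, "/system/app/Superuser.apk"\n'),
    ("smali/yia.smali", '    const-string v1, "smsto:"\n    const-string v1, "sms_body"\n'),
    ("smali/Ok.smali", '    const-string v0, "hello"\n'),
]
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver" android:exported="true"/>
  </application>
</manifest>"""
```

Point `scan_smali` at the real decompiled tree by yielding (path, open(path).read()) for every .smali file, and feed the unpacked AndroidManifest.xml to `audit_manifest`.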






Deepdive & l00t recovery: xX 0bN0xSuZ Xx    // THE END


