<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Posts - maia arson crimew</title>
  <subtitle>Things I think about.</subtitle>
  <link href="https://deletescape.ch/feed.xml" rel="self"/>
  <link href="https://deletescape.ch/"/>
  <updated>2021-07-19T00:00:00+00:00</updated>
  <id>https://deletescape.ch/</id>
  <author>
    <name>maia arson crimew</name>
    <email>me@deletescape.ch</email>
  </author>
  
  <entry>
    <title>NSO Group is White Hat, Really</title>
    
      <link href="https://deletescape.ch/posts/nso-group-are-whitehat/"/>
    
    <updated>2021-07-19T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/nso-group-are-whitehat/</id>
    <content type="html">&lt;p&gt;Chances are you hate-clicked your way onto my blog, looking for a comments section where you can yell at me to let me know I’m wrong. But before you do that let’s first talk classification, shall we.&lt;/p&gt;
&lt;h2 id=&quot;what-is-your-classification-based-on%3F&quot;&gt;What is your classification based on?&lt;/h2&gt;
&lt;p&gt;There are two coexisting ways in which most people seem to understand and explain the ‘hacking hat concept’, and they’re both pretty flawed. When you ask someone to explain white/black hats they will probably tell you that white hats are defensive, while black hats are offensive. This explanation falls apart fairly quickly once you ask them if so called “ethical” pentesters and red teamers are black hats and people hardening the security of ransomware gangs are white hats. This is because even the people explaining it as such actually classify hackers into groups based on their (the observer’s) personal value system: those who are or work for the “good people” (the “good” governments, local corporations, law enforcement, people on their side of the political spectrum) are white hats and those working for the “bad/evil people” (other governments, organized crime, local resistance groups, foreign state actors) are black hats. It’s easy to see how this way of classifying is highly subjective and leads to collisions.&lt;/p&gt;
&lt;h2 id=&quot;this-classification-cannot-be-absolute&quot;&gt;This classification cannot be absolute&lt;/h2&gt;
&lt;p&gt;One thing that should be clear by now is that any classification of hackers into black and white hats needs to be relative to the system a hacker is a part of. Which is how we very quickly come to how I classify hackers into hats:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;White hats are hackers who work within or in support of a system, they generally do so without consequences and usually legally, though not necessarily. Black hats are hackers who work outside or against the system, generally with eventual consequences and often illegally, though not necessarily.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;White hats and black hats are not universal good and evil, I mean how could they be when the concepts of good and evil are subjective and not the same across the world. Of course this classification is still based on the values within a given system and has to be viewed with that context in mind. It should now be clear to you why I consider NSO Group (and Corporate Intelligence in general) white hat and how that is the only proper way to view them in that classification.&lt;/p&gt;
&lt;h2 id=&quot;what-good-is-that-classification-though%3F&quot;&gt;What good is that classification though?&lt;/h2&gt;
&lt;p&gt;It’s absolutely useless and always has been. The classification into white and black hats serves no one other than the system and those in power; it’s their way of classifying hackers into good and evil from &lt;strong&gt;their&lt;/strong&gt; point of view. The more you understand about this classification the less use it brings. Letting hackers (and people in general) classify themselves into categories based on their values and goals is way more useful for discourse about “good” and “evil” hackers.&lt;/p&gt;
&lt;h2 id=&quot;you%E2%80%99re-still-wrong-and-i-still-want-to-yell-at-you!&quot;&gt;You’re still wrong and I still want to yell at you!&lt;/h2&gt;
&lt;p&gt;Feel free to do so on &lt;a href=&quot;https://twitter.com/cybertillie/status/1417157113403650059&quot;&gt;Twitter&lt;/a&gt; or &lt;a href=&quot;https://notbird.site/@deletescape/106608172922992124&quot;&gt;Mastodon&lt;/a&gt;.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Giggle App: Broken in every imaginable way</title>
    
      <link href="https://deletescape.ch/posts/giggle-nothing-to-laugh-about/"/>
    
    <updated>2020-02-07T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/giggle-nothing-to-laugh-about/</id>
    <content type="html">&lt;p&gt;If you’re active on Twitter, you’ve probably seen some Tweets on this new “giggle” app in the last few days. It is a simple app, which provides girls with some “girls only” spaces to talk about different topics with likeminded girls. That’s all fine and dandy, they’re even nice enough to explicitly declare the app a trans inclusive space on their website.&lt;br&gt;
Now you’re probably wondering how exactly they are enforcing this “girls only” thing, and the answer is obviously &lt;strong&gt;“AI”&lt;/strong&gt;, because honestly what else would it be. If this alone weren’t already bad enough, they also explicitly mention that what they are doing is analyzing bone structure, which is literally Phrenology and not really something you’d want in your app. As expected their app also has major problems even with afab girls, especially if they are POC, and trans persons should just contact their support according to the website. Not a great start, and most backlash on the app was based on this. It was also what first got me interested in the app, but it turned out to be technically flawed as well.&lt;/p&gt;
&lt;p&gt;It took me about 3 minutes to completely bypass the verification.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/giggle-im-in.jpg&quot; alt=&quot;*Hacker voice*: I&#39;m in&quot; height=&quot;2048&quot; width=&quot;945&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;*Hacker voice*: I&#39;m in&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;All it took was initiating the sign up process and tapping through until I’m asked to verify myself. I then used an “Activity Launcher” app to launch the main screen of the app (which is an exported activity, so this doesn’t even need root), and just like that I was signed up.&lt;/p&gt;
&lt;p&gt;This prompted me to take a closer look at just how screwed up this app was, because this already clearly violates just about every best practice ever. As I had already guessed from the package name (&lt;code&gt;com.appetiser.giggle&lt;/code&gt;), this app had not been developed by giggle themselves (“giggle ltd”, “wadd holdings ltd”, or whoever they are), it was contracted to &lt;a href=&quot;https://appetiser.com.au/&quot;&gt;Appetiser&lt;/a&gt;. Their website already screams “professionality” and talks about nothing but revenue, “growth” and their great “success”. This path didn’t really lead to much further insight, other than the fact that it’s even sadder that even mobile app contractors produce this kind of trash.&lt;/p&gt;
&lt;p&gt;The app further simplifies exploiting and analyzing it by already shipping with the popular &lt;a href=&quot;https://facebook.github.io/stetho/&quot;&gt;Stetho&lt;/a&gt; Android debugging tool. Usually one would have to modify the app in some way to get this into a production app for analysis, but they already did this for me.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/giggle-stetho.jpg&quot; alt=&quot;They&#39;re making this just too damn easy&quot; height=&quot;400&quot; width=&quot;1284&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;They&#39;re making this just too damn easy&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;So at this point it was already almost 3am and I just decided to go to bed; there is probably way more horrible stuff, but I honestly don’t feel like touching this app again anytime soon. If you do find something else, please share it with me on Twitter (&lt;a href=&quot;https://twitter.com/deletescape&quot;&gt;@deletescape&lt;/a&gt;) as I’d love to see it. If you’re from Giggle or Appetiser and would like some input on how to fix this mess of an app feel free to reach out, I usually don’t bite.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Great tweets on this app, that brought it to my attention:&lt;/strong&gt; &lt;a href=&quot;https://twitter.com/killed_the_vibe/status/1225575999204724736&quot;&gt;@killed_the_vibe&lt;/a&gt;, &lt;a href=&quot;https://twitter.com/degendering/status/1225551116101918720&quot;&gt;@degendering&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;My realtime exploration thread on it:&lt;/strong&gt; &lt;a href=&quot;https://twitter.com/deletescape/status/1225580837258833921&quot;&gt;@deletescape&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;
</content>
  </entry>
  
  <entry>
    <title>Debugging in prod: Maximizing user attack surface</title>
    
      <link href="https://deletescape.ch/posts/how-to-leak-all-user-data/"/>
    
    <updated>2019-12-29T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/how-to-leak-all-user-data/</id>
    <content type="html">&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is a super quick write-up and probably still full of typos and stylistic errors, which you’re free to point out in the comment section.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One thing that’s really cool about the Android developer ecosystem is the massive amount of tools and libraries to simplify and help during development. There is an entire subgenre of various remote debugging tools, with cool tools such as &lt;a href=&quot;https://github.com/facebook/stetho&quot;&gt;Stetho&lt;/a&gt; or &lt;a href=&quot;https://github.com/palaima/DebugDrawer&quot;&gt;Debug Drawer&lt;/a&gt;. One such tool is &lt;a href=&quot;https://github.com/amitshekhariitbhu/Android-Debug-Database&quot;&gt;Android-Debug-Database&lt;/a&gt; from Mindorks, a neat little utility that allows you to view and edit your app’s preferences and databases from a web browser during development.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/debugdb.png&quot; alt=&quot;Android Debug Database in action.&quot; height=&quot;1600&quot; width=&quot;2560&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Android Debug Database in action.&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;The key phrase here is, of course, &lt;strong&gt;in development&lt;/strong&gt;, which makes sense to everyone (and is also explained in the integration guide of the library), right? Well, no. During today’s &lt;a href=&quot;https://shodan.io/&quot;&gt;Shodan&lt;/a&gt; safari I randomly stumbled into a phone running this, openly available for anyone to play around with (thanks to Brazilian ISPs having all ports open by default). On closer inspection it turns out there are thousands of devices indexed on Shodan running debug db.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/debug-db-shodan.jpg&quot; alt=&quot;This is bad.&quot; height=&quot;946&quot; width=&quot;2090&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;This is bad.&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;I took a look at some of these to figure out some notable apps, here are two of them:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;a href=&quot;https://play.google.com/store/apps/details?id=com.cinemark&quot;&gt;Cinemark Brazil&lt;/a&gt; - 1M+ downloads&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;a href=&quot;https://play.google.com/store/apps/details?id=com.mix.wsprivate&quot;&gt;No Last Seen for WhatsApp&lt;/a&gt; - 50K+ downloads (yes, this allows reading all contacts and messages in the db)&lt;/p&gt;
&lt;figure class=&quot;u-extend&quot;&gt;
  &lt;div&gt;
    &lt;img src=&quot;https://deletescape.ch/assets/images/debugdb-sensitive-example.png&quot; alt=&quot;Some of these apps include logs of sensor and location data.&quot; height=&quot;1134&quot; width=&quot;1104&quot; layout=&quot;responsive&quot;&gt;
  &lt;/div&gt;
  &lt;figcaption&gt;Some of these apps include logs of sensor and location data.&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I downloaded Cinemark to verify this for myself, and I was indeed able to read and edit the app’s db and prefs by opening the app and going to &lt;code&gt;localhost:8080&lt;/code&gt;. This is especially ironic considering the app also uses the &lt;a href=&quot;https://risk.lexisnexis.com/products/threatmetrix&quot;&gt;ThreatMetrix SDK&lt;/a&gt;, which is some Enterprise Risk Management (read: corporate spyware) SDK which supposedly also prevents cybersecurity threats.&lt;/p&gt;
&lt;p&gt;The damning thing here is that we have to consider that most ISPs won’t allow access to their clients on port 8080 (at least not without UPnP), but this will always work inside networks, thus opening up another huge security threat with public WiFis. This also makes me wonder how many other apps are out there, shipping this to all their users and opening them up for attacks by literally anyone. Another terrible thing is that this library allows &lt;strong&gt;editing&lt;/strong&gt; of the data in the db and the prefs, so the actual possible ways to exploit this beyond data exfiltration reach far as well.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>A quick look at &quot;ad free&quot; mobile monetization platforms</title>
    
      <link href="https://deletescape.ch/posts/ad-free-monetization/"/>
    
    <updated>2019-09-09T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/ad-free-monetization/</id>
    <content type="html">&lt;p&gt;If you’re a mobile developer you’ve most probably received your share of E-Mails from monetization platforms, all of them making at least one incredible claim. Some of them are especially interesting as they claim the ability to monetize your app (and earn up to $$$ per month) without having to use any ads. I hope that most of you will just ignore these E-Mails, but I for once decided to dig a little deeper into the world of “ad free” monetization. It goes without saying that the majority of the Services I’ll be looking at today are shady in some way and you should generally avoid them.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/luminati-email.jpg&quot; alt=&quot;This sounds pretty promising (until you actually do the math).&quot; height=&quot;1280&quot; width=&quot;590&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;This sounds pretty promising (until you actually do the math).&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h2 id=&quot;luminati&quot;&gt;Luminati&lt;/h2&gt;
&lt;p&gt;Luminati is the company operating the popular Proxy VPN service &lt;a href=&quot;https://hola.org/&quot;&gt;Hola VPN&lt;/a&gt;, which surprisingly is free. When you look a bit into how Hola works, you’ll soon find out that their VPN actually uses the internet connection of their users to proxy their traffic. As a user of Hola, other Hola users access the Internet through your connection, as do paying customers of Luminati. Their large collection of origin IPs allows easy scraping of websites without having to see any Captchas or being rate limited. The Luminati SDK allows your users to become part of the Luminati network and in return get additional features in your app.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/luminati-how-it-works.png&quot; alt=&quot;Well I don&#39;t see anything wrong with this?&quot; height=&quot;653&quot; width=&quot;1248&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Well I don&#39;t see anything wrong with this?&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;&lt;strong&gt;Conclusion: With Luminati you are literally selling your users’ internet connection.&lt;/strong&gt;&lt;/p&gt;
&lt;h2 id=&quot;mobknow-%2F-mobiburn&quot;&gt;MobKnow / MobiBurn&lt;/h2&gt;
&lt;p&gt;MobKnow and MobiBurn are very similar in that they just straight up tell you they are collecting user data. MobKnow isn’t very specific regarding what the data will be used for; MobiBurn on the other hand will boast about how they help build audience data for marketing purposes. On top of that it’s also not very clear how real either of these solutions actually are, as none of the partners linked on the MobiBurn site seem to actually use their SDK.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/mobiburn.png&quot; alt=&quot;MobiBurn shall not be the solution either!&quot; height=&quot;565&quot; width=&quot;1064&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;MobiBurn shall not be the solution either!&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;&lt;strong&gt;Conclusion: Do you really wanna directly sell the data of your users? Oh, and risk the chance of these SDKs actually being malware?&lt;/strong&gt;&lt;/p&gt;
&lt;h2 id=&quot;huq&quot;&gt;Huq&lt;/h2&gt;
&lt;p&gt;Huq is similar to MobKnow in that it collects user data and sells it off to investors, governments and researchers. Huq focuses on geo and behavior data to find out what consumers are doing in the real world. Like all of the other providers on this list they talk big about privacy and how much they love it; we all know this is a lie and the only reason it’s there is to comfort themselves and developers thinking about integrating their SDK. Hey, at least they seem to actually exist!&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/huq.png&quot; alt=&quot;It&#39;s sellout time baby&quot; height=&quot;442&quot; width=&quot;884&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;It&#39;s sellout time baby&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;&lt;strong&gt;Conclusion: Hell yes, let’s sell out to make some big data company very rich and governments very happy!&lt;/strong&gt;&lt;/p&gt;
&lt;h2 id=&quot;tutela&quot;&gt;Tutela&lt;/h2&gt;
&lt;p&gt;Tutela collects network and device data from around the world to gather data about network coverage and speed out in the world. This data is then used by telecom companies to improve their network service where demand exists. I didn’t expect myself to say this today, but Tutela actually seems relatively okay. I wouldn’t use it personally, but out of the bunch it seems like the least intrusive solution which might actually be used for good.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/tutela.png&quot; alt=&quot;Obviously the exact same claims as always&quot; height=&quot;855&quot; width=&quot;1143&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Obviously the exact same claims as always&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;&lt;strong&gt;Conclusion: Best out of the bunch, I still wouldn’t use it though&lt;/strong&gt;&lt;/p&gt;
&lt;h2 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Monetizing your app with (moderate) ads and IAP is still the best way to monetize your mobile apps while still considering your users’ privacy and trust. You’re also not going to get rich using any of these platforms; they all pay relatively low rates and probably earn much more with the data collected. All in all software monetization is often shady as a whole, stay safe and keep your users safe!&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Thanks for the great cover image to &lt;a href=&quot;https://github.com/HrX03&quot;&gt;HrX&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
</content>
  </entry>
  
  <entry>
    <title>PSA: Avoid shady Android launcher apps</title>
    
      <link href="https://deletescape.ch/posts/psa-dont-use-shady-launchers/"/>
    
    <updated>2019-05-27T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/psa-dont-use-shady-launchers/</id>
    <content type="html">&lt;p&gt;There are a lot of really weird and shady apps on the Play Store, yet they keep getting tons of downloads. That’s actually the only reason they still exist, it’s still incredibly easy to just throw a bunch of keywords in your app descriptions and make a whole lot of revenue. Today we’re going to dig into one of the main categories of these apps, Launchers. It’s usually not hard to tell if one of them isn’t really trustworthy, common red flags are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Keyword filled app names like ‘S Launcher - S10/S9/S8 Launcher, S10 theme, cool’ (yes, this app exists)&lt;/li&gt;
&lt;li&gt;Built in theme/wallpaper store as a major selling point&lt;/li&gt;
&lt;li&gt;Live/video/3D wallpapers as a major selling point&lt;/li&gt;
&lt;li&gt;Battery/RAM boosters (these are a red flag regardless of what they come with)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also look at the reviews, especially those with lower ratings; these kinds of publishers tend to have paid positive reviews.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/cool_q_launcher.png&quot; alt=&quot;Yes, this app is just as shady as it looks, but somehow it has over 100.000 downloads.&quot; height=&quot;609&quot; width=&quot;713&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Yes, this app is just as shady as it looks, but somehow it has over 100.000 downloads.&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h2 id=&quot;how-do-they-all-look-the-same%3F&quot;&gt;How do they all look the same?&lt;/h2&gt;
&lt;p&gt;A lot of these apps all come from exactly the same developer group. They have multiple developer accounts to create tons of listings for the same app with minor look changes. This allows them to cover a massive amount of keywords and get millions of installs while staying mostly under the radar. Every now and then Google’s algorithm will bless one of them by featuring them on the Play Store homescreen for some users.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/model_x_launcher.png&quot; alt=&quot;It&#39;s almost as if this was the same app (it is).&quot; height=&quot;755&quot; width=&quot;716&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;It&#39;s almost as if this was the same app (it is).&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h2 id=&quot;why-do-these-apps-exist%3F&quot;&gt;Why do these apps exist?&lt;/h2&gt;
&lt;p&gt;The first and foremost reason these work at all is because there are people that download them. Not everyone understands technology or apps well enough to realize which apps are safe to use and which are not. It’s definitely not a bad idea to check the installed apps on the phones of your less tech savvy relatives and friends (only with their consent of course), to make sure they haven’t fallen for any of these.&lt;/p&gt;
&lt;p&gt;Almost all of these apps contain ads, usually from multiple SDKs, which generates not insignificant revenue through all the installs they get over all listings. A lot of them additionally upload analytics and other userdata to their own servers, which makes it quite likely they’re additionally selling this or using it for research.&lt;/p&gt;
&lt;p&gt;Recently some of them have even gone as far as to start offering their prime offering not as an overpriced one time payment, but as a monthly subscription.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/yikes_thats_expensive.jpg&quot; alt=&quot;The &#39;Model X Launcher&#39; premium offering is a bargain at only $36/year.&quot; height=&quot;776&quot; width=&quot;553&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;The &#39;Model X Launcher&#39; premium offering is a bargain at only $36/year.&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h2 id=&quot;who-makes-these%3F&quot;&gt;Who makes these?&lt;/h2&gt;
&lt;p&gt;I have no idea who has this little moral integrity to do something like this, but one of the developers I could trace most of the apps in this recent wave of launchers back to is &lt;a href=&quot;http://www.900m.net/&quot;&gt;KK Mobile&lt;/a&gt;. Their website is also part of the APIs these apps are using, which are obviously all based on completely unencrypted HTTP. Other API calls (also HTTP) mostly happen directly to these two IPs: &lt;a href=&quot;https://www.shodan.io/host/121.40.46.187&quot;&gt;121.40.46.187&lt;/a&gt;, &lt;a href=&quot;https://www.shodan.io/host/47.74.185.216&quot;&gt;47.74.185.216&lt;/a&gt;. A quick look on Shodan is enough to know that these haven’t been patched in ages and are vulnerable to a whole list of CVEs. So to repeat this again, avoid these kinds of launchers (or any other app category obviously) at all cost, there are always better alternatives available.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;This post is based on this &lt;a href=&quot;https://twitter.com/deletescape/status/1133008200205250560&quot;&gt;twitter thread&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
</content>
  </entry>
  
  <entry>
    <title>Why do people still trust Cheetah Mobile in 2018?</title>
    
      <link href="https://deletescape.ch/posts/why-do-people-still-trust-cheetah-mobile-in-2018/"/>
    
    <updated>2018-11-26T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/why-do-people-still-trust-cheetah-mobile-in-2018/</id>
    <content type="html">&lt;p&gt;It’s pretty safe to assume that almost everyone has used a Cheetah Mobile app before, prime examples include Clean Master or CM Launcher 3D. Even if you have never heard of them, dozens of other apps and games like TikTok (formerly &lt;a href=&quot;http://musical.ly/&quot;&gt;Musical.ly&lt;/a&gt;) are at least indirectly connected to, funded or owned by Cheetah Mobile. After all, they’re the 4th largest publisher on Google Play Store and the Apple App Store after Google, Facebook and Apple. We’ll get to that later. If you are still using any of their apps, it’s time to stop doing so right now. Let me tell you why.&lt;/p&gt;
&lt;h3&gt;A huge web of trash&lt;/h3&gt;
&lt;p&gt;First of all, let’s clear something up. Cheetah Mobile isn’t an Android app company, they are an AI/big data company and on their LinkedIn company page they even dream about robots and changing the future.&lt;/p&gt;
&lt;p&gt;“So why do they make utility apps in the first place?”, you might ask. The answer to that is quite simple. They want your data and they happen to have found a weak spot. For some reason a lot of Android users download boosters, launchers, and battery savers without thinking twice, assuming that it is normal for these kinds of apps to request every permission Android offers. Speed booster apps really weren’t even a thing before Clean Master came around, and nowadays the Play Store is literally plagued by them. If you take a closer look at them and the names behind them you will soon find yourself entangled in a web of tiny companies which all received mysterious funding from Cheetah Mobile (or other shady companies like DU Apps). If you go a step further and actually take the apps apart you’ll find libraries provided by Cheetah Mobile pretty much every time.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://deletescape.ch/assets/images/boost_master.png&quot; alt=&quot;Let’s take a look at Boost Master for an example, at the right you can see the privacy policy linked in the listing and inside the app&quot; height=&quot;752&quot; width=&quot;1680&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Let’s take a look at Boost Master for an example, at the right you can see the privacy policy linked in the listing and inside the app&lt;/figcaption&gt;
  &lt;/figure&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/3114/1*Cn2RCc3U-uI_rC6zX8koBQ.png&quot; alt=&quot;A quick look on whois.com and crunchbase reveals that the domain is owned by Kika Tech, an “AI” company funded directly by Cheetah Mobile&quot; height=&quot;731&quot; width=&quot;1557&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;A quick look on whois.com and crunchbase reveals that the domain is owned by Kika Tech, an “AI” company funded directly by Cheetah Mobile&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;I could now spend hours explaining why cleaner/booster apps are bad and you shouldn’t use them, but that’s a topic for another post and has also been covered before.&lt;/p&gt;
&lt;h3&gt;Cheetah Mobile sells your data and it’s not even a secret&lt;/h3&gt;
&lt;p&gt;“But guys, you still haven’t shown any proof that they are selling our data!” Cheetah Mobile’s official website should be good enough proof, right? Well, that’s exactly what I can provide.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2000/0*ddkL8gdyCcbq5O79&quot; alt=&quot;This official Cheetah Mobile website (https://data.cmcm.com) should probably be proof enough, right?&quot; height=&quot;983&quot; width=&quot;831&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;This official Cheetah Mobile website (https://data.cmcm.com) should probably be proof enough, right?&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;I first discovered &lt;a href=&quot;http://data.cmcm.com/&quot;&gt;Cheetah Data&lt;/a&gt; a few months ago, and while I wasn’t really surprised by its existence, it still was amazing to see how big of a deal this really is. I obviously had to go ahead and register for a limited, free account to check out what kind of data they actually collect. And boy, do they collect a lot! If you are a developer yourself you probably know Google Analytics and the kind of statistics it provides you with. Imagine this, but for all applications, including your competition. Updated every two days.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2104/0*i_qKtDf3YpkiaTqz&quot; alt=&quot;Cheetah Data essentially allows paying users to get full analytics and profiles of the users of any app&quot; height=&quot;983&quot; width=&quot;896&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Cheetah Data essentially allows paying users to get full analytics and profiles of the users of any app&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;Yes. Cheetah Mobile apps not only collect statistics while you’re using them, they also analyse which apps you use, at what time, and for how long. The fact that all of this data is being sold openly makes me suspect that this is just the tip of the iceberg.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2000/1*-ZkTs5waePagqI4X-wGy6g.png&quot; alt=&quot;They aren’t even ashamed to tell us how they get their data&quot; height=&quot;126&quot; width=&quot;933&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;They aren’t even ashamed to tell us how they get their data&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h3&gt;When I say Samsung and Microsoft are sellouts, I mean it&lt;/h3&gt;
&lt;p&gt;You might be wondering what this has to do with this post right here, and you are right to ask. Samsung’s Android software happens to have a storage cleaning tool, which you might consider a nice-to-have feature at first… until you look at it a little closer.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2000/1*_UAl_RkrCk0yQmDvc58h2g.png&quot; alt=&quot;That’s interesting, to say the least&quot; height=&quot;983&quot; width=&quot;478&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;That’s interesting, to say the least (source: &lt;a href=&quot;https://www.reddit.com/r/Android/comments/68rtn1/clean_master_is_what_samsung_uses_for_their/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;Reddit&lt;/a&gt;)&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;Clean Master, just like many apps, happens to be developed by Cheetah Mobile. The app on the Google Play Store has over 1,000,000,000 downloads, and this number keeps rising. For every person who downloads one of them, Cheetah Mobile gets more and more data from users. It may be a risky bet, but I’m pretty convinced that almost everyone who uses an Android phone has at some point used an app that is at least indirectly connected to them.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2880/1*SGEedHfuL8X87_ltOoljUg.png&quot; alt=&quot;Why would more than a billion people download this…&quot; height=&quot;982&quot; width=&quot;478&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Why would more than a billion people download this…&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;Oh, and if you ever happen to want to install &lt;a href=&quot;https://play.google.com/store/apps/details?id=com.cleanmaster.mguard&amp;amp;hl=en_US&quot;&gt;Clean Master&lt;/a&gt; on your Samsung Galaxy but don’t know how to do so, there is no need for you to worry. Samsung has you covered with an official guide on how to install said app.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2560/1*0vF6skPfxhwYjrt_qcPhOw.png&quot; alt=&quot;I am not really sure if this guide is really helping anyone at all&quot; height=&quot;647&quot; width=&quot;1280&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;I am not really sure if this guide is really helping anyone at all&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;p&gt;Now, what does Microsoft have to do with all this? To see that, we’ll need to take a closer look at the Play Store description of CM Launcher 3D:&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2000/1*EtD9o5u5tdherfAyFqzbzA.png&quot; alt=&quot;Wait… They actually did that?&quot; height=&quot;195&quot; width=&quot;633&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;Wait… They actually did that?&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h2 id=&quot;oh%2C-by-the-way&quot;&gt;Oh, by the way&lt;/h2&gt;
&lt;p&gt;Even if you have never used any shady utility apps before, you’ve most probably downloaded at least one of the viral games of the past years, like Piano Tiles; chances are that game was created by Cheetah Games or another company magically funded by CM. Other apps and companies Cheetah Mobile owns that you might not have realized include TikTok (formerly Musically) and &lt;a href=&quot;http://live.me/&quot;&gt;Live.me&lt;/a&gt;, a live-streaming service.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://musical.ly/&quot;&gt;Musical.ly&lt;/a&gt; and Cheetah Mobile merged last year. Social networks are known for pulling every little piece of data from their users. After this merger, Cheetah Mobile developed their own app, TikTok. &lt;a href=&quot;http://musical.ly/&quot;&gt;Musical.ly&lt;/a&gt; happened to be shut down and switched over to TikTok. &lt;a href=&quot;http://musical.ly/&quot;&gt;Musical.ly&lt;/a&gt; even shut down their live streaming service &lt;a href=&quot;http://live.ly/&quot;&gt;live.ly&lt;/a&gt; and encouraged users to switch over to Cheetah Mobile’s LiveMe.&lt;/p&gt;
&lt;p&gt;At this point it should be clear that they do everything in their power to collect data in every field out there, so it would only make sense to also have a browser on the app palette, wouldn’t it? Presenting you “CM Browser”, made to send your juicy browser history and usage data over to your new favorite multimillion-dollar company, ready to be shared with God and the world.&lt;/p&gt;
  &lt;figure class=&quot;u-extend&quot;&gt;
    &lt;div&gt;
      &lt;img src=&quot;https://cdn-images-1.medium.com/max/2000/1*wqYt1RPaNQw_OTkQj0X92Q.png&quot; alt=&quot;And of course they label it as a secure browser, with your privacy in mind (duh)&quot; height=&quot;627&quot; width=&quot;707&quot; layout=&quot;responsive&quot;&gt;
    &lt;/div&gt;
    &lt;figcaption&gt;And of course they label it as a secure browser, with your privacy in mind (duh)&lt;/figcaption&gt;
  &lt;/figure&gt;
&lt;h2 id=&quot;tl%3Bdr%3A&quot;&gt;TL;DR:&lt;/h2&gt;
&lt;p&gt;CM solely makes apps to mine data. They sell that data. There is basically nothing they are not collecting. If you have one of their apps installed, anyone can go ahead and analyze how you are using your device and what you’re doing with it. You become part of a big data pool.&lt;/p&gt;
&lt;p&gt;If any of your friends are using Cheetah Mobile software make sure to tell them about this and link them here. You’re also free to quote this post if you are reporting about this issue as well. If you have found other scummy apps/developers or just want to know if an app you are using is tracking you, &lt;a href=&quot;https://twitter.com/_nyancrimew&quot;&gt;contact me on Twitter&lt;/a&gt;.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>heavylightgoodweird</title>
    
      <link href="https://deletescape.ch/posts/heavylightgoodweird/"/>
    
    <updated>2017-09-22T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/heavylightgoodweird/</id>
    <content type="html">&lt;p&gt;How do I feel? No idea. I just feel. How I don’t know. I feel light. But heavy. Lightheavy. Heavylight.&lt;/p&gt;
&lt;p&gt;Everything is fine. Finally. Years of waiting finally have an end. Feels weird. But good. Weirdgood. Goodweird.&lt;/p&gt;
&lt;p&gt;It’s heavylightgoodweird.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Trying to sleep...</title>
    
      <link href="https://deletescape.ch/posts/trying-to-sleep/"/>
    
    <updated>2017-07-22T00:00:00+00:00</updated>
    <id>https://deletescape.ch/posts/trying-to-sleep/</id>
    <content type="html">&lt;p&gt;I’m trying hard. Try to turn it off. My mind. Filled with thoughts I don’t wanna have. Can’t stop it. My mind keeps on thinking. Uncontrollable flow of useless informations. Useless pictures. Sadness. Forcing some happy memories on me. Happiness. I’m fully awake again now. I need a hug. Can’t this just stop. Trying to get it out of my head. I start to think about not thinking. Awake. It doesn’t work. Frustration. I start to move around. This just wakes me up even more. I don’t get how other people just fall asleep instantly. Why can’t I be like them. I hate them. Their life is so much easier. I can’t sleep. Crazy ideas form in my head. I want to save them somehow so I will remember them later. I forgot my idea already. It’s gone. Where the fuck is the mute button for my thoughts.&lt;/p&gt;
</content>
  </entry>
</feed>
