[ToorCon 19 San Diego] Dig Deep into FlexiSpy for Android

This talk was presented at ToorCon 19 San Diego on Sep 3, 2017.
FlexiSpy for Android is a spy app with full IM tracking, VoIP call recording and live call interception. It can also spy on messages, GPS, multimedia, Internet use, applications, etc. In short, FlexiSpy can take full control of an Android phone or tablet and spy on all its communications and activities from any computer with a web browser. At the end of April 2017, Flexidie released the source code and binaries of an old version of the FlexiSpy Android spy app. I reviewed the leaked data and finished the deep analysis and reverse engineering of the app around the middle of May. My talk covered the following five parts.

1. Firstly, I looked into the first installation of the spy app. During this process, the spy app requests root privilege, creates a dedicated folder to store the data related to the daemon process and the startup script named maind, and sets up reboot hook scripts, which are executed when the device boots. I then showed the workflow of the first installation of the spy app.

2. Secondly, I took a deeper look at the startup script. When the device boots, the spy app starts five daemon processes (maind, pmond, callmond, callmgrd, psysd) from the startup script. The maind process starts the app engine as well as two remote servers, “com.vvt.rmtctrl.server:12512” and “vvt.polymorphic.server port:12514”. The server “com.vvt.rmtctrl.server:12512” is a remote control server that processes remote commands. After rebooting the device following the first installation and launching the spy app from the home launcher, you see an activation view. A license key must be entered to activate the product before it can start spying. I couldn’t find the license key for the spy app in the leaked data.

3. Thirdly, I showed the workflow of the product activation and how to bypass the license check. After fully understanding the workflow of product activation, we can bypass the license check by patching six parts of the smali code. Each configuration ID has its own corresponding set of spying features.

4. Fourthly, I analyzed two IM spy cases of FlexiSpy for Android: one spying on Skype for Android, the other on WeChat for Android. The spied-on IM apps include Facebook, Hangouts, Hike, Instagram, Line, QQ, Skype, Snapchat, Telegram, Tinder, Viber, WhatsApp and WeChat. Besides IM, FlexiSpy for Android can spy on the camera, email, calendar, audio, Chrome, Yahoo, the browser, etc.

5. Finally, I gave a summary of FlexiSpy for Android. Through my deep analysis, we can see that FlexiSpy for Android is an all-in-one spyware that is sophisticatedly designed and very complex. To support all of its spy features, the Android device must be rooted. The spy app sets up the startup script; when the device is rebooted, the startup script is executed and starts the daemon processes. FlexiSpy uses FileObserver to monitor the database file and shared preferences file stored in the private folder of each IM app. Generally, IM apps on a mobile device store chat messages in a database file. Some database files, such as Skype’s, are not encrypted, so after rooting the Android device it is easy to run a few SQL statements to obtain the sensitive chat messages. Other database files, such as WeChat’s, are encrypted. That looks more secure, but the private key can still be calculated by reverse engineering the IM app. Even after I uninstalled the FlexiSpy for Android app (package: com.Android.systemupdate), the spy activity was still ongoing. I tested the Skype and WeChat apps after uninstalling the spy app “com.Android.systemupdate”, and it still successfully monitored the chat messages of both. For normal users, finding the file fx.log in the folder /data/misc/adn/ confirms that your Android device is being spied on by FlexiSpy for Android. I then gave the steps to remove FlexiSpy thoroughly.
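The indicators named in parts 2 and 5 above (the five daemon processes, the two listening ports, the package name and the fx.log file) can be checked for with a small script run on the device over adb. The following is an added example written for this summary; it is not code from the talk or from FlexiSpy. It assumes a rooted device where `ps`, `netstat -tln` and `pm list packages` are available, and the check functions take their input as arguments so they can also be exercised offline on the constructed sample text in the comments.

```shell
#!/bin/sh
# Added detection example (not from the talk): look for the FlexiSpy
# artifacts the summary names. Assumed usage on a rooted device:
#   adb push flexispy_check.sh /data/local/tmp/
#   adb shell FLEXISPY_LIVE=1 sh /data/local/tmp/flexispy_check.sh
# Without FLEXISPY_LIVE set, the script only defines the functions.

FX_LOG="/data/misc/adn/fx.log"                  # log file named in the talk
FX_PKG="com.Android.systemupdate"               # package name named in the talk
FX_DAEMONS="maind pmond callmond callmgrd psysd" # daemons started by the startup script
FX_PORTS="12512 12514"                          # remote servers started by maind

# Print the FlexiSpy daemon names whose basename appears as the command
# (last column) in the `ps` listing passed as $1, e.g. a constructed line
# "root  312  1  4000  800  0  0  S  /data/misc/adn/maind".
flexispy_daemons_in() {
    found=""
    for d in $FX_DAEMONS; do
        if printf '%s\n' "$1" | awk -v d="$d" \
            '{ n = split($NF, p, "/"); if (p[n] == d) f = 1 } END { exit !f }'; then
            found="$found $d"
        fi
    done
    printf '%s\n' "${found# }"
}

# Print the FlexiSpy ports that are in LISTEN state in the `netstat -tln`
# listing passed as $1 (local address is column 4, e.g. 0.0.0.0:12512).
flexispy_ports_in() {
    found=""
    for port in $FX_PORTS; do
        if printf '%s\n' "$1" | awk -v p="$port" \
            '$NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'; then
            found="$found $port"
        fi
    done
    printf '%s\n' "${found# }"
}

# Return 0 if the `pm list packages` output passed as $1 lists the
# FlexiSpy package (lines look like "package:com.example.app").
flexispy_pkg_in() {
    printf '%s\n' "$1" | grep -qx "package:$FX_PKG"
}

# Return 0 if the FlexiSpy log file exists at the given path
# (default: the real location on the device).
flexispy_log_present() {
    [ -f "${1:-$FX_LOG}" ]
}

# Run every check against the live device and print one line per hit.
# Returns 1 if any indicator was found, 0 otherwise.
flexispy_scan() {
    ps_out=$(ps -A 2>/dev/null || ps)
    net_out=$(netstat -tln 2>/dev/null)
    pkg_out=$(pm list packages 2>/dev/null)
    hits=0
    d=$(flexispy_daemons_in "$ps_out"); [ -n "$d" ] && { echo "daemons running: $d"; hits=1; }
    p=$(flexispy_ports_in "$net_out");  [ -n "$p" ] && { echo "ports listening: $p"; hits=1; }
    flexispy_pkg_in "$pkg_out"  && { echo "package installed: $FX_PKG"; hits=1; }
    flexispy_log_present        && { echo "log file present: $FX_LOG"; hits=1; }
    [ "$hits" -eq 0 ] && echo "no FlexiSpy indicators found"
    return $hits
}

# Only touch the live system when explicitly asked.
if [ -n "${FLEXISPY_LIVE:-}" ]; then
    flexispy_scan
fi
```

Because part 5 reports that the daemons keep running after the app is uninstalled, the process and port checks are the ones to rely on; the package check alone will miss that case.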

References

https://sandiego.toorcon.net/conference/#18