Join us on Slack!
Society leans ever heavily on computers, if you have the power to take out computers you can take out society. - cubeman372
Friday, November 15, 2019
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 61
Guests Online: 61
Members Online: 0

Registered Members: 119901
Newest Member: Dialvo
Latest Articles
View Thread

HellBound Hackers | Computer General | OS specific

Author

NetCapture and HTTPCanary apks for android are infected

Huitzilopochtli
Member



Posts: 1624
Location:
Joined: 19.02.13
Rank:
God
Posted on 09-03-19 04:43
NetCapture and HTTPCanary two apps for packet sniffing I downloaded yesterday from the Play store are infected with malware

NetCapture makes a connection to a domain in China and uploads an rc4 encrypted gzip via a POST request, this happens at first boot and every time you connect to Wi-Fi .
http://pingma.qq.com:80/mstat/report/?index=1551456863

When you block it another Chinese domain shows up:
http://android.bugly.qq.com:80/rqd/async/aid=

HttpCanary is similar as it connects to the same android.bugly.qq domain when it uploads it's gzip files.

Blocking it brings up another Chinese based site:
http://mclean.cloud.360safe.com
http://mvconf.cloud.360safe.com
 
It's only when this domain is blocked that a change in behaviour kicks in, as it switches to a GET request for the next domain and tries to download some .dat file.

http://msafedl.ssl.qihucdn.com:80/clear_sdk_multilang/20190228/o_c_adp.dat

And again after the first one failed:

http://msafedl.ssl.qihucdn.com:80/clear_sdk_multilang/20190228/o_c_adp.dat.en_WW

Not sure what's on that site as safebrowsing kicks in and blocks it.

So, if you have one of these two apps installed, you should probably think about removing them.


.
Author

RE: NetCapture and HTTPCanary apks for android are infected

Rocket_Face
Member

Your avatar

Posts: 15
Location:
Joined: 02.05.17
Rank:
Moderate
Posted on 09-03-19 08:01
That's why I only ever download apps from the Play store, because I'm no fool.
Author

RE: NetCapture and HTTPCanary apks for android are infected

Huitzilopochtli
Member



Posts: 1624
Location:
Joined: 19.02.13
Rank:
God
Posted on 16-03-19 04:56
They were downloaded from the Play store you fucking clown.


.
Author

RE: NetCapture and HTTPCanary apks for android are infected

Futility
Member

Your avatar

Posts: 757
Location: USA
Joined: 17.12.07
Rank:
God
Posted on 19-03-19 00:18
Huitzilopochtli wrote:
NetCapture and HTTPCanary two apps for packet sniffing I downloaded yesterday from the Play store are infected with malware

NetCapture makes a connection to a domain in China and uploads an rc4 encrypted gzip via a POST request, this happens at first boot and every time you connect to Wi-Fi .
http://pingma.qq.com:80/mstat/report/?index=1551456863

When you block it another Chinese domain shows up:
http://android.bugly.qq.com:80/rqd/async/aid=

HttpCanary is similar as it connects to the same android.bugly.qq domain when it uploads it's gzip files.

Blocking it brings up another Chinese based site:
http://mclean.cloud.360safe.com
http://mvconf.cloud.360safe.com
 
It's only when this domain is blocked that a change in behaviour kicks in, as it switches to a GET request for the next domain and tries to download some .dat file.

http://msafedl.ssl.qihucdn.com:80/clear_sdk_multilang/20190228/o_c_adp.dat

And again after the first one failed:

http://msafedl.ssl.qihucdn.com:80/clear_sdk_multilang/20190228/o_c_adp.dat.en_WW

Not sure what's on that site as safebrowsing kicks in and blocks it.

So, if you have one of these two apps installed, you should probably think about removing them.


This is super interesting! I've got a thousand questions, feel free to answer any/none at your leisure. If you could post a hash of the apks (or the apks themselves!), I'd love to do a bit of my own analysis to fill in some blanks.

Any idea what's included in the gzip that gets sent? What the RC4 password is/if they use it for anything else? Any example .dats or a guess as to what they contain? DNS lookups on the domains, or affiliation with any of the big threat actors? If the comms are encrypted between you and the server, are the certificates known-bad? What other domains are in the apk (it doesn't look like this is fast-flux or other type of domain generation- I'm guessing there's a listing somewhere). Did you do any DEX decomplication for static analysis, or was everything dynamic?

Again, interesting stuff, just curious as to some of the finer details and looks like it was fun to poke.

- Futility
Futility91@hotmail.com Futility91
Author

RE: NetCapture and HTTPCanary apks for android are infected

Huitzilopochtli
Member



Posts: 1624
Location:
Joined: 19.02.13
Rank:
God
Posted on 20-03-19 21:56
You can still download them from both from the play store man. I didn't try anything with the dex files, and I didn't try to open the gzip files either. But I have the full thing with about 100+ requests it sent to diff IPs I can zip for you if you want it.

A typical dump from HTTPCanary to bugly.qq was like this:

POST /rqd/async?aid=0ad83de9-a487-46fd-953d-fd566eada84f HTTP/1.1
wup_version: 3.0
raKey: l8Jvcr%2BKpsYUFZ3KlMvt0CjBbfoGIWD1LZnYLQUsiPvPqF6w
Y2iLkb%2FaJGJL5LabENShd8eB960S%0Alduspc%2BUV
Ru2z5ePCUF0IQUQECddf7POKpcUPxLaPjcx08l8yeU3MCmPxOZAsTm4z
qoywDnHWjv2%0AxtZKL1Jn8HLzPA8qS%2Fo%3D%0A
platformId: 1
cmd: 840
sdkVer: 2.6.6
appVer: 2.3.1
prodId: 4490ee2e04
bundleId: com.guoshi.httpcanary
strategylastUpdateTime: 1543642045000
A37: WIFI
A38: WIFI
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G925F Build/NRD90M)
Host: android.bugly.qq.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 1032

!�d�72y�Uv(�[��T�jC�^,C;
�F��o�U3.��)V��R�_��-"���O����ɠ߸�
t'�J�'p��lfd�_��|V�^MT[i�����@"����_0Vt��
��5���`��C?@@o�t!R�@ຣEk�|�9�R�H~F~���d����/�$>��hIF����>Y�&�0Q��us�@��
QJ�tH�AU�c��,��/�uat?��[uL�0I��
���"�PC��̺���v���=�M~��ʹ��\q)O,x��Q�Wu�����2��;�4��v��
��� �����|D��'�&����j�y����
���h��E%��������?>d�{�(�1�T陗�b��Bx����A��ېg��e0d�;�
DZ7�O��/�^z��Aڶ$j�XF{PQ��GD���V�gѠ�P�҇�q
a#�_��U�f���㟢���u�S��.���?@�*�;(6`��C=�3*x`J/����ov(l��ȓ�I�G,u]X�B�C��
^q�!3yk����ڏZ���=Q}�ƼWf�2�'��2}w����"
<�0����3�ɯ)�����Wu���t♁�$j�]�oI�W��
�X��q@��]5?tr��qVy�v�;�X#R|.�"�I��'��P˴چ�X&����f�L�#닢��:�)�����:վ�wV���P���F�,�
�kvL�+�e�<�]�X���y:��fOʖ@�O���S/�b���
��>��+���R�lj xa��:=D���$$�*"�%�֯�I�>��"|���*֫/�.;���&Yt�35ܜ�S��Y�g�ɤRV��d�'���2����Y;GM�}�T�П�H��e�3�Q:�D�!��m�J��ӹgZ*hj�Z�vx��&F�����N#F!sG�'�˹��nk�mz
��H���x%ə�J}JY��
��.����Bڴ�c��-


There is also an occasional request that has no gzip compression:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 22 Feb 2019 23:37:46 GMT
Content-Length: 194
Connection: keep-alive
Bugly-Version: bugly/1.0
status: 0
nstat: 0

јёР°ЈСlЧH ;®vW¦M
к\Њ=5Л>{жЛЏК2љиш›Л™UБu§EцhаЕ;ЃMЃ\&Ў¦·Hщў1…оE’Q#зг#bр¬R. x…'HЯ\ҐnDџ\4”R<‰Pxн©lg±
h”z˜hКЏЌчUE†N’ьмrПЂьѓ Ђ‹Х]Ў9шьавt2>Bґ*іжЂунNX|›ЅёН¬av6\Ч’™'Ю(oµiИPw~јн:ЂgѕЭ


The Content-Length of the requests is always different and can range anywhere between 290 and 7490.

Only one request never changes:
HTTP/1.1 200 OK
Content-Encoding: rc4
Content-Length: 9
Connection: keep-alive

Æ8çf—G

Resending the full POST request without the fields above returns an error.  
{"ret":-1, "msg":"invalid appkey"}

And the ones sent from NetworkCapture were almost identical, and go to the same domain:
POST /rqd/async HTTP/1.1
wup_version: 3.0
platformId: 1
cmd: 830
sdkVer: 2.1.9
secureSessionId: 5bd7cf676827461cb553889a9d61d669_0222_SZ
appVer: 2.9.0.5
prodId: 900015015
bundleId: com.minhui.networkcapture
strategylastUpdateTime: 1484023430000
A37: WIFI
A38: WIFI
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G925F Build/NRD90M)
Host: aexception.bugly.qq.com:8012
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 4483


And being sent to pingma.qq
POST /mstat/report/?index=1551456863 HTTP/1.1
Accept-Encoding: gzip
Connection: Keep-Alive
Content-Encoding: rc4
Content-Length: 296
Host: pingma.qq.com:80

�aT�k�UC�u���K�s�H�m�y�?P�\���
z4~��܂�<?�HqOM;��VILn@|K�P�c��?���T��P1���w�5�8NG|
�hHQ;aI"�����r1)�]�;6�9U��G�M�ȡ��t>WinkR\=-<Jg�>C��ؖ[�-�����b�ۖ�c�^�=��r�������0\ٯ���*�a��B<s�ʼ���3�y;w��㰪\�:��2�)yq�ܖ�����qG5Ч�sz�0E
u��m�§�!X�VG� h6U�m��� ���u�ծ�_�|�bV=U����



.

Edited by Huitzilopochtli on 20-03-19 22:00
Author

RE: NetCapture and HTTPCanary apks for android are infected

Huitzilopochtli
Member



Posts: 1624
Location:
Joined: 19.02.13
Rank:
God
Posted on 21-03-19 00:21
The first domain it connected to was owned by TenCent, and after I blocked it the 360 domain started to appear. It appears those two Chinese companies have a long history of sabotaging each other's software if it's installed on a system alongside their own shit.

Anyway I just ran it through another scanner:

https://www.hybri. . .mentId=200


.
Author

RE: NetCapture and HTTPCanary apks for android are infected

Futility
Member

Your avatar

Posts: 757
Location: USA
Joined: 17.12.07
Rank:
God
Posted on 26-03-19 01:01
Huitzilopochtli wrote:
The first domain it connected to was owned by TenCent, and after I blocked it the 360 domain started to appear. It appears those two Chinese companies have a long history of sabotaging each other's software if it's installed on a system alongside their own shit.

Anyway I just ran it through another scanner:

https://www.hybri. . .mentId=200

Cool! I'm gonna poke it a bit, see if I can find anything. Thanks for the info!
Futility91@hotmail.com Futility91
Author

RE: NetCapture and HTTPCanary apks for android are infected

Megatron King
Member

Your avatar

Posts: 1
Location:
Joined: 30.04.19
Rank:
Newbie
Posted on 30-04-19 07:47
Hi guys, I am the developer of HttpCanary. HttpCanary is a legal app and no hacker backdoors.

Bugly is a famous crash report and event statistics platform designed by Tencent, I use this to collect the crash logs and fix the bugs. There is no user private and sensitive data uploads to bugly and other servers. About the Bugly platform, here is the official website: https://bugly.qq.com/v2/.

I have declared the crash log collections in EULA and private policy, please trust this app and welcome to supervise it!
Author

RE: NetCapture and HTTPCanary apks for android are infected

Huitzilopochtli
Member



Posts: 1624
Location:
Joined: 19.02.13
Rank:
God
Posted on 02-05-19 14:34
Hi Megatron King, thank you for visiting HBH to answer our questions about your awesome app.

Bugly may well be famous but the sdk used in a previous version of your apk was still flagged as being malicious both here: https://www.hybri. . .44b183569e and here:  https://www.virus. . ./detection

According to the same online scanners the newest version of HttpCanary  has no such issues and is safe to use. I have it installed on my phone and I think it's great. Thumbs Up


.

Edited by Huitzilopochtli on 02-05-19 14:36
Author

RE: NetCapture and HTTPCanary apks for android are infected

jsoso
Member

Your avatar

Posts: 1
Location:
Joined: 16.06.19
Rank:
Newbie
Posted on 16-06-19 09:45
but now Shock HttpCanary v2.10.2 got worse:
https://www.virus. . ./detection
5 engines detected this file

Edited by jsoso on 16-06-19 09:48