[guardian-dev] possible malware Orbot version found in the wild

Hans-Christoph Steiner hans at guardianproject.info
Fri Nov 1 09:49:01 EDT 2013


I dug into it a bit more: I can unzip it with 'unzip' but can't unpack it with
'apktool'.  Doing a binary diff seems to show that it's just a corrupt zip,
which is odd.  Maybe someone can see something in this hexdump that I'm not.
The APKs are exactly the same except for this stuff which is tacked onto the
end of the Baidu Orbot:

                                        48 00 72                H.r
65 73 2F 64 72 61 77 61  62 6C 65 2D 6D 64 70 69  es/drawa ble-mdpi
2F 61 62 73 5F 5F 69 63  5F 63 6C 65 61 72 5F 73  /abs__ic _clear_s
65 61 72 63 68 5F 61 70  69 5F 68 6F 6C 6F 5F 6C  earch_ap i_holo_l
69 67 68 74 2E 70 6E 67  50 4B 01 02 0A 00 0A 00  ight.png PK......
00 08 00 00 93 10 5A 41  14 01 B5 D1 FC 03 00 00  ......ZA ........
FC 03 00 00 20 00 00 00  00 00 00 00 00 00 00 00  .... ... ........
00 00 DC F9 48 00 72 65  73 2F 64 72 61 77 61 62  ....H.re s/drawab
6C 65 2D 6D 64 70 69 2F  61 62 73 5F 5F 69 63 5F  le-mdpi/ abs__ic_
67 6F 2E 70 6E 67 50 4B  01 02 0A 00 0A 00 00 08  go.pngPK ........
00 00 93 10 5A 41 DB 02  A7 74 3F 02 00 00 3F 02  ....ZA.. .t?...?.
00 00 36 00 00 00 00 00  00 00 00 00 00 00 00 00  ..6..... ........
18 FE 48 00 72 65 73 2F  64 72 61 77 61 62 6C 65  ..H.res/ drawable
2D 6D 64 70 69 2F 61 62  73 5F 5F 69 63 5F 67 6F  -mdpi/ab s__ic_go
5F 73 65 61 72 63 68 5F  61 70 69 5F 68 6F 6C 6F  _search_ api_holo
5F 6C 69 67 68 74 2E 70  6E 67 50 4B 01 02 0A 00  _light.p ngPK....
0A 00 00 08 00 00 93 10  5A 41 A6 83 61 04 71 00  ........ ZA..a.q.
00 00 71 00 00 00 40 00  00 00 00 00 00 00 00 00  ..q...@. ........
00 00 00 00 AB 00 49 00  72 65 73 2F 64 72 61 77  ......I. res/draw
61 62 6C 65 2D 6D 64 70  69 2F 61 62 73 5F 5F 69  able-mdp i/abs__i
63 5F 6D 65 6E 75 5F 6D  6F 72 65 6F 76 65 72 66  c_menu_m oreoverf
6C 6F 77 5F 6E 6F 72 6D  61 6C 5F 68 6F 6C 6F 5F  low_norm al_holo_
64 61 72 6B 2E 70 6E 67  50 4B 01 02 0A 00 0A 00  dark.png PK......
00 08 00 00 93 10 5A 41  A7 76 A7 E0 7B 00 00 00  ......ZA .v..{...
7B 00 00 00 41 00 00 00  00 00 00 00 00 00 00 00  {...A... ........
00 00 7D 01 49 00 72 65  73 2F 64 72 61 77 61 62  ..}.I.re s/drawab
6C 65 2D 6D 64 70 69 2F  61 62 73 5F 5F 69 63 5F  le-mdpi/ abs__ic_
6D 65 6E 75 5F 6D 6F 72  65 6F 76 65 72 66 6C 6F  menu_mor eoverflo
77 5F 6E 6F 72 6D 61 6C  5F 68 6F 6C 6F 5F 6C 69  w_normal _holo_li
67 68 74 2E 70 6E 67 50  4B 01 02 0A 00 0A 00 00  ght.pngP K.......
08 00 00 93 10 5A 41 3C  97 93 7F D0 01 00 00 D0  .....ZA< ........
01 00 00 32 00 00 00 00  00 00 00 00 00 00 00 00  ...2.... ........
00 57 02 49 00 72 65 73  2F 64 72 61 77 61 62 6C  .W.I.res /drawabl
65 2D 6D 64 70 69 2F 61  62 73 5F 5F 69 63 5F 6D  e-mdpi/a bs__ic_m
65 6E 75 5F 73 68 61 72  65 5F 68 6F 6C 6F 5F 64  enu_shar e_holo_d
61 72 6B 2E 70 6E 67 50  4B 01 02 0A 00 0A 00 00  ark.pngP K.......

.hc


On 10/31/2013 04:49 PM, Hans-Christoph Steiner wrote:
> 
> Mark just found that Orbot is posted on the Baidu app store (with a direct
> download link):
> http://as.baidu.com/a/item?docid=3806797&pre=web_am_se
> 
> I decided to check it out to see whether it is legit or not.  Its manifest
> says it is version 0.2.3.23-rc-1.0.11-RC6.
> 
> You can get the official version with GPG sig here:
> https://guardianproject.info/releases/archive/Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
> https://guardianproject.info/releases/archive/Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk.asc
> 
> The baidu-orbot fails this first test: it does not verify based on the GPG
> sig.  And it's a slightly larger file:
> 
> -rw-r--r-- 1 hans hans 5308416 Oct 31 16:24 baidu-orbot.apk
> -rw-r--r-- 1 hans hans 5307853 Oct 26  2012 Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
> 
> It also fails the sha1sum check:
> $ sha1sum Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
> 89ba1ef0c92976851a3978491d5a99a565219164  Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
> $ sha1sum baidu-orbot.apk
> 6785d36903b1783593badc787ff79d6ad9b09722  baidu-orbot.apk
> 
> Comparing these on Android Observatory, you can see that classes.dex,
> resources.arsc, and AndroidManifest.xml are the same, but the APK is different:
> 
> Orbot-release-0.2.3.23-rc-1.0.11-RC6.apk
> https://androidobservatory.org/app/686CAD749C300C4A80251DE1DB258AB855AB8420
> 
> baidu-orbot.apk
> https://androidobservatory.org/app/9C3467E21C81E550208B42B6EF053E9F95DCA165
> 
> My install of apktool failed to uncompress baidu-orbot.apk. Anyone want to dig
> into this and see what the differences are?  This is looking like it could be
> a master key exploit.
> 
> .hc
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
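The `50 4B 01 02` runs in the hexdump above are ZIP central directory file header signatures, so what differs between the two APKs sits in the archive's index rather than in the files apktool and Android Observatory compared. Both hypotheses raised in the thread, a damaged archive that 'unzip' tolerates but apktool rejects, and a "master key" style archive where two entries share one name so that the signature verifier and the installer may read different copies, can be checked by walking the central directory by hand instead of trusting whichever ZIP library a given tool uses. The script below is an added example, not code from this thread or from the Guardian Project. It constructs three small APK-shaped archives in memory (entry names and contents are made up, and the 563-byte pad is only borrowed from the size difference quoted above as a sample length), then reports duplicate entry names, central/local header name mismatches, and bytes trailing the end-of-central-directory record.

```python
"""Audit a ZIP/APK by parsing its central directory directly.

Added example with constructed sample data; not Guardian Project code.
"""
import hashlib
import io
import struct
import warnings
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record (22 bytes + comment)
CDIR_SIG = b"PK\x01\x02"   # central directory file header (46 bytes + name/extra/comment)
LOCAL_SIG = b"PK\x03\x04"  # local file header (30 bytes + name/extra)


def find_eocd(data):
    """Return (offset, fields) of the last EOCD record that is self-consistent.

    Scan backwards over the 64 KiB a ZIP comment may occupy and reject any
    candidate whose central directory bounds or comment length do not fit the
    file, so a stray 'PK\\x05\\x06' inside appended junk is not accepted.
    """
    pos = len(data) - 22
    stop = max(0, pos - 65535)
    while pos >= stop:
        pos = data.rfind(EOCD_SIG, stop, pos + 4)
        if pos < 0:
            break
        fields = struct.unpack_from("<HHHHIIH", data, pos + 4)
        cd_size, cd_offset, comment_len = fields[4], fields[5], fields[6]
        if cd_offset + cd_size <= pos and pos + 22 + comment_len <= len(data):
            return pos, fields
        pos -= 1
    raise ValueError("no consistent EOCD record: not a ZIP file")


def audit_zip(data):
    """Parse the central directory and report structural oddities."""
    eocd, (_, _, _, declared, cd_size, cd_offset, comment_len) = find_eocd(data)

    entries = []  # (name, local header offset) in central directory order
    pos, end = cd_offset, cd_offset + cd_size
    while pos < end:
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory signature at 0x%x" % pos)
        hdr = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        nlen, xlen, clen, local_off = hdr[9], hdr[10], hdr[11], hdr[15]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append((name, local_off))
        pos += 46 + nlen + xlen + clen

    # Duplicate names: the shape of the Android "master key" bug, where two
    # entries share a name and different code paths may pick different copies.
    counts = {}
    for name, _ in entries:
        counts[name] = counts.get(name, 0) + 1
    duplicates = [n for n, c in counts.items() if c > 1]

    # Each central entry must point at a local header carrying the same name.
    mismatches = []
    for name, off in entries:
        if data[off:off + 4] != LOCAL_SIG:
            mismatches.append(name)
            continue
        (lnlen,) = struct.unpack_from("<H", data, off + 26)
        local_name = data[off + 30:off + 30 + lnlen].decode("utf-8", "replace")
        if local_name != name:
            mismatches.append(name)

    trailing = len(data) - (eocd + 22 + comment_len)  # bytes after the archive proper
    report = {
        "sha1": hashlib.sha1(data).hexdigest(),
        "entry_count": len(entries),
        "declared_entries": declared,
        "duplicates": duplicates,
        "name_mismatches": mismatches,
        "trailing_bytes": trailing,
    }
    report["clean"] = not (duplicates or mismatches or trailing
                           or declared != len(entries))
    return report


def build_sample(duplicate=False, trailing=b""):
    """Construct a tiny APK-shaped ZIP in memory (made-up sample, not a real build)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
            zf.writestr("res/drawable-mdpi/abs__ic_go.png", b"\x89PNG\r\n\x1a\n")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00" + b"\xff" * 16)
    return buf.getvalue() + trailing


if __name__ == "__main__":
    for label, sample in (("clean", build_sample()),
                          ("duplicate classes.dex", build_sample(duplicate=True)),
                          ("563 trailing bytes", build_sample(trailing=b"\x00" * 563))):
        print(label, audit_zip(sample))
```

To run it against real files, call `audit_zip(open(path, "rb").read())` on both APKs and diff the two reports. A duplicate entry is the finding to chase first: extract both copies by offset and compare them, since that is the case where a signature check and an installer can disagree. Trailing bytes or a declared-entry mismatch on their own explain why two ZIP parsers disagree but are not proof of tampering, as repackaging tools also produce such archives.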
