
New Stalkerware 'Mobile Tracker Free' Targets Victims

Stalkerware is the digital equivalent of following someone 24/7 and eavesdropping on their conversations.
Stalkerware use has been on the rise in situations of domestic abuse; one BBC report cites an individual (Amy) whose husband had been tracking her every move. It gives the perpetrator (the person controlling the stalkerware) complete visibility of the victim's mobile device and all of its data.
In this research article we demonstrate the stalkerware app Mobile Tracker Free and its capabilities, and expose a technical security flaw in its code. The flaw we found in Mobile Tracker Free could leave your contacts and your social media messages from the likes of WhatsApp, Telegram and Instagram exposed to every other app and process on your device.

The stalkerware application Mobile Tracker Free boasts of its ability to “track employees to increase their productivity” and “monitor child’s whatsapp without them knowing”. It has the capacity to constantly monitor the following:

  • Location
  • Stream live video
  • Stream live audio
  • Read SMS, MMS
  • Monitor calls
  • Read social media messages (Instagram, Facebook, Whatsapp, Telegram, Snapchat, Youtube, Tinder, Gmail and more)
  • Track clipboard
  • Screen record at any time
  • Track web history

Infection

In order to infect a victim's device with Mobile Tracker Free, an account must be created on the Mobile Tracker Free website. That account is the operator's access to the SaaS command and control (C2) platform behind the stalkerware. Once signed up through this portal, a polished dashboard prompts for installation of the Mobile Tracker APK on the target device and provides detailed instructions for doing so.
There are even professional-looking videos released by Mobile Tracker Free on YouTube to help individuals with nefarious intentions infect their victims' phones. At the time of writing, one video tutorial has over 1.4 million views and 3,200 likes.

Once downloaded, the file app-download.apk is installed onto the device by com.google.android.packageinstaller, the system package installer used for any APK opened from the web browser. It appears on Android as an application titled “Download Mobile Tracker Free”. Its manifest permits it to communicate with its servers in plaintext (i.e. without encryption).

This app's purpose isn't to do the tracking or to talk to the C2 server; it is the dropper. Its job is to disable Android's built-in anti-malware (Google Play Protect), grant itself permission to install apps from unknown sources, and download the app which performs the stalking.

Image: decompiled code in com.mtf.d launching the intent that lets the app install from unknown sources.

Once this prep work is complete, this dropper then installs m.secu.children the intended Stalkerware payload.

The dropper app com.mtf.d is permitted to use plaintext communication because of the following setting in its Android manifest: android:usesCleartextTraffic="true". In practice, though, it downloads m.secu.children over a TLS-encrypted connection.

Download of m.secu.children over TLS encrypted link

After m.secu.children is installed, it requests that the dropper be uninstalled to remove any trace of the infection from the device. Within traced, we store these install events for later analysis.

Tracking Capability

Although the device infection is sneaky, things get rather scary once m.secu.children is installed on the device.
First, m.secu.children performs an extensive permission grab, so that it stays as hidden as possible while holding every permission it needs to function.

Screenshot of granted permissions of m.secu.children within traced app
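The dropper's manifest settings above (android:usesCleartextTraffic="true", the unknown-sources install flow) and the payload's permission grab can both be spotted statically before the APK ever runs. The script below is an example added to this article, not code from Mobile Tracker Free or from traced; it audits a decoded AndroidManifest.xml (as produced by apktool) for those traits. The three manifests it runs over are constructed for illustration: only the package names com.mtf.d and m.secu.children and the "Download Mobile Tracker Free" label come from the article, and the threshold of four surveillance permissions is an assumed heuristic, not a rule from the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Fully qualified name of an android:<name> attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions behind the capabilities the article lists for the payload.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "live video / photos",
    "android.permission.RECORD_AUDIO": "live audio",
    "android.permission.READ_SMS": "read SMS/MMS",
    "android.permission.RECEIVE_SMS": "SMS remote control",
    "android.permission.READ_CALL_LOG": "call monitoring",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "stored images and files",
}

# Required on Android 8+ before an app can open the "install unknown apps" setting.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def audit_manifest(xml_text):
    """Return the package name, its declared permissions and a list of findings."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    perms = {p.get(android_attr("name")) for p in root.findall("uses-permission")}
    findings = []

    app = root.find("application")
    if app is not None and app.get(android_attr("usesCleartextTraffic")) == "true":
        findings.append("usesCleartextTraffic=true: app may talk to its servers without TLS")

    if INSTALL_PERM in perms:
        findings.append("REQUEST_INSTALL_PACKAGES: app can sideload further APKs (dropper behaviour)")

    surveillance = [why for perm, why in SURVEILLANCE_PERMS.items() if perm in perms]
    # A messenger legitimately holds a few of these; the full set is a monitoring app.
    # The threshold of four is an assumed heuristic.
    if len(surveillance) >= 4:
        findings.append("surveillance permission set: " + ", ".join(surveillance))

    return {"package": package, "permissions": sorted(perms), "findings": findings}


# Constructed manifests standing in for the dropper and payload (not the real files).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mtf.d">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Download Mobile Tracker Free"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="m.secu.children">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# A constructed ordinary messenger: a few of the same permissions, no finding expected.
MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Messenger"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, PAYLOAD_MANIFEST, MESSENGER_MANIFEST):
        result = audit_manifest(manifest)
        print(result["package"], "->", result["findings"] or "no findings")
```

Run it over a real decoded manifest with `audit_manifest(open("AndroidManifest.xml").read())`. The cleartext flag and REQUEST_INSTALL_PACKAGES are each strong on their own for an app that arrived via the browser rather than the Play Store; the permission count is only a prompt to look closer, since a legitimate messenger or parental-control app can hold several of the same permissions.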

Once this permission grab is through, we see our victim (my OnePlus 3T test device) calling back to the Mobile Tracker Free command and control SaaS platform. The dashboard displays my location, accurate to the last minute, along with battery and online status.

Once we drill down further into the console, we start to see every aspect of my life displayed through my mobile device. Luckily for me, this is simply a test device.

It starts with all of my device's stored images.

The stalkerware lets the attacker live stream the victim's camera, audio and screen at any time.

Image of the live streaming capability of Mobile Tracker
Live stream of the victim’s camera (Excuse the angry face, stalkerware tends to have that effect on us here at traced Ltd)

The app is also capable of accessing a large array of social media messaging on the device.

You might wonder about the end-to-end encryption these messaging apps use and why it isn't protecting your private messages from your stalker. WhatsApp and other messaging apps do encrypt your data in transit, but on your device the message store sits in plain text, readable by anything running with sufficient privilege. Once the device is compromised, it is open to the attacker.
Below we see the code Mobile Tracker uses to grab WhatsApp's msgstore.db, which holds every message sent and received on the device, and wa.db, which holds the WhatsApp contacts. The app writes shell commands into a Java DataOutputStream attached to a shell process it spawns (DataOutputStream is a stream class, not a shell API in itself; it is simply the channel the app uses to drive the shell). Because another app's private data directory cannot be read without root, that shell must be running with elevated privileges. The commands copy the contents of the WhatsApp databases to a local file which the app then has direct access to.
Setting its sinister purpose aside for a moment, the capabilities of this stalkerware are impressive and, as a fellow programmer, one has to admire the engineering. That said, whilst traversing the code we discovered a misguided use of a recursive chmod 777 on the directory where the copied WhatsApp databases are placed, a location chosen so that m.secu.children can reach them. The copies Mobile Tracker has made locally for later sync are therefore readable and writable by everyone on the device (any process or user), not just the stalkerware.

Code analysis of the ability to obtain access to the whatsapp database files.

Looking further, we found the app performing the same copy-and-chmod on the databases of the following apps:

  • Facebook Messages
  • Viber
  • Google
  • Instagram
  • Kik
  • Skype
  • Telegram
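The recursive chmod 777 described above leaves a condition that is easy to test for: a SQLite file with the "other" read bit set somewhere outside the owning app's private directory. The script below is an example added to this article, not code from Mobile Tracker Free or from traced; it walks a directory tree and reports every .db file any user or process could read, and builds a constructed sample tree that mimics the stalkerware's backup directory beside a properly private copy. Only the filenames msgstore.db and wa.db come from the article; the directory names and the SQLite header bytes are invented for the demonstration, and the article does not name the directory Mobile Tracker actually writes to.

```python
import os
import stat
import tempfile

# Database files the article names; anything else ending in .db is still reported.
KNOWN_DBS = {
    "msgstore.db": "WhatsApp messages",
    "wa.db": "WhatsApp contacts",
}


def world_readable_dbs(root):
    """Walk `root` and return (filename, description, mode) for every .db file
    whose 'other' read bit is set, i.e. readable by any process on the device."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".db"):
                continue
            path = os.path.join(dirpath, fn)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IROTH:
                hits.append((fn, KNOWN_DBS.get(fn, "other SQLite database"), oct(mode)))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for the device: one directory treated the way the
    stalkerware treats its backup copies (chmod -R 777) and one kept private."""
    base = tempfile.mkdtemp(prefix="mtf-demo-")
    leaked = os.path.join(base, "backup")
    private = os.path.join(base, "private")
    for d in (leaked, private):
        os.makedirs(d)
    header = b"SQLite format 3\x00"  # a real copy would be a full SQLite database
    for fn in ("msgstore.db", "wa.db"):
        with open(os.path.join(leaked, fn), "wb") as fh:
            fh.write(header)
    with open(os.path.join(private, "msgstore.db"), "wb") as fh:
        fh.write(header)
    # What the stalkerware does: recursive chmod 777 on its backup directory.
    os.chmod(leaked, 0o777)
    for fn in os.listdir(leaked):
        os.chmod(os.path.join(leaked, fn), 0o777)
    # What a copy should look like if it must exist at all: owner-only access.
    os.chmod(private, 0o700)
    os.chmod(os.path.join(private, "msgstore.db"), 0o600)
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    for fn, what, mode in world_readable_dbs(tree):
        print("%s (%s) is world-readable: mode %s" % (fn, what, mode))
```

On a real device the equivalent one-liner from an adb shell is `find <dir> -name '*.db' -perm -o+r`, with `<dir>` set to wherever the suspect app keeps its copies. The mode check is the point: a 0o600 copy inside a private directory is still a copy the stalkerware can exfiltrate, but a 0o777 copy is also readable by every other app on the device, which is the extra exposure the article describes.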

If the victim's device is offline, Mobile Tracker Free also provides a method of remotely controlling the device over SMS.

Protection

Make sure that you're as well protected as you can be from stalkerware. You may not know that your device is infected; by its very nature stalkerware is designed to be evasive.
As our strapline says, we aim to make the invisible visible here at traced. Below is a screenshot of the stalkerware using the camera, accessing location and accessing the microphone on my device.

If you find yourself in a situation where you think Stalkerware is lurking on your device, you have two options:

  1. Search through the list of installed apps in Settings and attempt to uninstall any which appear malicious.
  2. Download and install the free traced app, look for malicious behaviour, and see your highest-risk installed apps.
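For anyone checking a device over adb rather than through Settings, the package manager lists every third-party package together with the package that installed it, which covers apps that hide their launcher icon. The script below is an example added to this article, not code from traced or Mobile Tracker Free; it parses the output of `adb shell pm list packages -3 -i`, flags the two package names the article identifies, and separately flags anything that did not come from the Play Store. The output it parses is constructed, not captured from a device, and the packages other than com.mtf.d and m.secu.children are invented for the sample.

```python
PLAY_STORE = "com.android.vending"

# Package names the article identifies for Mobile Tracker Free.
KNOWN_STALKERWARE = {
    "com.mtf.d": "Mobile Tracker Free dropper ('Download Mobile Tracker Free')",
    "m.secu.children": "Mobile Tracker Free payload",
}

# Constructed output of `adb shell pm list packages -3 -i`; not from a real device.
SAMPLE_PM_OUTPUT = """package:com.whatsapp  installer=com.android.vending
package:m.secu.children  installer=com.google.android.packageinstaller
package:org.telegram.messenger  installer=com.android.vending
package:com.example.notes  installer=null
"""


def parse_pm_list(text):
    """Map package name -> installer package ('null' when Android recorded none)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _sep, rest = body.partition("installer=")
        result[pkg.strip()] = rest.strip() or "null"
    return result


def triage(packages):
    """Flag known stalkerware first, then anything not installed from the Play Store."""
    findings = []
    for pkg, installer in packages.items():
        if pkg in KNOWN_STALKERWARE:
            findings.append((pkg, "known stalkerware: " + KNOWN_STALKERWARE[pkg]))
        elif installer != PLAY_STORE:
            findings.append((pkg, "sideloaded (installer=%s), review manually" % installer))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, note in triage(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(pkg, "->", note)
```

Two caveats. A sideloaded package is not malicious by itself (an alternative app store or a developer build shows up the same way), so the second rule is a prompt to inspect, not a verdict. And because the dropper uninstalls itself once m.secu.children is in place, on an infected device you should expect to see only the payload, installed by com.google.android.packageinstaller, exactly as the article observed.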