Malicious Life Podcast: ToTok, Part 1: How to Convince Someone to Download Spyware Transcript:
Two months ago, Jeff Bezos was hacked when the Crown Prince of Saudi Arabia sent him a malware-laced WhatsApp message.
“[Roy Akerman] And while reading this and pressing a specific link that was attached or video that was attached to this WhatsApp message, a hidden process or like a code execution has been done in this device which installed a remote Trojan or remote agent on Bezos’ iPhone X.”
This is Roy Akerman, VP of Product Incubation at Cybereason.
“[Roy Akerman] Now, since then the report mentions that a lot of – vast amount of megabytes and gigabytes poured out of this device and they didn’t conclude what exactly was collected but it was a lot of data, personal data of Bezos including messages and pictures that was shared with his lover.”
You probably heard of the Bezos hack. It’s a great story. One of the world’s most powerful leaders hacking one of the world’s most powerful men. To those of us in cybersecurity, the story rang differently. An iPhone X–typically thought of as one of the world’s most secure devices–and WhatsApp–one of the world’s most popular, mainstream apps–were both compromised.
Mobile is no longer on the fringe of cybersecurity.
“[Roy Akerman] Mobile hacking tools are now a basic tool, preliminary and basic tool in every Western intel-organization that we have there. Mobile is considered as the next generation endpoint. Mobile is considered as a great replacement for you know just like installing a hidden mic on apartments.”
Too little of the discourse around cybersecurity takes mobile threats into account. And we, here at Malicious Life, are part of the problem. We did about sixty episodes before getting to mobile malware, in our episode on spyware. That was too long a wait.
So, to make up for lost time, we’re dedicating three episodes to one case study in the complexity, popularity and dangerousness of mobile malware. So, listen on. It’s in your interest. Because, let’s face it: if the world’s richest man can be hacked with a simple text message, so can you. Who knows? Maybe it’s already happened…
PATRICK WARDLE
“[Patrick Wardle] My name is Patrick Wardle. I am a Principal Security Researcher at Jamf and also the creator of the Mac security website and tool suite Objective-See.”
Patrick Wardle is the guide for our show today. He’s a nice guy, probably in small part because he gets to live in sunny Hawaii. That’s far away from where the rubber hits the road in international cyberespionage. Late last year, though, he was approached by the New York Times. They needed his help with an investigation. Our Senior Producer, Nate Nelson, asked him about it.
“[Nate Nelson] Now, I don’t want this to come up through our way, but why did The New York Times call on you instead of anyone else in the security world?
[Patrick Wardle] That’s an excellent question. I have a long history focusing exclusively on Apple security, predominantly Mac but also iOS. So I spent a lot of time analyzing iOS applications. I’ve reported vulnerabilities to Apple in iOS that have received CVEs. The Mac side, they don’t have a lot of Mac malware analysis with that nation state tools. And I think also the fact that I used to work for the National Intelligence – National Security Agency, pardon, the NSA might also have played into the decision.
Finally, I’ve done some joint research before with the New York Times looking at various cyber espionage operations. So there was kind of an existing relationship already there.”
The story that led to Patrick’s investigation began when an official in U.S. intelligence tipped off the New York Times to a peculiar app. The app was called “ToTok.”
TOTOK POPULARITY
ToTok was very popular. Only a few months after release, it had over five million downloads from the Google Play store. In Apple’s app store it was the number four messaging app worldwide, just behind WhatsApp at number three.
“[Patrick Wardle] So the interesting thing because ToTok really came out of nowhere in the sense that you know I would say about a year ago, basically, wasn’t even in existence.”
Looking at the app itself, it’s not obvious what made ToTok so popular. It was just a messaging app, with no features you couldn’t find in other apps. Its interface was nearly identical to WhatsApp’s.
So what was it that made ToTok so popular, so quickly? The answer: nothing good.
The app’s distinguishing feature was the audience it reached: citizens of the United Arab Emirates.
“[Patrick Wardle] The reason it became so popular in the UAE and this is part of the genius of the whole operation is that in the UAE, the government has banned the majority of messaging applications, for example, Skype, WhatsApp. So it’s very difficult for citizens within the UAE to actually communicate among themselves and then also communicate with their friends, families, relatives outside. So ToTok was the exception, surprise, surprise, in the sense that it was fully functional within the UAE, so almost overnight gained this massive popularity. I believe it became the number one messaging social media app within the UAE.”
The overwhelming majority of ToTok’s customer base originated from the UAE. Many of its customers outside of the UAE had family in the country, whom they could now finally speak to, without any barriers in their way, for the first time in, really, ever.
In that sense, ToTok was a massive humanitarian achievement.
“[Patrick Wardle] Over a few months, very surprising and this was solely because the fact that it worked within UAE where the majority of other messaging applications did not. We also saw instances where the media in that country, in that region would review this application or recommend this application so there was a lot of media coverage as well. So that media coverage coupled with the fact that it provided the citizens with a way to communicate in both within the country and externally made it the number one social networking application in the region in the UAE.”
Now, had ToTok remained exclusively an Emirati phenomenon, we may not have heard so much about it so soon. But what happened, instead, is a story common to the startup world. Its quick initial rise in popularity drew attention. Enough people in or related to people in the UAE downloaded it, to where it became one of the world’s most popular messaging apps, at which point individuals with no connection whatsoever to the country began downloading it themselves, just to see what the hype was about. Soon it was one of the fastest-growing apps in the United States.
“[Patrick Wardle] So I think this is again the main reason why the American Intelligence individual came forward to the New York Times to kind of provide this information. My guess and again, this is just a hypothetical guess is that as ToTok became so popular, Americans started using this application, for example, to communicate with their friends and relatives perhaps in the UAE and that’s when you know from an American Intelligence point of view a line perhaps had been crossed at that.”
At this point, dear listeners, it might not surprise you to learn that this highly successful app came with a catch.
ToTok wasn’t just a popular messaging service–it was a little too popular, a little too close to powerful people who don’t have a good track record on free speech and independent media. It was a free and open communications app, in a country where Skype and WhatsApp are banned for being free and open communications apps. It was being promoted in the state-run news media.
ToTok was clearly not just any startup.
JAILBREAKING THE iPHONE
Patrick’s job, then, was simple: to break into the app, and figure out what was really going on.
“[Patrick Wardle] Actually, it’s rather difficult to analyze applications or any part of iOS and this is kind of interesting. iOS is an incredibly secured device, but a negative aspect of this and this is kind of paradoxical is this actually makes the device basically a black box in a way you don’t really know what’s going on, right?
So say you want to analyze an application. Well, apps obviously come from the iOS App Store. But when you download them they are encrypted which means you can’t just pull them onto, for example, a PC or Mac and then look at the binary code because it’s all encrypted. So what you actually have to do is you have to jailbreak your iPhone using an exploit or vulnerability and then you can install debugging tools and analysis tools.
So again, this is rather problematic from a security point of view because this means, say the New York Times comes to you and says, “Hey, there’s this application that we want you to analyze to look at the bones to analyze its internal to look at the binary code.””
In order to view the code behind ToTok, Patrick had to jailbreak his phone.
“[Patrick Wardle] Luckily, there was a very popular jailbreak or vulnerability called Checkra1n which had recently been released by jailbreak community. And that allowed me to jailbreak an older version of an iPhone I had, an older iPhone running iOS I believe it was 13 at the time or perhaps 12. And from that with this jail-broken device, I was then able to dump the now decrypted code and that allowed me to analyze the device, rather the application.
In conjunction, I was then also able to install analysis tools on the now jail-broken iOS device. So I could for example watch what files the application accessed, what network traffic it generated, et cetera, et cetera.”
DIRTY JOB
Now, listeners, I have a theory. It’s about what we mentioned before: why Patrick was called upon by the New York Times investigative team.
I think this is the real reason why Patrick was involved in the case. It wasn’t just that he’s an expert in iOS security. The ToTok investigation was wading into legally dubious territory. This was a dirty job.
In fact, the job was so messy that responsibility had to be passed down twice over. The New York Times only got the scoop because even more powerful people couldn’t handle the story themselves.
“[Patrick Wardle] You know it’s a really interesting way that the intelligence committee can use the press in a very positive way because you know it’s unlikely that the Intelligence community can go directly, for example, to Apple or to Google and say, “Hey, you need to remove this application.” There’s probably some legal issues there where the state just leak something to the press and then press can basically run with it, have someone like me to look at the application or do their own investigation. It’s then New York Times that’s uncovering this operation and then Google and Apple are more likely to then take that seriously or take steps to mitigate that.”
Patrick was a hired gun–the guy you hire in a movie to get the job done, even if it requires some rules to be broken. It’s funny, actually, because Patrick wouldn’t make for a great movie hitman. He’s a super nice guy.
“[Nate Nelson] What are you looking for before you even find anything?
[Patrick Wardle] Yeah, that’s another excellent question. And that really depends on the ultimate goal of what I’m analyzing. So say I’m analyzing a piece of malware. What I want to know for that piece of malware is how it got on the system, how it persists, how it installed itself, what’s its payload, right, what’s its interest then and then perhaps, what servers or data it’s connecting to and exfiltrate it.
In the context of an application that may be spying on users, I just want to kind of gain a comprehensive understanding of what the application is doing perhaps behind the scenes. So for example, on your iOS device, there’s a lot of sensitive information. For example, photos, use your geolocation which obviously updates as you move around, there’s all your contacts, other applications that have sensitive information.”
After cracking his phone open, Patrick could view what was really happening under the veil of ToTok’s seemingly ordinary interface. His first, most glaring discovery was that ToTok’s code, really, wasn’t its own.
YEECALL/INTERNAL CODE
“[Patrick Wardle] It looked like it was packaged or built on top of existing code, specifically the code or this product, it looked like it was built on top of was called YeeCall, that’s Y-E-E-C-A-L-L. And there were some strings, some class names, some indications, for example, Facebook ID’s that would tie back to YeeCall.
YeeCall turns out to be a company that is – developed a messenger app called YeeCall. And as I said, it looked like what ToTok was, was simply a repackaging of this application.”
Ironically, YeeCall is a lot like ToTok: a messaging and calling app created in an authoritarian country, China, where similar apps like Skype and WhatsApp are banned in order to tamp down free speech and/or promote internal companies.
Nonetheless: that ToTok was basically just YeeCall with a new paint coating doesn’t, necessarily, indicate anything shady. In a country like the UAE, where private sector programming talent is scarce, purchasing another company’s code may just be good business.
What this does indicate is that ToTok wasn’t really a normal business. Typically, a startup needs some good idea: an innovation which separates their product or service from the rest. That’s how you get customers to use your app. It’s as if ToTok’s creators were aware, from the beginning, that they didn’t need to create something unique to get customers.
“[Patrick Wardle] So it was kind of interesting and didn’t point anything malicious per se but again, kind of comes along with a narrative that this application wasn’t built from the ground up. It really looked like somebody quickly wanted to have an application that could be used, for example, in the UAE where all of the other applications were blocked.”
Oddly enough, there wasn’t anything particularly amiss about the rest of the code.
“[Patrick Wardle] The rest of the code was fairly standard you know kind of what you would expect in a messaging application.”
“[Patrick Wardle] So I have to say there was no backdoors, no malware, no exploits embedded in the code. This was not surprising because if you’re going to build an application that is going to be approved for the iOS App Store, Apple does a fairly decent job analyzing those applications to make sure they don’t contain malware, exploits or backdoors.”
NETWORK TRAFFIC
After the code yielded only one major insight, and no malicious activity, the next step was to investigate network traffic: not how the app worked, but how it was being used.
“[Patrick Wardle] So network traffic was probably the most interesting. And the first thing I noticed is the information it was sending it to was again a server in the UAE which again tied this application to – likely tied this company – this application to a company in the UAE. So if we look at the fingerprint for the SSL certificate, the location, the region was set to Abu Dhabi. Again, tied to ToTok you know kind of again tying the application to that region of the world.
Other things that the application did that we can see from the network traffic was first and foremost, it would take the user’s entire address book and exfiltrate that to this server and it would do those multiple times. So for example, when you would restart the application or look after certain time period, perhaps when you would start the phone, it would take your address book and this is your – all your contacts, their phone numbers, their email addresses, everything in that address book and send that up to the server.
Now, I do want to make a point that legitimate applications, messaging applications do often need access to perhaps your contacts to perhaps find other friends. But it’s slightly unusual to see one just kind of sucking up the entire address book and uploading that or exfiltrating that again multiple times.”
ToTok was gathering an unusual amount of customer data that it didn’t need. But in an age where companies gather and track our data in ways we can’t even know of, this isn’t necessarily so far out of the realm of normalcy.
“[Patrick Wardle] If you look at the application with kind of blinders on, meaning you just look at the binary code or just look at the functionality of the application. It really, in a sense, is not doing anything massively wrong. You know, kind of oversteps, right? It kind of maybe it’s a little aggressive about gathering your address book, perhaps using your location and other such things. But compared to like a piece of malware, it’s essentially fully benign.”
So, in the end, maybe ToTok was just another, ordinary app after all.
Ah…what’s that? I think I can hear someone, listening to our episode on a train near Edinburgh in Scotland. He sounds pissed.
“Wait, Ran, are you serious? I just listened to 25 minutes of a podcast, just to learn that this app I’ve never heard of before actually wasn’t that interesting?”
“[Patrick Wardle] But again, I want to caveat all that. That is when you’re solely looking at the application kind of in a vacuum, not at the broader picture of, for example, who’s behind the said application.”
This last point is key. A knife in the hand of a chef is a tool. But if it’s late at night, and you’re in an alleyway, and someone wearing a facemask pulls out a knife, they’re not about to chop carrots.
According to the New York Times, ToTok was not, in fact, a private enterprise, but a UAE government enterprise. The app wasn’t actually built to make money. Its proprietors had ulterior motives.
STEPS: HOW TO GET PEOPLE TO DOWNLOAD SPYWARE
Recall that we named this episode of our podcast “How to Convince Someone to Download Spyware.” Well, if you wanted to know how, here you go–here’s how:
Step one: ban an entire market. Lay the groundwork for a monopoly.
Step two: devise a suitable app for that market. Gather as much data as can be reasonably explained away.
Step three: mask the origins of your app, to make it difficult for investigators to trace its origins.
Step four: publish the app, and market it aggressively with advertising, and perhaps a healthy dose of fake social media posts and reviews.
“[Patrick Wardle] So in a way, you know you can write a fully legitimate application that’s going to pass both Apple and Google’s analysis because it doesn’t have any malware, doesn’t have any backdoors, it’s not doing anything suspicious. It’s going to get into the Google Play Store and the iOS App Store where users are trustingly going to download this and recommend it to their friends and then it’s going to become incredibly widespread and popular.
Then behind the scenes, the developers of the application or the sponsors of the applications are going to then be able to see perhaps all this data, all this traffic. So yes, Android and iOS is barely secure and difficult to hack. But you know this approach using a legitimate application essentially sidesteps all of that because at the end of the day if you have a legitimate application that’s providing you with user’s locations, their contact information, perhaps their photos, what they’re saying, who they’re talking to, really, what more do you need?
So you know from their point of view, this is a genius approach, right? Really likely cost them you know a mere percentage, a mere slice of what it would buy – what it would cost to buy for example remote exploit chain against iOS.”
ToTok is cheap, easy, highly effective, and basically legal. It’s malware, but it’s not. Ask two people, and they’ll give you different answers. After the Times expose, Apple and Google banned it from their app stores. Then, not long after, Google actually let it back on. Then, later, they banned it again. If you can confuse Google that badly, you know you pulled off something genius.
But do you want to know why it’s really genius? Like really, really genius? Because even if you know all of this–even if you’ve listened to both of these Malicious Life episodes, in their entirety–ToTok still wins.
“[Nate Nelson] I could imagine if I were UA citizen – a UAE citizen, maybe what I’d be willing to trade my privacy for an open and robust chat app when there are none others available to me. I’m not suggesting that the citizens of that country should be content with it. But you know, can we really blame them for taking what they can get and if this app really does do what it says it does then what is this? What are we talking about?
[Patrick Wardle] Yeah. That is an excellent question. That is why I’m so intrigued by this because in a way, it really redefines perhaps what is malware and what is not.
I’m not surprised that both this application became so popular and likely that it will continue to retain its popularity because again if there’s no other options for the average citizen, they are going to default to this perhaps even knowing who is behind that. And you know I think in a way that’s really problematic and kind of sad but again, I understand why that approach might be taken.”
What masterminds could’ve come up with such a devilishly deceitful plan?
“[Bill Marczak] So that’s a really interesting question.”
Coming up on Malicious Life: the people behind ToTok, as told by the person who found them.