[Android] HushSMS removed from Google Play Store and AndroidPit

Wow! That was a day. On December 03, 2013 Google as well as AndroidPit decided to remove (final decision) HushSMS from their stores. AndroidPit didn’t even send me an email or something. Google complained about some policy violations like that it’s a dangerous app. Well that’s bullshit. Coincidentally, they patched the Class0 SMS vulnerability in the Android source (https://android-review.googlesource.com/#/c/71102/) discovered by Bogdan Alecu a few hours before they pulled HushSMS from the Play Store.
A few days before all that, Bogdan came up with the idea of writing a protection app for the vulnerability prior to making it public during DefCamp. I wrote the app (Class0Firewall) and released it for free and of course without ads in the Google Play Store so that owners of the vulnerable Nexus devices can protect themselves.
Hey Google, that’s not the right way to say: “Thank you for protecting my Nexus Device customers.”
What disturbs me most is the fact that there are other SMS programs in the Play Store that are able to send Flash or Class0 messages. HushSMS is nothing illegal, nor does it abuse the GSM network. Come on Google, read the 3GPP TS23.040 Technical realization of the Short Message Service and the OMA WAP Papers. Compare the specifications to the features of HushSMS and discover that there is nothing dangerous with it. Sorry Google, I forgot that it’s easier to remove something than to use the brain device and think.

[Android] HushSMS now with Tasker Action Plugin

I have integrated a Tasker Action Plugin. You can now define an action in Tasker to send a Class0 (Flash) SMS or Replace Messages. You will receive a Toast message if the SMS is sent and the usual notification icon if the message was delivered successfully.

If you want more message types to be available in Tasker just write me an email or a comment and I will see what I can do.

[Android] HushSMS Xposed Helper Module

With a million thanks to rovo89 for the Xposed Framework, and androcheck from the XDA-Developers Community!!!

I’m proud to announce the availability of an Xposed Module for HushSMS which allows devices without the specific API method to send all message types.

Requirements:
- Root (for Xposed to work)
- Installed and working version of the Xposed Framework (from here: http://forum.xda-developers.com/showthread.php?t=1574401)

How to use it:
Download and install the Module (from here). Current version is 1.7.4. Go into Xposed Framework and then into modules and enable the module. Reboot your device. You’re done! Please send yourself a class 0 message first to see if everything is working as expected. If you see a message text which contains “allyourmessagesarebelongtous” then something went wrong with the Xposed module. Please verify that the module is enabled and you have rebooted your device. If it is still not working please send me the debug log from Xposed. You can find it under /data/xposed/debug.log or /data/data/de.robv.android.xposed.installer/og/debug.log

HushSMS currently cannot check if the module is loaded, so you will have to take a look yourself in the Xposed Framework. Don’t blame me if you sent out messages without having the module enabled! :-)

[Android] HushSMS ROOT Edition released

UPDATE: This App will no longer be maintained. Please use the Xposed Plugin instead

I am aware of so many users wanting all HushSMS features for their devices even if their ROM does not provide the API. Well, the wait is over…if you’re willing to switch to a CM based ROM.

(INFO: If you have access to the ROM signing keys for the ROM you use, you can simply unsign the HushSMS-ROOT.apk and re-sign it with the signing keys from your ROM and everything should be fine. At least in theory, as I have not tried this way.)

Why only CM?

Short answer: Because the app has to be a system app and the signing keys for CM are public.

Long answer: The sendRawPdu API was removed ages ago and only some devices, like HTC ones with Sense, still have it available. There is still one class that has this API method available: the SMSDispatcher class. Unfortunately this class is hidden and internal, making it available only to system apps. To become a system app, the app in question has to be signed with the manufacturer’s key and needs to be installed in the /system/app path. This key is only available for CM and obviously not for original ROMs like those from Samsung, LG or HTC.

HushSMS ROOT Edition only supports three types of messages. To be exact these are the ones that are missing in the market version on devices which do not support the above mentioned API method. Why not all message types you ask? Well, HushSMS ROOT Edition needs to use the following in the Manifest to function properly:

android:sharedUserId="android.uid.phone"

and

android:process="com.android.phone"

This is necessary to access the SMSDispatcher. Unfortunately the com.android.phone UID is not allowed to use the permission android.permission.SEND_SMS, which is needed to use the sendData API method, because the check in the IccSmsInterfaceManager class is done with enforceCallingPermission instead of enforceCallingOrSelfPermission. Because of this the permission requested by HushSMS ROOT Edition is ignored. So why the hell am I not reflecting this method from the SMSDispatcher also? Because it is declared abstract and cannot be reflected.
As you see above I really tried my best to get this working as comfortably as possible, but I am limited to what the OS allows me to do with its APIs.
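
The difference between the two checks, as a simplified Python model added here for illustration (it is not HushSMS or Android framework code; the class name, PIDs and UIDs are constructed). A "calling" check only honours a caller that arrives over IPC from another process, so code running inside the phone process itself is denied even when its UID holds the permission:

```python
# Simplified model of Android's caller-permission checks; not framework code.
from dataclasses import dataclass

GRANTED, DENIED = 0, -1
SEND_SMS = "android.permission.SEND_SMS"

@dataclass(frozen=True)
class Caller:
    pid: int
    uid: int

class ServiceProcess:  # hypothetical process hosting a permission-guarded service
    def __init__(self, pid, uid, grants):
        self.me = Caller(pid, uid)
        self.grants = grants      # uid -> set of granted permissions
        self.ipc_caller = None    # set only while an incoming IPC is served

    def calling(self):
        # Outside an incoming IPC the "calling" identity is the process itself.
        return self.ipc_caller or self.me

    def check(self, perm, uid):
        return GRANTED if perm in self.grants.get(uid, set()) else DENIED

    def check_calling_permission(self, perm):
        caller = self.calling()
        if caller.pid == self.me.pid:   # no IPC in progress: "self" never passes
            return DENIED
        return self.check(perm, caller.uid)

    def check_calling_or_self_permission(self, perm):
        return self.check(perm, self.calling().uid)

    def serve_ipc(self, caller, guard):
        self.ipc_caller = caller
        try:
            return guard(SEND_SMS)
        finally:
            self.ipc_caller = None

def demo():
    phone_uid, app_uid = 1001, 10050    # constructed sample UIDs
    phone = ServiceProcess(500, phone_uid, {phone_uid: {SEND_SMS}, app_uid: {SEND_SMS}})
    return {
        "ipc_from_other_app": phone.serve_ipc(Caller(4242, app_uid), phone.check_calling_permission),
        "in_process_calling": phone.check_calling_permission(SEND_SMS),
        "in_process_calling_or_self": phone.check_calling_or_self_permission(SEND_SMS),
    }
```
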

So how do you install this app on your shiny CM powered device now?

I made a post over at XDA dev which I will c&p here for simplicity’s sake.

- Make sure you have installed the official play store version. HushSMS ROOT Edition will not work without the official version installed.
- Download HushSMS-ROOT.apk from here
- Copy it to your PC/MAC
- Connect your phone via USB
- Open a console and change to the dir where you saved the file
- Type “adb root” (without the quotes of course)
- Then type “adb remount”
- Then type “adb push HushSMS-ROOT.apk /system/app/”

After that you should be able to start the app right from your drawer. If you can’t see it just reboot your device.

You will now be able to send the following message types:
- Class 0 (Flash SMS)
- Type 0 (Silent Ping)
- Message Waiting Indicator for Voice Messages activation and deactivation messages

If something goes wrong, feel free to contact me. I’m always willing to help and fix things as soon as I get a chance.

PS: If you can open the app but nothing happens if you try to send a message double check that you have the official play store version of HushSMS installed.

Cheers

[HowTo] Install Metasploit (and other useful stuff) under archlinuxarm on your Android device

A thread on XDA-Devs by user flashdrv [1] caught my attention on this topic. I read through the blog entry from Lance R. Vick [2] mentioned there and looked at the stuff on archlinux.org [3]. This was something that I wanted. So let’s start getting it up:

- On your linux workstation (or bootable cd) download the Archlinuxarm disk image for exynos (= my galaxy note 10.1, or for other cpus see here: http://archlinuxarm.org/platforms) here: http://archlinuxarm.org/os/ArchLinuxARM-odroidx-latest.img.gz

- Other platforms might have a TAR file instead of a full disk image. In this case skip a few steps and head over to lrvick’s guide below.

- install (#sudo apt-get install kpartx), unpack the image and use kpartx as follows:

#gunzip ArchLinuxARM-odroidx-latest.img.gz
#kpartx -l ArchLinuxARM-odroidx-latest.img
loop0p1 : 0 8191 /dev/loop0 1
loop0p2 : 0 106496 /dev/loop0 8192
loop0p3 : 0 6291456 /dev/loop0 114688

#kpartx -a -v ArchLinuxARM-odroidx-latest.img
add map loop0p1 (253:0): 0 8191 linear /dev/loop0 1
add map loop0p2 (253:1): 0 106496 linear /dev/loop0 8192
add map loop0p3 (253:2): 0 6291456 linear /dev/loop0 114688

#mkdir /mnt/archlinuxarm
#mount /dev/mapper/loop0p3 /mnt/archlinuxarm
#cd /mnt/archlinuxarm
#tar czf archlinux.tgz ./*

- copy and extract the resulting tgz to your device (folder /data/local/arch)

#cd /data/local/arch
#tar xzf archlinux.tgz

- now follow the excellent guide at http://lrvick.net/blog/arch_linux_terminals_in_android/

- after everything is up and running do the following to get metasploit installed (you have to already be in the archlinuxarm chroot)
- pulling the msf svn will take some hours so relax and take a nap or do something else

#pacman -S ruby
#pacman -S zlib
#pacman -S uniconvertor
#pacman -S subversion
#cd /opt
#svn co https://www.metasploit.com/svn/framework3/trunk/ msf3
#cd msf3/
#./msfconsole

- you’re done if you can see the msfconsole running
- go and install additional packages like
  - nmap (#pacman -S nmap)
  - kismet (#pacman -S kismet)
  - aircrack-ng (#pacman -S aircrack-ng)
  - ettercap (#pacman -S ettercap)
  - etc. (you can search for packages here: http://archlinuxarm.org/packages)

- If you get a problem that your user cannot access network stuff see [4]

- If you want DB support in metasploit you can do it as follows:
  - Install some needed stuff

#pacman -S postgresql
#pacman -S gcc
#pacman -S make
#gem install pg

- This will allow you to set up the db and use it in Metasploit (google for the setup procedure)

References:
[1] http://forum.xda-developers.com/showthread.php?t=2015812
[2] http://lrvick.net/blog/arch_linux_terminals_in_android/
[3] http://archlinuxarm.org/
[4] https://blog.tuinslak.org/socket-permission-denied

[Android] HushSMS got cracked again. Do I care? No! Should you? Yes! (read why)

Well,
first of all thanks to the crackers (I’m sure you’re reading this some day). You drew some more attention to my App.

So my App got cracked (again) and I simply do not care. Why you ask? Because I personally don’t mind if you use a manipulated App from an untrusted source that can send out messages and thus costs you money. But why should you care?
To make it short: This App is developed with maximum caution to not cause you any harm or generate costs by accidentally sending thousands of messages that will cost you a lot of money. So if you use the cracked version of HushSMS there is no guarantee that the protection mechanisms are still valid and you will not lose money by improper code.

Additionally a general note on using cracked Apps: Android Apps are written in Java. They can be decompiled, manipulated and recompiled easily. Thus you will never know if the cracked App you use contains malicious code or malware, and you will not become aware of it because malware writers are clever too…

However, if you can’t afford the small fee for buying HushSMS (or any other App) from an official source you should simply continue to use the cracked version and risk losing money, get scammed by malicious code or get assimilated by a Borg collective :-)

[Security Advisory] Samsung leaves its Android Smartphones with WAP-Push Feature Open to Attacks (one sms to rule them all)

Samsung is currently the biggest smartphone vendor in the world. Their Android based smartphones also have the largest market share among all vendors.

They recently updated multiple devices to Android 4.0.x and more are on the waitlist. Android Smartphones with ICS from Samsung support WAP Push messages to enable the user to receive Logos, Ringtones etc.

The default setting for WAP Push messages is “always accept”, which leaves these Smartphones open to attacks.

There are two kinds of WAP Push Messages:

Attack 1.) Service Indication Message (SI) will present a message on the device with an embedded URL. The user can open the message and follow the URL with one click.

The sender’s number is not displayed by the device. The user is unable to verify who sent this message and whether the contained link can be trusted. This leaves room for social engineering, phishing or, if an exploit exists, a compromise of the whole device. Obviously this kind of SMS also allows malicious people to send anonymous messages to their victims.

Attack 2.) Service Load Message (SL) will allow a provider to push software updates to the device or let logos or ringtones be pushed to the device.

A service load message can be configured in the way it should be received by the target device. Among others, one option is to force the target device to load the defined content from a URL without interacting with the user. Again the sender’s number is not displayed by the device. If such a forced message is received by the device it will open the default browser and either display the URL defined in the message or download the targeted payload from the URL. This can be any file type, even an APK. In case of an APK the user is asked whether to install the file. If sideloading is activated in the device settings the provided file will be installed.
If the browser contains a vulnerability this kind of message can be used to fully compromise the device.

Risk Mitigation: Open the SMS App and press Menu -> Settings. Go to “Push message settings” and either disable the service or, if you need it, set “Service loading” to “Prompt” or “Never”. To test if your device is vulnerable you can use HushSMS for Android to send WAP Push SI and WAP Push SL messages.


Screenshot of a received WAP Push SI message.

[APP] Raider – A special use case backup tool ;-)

Just finished the work on the initial release of Raider. Like I wrote in the last post this tool is inspired by p2p-adb from Kyle Osborn, so all creds go to him. This app requires root and adb installed on the device. You can find adb for arm7 here. I successfully tested Raider on my Xoom running Honeycomb 3.2 and on my Galaxy Tab running ICS. As target I used several rooted phones which all could be “backed up”.

This is the initial work I’ve done on this topic. The app is not threaded currently so if something goes wrong…

All backup files go to the device’s sdcard (internal or external) and the filenames begin with raider-xxx.tar

Enjoy it and leave a comment if you like it (else just go ahead).

Grab it while it is on the play store

[Android] Work in progress: Raider – A phone to phone adb app based on @theKos’s idea

Yesterday Kyle Osborn tweeted a method to use adb on an Android device with USB host to connect to another Android device which has debugging enabled. The scripts he kindly made available (source available at github) look promising and I decided to write an app for exactly the purpose he posted about. I already started development but am currently unable to test as I’m on a business trip and don’t have enough gadgets with me to test (lack of usb-otg cable and second Android device). Looks like in the future I’ll have to carry more luggage just in case stuff like this comes out again when I’m on the road.
However, expect a first beta to be out in a week when I’m back.