- Spying on FlexiSPY
- Security Vulnerabilities in FlexiSPY
- Injecting Spoofed Content into the Backend
- FlexiSPY Ass-u-mes Log Files Integrity
FlexiSPY is considered malware by numerous security professionals, not to mention the antivirus industry. While there might be some cases in which a solution like this can be applied ethically, not to mention legally, the product really stretches the notion of a valid consumer product.
Ironically, when it comes to security the FlexiSPY product promises much more than it really delivers on.
In this section we'll look at at least two issues in the product that make using FlexiSPY a bit risky.
Weak Encryption: Information Disclosure
As we mentioned in the previous section, the details of the application are secured in an "encrypted" settings file. This file is located in a very predictable location \Windows\VPhone\setting, which makes it simple to find and extract.
For example, it would be trivial to prepare an SD card loaded with an Autorun feature programmed to copy the settings file to the card. Or it could just be pulled off via an ActiveSync connection. The problem is that if the content of this file is susceptible to deciphering, then the target can easily turn the tables on the person who installed the software.
If there is one thing the target should not have access to, it is the passkey required to open the control panel. Ironically, this particular data is the first piece of encrypted data stored in the settings file.
Specifically, the following breaks down how to locate and decipher this key:
f&r g&v f&u f&y h&r g&v
If we look at it in its HEX equivalent, we can note a pattern (## 26 ## 20 ## 26 ## 20...):
66 26 72 20 67 26 76 20 66 26 75 20 66 26 79 20 68 26 72 20 67 26 76
Unfortunately, this string of characters can easily be deciphered into the registration code by applying two simple rules.
The first: subtract 0x36 from the character on the left side of the "&". The second: subtract 0x41 from the character on the right side of the "&".
The end result? The deciphered key:
```
Encrypted:  66 26 72 20  67 26 76 20  66 26 75 20  66 26 79 20  68 26 72 20  67 26 76
Subtract:  -36    -41   -36    -41   -36    -41   -36    -41   -36    -41   -36    -41
Result:     30     31    31     35    30     34    30     38    32     31    31     35
Digits:      0      1     1      5     0      4     0      8     2      1     1      5   = 011504082115
```
Once this value is decrypted, the target can simply dial that number with a preceding "*#" to gain access to the FlexiSPY control panel, where they can view information about the person who installed the program.
This includes the mobile number that is permitted to remotely monitor the device, the phone numbers in the watch list, and what the software is monitoring.
Hijacking the FlexiSPY Solution
Having the ability to decrypt this file also leads to one other notable issue: the FlexiSPY solution can be hijacked by someone with malicious intent. This is possible because the logging and update server web addresses are both stored in the settings file.
If someone alters these values to a custom value, they can redirect the log posting away from FlexiSPY's web server backend to their own.
The following lists all the various values that can be easily adjusted in the settings file:
- mobile.flexispy.com/service
- mobile.aabackup.info/service
- mobile.000-111-222-333.info/service
- mobile.111-222-333-444.info/service
- mobile.222-333-444-555.info/service
- mobile.333-444-555-666.info/service
- mobile.444-555-666-777.info/service
- mobile.555-666-777-888.info/service
- mobile.666-777-888-999.info/service
- mobile.777-888-999-111.info/service
- mobile.888-999-111-222.info/service
- mobile.999-111-222-333.info/service
- vervata.com/t4l-mcli/cmd/productactivate
- aabackup.com/t4l-mcli/cmd/productactivate
- 000-111-222-333.com/t4l-mcli/cmd/productactivate
- 111-222-333-444.com/t4l-mcli/cmd/productactivate
- 222-333-444-555.com/t4l-mcli/cmd/productactivate
- 333-444-555-666.com/t4l-mcli/cmd/productactivate
- 444-555-666-777.com/t4l-mcli/cmd/productactivate
- 555-666-777-888.com/t4l-mcli/cmd/productactivate
- 666-777-888-999.com/t4l-mcli/cmd/productactivate
- 777-888-999-111.com/t4l-mcli/cmd/productactivate
- 888-999-111-222.com/t4l-mcli/cmd/productactivate
- 999-111-222-333.com/t4l-mcli/cmd/productactivate
The following code will allow you to decrypt your own file:
```php
<?php
// THIS FUNCTION BORROWED BY adlerweb AT
// http://www.thescripts.com/forum/thread519762.html
function ascii2hex($ascii) {
    $hex = '';
    for ($i = 0; $i < strlen($ascii); $i++) {
        $byte = strtoupper(dechex(ord($ascii[$i])));
        $byte = str_repeat('0', 2 - strlen($byte)) . $byte; // zero-pad to two hex digits
        $hex .= $byte;
    }
    return $hex;
}

// THIS FUNCTION BORROWED BY adlerweb AT
// http://www.thescripts.com/forum/thread519762.html
function hex2ascii($hex) {
    $ascii = '';
    $hex = str_replace(" ", "", $hex);
    for ($i = 0; $i < strlen($hex); $i = $i + 2) {
        $ascii .= chr(hexdec(substr($hex, $i, 2)));
    }
    return $ascii;
}

$lines = array();
$orgString = '';
$breakFlag = 'off';

$handle = @fopen('<input file>', "r");
if ($handle) {
    while (!feof($handle)) {
        $lines[] = fgets($handle, 4096);
    }
    fclose($handle);

    foreach ($lines as $value) {
        $temp = ascii2hex($value);
        $lineArray = str_split($temp, 2); // one hex byte per element
        // $i is the byte index into the line (the original loop never set it)
        foreach ($lineArray as $i => $char) {
            if (($char == "26") and (isset($lineArray[$i + 2]) && $lineArray[$i + 2] == "20")) {
                // full "X& Y " pair: left byte minus 0x36, right byte minus 0x41
                $orgString = $orgString . hex2ascii($lineArray[$i - 1]) . hex2ascii($char) . hex2ascii($lineArray[$i + 1]);
                print hex2ascii(dechex(hexdec($lineArray[$i - 1]) - 0x36)) . hex2ascii(dechex(hexdec($lineArray[$i + 1]) - 0x41));
                $breakFlag = "on";
            } elseif (($char == "26") and ($i >= 2 && $lineArray[$i - 2] == "20") and (!isset($lineArray[$i + 2]) || $lineArray[$i + 2] != "26")) {
                // trailing unpaired "X&" (odd-length value): only a left byte to decode
                $orgString = $orgString . hex2ascii($char) . hex2ascii($lineArray[$i - 1]);
                print hex2ascii(dechex(hexdec($lineArray[$i - 1]) - 0x36));
                $breakFlag = "on";
            }
            if ($char == "00" and $breakFlag == "on") {
                // a 0x00 byte terminates the current value
                print "<br>"; // .$orgString."<br>";
                $breakFlag = "off";
                $orgString = "";
            }
        }
    }
}
```
The following code will allow you to encrypt your own string, which can be inserted into your own file. Be sure to update the preceding length byte if you do insert a new value.
```php
<?php
// requires ascii2hex() from the decryption script above
$testString = "mobile.flexispy.com/service";
$string = str_split($testString);
$y = 0;
foreach ($string as $char) {
    if ($y % 2 == 0) {
        // left side of a pair: add 0x36, then the '&' (0x26) marker
        print (dechex(hexdec(ascii2hex($char)) + 0x36)) . "26";
    } else {
        // right side of a pair: add 0x41, then the space (0x20) marker
        print (dechex(hexdec(ascii2hex($char)) + 0x41)) . "20";
    }
    $y++;
}
```
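As an added example (not code from the article or from FlexiSPY), the two subtraction rules from the passkey section and the inverse used by the encryption script above, written as a pair of Python functions so the "f&r g&v ..." value can be checked and an odd-length server address round-tripped. The only assumption beyond the article's text is that a 0x00 byte ends a value, taken from the PHP decrypt script's `"00"` check.

```python
# Added example, not the article's or FlexiSPY's own code. Scheme as the
# article describes it: plaintext characters alternate sides; the left
# character of each pair is stored as (c + 0x36) followed by '&' (0x26),
# the right as (c + 0x41) followed by a space (0x20).
LEFT_OFFSET, LEFT_MARK = 0x36, 0x26    # "X&"
RIGHT_OFFSET, RIGHT_MARK = 0x41, 0x20  # "Y "


def encode(plain: bytes) -> bytes:
    """Obfuscate a value the way the settings file stores it."""
    out = bytearray()
    for i, c in enumerate(plain):
        if i % 2 == 0:
            out += bytes([c + LEFT_OFFSET, LEFT_MARK])
        else:
            out += bytes([c + RIGHT_OFFSET, RIGHT_MARK])
    return bytes(out)


def decode(obfuscated: bytes) -> bytes:
    """Reverse encode(). The final marker byte may be absent (odd-length
    plaintext, or a hex dump that leaves off the last space)."""
    # Assumption from the PHP script: 0x00 terminates a value.
    data = obfuscated.rstrip(b"\x00")
    out = bytearray()
    for pos in range(0, len(data), 2):
        # Left halves sit at byte offsets 0, 4, 8, ...; right halves at 2, 6, 10, ...
        left = pos % 4 == 0
        offset, mark = (LEFT_OFFSET, LEFT_MARK) if left else (RIGHT_OFFSET, RIGHT_MARK)
        if pos + 1 < len(data) and data[pos + 1] != mark:
            raise ValueError(f"unexpected marker 0x{data[pos + 1]:02x} at offset {pos + 1}")
        out.append(data[pos] - offset)  # raises ValueError if the byte underflows
    return bytes(out)


def decode_hex(hex_dump: str) -> str:
    """Decode the space-separated hex form shown in the article."""
    return decode(bytes.fromhex(hex_dump)).decode("ascii")
```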