Thursday, April 02, 2015

Smishing Maybe Smashed, but Fake Tache Goes On

Credit to Google Play Store - Combined screen shots of apps purporting to fake SMS and call logs

This post continues the text messaging discussion about examining raw data. Previously the subject was Emotion Icons (http://trewmte.blogspot.co.uk/2015/03/emotion-icons.html) and, more generally, determining the bit-encoding scheme, Unicode, and encrypted messaging hidden within icons sent with messages.

Back in 2012 Android was reported to have a vulnerability in its platform, labelled in the research "Smishing Vulnerability in Multiple Android Platforms (including Gingerbread, Ice Cream Sandwich, and Jelly Bean)" by Xuxian Jiang, Associate Professor, Department of Computing Science, NC State University - http://www.csc.ncsu.edu/faculty/jiang/smishing.html. The research raised two important points:

(1) "This vulnerability allows a running app on an Android phone to fake arbitrary SMS text messages, which will then be received by phone users." ... "The affected platforms that have been confirmed range from Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1)."

The Android Security Team produced a fix for this in Android 4.2, but the research does not confirm whether devices already in the marketplace that continue to use Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1) would also be fixed or would remain vulnerable.

(2) "Note that any app on the phone can fake incoming messages, including both SMS and MMS messages".

By late 2013 Aditya Mahajan, Laxmikant Gudipaty and Dr. M. S. Dahiya continued research beyond the findings of Xuxian Jiang. Their analysis, "Identification of Fake SMS generated using Android Applications in Android Devices" (54d35df10cf28e0697281a74.pdf), concluded that it is possible to show the presence of a potential fake SMS text message based upon the file header content, e.g. the reply paths etc. Moreover, if an original message was deleted but later recovered, and the fake message purporting to represent the original message (but with altered content) were analysed side by side with it, then disparity in the content and in the file header content could assist an investigation. The test case apps used by the authors on a selection of Android smartphones were "SUPER SMS FAKER (SSF)" and "LogMe".

Within our mobile/smartphone examination, forensics and evidence community we are still plagued by the fact that there is a huge range of apps purporting to fake:

- SMS Text Messages
- MMS Messages
- Call Logs
- Etc.

See the Google Play Store search for "Fake Call & SMS & Call Logs": https://play.google.com/store/search?q=Fake%20Call%20%26%20SMS%20%26%20Call%20Logs

The above suggests students and newcomer examiners may be tricked into giving lower scrutiny priority to these sources of evidence. The skillsets available in automated tools to extract and harvest data content from databases, such as the SMS text message history found in e.g. "/data/data/com.android.providers.telephony/databases/mmssms.db", are highly useful, but the message should not be obfuscated when informing students and newcomers to mobile/smartphone examination, forensics and evidence: extracted and harvested data requires deeper analysis. That applies not merely at the investigation/interpretation stage but at the atomic collection stage, too.
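As an added example (not code from this post or from the cited paper), the Python below applies the kind of header-level check described above to a constructed in-memory table mirroring a subset of the `sms` table in mmssms.db. The column names follow the AOSP telephony provider; treating empty transport fields on an inbox row as a cue for closer review is an assumption to validate per handset and Android version.

```python
import sqlite3

# Constructed rows, not from a real device. Columns are a subset of the AOSP
# `sms` table in mmssms.db; type 1 = inbox, type 2 = sent.
SAMPLE_ROWS = [
    # _id, address, date(ms), protocol, reply_path_present, service_center, type, body
    (1, "+447700900001", 1427970000000, 0, 0, "+447700900999", 1, "Running late"),
    (2, "+447700900002", 1427971000000, None, None, None, 1, "I owe you 500"),
    (3, "+447700900003", 1427972000000, None, None, None, 2, "OK thanks"),
]

# Transport-level columns normally populated when an SMS arrives over the
# network (assumption: absent when a row is written by an app instead).
CHECKS = {
    "service_center": "no SMSC address",
    "protocol": "no protocol identifier",
    "reply_path_present": "no reply-path flag",
}

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, "
        "protocol INTEGER, reply_path_present INTEGER, service_center TEXT, "
        "type INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def flag_suspect_inbox_rows(conn):
    """Return {_id: [reasons]} for inbox rows lacking transport-level fields."""
    findings = {}
    # Sent and draft rows legitimately lack these fields, so only inbox is checked.
    for row in conn.execute("SELECT * FROM sms WHERE type = 1 ORDER BY _id"):
        reasons = [why for col, why in CHECKS.items() if row[col] is None]
        if reasons:
            findings[row["_id"]] = reasons
    return findings

if __name__ == "__main__":
    for _id, reasons in flag_suspect_inbox_rows(build_sample_db()).items():
        print(f"sms _id={_id}: review raw record ({', '.join(reasons)})")
```

A flagged row is a prompt to examine the raw record alongside any recovered deleted messages, as the paper's side-by-side comparison suggests; run such checks on a working copy of the extracted database.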

As mentioned previously, viewing harvested data can be a trompe l'oeil (a lie to the eye). A faked SMS text message can be as simple as a perpetrator dressing up an innocent-looking fake message with (metaphorically speaking) a false moustache (fake tache), with an intent to falsify the impression in the message to be communicated.


Fake caption: Heeeyyyy, Briiaan, why the fake moustache? Stu-eey!!!!! I am just off to the bathroom.
