Android - Compromise

[P!X3LTR0N]

Hi guys,

I would like some of your input on this. I have recently had a client where their network was tight. Obviously there were still loopholes, but the security team really knew what they were doing. So i came up with an idea to approach the task from another angle. And this is through the mobile architecture.

Some background about the idea:

So basically the CEO of the client approved a more mobile environment for the company, and they do not bring in laptops to meetings anymore, and most of their tasks are going to be run from mobile apps now. What I want to do is prove to them that mobile devices can be compromised as well. Now, what I want to do is send out an email to the employees in the company (I have obtained a record of all the employees) and tell them that I am the lead developer on one of the apps that they will be using. They then need to log in to my malicous app with their email, which will be hard coded to reject the initial login and redirect them to a new screen which asks them to register. (the credentials are logged by now and I can use their email credentials to read emails).

After this, I want to be able to record, screen print and read messages sent via the users and have it stored on my external hosting server. The problem I am facing is, that due to me knowing when meetings will be scheduled  etc I want to record on specific times. The thing is I have developed apps before that record automatically and that is not really the concern. I want to send the device a command, which does not pop up on the victim device, and I want it to send me a reply to my device stating the command is being executed. Obviously I dont want the device to upload a full day worth of recordings, since this will eat up bandwidth and consume a lot of data, thus exposing the intent.

Now I have done some research about sending the device commands via SMS and reading these resources:
http://www.undernews.fr/wp-content/uploads/2011/05/Shmoocon2011_SmartphoneBotnets_GeorgiaW.pdf
http://www.dtic.mil/dtic/tr/fulltext/u2/a562722.pdf

The main problem I see with this is that the user will see that messages are being sent to his device, stating "recordforgiggles" of "screenshotbecausebitches" and he wont know the number and he might block my cell number.

Have any of you worked on a project such as this? If so any input would be appreciated. I don't want you to write any functions for the program, I am just looking for intellegent approaches to look into this from other angles.

thanks

[techb]

You could make the app a service and have it poll your server for commands like every 30 min or something. A simple GET request wont eat bandwidth and if it sees the command, then it'll just execute in the background since it was installed as a service.

IDK about iOS, but android handles services pretty straight forward:

http://developer.android.com/training/run-background-service/create-service.html

[P!X3LTR0N]

Great!

I think this would work perfectly, IOS is not a concern as of yet since the company's policy is to distribute android mobile devices among the employees. But in the future other clients might use IOS, for that I will try and use the same principles. Thanks for the input.

[gh05t3d]

just a thought! Some like droidjack could let you monitor the cellulars and you can choose wich device you want to monitor and gather sms/calls/contacts and other stuff.