We have collaborated with Amnesty International for whom we have analyzed a new variant of the FinSpy spyware.

Executive summary

By analyzing the sample we found what we suspect to be a new version of the FinFisher’s malware FinSpy for Android.

Even though the malware behavior and capabilities seem to be the same as what it has already been described in the past, this version goes a step further to hide the malware configuration and its capabilities.

This new version we named DexDen has very likely been released between May 2017 and October 2019.

Command and control server associated to the malware configuration is still alive by the time we wrote this report.

In terms of capabilities, the sample we have analyzed is meant to exfiltrate SIM card information, SMS log, call log, calendar events, address book, messages and files from 12 popular messenger applications and to track victim’s location.

This report provides details on how strings are obfuscated, how the communication protocol has evolved and how the extraction of three technical aspects of the malware can give insights on the malware code-base evolution.

Analysis assets & tools on GitHub Report by Amnesty International

Overview

This report focuses on the analysis of the sample described below.

Sample file

Filename	`WIFI.apk`
Size	`2.87MB`
MD5	`79ba96848428337e685e10b06ccc1c89`
SHA-1	`51b31827c1d961ced142a3c5f3efa2b389f9c5ad`
SHA-256	`854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3`
Application name	`wifi`
Package	`org.xmlpush.v3`
Main activity	`org.xmlpush.v3.StartVersion`

Sample certificate

Subject	`CN='MITAS Ltd.'`
Signature Alg.	`rsassa_pkcs1v15`
Validity	`2017-05-27` - `2023-05-26`
Issuer	`CN='MITAS Ltd.'`
Hash Alg.	`sha256`
MD5	`b99ac605872a55e609854176413e603c`
SHA-1	`7c6e4f2e84ebaa8d25040f63d840e14f6f822125`
SHA-256	`8052584eacfd199602b348ef60e20c246ec929d62bc5b85fd0e60ba3205b05a2`

For this analysis we use the following tools:

Aether to analyze CFG
Javalang to parse the Java code
Smalisca to analyze the Smali code
Yara to detect FinSpy variants
FinSpy tools to parse the FinSpy configuration

We share the following assets on our GitHub repository:

java_parser.py to extract obfuscated from Java code
string_decoder.py to decode obfuscated strings
table.ods containing TLV types and decoded strings
FinSpy.yar Yara rules detecting FinSpy variants

Tiny tools

Yara rules

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
rule FinSpy_ConfigInAPK : android apkhideconfig finspy
{
	meta:
		description = "Detect FinFisher FinSpy configuration in APK file. Probably the original FinSpy version."
		date = "2020/08/05"
		reference = "https://github.com/devio/FinSpy-Tools"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"

	strings:
		$re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/

	condition:
		uint32(0) == 0x04034b50 and $re and (#re > 50)
}

rule FinSpy_DexDen : android dexhideconfig finspy
{
	meta:
		description = "Detect FinFisher FinSpy configuration in DEX file. Probably a newer FinSpy variant."
		date = "2020/08/05"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"

	strings:
		$config_1 = { 90 5b fe 00 }
		$config_2 = { 70 37 80 00 }
		$config_3 = { 40 38 80 00 }
		$config_4 = { a0 33 84 }
		$config_5 = { 90 79 84 00 }

	condition:
		uint16(0) == 0x6564 and
		#config_1 >= 2 and 
		#config_2 >= 2 and 
		#config_3 >= 2 and 
		#config_4 >= 2 and 
		#config_5 >= 2
}

rule FinSpy_TippyTime: finspyTT
{
	meta:
		description = "Detect FinFisher FinSpy 'TippyTime' variant."
		date = "2020/08/05"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"
	strings:
		$config_1 = { 90 5b fe 00 }
		$config_2 = { 70 37 80 00 }
		$config_3 = { 40 38 80 00 }
		$config_4 = { a0 33 84 }
		$config_5 = { 90 79 84 00 }
		$timestamp = { 95 E9 D1 5B }

	condition:
		uint16(0) == 0x6564 and
		$timestamp and
		$config_1 and 
		$config_2 and 
		$config_3 and 
		$config_4 and 
		$config_5
}

rule FinSpy_TippyPad: finspyTP
{
	meta:
		description = "Detect FinFisher FinSpy 'TippyPad' variant."
		date = "2020/08/05"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"
	strings:
		$pad_1 = "0123456789abcdef"
		$pad_2 = "fedcba9876543210"

	condition:
		uint16(0) == 0x6564 and
		#pad_1 > 50 and
		#pad_2 > 50
}

Script to plot CFG

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
import networkx as nx
from androguard.misc import AnalyzeAPK
from graphviz import Digraph as dg

apk = '<path to you APK>'
a, d, dx = AnalyzeAPK(apk)
call_graph = dx.get_call_graph()
graph = nx.empty_graph()


def clean_name(name):
    return name[0:name.rfind(')')+1]


graphs = {
    'audio': [
        {
            'class': 'Landroid/media/AudioRecord',
            'method': 'startRecording'
        },
        {
            'class': 'Landroid/media/AudioManager',
            'method': 'setMicrophoneMute'
        },
    ],
    'read_sms_configuration': [
        {
            'class': 'Landroid/telephony/SmsMessage',
            'method': 'getPdu'
        },
        {
            'class': 'Landroid/telephony/SmsMessage',
            'method': 'getMessageBody'
        },
        {
            'class': 'Landroid/telephony/SmsMessage',
            'method': 'getUserData'
        },
        {
            'class': 'Lorg/xmlpush/v3/q/c',
            'method': '<init>'
        },
        {
            'class': 'Lorg/xmlpush/v3/q/c',
            'method': 'a',
            'starts_with': 'Lorg/xmlpush/v3/q/c;->a([Ljava'
        },
    ],
}

for g in graphs:
    fg = dg(engine='dot',
            format='png',
            graph_attr={'overlap': 'orthoxy',
                        'diredgeconstraints': 'true',
                        'splines': 'ortho'},
            node_attr={'shape': 'box',
                       'style': 'filled',
                       'fontcolor': '#212529',
                       'fontsize': '10',
                       'fontname': 'sans-serif'})

    methods = []
    for search in graphs[g]:
        for m in dx.find_methods(methodname=search['method'], classname=search['class']):
            if 'starts_with' in search:
                cm = clean_name(str(m.get_method()))
                if cm.startswith(search['starts_with']):
                    methods.append(m)
            else:
                methods.append(m)

    for m in methods:
        fg.node(clean_name(str(m.get_method())), color='#985e6d', fontcolor='white')
        ancestors = nx.ancestors(call_graph, m.get_method())
        ancestors.add(m.get_method())
        graph = call_graph.subgraph(ancestors)
        for n, d in graph.in_degree():
            if d == 0:
                fg.node(clean_name(str(n)), color='#494e6b', fontcolor='white')
        for u, v in graph.edges:
            fg.edge(clean_name(str(u)), clean_name(str(v)))

    fg.render(g)

A suspected new FinSpy version

FinSpy capabilities and technical aspects are widely documented online. In this section we focus on what we suspect to be clues of a new version of FinSpy for Android.

To do so, we investigate on the following parameters:

location of the FinSpy configuration
string obfuscation
local socket address generation
unknown TLV types

Configuration storage

As far as we know, FinSpy stores its configuration into APK metadata. It was well documented and extraction tools are available online:

The sample we investigate on shows that the FinSpy configuration is stored into the DEX file.

FinSpy configuration stored into the DEX

Even if existing extraction tools failed to extract the configuration from the DEX, parsing tools succeeded to parse it. The structure of the configuration remains the same, only its storage location has changed.

We name this FinSpy variant DexDen.

String obfuscation

As far as we know, FinSpy strings defined in its code are not obfuscated. The sample we analyze is different, all Java strings are obfuscated. Each Java class using strings implements the following 2 Java methods:

String OOOoOoiIoIIiO0o01I1I00(final int index) returning the obfuscated string as bytes at the given index.
byte[] i1IlIil011Iiil(final byte[] array, final byte[] array2) decoding an obfuscated string.

Example of obfuscated strings and the two decoding TippyPads

Example of the Java method decoding obfuscated strings

Strings are decoded by XORing of the obfuscated one with one of the two pads. The pad is selected according to the index mod 2. Pads are the same for all Java classes using strings:

0123456789abcdef
fedcba9876543210

We have developed a Python script parsing the entire Java code to retrieve obfuscated strings java_parser.py and one to decode them string_decoder.py.

We denote this kind of string obfuscation TippyPad for short.

Local socket address generation

FinSpy uses Unix socket to communicate between threads. The local socket address is generated by hashing the values of the following system properties:

ro.product.model
ro.product.brand
ro.product.name
ro.product.device
ro.product.manufacturer
ro.build.fingerprint

An utility method meant to encode data and generate local socket address uses the timestamp 1540483477 corresponding to Thu 25 October 2018 16:04:37 UTC. Java method generating local socket address is listed below.

Java method generating the local socket address

We denote this kind of address generation TippyTime for short.

Unknown TLV types

After leaks about FinFisher and FinSpy, community has reversed the different TLV values used in data marshaling/unmarshaling to ensure a common data format between C2s and implants. These values are available online: https://github.com/devio/FinSpy-Tools/blob/master/Android/finspyCfgParse.py

The FinSpy version we analyze seems to be using unknown TLV values. To get some meaning about the different unknown TLV values, we reversed existing values. We were able to detect semantic groups based on the binary representation of these values.

The Python script we developed recovers groups based on existing values. Then parses the sample Smali code to extract unknown TLV values. We used a patched version of Smalisca to do so. We have extracted the following suspected unknown TLV values. The entire list of TLV and groups is available in the GitHub repository.

To determine the group the TLV value belongs to just mask that value with 0xFFFFF800.

Group ID	Group name	TLV value	Known TLV	TLV name
64	drives all get	131488	✔	TlvTypeGetAllDrivesRequest
64	drives all get	131744	✔	TlvTypeGetAllDrivesReply
66	contents folder get	135328	✔	TlvTypeGetFolderContentsRequest
66	contents folder get	135584	✔	TlvTypeGetFolderContentsReply
66	contents folder get	135840	✔	TlvTypeGetFolderContentsNext
66	contents folder get	136096	✔	TlvTypeGetFolderContentsEnd
68	download file	139424	✔	TlvTypeDownloadFileRequest
68	download file	139680	✔	TlvTypeCancelDownloadFileRequest
68	download file	139936	✔	TlvTypeDownloadFileReply
68	download file	140192	✔	TlvTypeDownloadFileNext
68	download file	140448	✔	TlvTypeDownloadFileEnd
68	download file	140704	✔	TlvTypeCancelDownloadFileReply
70	upload file	143520	✔	TlvTypeUploadFileRequest
70	upload file	143776	✔	TlvTypeCancelUploadFileRequest
70	upload file	144032	✔	TlvTypeUploadFileReply
70	upload file	144288	✔	TlvTypeUploadFileNext
70	upload file	144544	✔	TlvTypeUploadFileEnd
70	upload file	144800	✔	TlvTypeUploadFileCompleted
70	upload file	145056	✔	TlvTypeCancelUploadFileReply
72	delete file	147616	✔	TlvTypeDeleteFileRequest
72	delete file	147872	✔	TlvTypeDeleteFileReply
74	search file	151968	✔	TlvTypeSearchFileRequest
74	search file	152224	✔	TlvTypeSearchFileReply
74	search file	152480	✔	TlvTypeSearchFileNext
74	search file	152736	✔	TlvTypeSearchFileEnd
74	search file	152992	✔	TlvTypeCancelSearchFileRequest
74	search file	153248	✔	TlvTypeCancelSearchFileReply
78	fs	159888	✔	TlvTypeFSFileDataChunk
78	fs	160128	✔	TlvTypeFSDiskDrive
78	fs	160384	✔	TlvTypeFSFullPath
78	fs	160640	✔	TlvTypeFSFilename
78	fs	160896	✔	TlvTypeFSFileExtension
78	fs	161088	✔	TlvTypeFSDiskDriveType
78	fs	161408	✔	TlvTypeFSFileSize
78	fs	161584	✔	TlvTypeFSIsFolder
79	fs	161840	✔	TlvTypeFSReadOnly
79	fs	162096	✔	TlvTypeFSHidden
79	fs	162352	✔	TlvTypeFSSystem
79	fs	162688	✔	TlvTypeFSFileCreationTime
79	fs	162944	✔	TlvTypeFSFileLastAccessTime
79	fs	163200	✔	TlvTypeFSFileLastWriteTime
79	fs	163472	✔	TlvTypeFSFullPathM
79	fs	163632	×	unknown
82	system config file	168096	✔	TlvTypeGetFileSystemConfigRequest
82	system config file	168352	✔	TlvTypeFileSystemConfigReply
82	system config file	168608	✔	TlvTypeSetFileSystemConfigRequest
128	line cmd	262560	✔	TlvTypeStartCmdLineSessionRequest
128	line cmd	262816	✔	TlvTypeStartCmdLineSessionReply
128	line cmd	263072	✔	TlvTypeStopCmdLineSessionRequest
128	line cmd	263328	✔	TlvTypeCmdLineSessionStoppedReply
128	line cmd	263584	✔	TlvTypeCmdLineExecute
128	line cmd	263840	✔	TlvTypeCmdLineExecutionResult
130	line cmd execute	266352	✔	TlvTypeCmdLineExecuteCommand
130	line cmd execute	266560	✔	TlvTypeCmdLineExecuteAnswerID
130	line cmd execute	266864	✔	TlvTypeCmdLineExecuteAnswerData
146	line config cmd	299168	✔	TlvTypeGetCmdLineConfigRequest
146	line config cmd	299424	✔	TlvTypeCmdLineConfigReply
146	line config cmd	299680	✔	TlvTypeSetCmdLineConfigRequest
160	config scheduler	328096	✔	TlvTypeGetSchedulerConfigRequest
160	config scheduler	328352	✔	TlvTypeSchedulerConfigReply
160	config scheduler	328608	✔	TlvTypeSetSchedulerConfigRequest
162	task scheduler	331920	✔	TlvTypeSchedulerTask
162	task scheduler	332192	✔	TlvTypeSchedulerTaskRecordByTime
162	task scheduler	332448	✔	TlvTypeSchedulerTaskRecordScreenWhenAppRuns
162	task scheduler	332704	✔	TlvTypeSchedulerTaskRecordMicWhenAppUsesIt
162	task scheduler	332960	✔	TlvTypeSchedulerTaskRecordWebCamWhenAppUsesIt
176	sch	360592	✔	TlvTypeSCHTaskConfiguration
176	sch	360752	✔	TlvTypeSCHTaskEnabled
176	sch	361344	✔	TlvTypeSCHTaskStartDateTime
176	sch	361600	✔	TlvTypeSCHTaskStopDateTime
176	sch	362112	✔	TlvTypeSCHApplicationName
176	sch	362288	✔	TlvTypeSCHApplicationWindowOnly
512	microphone	1048992	✔	TlvTypeStartMicrophoneRequest
512	microphone	1049248	✔	TlvTypeStartMicrophoneReply
512	microphone	1049504	✔	TlvTypeMicrophoneFrame
512	microphone	1049760	✔	TlvTypeStopMicrophoneRequest
512	microphone	1050016	✔	TlvTypeMicrophoneStoppedReply
512	microphone	1050272	✔	TlvTypeStartMicrophoneRecording
514		1052736	✔	TlvTypeMICFrameID
514		1053072	✔	TlvTypeMICFrameData
514		1053312	✔	TlvTypeAudioSessionType
514		1053568	✔	TlvTypeAudioEncodingType
518	audio config	1061024	✔	TlvTypeGetAudioConfigRequest
518	audio config	1061280	✔	TlvTypeAudioConfigReply
518	audio config	1061536	✔	TlvTypeSetAudioConfigRequest
520	type video	1066112	✔	TlvTypeVideoSessionType
520	type video	1066368	✔	TlvTypeVideoEncodingType
544	screen	1114528	✔	TlvTypeStartScreenRequest
544	screen	1114784	✔	TlvTypeStartScreenReply
544	screen	1115040	✔	TlvTypeScreenFrame
544	screen	1115296	✔	TlvTypeStopScreenRequest
544	screen	1115552	✔	TlvTypeScreenStoppedReply
544	screen	1115808	✔	TlvTypeStartScreenRecording
548	cam web	1122720	✔	TlvTypeStartWebCamRequest
548	cam web	1122976	✔	TlvTypeStartWebCamReply
548	cam web	1123232	✔	TlvTypeWebCamFrame
548	cam web	1123488	✔	TlvTypeStopWebCamRequest
548	cam web	1123744	✔	TlvTypeWebCamStoppedReply
548	cam web	1124000	✔	TlvTypeStartWebCamRecording
550	config video	1126560	✔	TlvTypeGetVideoConfigRequest
550	config video	1126816	✔	TlvTypeVideoConfigReply
550	config video	1127072	✔	TlvTypeSetVideoConfigRequest
552		1130560	✔	TlvTypeVDFrameID
552		1130896	✔	TlvTypeVDFrameData
552		1131136	✔	TlvTypeOriginalVideoResolution
552		1131392	✔	TlvTypeVideoResolution
552		1132160	✔	TlvTypeAutomaticRecordingUID
576	key logging	1180064	✔	TlvTypeStartKeyLoggingRequest
576	key logging	1180320	✔	TlvTypeStartKeyLoggingReply
576	key logging	1180576	✔	TlvTypeKeyLoggingFrame
576	key logging	1180832	✔	TlvTypeStopKeyLoggingRequest
576	key logging	1181088	✔	TlvTypeKeyLoggingStoppedReply
582	config keylogger	1192096	✔	TlvTypeGetKeyloggerConfigRequest
582	config keylogger	1192352	✔	TlvTypeKeyloggerConfigReply
582	config keylogger	1192608	✔	TlvTypeSetKeyloggerConfigRequest
584	kl frame data	1196416	✔	TlvTypeKLFrameData
640	skype	1311136	✔	TlvTypeSkypeAudioMetaInfo
640	skype	1311376	✔	TlvTypeSkypeAudioRecording
640	skype	1311648	✔	TlvTypeSkypeTextRecording
640	skype	1311904	✔	TlvTypeSkypeFileMetaInfo
640	skype	1312144	✔	TlvTypeSkypeFileRecording
640	skype	1312416	✔	TlvTypeSkypeContactsRecording
640	skype	1312640	✔	TlvTypeSkypeContactsUserData
646	config skype	1323168	✔	TlvTypeGetSkypeConfigRequest
646	config skype	1323424	✔	TlvTypeSkypeConfigReply
646	config skype	1323680	✔	TlvTypeSetSkypeConfigRequest
646	config skype	1324336	✔	TlvTypeConfigSkypeAudioEnable
646	config skype	1324592	✔	TlvTypeConfigSkypeTextEnable
646	config skype	1324848	✔	TlvTypeConfigSkypeFileEnable
647	config contacts enable list skype	1325104	✔	TlvTypeConfigSkypeContactsListEnable
648	skype	1327232	✔	TlvTypeSkypeAudioEncodingType
648	skype	1327488	✔	TlvTypeSkypeLoggedInUserAccountName
648	skype	1327744	✔	TlvTypeSkypeConversationPartnerAccountName
648	skype	1328000	✔	TlvTypeSkypeConversationPartnerDisplayName
648	skype	1328256	✔	TlvTypeSkypeChatMembers
648	skype	1328512	✔	TlvTypeSkypeTextMessage
648	skype	1328768	✔	TlvTypeSkypeChatID
648	skype	1329024	✔	TlvTypeSkypeSenderAccountName
649	skype	1329280	✔	TlvTypeSkypeSenderDisplayName
649	skype	1329536	✔	TlvTypeSkypeIncoming
649	skype	1329792	✔	TlvTypeSkypeSessionType
704	changed file	1442208	✔	TlvTypeChangedFileMetaInfo
704	changed file	1442432	✔	TlvTypeChangedFileChangeTime
704	changed file	1442688	✔	TlvTypeChangedFileChangeEvent
704	changed file	1442960	✔	TlvTypeChangedFileRecording
710	config changed	1454240	✔	TlvTypeGetChangedConfigRequest
710	config changed	1454496	✔	TlvTypeChangedConfigReply
710	config changed	1454752	✔	TlvTypeSetChangedConfigRequest
710	config changed	1454912	✔	TlvTypeConfigChangedEvents
736		1507744	✔	TlvTypeAccessedFileMetaInfo
736		1507968	✔	TlvTypeAccessedFileAccessTime
736		1508224	✔	TlvTypeAccessedFileAccessEvent
736		1508496	✔	TlvTypeAccessedFileRecording
736		1508736	✔	TlvTypeAccessedApplicationName
736		1508912	✔	TlvTypeConfigRecordImagesFromExplorer
742	accessed config	1519776	✔	TlvTypeGetAccessedConfigRequest
742	accessed config	1520032	✔	TlvTypeAccessedConfigReply
742	accessed config	1520288	✔	TlvTypeSetAccessedConfigRequest
742	accessed config	1520448	✔	TlvTypeConfigAccessedEvents
768	print	1573280	✔	TlvTypePrintFileMetaInfo
768	print	1573520	✔	TlvTypePrintFrame
772	print	1581184	✔	TlvTypePrintApplicationName
772	print	1581440	✔	TlvTypePrintFilename
772	print	1581696	✔	TlvTypePrintEncodingType
774	print config	1585312	✔	TlvTypeGetPrintConfigRequest
774	print config	1585568	✔	TlvTypePrintConfigReply
774	print config	1585824	✔	TlvTypeSetPrintConfigRequest
800	deleted	1638816	✔	TlvTypeDeletedFileMetaInfo
800	deleted	1639296	✔	TlvTypeDeletedFileDeletionTime
800	deleted	1639552	✔	TlvTypeDeletedFileRecycleBin
800	deleted	1639808	✔	TlvTypeDeletedMethod
800	deleted	1640064	✔	TlvTypeDeletedApplicationName
800	deleted	1640336	✔	TlvTypeDeletedFileRecording
806	config deleted	1650848	✔	TlvTypeGetDeletedConfigRequest
806	config deleted	1651104	✔	TlvTypeDeletedConfigReply
806	config deleted	1651360	✔	TlvTypeSetDeletedConfigRequest
1024	application upload forensics	2097568	✔	TlvTypeUploadForensicsApplicationRequest
1024	application upload forensics	2097824	✔	TlvTypeUploadForensicsApplicationReply
1024	application upload forensics	2098080	✔	TlvTypeUploadForensicsApplicationChunk
1024	application upload forensics	2098336	✔	TlvTypeUploadForensicsApplicationDoneRequest
1024	application upload forensics	2098592	✔	TlvTypeUploadForensicsApplicationDoneReply
1026	application remove forensics	2101664	✔	TlvTypeRemoveForensicsApplicationRequest
1026	application remove forensics	2101920	✔	TlvTypeRemoveForensicsApplicationReply
1028	app forensics execute	2105760	✔	TlvTypeForensicsAppExecuteRequest
1028	app forensics execute	2106016	✔	TlvTypeForensicsAppExecuteReply
1028	app forensics execute	2106272	✔	TlvTypeForensicsAppExecuteResult
1028	app forensics execute	2106528	✔	TlvTypeForensicsAppExecuteResultChunk
1028	app forensics execute	2106784	✔	TlvTypeForensicsAppExecuteResultDone
1028	app forensics execute	2107040	✔	TlvTypeForensicsCancelAppExecuteRequest
1028	app forensics execute	2107296	✔	TlvTypeForensicsCancelAppExecuteReply
1030	config forensics	2109600	✔	TlvTypeGetForensicsConfigRequest
1030	config forensics	2109856	✔	TlvTypeForensicsConfigReply
1030	config forensics	2110112	✔	TlvTypeSetForensicsConfigRequest
1032	application config info forensics	2113680	✔	TlvTypeConfigForensicsApplicationInfoGeneric
1032	application config info forensics	2113952	✔	TlvTypeConfigForensicsApplicationInfo
1034	forensics	2117760	✔	TlvTypeConfigForensicsApplicationName
1034	forensics	2117952	✔	TlvTypeConfigForensicsApplicationSize
1034	forensics	2118208	✔	TlvTypeConfigForensicsApplicationID
1034	forensics	2118528	✔	TlvTypeConfigForensicsApplicationCmdline
1034	forensics	2118784	✔	TlvTypeConfigForensicsApplicationOutput
1034	forensics	2118976	✔	TlvTypeConfigForensicsApplicationTimeout
1034	forensics	2119232	✔	TlvTypeConfigForensicsApplicationVersion
1034	forensics	2119552	✔	TlvTypeForensicsFriendlyName
1035	output application config forensics	2119808	✔	TlvTypeConfigForensicsApplicationOutputPrepend
1035	output application config forensics	2120064	✔	TlvTypeConfigForensicsApplicationOutputContentType
1056	vo meta info ip	2163104	✔	TlvTypeVoIPMetaInfo
1058	vo ip	2166912	✔	TlvTypeVoIPEncodingType
1058	vo ip	2167168	✔	TlvTypeVoIPSessionType
1058	vo ip	2167424	✔	TlvTypeVoIPApplicationName
1058	vo ip	2167696	✔	TlvTypeVoIPAppScreenshot
1058	vo ip	2167952	✔	TlvTypeVoIPAudioRecording
1058	vo ip	2168112	✔	TlvTypeConfigVoIPScreenshotEnabled
1062	vo config ip	2175136	✔	TlvTypeGetVoIPConfigRequest
1062	vo config ip	2175392	✔	TlvTypeVoIPConfigReply
1062	vo config ip	2175648	✔	TlvTypeSetVoIPConfigRequest
1088	clicks mouse	2228640	✔	TlvTypeMouseClicksMetaInfo
1088	clicks mouse	2228896	✔	TlvTypeMouseClicksFrame
1090	clicks mouse	2232448	✔	TlvTypeMouseClicksEncodingType
1090	clicks mouse	2232896	✔	TlvTypeConfigMouseClicksRectangle
1090	clicks mouse	2233152	✔	TlvTypeConfigMouseClicksSensitivity
1090	clicks mouse	2233408	✔	TlvTypeConfigMouseClicksType
1094	clicks config mouse	2240672	✔	TlvTypeGetMouseClicksConfigRequest
1094	clicks config mouse	2240928	✔	TlvTypeMouseClicksConfigReply
1094	clicks config mouse	2241184	✔	TlvTypeSetMouseClicksConfigRequest
2112	sms	4325792	✔	TlvTypeMobileSMSMetaInfo
2112	sms	4326016	✔	TlvTypeMobileSMSData
2112	sms	4326256	✔	TlvTypeSMSSenderNumber
2112	sms	4326512	✔	TlvTypeSMSRecipientNumber
2112	sms	4326528	✔	TlvTypeSMSInformation
2112	sms	4326768	✔	TlvTypeSMSDirection
2112	sms	4327040	×	unknown
2144	address book mobile	4391328	✔	TlvTypeMobileAddressBookMetaInfo
2144	address book mobile	4391552	✔	TlvTypeMobileAddressBookData
2152	address book checksum mobile	4407360	✔	TlvTypeMobileAddressBookChecksum
2176	mobile blackberry	4456864	✔	TlvTypeMobileBlackberryMessengerMetaInfo
2176	mobile blackberry	4457088	✔	TlvTypeMobileBlackberryMessengerData
2176	mobile blackberry	4457328	✔	TlvTypeMobileBlackberryMsChatID
2176	mobile blackberry	4457600	✔	TlvTypeMobileBlackberryMsConversationPartners
2208	mobile tracking	4522400	✔	TlvTypeMobileTrackingStartRequest
2208	mobile tracking	4522656	✔	TlvTypeMobileTrackingStopRequest
2208	mobile tracking	4523376	✔	TlvTypeMobileTrackingDataV10
2214	mobile config tracking	4535200	✔	TlvTypeMobileTrackingConfig
2214	mobile config tracking	4535440	✔	TlvTypeMobileTrackingConfigRaw
2216	mobile tracking	4538432	✔	TlvTypeMobileTrackingTimeInterval
2216	mobile tracking	4538688	✔	TlvTypeMobileTrackingDistance
2216	mobile tracking	4538928	✔	TlvTypeMobileTrackingSendOnAnyChannel
2240	mobile call phone	4587936	✔	TlvTypeMobilePhoneCallLogsMetaInfo
2240	mobile call phone	4588192	✔	TlvTypeMobilePhoneCallLogsData
2240	mobile call phone	4588400	✔	TlvTypeMobilePhoneCallLogsType
2240	mobile call phone	4588672	✔	TlvTypeMobilePhoneCallAdditionalInformation
2240	mobile call phone	4588912	✔	TlvTypeMobilePhoneCallLogsCallerNumber
2240	mobile call phone	4589168	✔	TlvTypeMobilePhoneCallLogsCalleeNumber
2240	mobile call phone	4589440	✔	TlvTypeMobilePhoneCallLogsCallerName
2241	name call phone logs mobile callee	4589696	✔	TlvTypeMobilePhoneCallLogsCalleeName
2242	last call phone entry mobile endtime log	4591680	✔	TlvTypeMobilePhoneCallLogLastEntryEndtime
3072	mobile logging	6291872	✔	TlvTypeMobileLoggingMetaInfo
3072	mobile logging	6292096	✔	TlvTypeMobileLoggingData
3616	master agent	7405984	✔	TlvTypeMasterAgentLogin
3616	master agent	7406240	✔	TlvTypeMasterAgentLoginAnswer
3616	master agent	7406752	✔	TlvTypeMasterAgentTargetList
3616	master agent	7407008	✔	TlvTypeMasterAgentTargetOnlineList
3616	master agent	7407264	✔	TlvTypeMasterAgentTargetInfoReply
3616	master agent	7407520	✔	TlvTypeMasterAgentUserList
3617	master agent list	7407776	✔	TlvTypeMasterAgentUserListReply
3617	master agent list	7408032	✔	TlvTypeMasterAgentTargetArchivedList
3617	master agent list	7408288	✔	TlvTypeMasterAgentTargetListEx
3617	master agent list	7408544	✔	TlvTypeMasterAgentTargetOnlineListEx
3617	master agent list	7408800	✔	TlvTypeMasterAgentMobileTargetArchivedList
3617	master agent list	7409056	✔	TlvTypeMasterAgentMobileTargetList
3617	master agent list	7409312	✔	TlvTypeMasterAgentMobileTargetOnlineList
3618		7409824	✔	TlvTypeMasterAgentQueryFirst
3618		7410080	✔	TlvTypeMasterAgentQueryNext
3618		7410336	✔	TlvTypeMasterAgentQueryLast
3618		7410592	✔	TlvTypeMasterAgentQueryAnswer
3618		7410848	✔	TlvTypeMasterAgentRemoveRecord
3618		7411104	✔	TlvTypeMasterAgentTargetInfoExReply
3618		7411344	✔	TlvTypeTargetInfoExProperty
3618		7411616	✔	TlvTypeTargetInfoExPropertyValue
3619		7411840	✔	TlvTypeTargetInfoExPropertyValueName
3619		7411968	✔	TlvTypeTargetInfoExPropertyValueData
3619		7412384	✔	TlvTypeMasterAgentAlarm
3620	master agent	7413920	✔	TlvTypeMasterAgentRetrieveData
3620	master agent	7414176	✔	TlvTypeMasterAgentRetrieveDataAnswer
3620	master agent	7414432	✔	TlvTypeMasterAgentRemoveUser
3620	master agent	7414688	✔	TlvTypeMasterAgentRemoveTarget
3620	master agent	7414944	✔	TlvTypeMasterAgentRetrieveDataComments
3620	master agent	7415200	✔	TlvTypeMasterAgentUpdateDataComments
3620	master agent	7415712	✔	TlvTypeMasterAgentRetrieveActivityLogging
3621	master agent	7415968	✔	TlvTypeMasterAgentRetrieveMasterLogging
3621	master agent	7416224	✔	TlvTypeMasterAgentRetrieveAgentActivityLogging
3621	master agent	7417248	✔	TlvTypeMasterAgentSendUserGUIConfig
3621	master agent	7417504	✔	TlvTypeMasterAgentGetUserGUIConfigRequest
3621	master agent	7417760	✔	TlvTypeMasterAgentGetUserGUIConfigReply
3622	master agent	7418016	✔	TlvTypeMasterAgentProxyList
3622	master agent	7418272	✔	TlvTypeMasterAgentProxyInfoReply
3622	master agent	7419040	✔	TlvTypeMasterAgentNameValuePacket
3622	master agent	7419248	✔	TlvTypeMasterAgentValueName
3622	master agent	7419392	✔	TlvTypeMasterAgentValueData
3622	master agent	7419808	✔	TlvTypeMasterAgentRetrieveTargetHistory
3623	install master agent	7421088	✔	TlvTypeMasterAgentInstallMasterLicense
3623	install master agent	7421344	✔	TlvTypeMasterAgentInstallSoftwareUpdate
3623	install master agent	7421600	✔	TlvTypeMasterAgentInstallSoftwareUpdateChunk
3623	install master agent	7421856	✔	TlvTypeMasterAgentInstallSoftwareUpdateDone
3624	master agent	7422112	✔	TlvTypeMasterAgentSoftwareUpdateInfo
3624	master agent	7422368	✔	TlvTypeMasterAgentSoftwareUpdateInfoReply
3624	master agent	7422624	✔	TlvTypeMasterAgentSoftwareUpdate
3624	master agent	7422880	✔	TlvTypeMasterAgentSoftwareUpdateReply
3624	master agent	7423136	✔	TlvTypeMasterAgentSoftwareUpdateNext
3624	master agent	7423392	✔	TlvTypeMasterAgentAddTimeSchedule
3624	master agent	7423648	✔	TlvTypeMasterAgentAddScreenSchedule
3624	master agent	7423904	✔	TlvTypeMasterAgentAddLockedSchedule
3625	master agent	7424160	✔	TlvTypeMasterAgentRemoveSchedule
3625	master agent	7424416	✔	TlvTypeMasterAgentGetSchedulerList
3625	master agent	7424672	✔	TlvTypeMasterAgentSchedulerTimeAction
3625	master agent	7424928	✔	TlvTypeMasterAgentSchedulerScreenAction
3625	master agent	7425184	✔	TlvTypeMasterAgentSchedulerLockedAction
3625	master agent	7425440	✔	TlvTypeMasterAgentProjectSoftwareUpdateInfo
3625	master agent	7425696	✔	TlvTypeMasterAgentProjectSoftwareUpdateInfoReply
3625	master agent	7425952	✔	TlvTypeMasterAgentProjectSoftwareUpdate
3626	master agent	7426112	✔	TlvTypeMasterAgentSchedulerID
3626	master agent	7426368	✔	TlvTypeMasterAgentSchedulerStartTime
3626	master agent	7426624	✔	TlvTypeMasterAgentSchedulerStopTime
3626	master agent	7427488	✔	TlvTypeMasterAgentAddRecordedDataAvailableSchedule
3626	master agent	7427744	✔	TlvTypeMasterAgentSchedulerRecordedDataAvailableAction
3627	master agent data	7428256	✔	TlvTypeMasterAgentRetrieveRemoteMasterData
3627	master agent data	7428512	✔	TlvTypeMasterAgentRetrieveRemoteMasterDataReply
3627	master agent data	7428768	✔	TlvTypeMasterAgentDeleteRemoteMasterData
3627	master agent data	7429024	✔	TlvTypeMasterAgentRetrieveOfflineMasterData
3627	master agent data	7429280	✔	TlvTypeMasterAgentRetrieveOfflineMasterDataReply
3627	master agent data	7429536	✔	TlvTypeMasterAgentDeleteOfflineMasterData
3628	master agent	7430304	✔	TlvTypeMasterAgentQueryFirstEx
3628	master agent	7430560	✔	TlvTypeMasterAgentQueryNextEx
3628	master agent	7430816	✔	TlvTypeMasterAgentQueryLastEx
3628	master agent	7431072	✔	TlvTypeMasterAgentQueryAnswerEx
3628	master agent	7431328	✔	TlvTypeMasterAgentSendUserPreferences
3628	master agent	7431584	✔	TlvTypeMasterAgentGetUserPreferencesRequest
3628	master agent	7431840	✔	TlvTypeMasterAgentGetUserPreferencesReply
3628	master agent	7432096	✔	TlvTypeMasterAgentListMCFilesRequest
3629	master agent mc	7432608	✔	TlvTypeMasterAgentDeleteMCFiles
3629	master agent mc	7432864	✔	TlvTypeMasterAgentSendMCFiles
3629	master agent mc	7433120	✔	TlvTypeMasterAgentMCStatisticsRequest
3629	master agent mc	7433376	✔	TlvTypeMasterAgentMCStatisticsReply
3629	master agent mc	7433616	✔	TlvTypeMasterAgentMCStatisticsValues
3630	master agent	7434400	✔	TlvTypeMasterAgentTrojanKeyRequest
3630	master agent	7434656	✔	TlvTypeMasterAgentTrojanKeyReply
3630	master agent	7434912	✔	TlvTypeMasterAgentEvProtectionX509Request
3630	master agent	7435168	✔	TlvTypeMasterAgentEvProtectionX509Reply
3630	master agent	7435424	✔	TlvTypeMasterAgentEvProtectionImportCert
3630	master agent	7435680	✔	TlvTypeMasterAgentEvProtectionImportCertCompleted
3630	master agent	7435936	✔	TlvTypeMasterAgentConfigurationRequest
3630	master agent	7436192	✔	TlvTypeMasterAgentConfigurationReply
3631	master agent configuration	7436448	✔	TlvTypeMasterAgentConfigurationUpdateRequest
3631	master agent configuration	7436704	✔	TlvTypeMasterAgentConfigurationUpdateRequestCompleted
3631	master agent configuration	7436944	✔	TlvTypeMasterAgentConfiguration
3631	master agent configuration	7437216	✔	TlvTypeMasterAgentConfigurationValue
3631	master agent configuration	7437424	✔	TlvTypeMasterAgentConfigurationValueName
3631	master agent configuration	7437568	✔	TlvTypeMasterAgentConfigurationValueData
3631	master agent configuration	7437984	✔	TlvTypeMasterAgentConfigurationTransferDone
3632	master agent	7438496	✔	TlvTypeMasterAgentRetrieveTargetFile
3632	master agent	7438752	✔	TlvTypeMasterAgentRetrieveTargetFileAnswer
3632	master agent	7438912	✔	TlvTypeMasterAgentAlarmEntryID
3632	master agent	7439168	✔	TlvTypeMasterAgentAlarmEntryVersion
3632	master agent	7439424	✔	TlvTypeMasterAgentAlarmTriggerFlags
3632	master agent	7439776	✔	TlvTypeMasterAgentGetAlarmList
3632	master agent	7440032	✔	TlvTypeMasterAgentAddAlarmEntry
3632	master agent	7440288	✔	TlvTypeMasterAgentRemoveAlarmEntry
3633	master agent	7440544	✔	TlvTypeMasterAgentAlarmEntry
3633	master agent	7440800	✔	TlvTypeMasterAgentSystemStatus
3633	master agent	7441056	✔	TlvTypeMasterAgentSystemStatusRequest
3633	master agent	7441312	✔	TlvTypeMasterAgentSystemStatusReply
3633	master agent	7441552	✔	TlvTypeMasterAgentLicenseValues
3633	master agent	7441824	✔	TlvTypeMasterAgentLicenseValuesRequest
3633	master agent	7442080	✔	TlvTypeMasterAgentLicenseValuesReply
3634	master agent	7442592	✔	TlvTypeMasterAgentGetNetworkConfigurationRequest
3634	master agent	7442848	✔	TlvTypeMasterAgentSetNetworkConfigurationRequest
3634	master agent	7443104	✔	TlvTypeMasterAgentSetNetworkConfigurationReply
3634	master agent	7443360	✔	TlvTypeMasterAgentRetrieveAllowedModulesList
3634	master agent	7443616	✔	TlvTypeMasterAgentRetrieveAllowedModulesListAnswer
3636	master agent	7446688	✔	TlvTypeMasterAgentRemoveAllTargetData
3636	master agent	7446944	✔	TlvTypeMasterAgentForceDownloadRecordedData
3636	master agent	7447200	✔	TlvTypeMasterAgentTargetCreateNotification
3636	master agent	7447456	✔	TlvTypeMasterAgentMobileTargetInfoReply
3636	master agent	7447696	✔	TlvTypeMasterAgentMobileTargetInfoValues
3638	master agent alert	7450784	✔	TlvTypeMasterAgentAlert
3640	master agent	7454880	✔	TlvTypeMasterAgentAddUser
3640	master agent	7455392	✔	TlvTypeMasterAgentAddUserReply
3640	master agent	7455648	✔	TlvTypeMasterAgentModifyUser
3640	master agent	7455904	✔	TlvTypeMasterAgentSetUserPermission
3640	master agent	7456160	✔	TlvTypeMasterAgentSetTargetPermission
3640	master agent	7456400	✔	TlvTypeMasterAgentUserPermission
3640	master agent	7456656	✔	TlvTypeMasterAgentTargetPermission
3641	master agent	7456928	✔	TlvTypeMasterAgentUserPermissionValuePacket
3641	master agent	7457184	✔	TlvTypeMasterAgentTargetPermissionValuePacket
3641	master agent	7457344	✔	TlvTypeMasterAgentUserPermissionValueName
3641	master agent	7457600	✔	TlvTypeMasterAgentTargetPermissionValueName
3641	master agent	7457856	✔	TlvTypeMasterAgentUserPermissionValueData
3641	master agent	7458112	✔	TlvTypeMasterAgentTargetPermissionValueData
3641	master agent	7458464	✔	TlvTypeMasterAgentModifyPassword
3641	master agent	7458656	✔	TlvTypeMasterAgentMobileTargetPermissionValueName
3642	master agent	7458976	✔	TlvTypeMasterAgentUploadFile
3642	master agent	7459232	✔	TlvTypeMasterAgentUploadFileChunk
3642	master agent	7459488	✔	TlvTypeMasterAgentUploadFileDone
3642	master agent	7459744	✔	TlvTypeMasterAgentUploadFilesTransferDone
3642	master agent	7460000	✔	TlvTypeMasterAgentGetTargetModuleConfigRequest
3642	master agent	7460256	✔	TlvTypeMasterAgentRemoveFile
3642	master agent	7460512	✔	TlvTypeMasterAgentMobileProxyList
3642	master agent	7460768	✔	TlvTypeMasterAgentSMSProxyList
3643	master agent	7461024	✔	TlvTypeMasterAgentSMSProxyInfoReply
3643	master agent	7461280	✔	TlvTypeMasterAgentCallPhoneNumberList
3643	master agent	7461536	✔	TlvTypeMasterAgentCallPhoneNumberInfoReply
3643	master agent	7461792	✔	TlvTypeMasterAgentGetMobileTargetModuleConfigRequest
3643	master agent	7462048	✔	TlvTypeMasterAgentSendSMS
3647	master agent	7469984	✔	TlvTypeMasterAgentEncryptionRequired
3647	master agent	7470240	✔	TlvTypeMasterAgentFileCompleted
3647	master agent	7470496	✔	TlvTypeMasterAgentRequestCompleted
3647	master agent	7470752	✔	TlvTypeAgentMasterComm
3647	master agent	7471008	✔	TlvTypeMasterAgentRequestStatus
3648	master	7471424	✔	TlvTypeProxyMasterCommSig
3648	master	7471520	✔	TlvTypeMasterTargetConn
3648	master	7471776	✔	TlvTypeProxyMasterComm
3648	master	7472032	✔	TlvTypeMasterProxyComm
3648	master	7472288	✔	TlvTypeProxyMasterHeartBeatAnswer
3648	master	7472544	✔	TlvTypeProxyMasterDisconnect
3648	master	7472704	✔	TlvTypeProxyMasterNotification
3648	master	7473056	✔	TlvTypeProxyMasterRequest
3649	master	7473312	✔	TlvTypeMasterProxyCommNotification
3649	master	7473568	✔	TlvTypeMasterCheckTargetDisconnect
3680	target proxy	7536960	✔	TlvTypeProxyTargetCommSig
3680	target proxy	7537312	✔	TlvTypeProxyTargetComm
3680	target proxy	7537568	✔	TlvTypeProxyMasterTargetComm
3680	target proxy	7537728	✔	TlvTypeProxyTargetRequestCrypto
3680	target proxy	7538064	✔	TlvTypeProxyTargetAnswerCrypto
3744	target	7668128	✔	TlvTypeMasterTargetComm
3744	target	7668384	✔	TlvTypeTargetCloseAllLiveStreaming
3776	relay	7733664	✔	TlvTypeRelayProxyComm
3776	relay	7734176	✔	TlvTypeRelayDummyHeartbeat
4032	test type meta	8257792	✔	TlvTypeTestMetaTypeInvalid
4032	test type meta	8258608	✔	TlvTypeTestMetaTypeBool
4032	test type meta	8258880	✔	TlvTypeTestMetaTypeUInt
4032	test type meta	8259152	✔	TlvTypeTestMetaTypeInt
4032	test type meta	8259440	✔	TlvTypeTestMetaTypeString
4033	test	8259712	✔	TlvTypeTestMetaTypeUnicode
4033	test	8259984	✔	TlvTypeTestMetaTypeRaw
4033	test	8260256	✔	TlvTypeTestMetaTypeGroup
4033	test	8260416	✔	TlvTypeTestMemberIdentifier
4033	test	8260736	✔	TlvTypeTestMemberName
4096	target	8389008	✔	TlvTypeTargetData
4096	target	8389280	✔	TlvTypeTargetHeartBeat
4096	target	8389680	✔	TlvTypeTargetKeepSessionAlive
4096	target	8390000	✔	TlvTypeTargetLocalIP
4096	target	8390256	✔	TlvTypeTargetGlobalIP
4096	target	8390448	✔	TlvTypeTargetState
4097	agent master	8390784	✔	TlvTypeTargetID
4097	agent master	8391072	✔	TlvTypeGetInstalledModulesRequest
4097	agent master	8391328	✔	TlvTypeInstalledModulesReply
4097	agent master	8391488	✔	TlvTypeTrojanUID
4097	agent master	8391808	✔	TlvTypeTrojanID
4097	agent master	8392000	✔	TlvTypeTrojanMaxInfections
4097	agent master	8392240	✔	TlvTypeScreenSaverOn
4097	agent master	8392496	✔	TlvTypeScreenLocked
4098	agent master	8392752	✔	TlvTypeRecordedDataAvailable
4098	agent master	8393024	✔	TlvTypeDownloadedRecordedDataTimeStamp
4098	agent master	8393280	✔	TlvTypeInstallationMode
4098	agent master	8393552	✔	TlvTypeTargetRemoveNotification
4098	agent master	8393792	✔	TlvTypeTargetPlatformBits
4098	agent master	8394032	✔	TlvTypeRemoveItselfMaxInfectionReached
4098	agent master	8394288	✔	TlvTypeRemoveItselfAtMasterRequest
4098	agent master	8394544	✔	TlvTypeRemoveItselfAtAgentRequest
4099	agent master	8394912	✔	TlvTypeRemoveItselfAtAgentReqRequest
4099	agent master	8395072	✔	TlvTypeRecordedFilesDownloadTotal
4099	agent master	8395328	✔	TlvTypeRecordedFilesDownloadProgress
4099	agent master	8395632	✔	TlvTypeTargetLicenseInfo
4099	agent master	8395840	✔	TlvTypeRemoveTargetLicenseInfo
4099	agent master	8396176	✔	TlvTypeTargetAllConfigurations
4100	target error	8396960	✔	TlvTypeTargetError
4102	target config	8401056	✔	TlvTypeGetTargetConfigRequest
4102	target config	8401312	✔	TlvTypeTargetConfigReply
4102	target config	8401568	✔	TlvTypeSetTargetConfigRequest
4102	target config	8402304	✔	TlvTypeConfigTargetID
4102	target config	8402496	✔	TlvTypeConfigTargetHeartbeatInterval
4102	target config	8402800	✔	TlvTypeConfigTargetProxy
4103	agent master	8403008	✔	TlvTypeConfigTargetPort
4103	agent master	8403584	✔	TlvTypeConfigAutoRemovalDateTime
4103	agent master	8403776	✔	TlvTypeConfigAutoRemovalIfNoProxy
4103	agent master	8404032	✔	TlvTypeInternalAutoRemovalElapsedTime
4104	active hiding config	8405040	✔	TlvTypeConfigActiveHiding
4106	target module	8409248	✔	TlvTypeTargetLoadModuleRequest
4106	target module	8409504	✔	TlvTypeTargetLoadModuleReply
4106	target module	8409760	✔	TlvTypeTargetUnLoadModuleRequest
4106	target module	8410016	✔	TlvTypeTargetUnLoadModuleReply
4106	target module	8410272	✔	TlvTypeTargetUploadModuleRequest
4106	target module	8410528	✔	TlvTypeTargetUploadModuleReply
4106	target module	8410784	✔	TlvTypeTargetUploadModuleChunk
4106	target module	8411040	✔	TlvTypeTargetUploadModuleDoneRequest
4107	target module	8411296	✔	TlvTypeTargetUploadModuleDoneReply
4107	target module	8411552	✔	TlvTypeTargetRemoveModuleRequest
4107	target module	8411808	✔	TlvTypeTargetRemoveModuleReply
4107	target module	8412064	✔	TlvTypeTargetOfflineUploadModuleRequest
4107	target module	8412320	✔	TlvTypeTargetOfflineUploadModuleReply
4107	target module	8412576	✔	TlvTypeTargetOfflineUploadModuleChunk
4107	target module	8412832	✔	TlvTypeTargetOfflineUploadModuleDoneRequest
4107	target module	8413088	✔	TlvTypeTargetOfflineUploadModuleDoneReply
4108	target error	8413344	✔	TlvTypeTargetOfflineError
4108	target error	8413600	✔	TlvTypeTargetUploadError
4109	files reply master list agent mc	8415392	✔	TlvTypeMasterAgentListMCFilesReply
4110	target recorded	8417440	✔	TlvTypeTargetGetRecordedFilesRequest
4110	target recorded	8417696	✔	TlvTypeTargetRecordedFilesReply
4110	target recorded	8417952	✔	TlvTypeTargetRecordedFileDownloadRequest
4110	target recorded	8418208	✔	TlvTypeTargetRecordedFileDownloadReply
4110	target recorded	8418464	✔	TlvTypeTargetRecordedFileDownloadChunk
4110	target recorded	8418720	✔	TlvTypeTargetRecordedFileDownloadCompleted
4110	target recorded	8418976	✔	TlvTypeTargetRecordedFileDeleteRequest
4110	target recorded	8419232	✔	TlvTypeTargetRecordedFileDeleteReply
4111	target recorded ex	8419488	✔	TlvTypeTargetGetRecordedFilesRequestEx
4111	target recorded ex	8419744	✔	TlvTypeTargetRecordedFilesReplyEx
4111	target recorded ex	8420000	✔	TlvTypeTargetRecordedFileDeleteRequestEx
4111	target recorded ex	8420256	✔	TlvTypeTargetRecordedFilesDownloadRequestEx
4128	data	8454544	✔	TlvTypeProxyData
4128	data	8454800	✔	TlvTypeRelayData
4130	proxy	8458400	✔	TlvTypeProxyTargetDisconnect
4130	proxy	8458656	✔	TlvTypeProxyMobileTargetDisconnect
4130	proxy	8458912	✔	TlvTypeProxyDummyHeartbeat
4130	proxy	8459168	✔	TlvTypeProxyMobileDummyHeartbeat
4160	master	8520080	✔	TlvTypeMasterData
4160	master	8520768	✔	TlvTypeMasterMode
4160	master	8521024	✔	TlvTypeMasterToken
4160	master	8521344	✔	TlvTypeMasterQueryResult
4161	string master alarm	8522368	✔	TlvTypeMasterAlarmString
4192	agent	8585616	✔	TlvTypeAgentData
4192	agent	8585808	✔	TlvTypeAgentQueryID
4192	agent	8586048	✔	TlvTypeAgentQueryModSubmodID
4192	agent	8586304	✔	TlvTypeAgentQueryFromDate
4192	agent	8586560	✔	TlvTypeAgentQueryToDate
4192	agent	8586816	✔	TlvTypeAgentQuerySortOrder
4192	agent	8587136	✔	TlvTypeAgentQueryValueFilter
4193	uid agent	8587328	✔	TlvTypeAgentUID
4224	mobile	8651152	✔	TlvTypeMobileTargetData
4224	mobile	8651376	✔	TlvTypeMobileTargetHeartBeatV10
4224	mobile	8651632	✔	TlvTypeMobileTargetExtendedHeartBeatV10
4224	mobile	8651888	✔	TlvTypeMobileHeartBeatReplyV10
4225	installed reply modules mobile	8653472	✔	TlvTypeMobileInstalledModulesReply
4225	installed reply modules mobile	8652912	×	unknown
4226	module upload mobile target	8655008	✔	TlvTypeMobileTargetOfflineUploadModuleRequest
4226	module upload mobile target	8656032	✔	TlvTypeMobileTargetUploadModuleRequest
4226	module upload mobile target	8656288	✔	TlvTypeMobileTargetUploadModuleReply
4226	module upload mobile target	8656544	✔	TlvTypeMobileTargetUploadModuleChunk
4226	module upload mobile target	8656800	✔	TlvTypeMobileTargetUploadModuleDoneRequest
4227	target mobile	8657056	✔	TlvTypeMobileTargetUploadModuleDoneReply
4227	target mobile	8657312	✔	TlvTypeMobileTargetRemoveModuleRequest
4227	target mobile	8657568	✔	TlvTypeMobileTargetRemoveModuleReply
4227	target mobile	8657824	✔	TlvTypeMobileTargetOfflineUploadModuleReply
4227	target mobile	8658080	✔	TlvTypeMobileTargetOfflineUploadModuleChunk
4227	target mobile	8658336	✔	TlvTypeMobileTargetOfflineUploadModuleDoneRequest
4227	target mobile	8658592	✔	TlvTypeMobileTargetOfflineUploadModuleDoneReply
4227	target mobile	8658848	✔	TlvTypeMobileTargetOfflineError
4228	mobile target	8659104	✔	TlvTypeMobileTargetError
4228	mobile target	8659360	✔	TlvTypeMobileTargetGetRecordedFilesRequest
4228	mobile target	8659616	✔	TlvTypeMobileTargetRecordedFilesReply
4228	mobile target	8659872	✔	TlvTypeMobileTargetRecordedFileDownloadRequest
4228	mobile target	8660128	✔	TlvTypeMobileTargetRecordedFileDownloadReply
4228	mobile target	8660384	✔	TlvTypeMobileTargetRecordedFileDownloadChunk
4228	mobile target	8660640	✔	TlvTypeMobileTargetRecordedFileDownloadCompleted
4228	mobile target	8660896	✔	TlvTypeMobileTargetRecordedFileDeleteRequest
4229	target reply delete mobile recorded file	8661152	✔	TlvTypeMobileTargetRecordedFileDeleteReply
4230	mobile config target	8663968	✔	TlvTypeMobileTargetOfflineConfig
4230	mobile config target	8664224	✔	TlvTypeMobileTargetEmergencyConfigAsTLV
4230	mobile config target	8664432	✔	TlvTypeMobileTargetEmergencyConfig
4234	load module mobile target	8671392	✔	TlvTypeMobileTargetLoadModuleRequest
4234	load module mobile target	8671648	✔	TlvTypeMobileTargetLoadModuleReply
4234	load module mobile target	8671904	✔	TlvTypeMobileTargetUnLoadModuleRequest
4234	load module mobile target	8672160	✔	TlvTypeMobileTargetUnLoadModuleReply
4236	target error	8675472	✔	TlvTypeMobileTargetHeartbeatEvents
4236	agent master files mc reply list	8675648	✔	TlvTypeMobileTargetHeartbeatInterval
4236	recorded target	8675984	✔	TlvTypeMobileTargetHeartbeatRestrictions
4236	recorded target	8676208	✔	TlvTypeConfigSMSPhoneNumber
4236	recorded target	8676496	✔	TlvTypeMobileTargetPositioning
4236	recorded target	8676672	✔	TlvTypeMobileTrojanUID
4236	recorded target	8676976	✔	TlvTypeMobileTrojanID
4236	recorded target	8677296	✔	TlvTypeMobileTargetLocationChangedRange
4237	config	8677440	✔	TlvTypeConfigMobileAutoRemovalDateTime
4237	config	8677808	✔	TlvTypeConfigOverwriteProxyAndPhones
4237	config	8678000	✔	TlvTypeConfigCallPhoneNumber
4238	ex recorded target	8679488	✔	TlvTypeLocationAreaCode
4238	ex recorded target	8679744	✔	TlvTypeCellID
4238	ex recorded target	8680048	✔	TlvTypeMobileCountryCode
4238	data	8680304	✔	TlvTypeMobileNetworkCode
4238	data	8680560	✔	TlvTypeIMSI
4238	proxy	8680816	✔	TlvTypeIMEI
4238	proxy	8681072	✔	TlvTypeGPSLatitude
4238	proxy	8681328	✔	TlvTypeGPSLongitude
4239	proxy	8681520	✔	TlvTypeFirstHeartbeat
4239	master	8681872	✔	TlvTypeInstalledModules
4240	gps valid values	8683568	✔	TlvTypeValidGPSValues
4288	mobile proxy comm target	8782176	✔	TlvTypeProxyMobileTargetCommSig
4288	mobile proxy comm target	8782496	✔	TlvTypeProxyMobileTargetComm
4288	mobile proxy comm target	8782752	✔	TlvTypeProxyMasterMobileTargetComm
4384	master mobile	8978752	✔	TlvTypeMobileProxyMasterCommSig
4384	master mobile	8978848	✔	TlvTypeMasterMobileTargetConn
4384	master mobile	8979104	✔	TlvTypeMobileProxyMasterComm
4384	master mobile	8979360	✔	TlvTypeMobileMasterProxyComm
4384	master mobile	8979616	✔	TlvTypeProxyMasterMobileHeartBeatAnswer
4384	master mobile	8979872	✔	TlvTypeMobileMasterProxyCommNotification
8128	agent	16646544	✔	TlvTypePlaintext
8128	agent uid	16646800	✔	TlvTypeCompression
8128	mobile	16647056	✔	TlvTypeEncryption
8128	mobile	16647232	✔	TlvTypeTargetUID
8128	mobile	16647536	✔	TlvTypeIPAddress
8128	mobile	16647808	✔	TlvTypeUserName
8128	installed reply modules mobile	16648064	✔	TlvTypeComputerName
8129	installed reply modules mobile	16648304	✔	TlvTypeLoginName
8129	module upload mobile target	16648560	✔	TlvTypePassphrase
8129	module upload mobile target	16648832	✔	TlvTypeRecordID
8129	module upload mobile target	16649088	✔	TlvTypeOwner
8129	module upload mobile target	16649344	✔	TlvTypeMetaData
8129	module upload mobile target	16649536	✔	TlvTypeModuleID
8129	mobile target	16649856	✔	TlvTypeOSName
8129	mobile target	16650048	✔	TlvTypeModuleSubID
8130	mobile target	16650320	✔	TlvTypeErrorCode
8130	mobile target	16650560	✔	TlvTypeOffset
8130	mobile target	16650816	✔	TlvTypeLength
8130	mobile target	16651088	✔	TlvTypeRequestID
8130	mobile target	16651328	✔	TlvTypeRequestType
8130	mobile target	16651584	✔	TlvTypeVersion
8130	mobile target	16651840	✔	TlvTypeMachineID
8130	mobile target	16652096	✔	TlvTypeMajorNumber
8131	mobile target	16652352	✔	TlvTypeMinorNumber
8131	mobile target	16652656	✔	TlvTypeGlobalIPAddress
8131	mobile target	16652912	✔	TlvTypeASCII_Filename
8131	mobile target	16653120	✔	TlvTypeFilesize
8131	mobile target	16653392	✔	TlvTypeFilecount
8131	mobile target	16653712	✔	TlvTypeFiledata
8131	target reply recorded delete file mobile	16653968	✔	TlvTypeMD5Sum
8131	mobile target config	16654144	✔	TlvTypeProxyPort
8132	mobile target config	16654400	✔	TlvTypeStatus
8132	mobile target config	16654656	✔	TlvTypeUserID
8132	module load mobile target	16654912	✔	TlvTypeGroupID
8132	module load mobile target	16655168	✔	TlvTypePermissions
8132	module load mobile target	16655424	✔	TlvTypeRequestCode
8132	module load mobile target	16655680	✔	TlvTypeDataSize
8132		16655936	✔	TlvTypeKeyType
8132		16656240	✔	TlvTypeEmail
8133		16656432	✔	TlvTypeEnabled
8133		16656688	✔	TlvTypeLicensed
8133		16656960	✔	TlvTypeAudioFrequency
8133		16657216	✔	TlvTypeAudioBitsPerSample
8133		16657472	✔	TlvTypeAudioChannels
8133		16657728	✔	TlvTypeStartTime
8133	config	16657984	✔	TlvTypeStopTime
8133	config	16658240	✔	TlvTypeBitMask
8134	config	16658560	✔	TlvTypeTimeZone
8134		16658816	✔	TlvTypeDateTime
8134		16659072	✔	TlvTypeStartSessionDateTime
8134		16659328	✔	TlvTypeStopSessionDateTime
8134		16659520	✔	TlvTypeDateTimeRef
8134		16659776	✔	TlvTypeScheduleRepeat
8134		16660032	✔	TlvTypeUnixMasterDateTime
8134		16660288	✔	TlvTypeUnixUTCDateTime
8135		16660544	✔	TlvTypeDurationInSeconds
8135		16660864	✔	TlvTypeMasterRefTime
8135		16661120	✔	TlvTypeMasterRefTimeStart
8135	values gps valid	16661376	✔	TlvTypeMasterRefTimeEnd
8135		16661568	✔	TlvTypeCounter
8135		16661888	✔	TlvTypeWhiteListEntry
8135		16662144	✔	TlvTypeBlackListEntry
8135		16662336	✔	TlvTypeBlackWhiteListingMode
8136	config	16662576	✔	TlvTypeConfigEnabled
8136	config	16662848	✔	TlvTypeConfigMaxRecordingSize
8136	config	16663104	✔	TlvTypeConfigAudioQuality
8136	config	16663344	✔	TlvTypeConfigVideoBlackAndWhite
8136	config	16663616	✔	TlvTypeConfigVideoResolution
8136	config	16663872	✔	TlvTypeConfigCaptureFrequency
8136	config	16664128	✔	TlvTypeConfigVideoQuality
8136	config	16664384	✔	TlvTypeConfigFilesStandardFilter
8137	config	16664704	✔	TlvTypeConfigFilesCustomFilter
8137	config	16664896	✔	TlvTypeConfigStandardLocation
8137	config	16665216	✔	TlvTypeConfigCustomLocation
8137	config	16665408	✔	TlvTypeConfigFileChunkSize
8137	config	16665664	✔	TlvTypeConfigFileTransferSpeed
8137	config	16665904	✔	TlvTypeConfigUploadFileOverwrite
8137	config	16666160	✔	TlvTypeConfigDeleteOverReboot
8137	config	16666496	✔	TlvTypeConfigCustomLocationException
8138	master mobile	16666752	✔	TlvTypeExtraData
8138	master mobile	16667008	✔	TlvTypeSignature
8138		16667264	✔	TlvTypeComments
8138		16667520	✔	TlvTypeDescription
8138		16667776	✔	TlvTypeFilenameExtension
8138		16668032	✔	TlvTypeSessionType
8138		16668224	✔	TlvTypePeriod
8138		16668512	✔	TlvTypeMobileTargetUID
8139		16668784	✔	TlvTypeMobileTargetID
8139		16669072	✔	TlvTypeMobilePlaintext
8139		16669328	✔	TlvTypeMobileCompression
8139		16669584	✔	TlvTypeMobileEncryption
8139		16669824	✔	TlvTypeEncodingType
8139		16670576	✔	TlvTypePhoneNumber
8140	custom config location mode	16670784	✔	TlvTypeConfigCustomLocationMode
8140	custom config location mode	16672080	×	unknown
8140	custom config location mode	16671792	×	unknown
8142	network interface	16674928	✔	TlvTypeNetworkInterface
8142	network interface	16675136	✔	TlvTypeNetworkInterfaceMode
8142	network interface	16675440	✔	TlvTypeNetworkInterfaceAddress
8142	network interface	16675696	✔	TlvTypeNetworkInterfaceNetmask
8142	network interface	16675952	✔	TlvTypeNetworkInterfaceGateway
8142	network interface	16676208	✔	TlvTypeNetworkInterfaceDNS_1
8142	network interface	16676464	✔	TlvTypeNetworkInterfaceDNS_2
8143		16677440	✔	TlvTypeLoginTime
8143		16677696	✔	TlvTypeLogoffTime
8143		16678720	✔	TlvTypeGeneric_Type
8144		16678976	✔	TlvTypeChecksum
8144		16679280	✔	TlvTypeCity
8144		16679536	✔	TlvTypeCountry
8144		16679792	✔	TlvTypeCountryCode
8146		16683072	✔	TlvTypeTargetType
8146		16683392	✔	TlvTypeDurationString
8146		16683904	×	unknown
8146		16684848	×	unknown
8160		16712000	✔	TlvTypeTargetConnectionBroken
8160		16712256	✔	TlvTypeAgentConnectionBroken
8160		16712512	✔	TlvTypeTargetOffline
8176		16744768	✔	TlvTypeProxyConnectionBroken
4242		8688960	×	unknown
4242		8689296	×	unknown
4242		8689568	×	unknown
2752		5636992	×	unknown
2752		5637504	×	unknown
2752		5637760	×	unknown
2752		5636464	×	unknown
2752		5636736	×	unknown
2752		5637248	×	unknown
2753		5638256	×	unknown
2753		5638768	×	unknown
2754		5641600	×	unknown
2754		5640608	×	unknown
2754		5641120	×	unknown
2754		5640864	×	unknown
2754		5640352	×	unknown
2218		4542832	×	unknown
2218		4542624	×	unknown
8147		16685104	×	unknown
8147		16685392	×	unknown
2658		5444000	×	unknown
2658		5444512	×	unknown
2656		5440320	×	unknown
2656		5439904	×	unknown
2660		5447840	×	unknown
2722		5575072	×	unknown
2722		5575328	×	unknown
2722	config	5575840	×	unknown
2560	config	5243552	×	unknown
2560	config	5243296	×	unknown
4244	config	8693104	×	unknown
4244	config	8692080	×	unknown
4244	config	8692336	×	unknown
4244	config	8692592	×	unknown
4244	config	8692848	×	unknown
4244	config	8693360	×	unknown
4244	config	8691872	×	unknown
2690	config	5509536	×	unknown
2690	config	5510048	×	unknown
2692	config	5513376	×	unknown
2688	config	5505856	×	unknown
2688	config	5505440	×	unknown
2592	config	5309088	×	unknown
2602		5329824	×	unknown
2602		5330592	×	unknown
2602		5329568	×	unknown
2602		5330080	×	unknown
2596		5317536	×	unknown
2596		5317792	×	unknown
2596		5318048	×	unknown
2596		5317280	×	unknown
2594		5313440	×	unknown
2594		5312928	×	unknown
2594		5313184	×	unknown
2600		5325216	×	unknown
2598		5321376	×	unknown
2598		5322144	×	unknown
2784	mode location custom config	5703584	×	unknown
2784	mode location custom config	5703328	×	unknown
2784	mode location custom config	5702816	×	unknown
2784	interface network	5702032	×	unknown
2784	interface network	5702304	×	unknown
2785	interface network	5703808	×	unknown
2785	interface network	5704064	×	unknown
1757	interface network	3600000	×	unknown
2696	interface network	5521552	×	unknown
2696	interface network	5521568	×	unknown
2720		5570960	×	unknown
2720		5571232	×	unknown
2756		5644432	×	unknown
2756		5644704	×	unknown
2848		5833104	×	unknown
2848		5833376	×	unknown
3104		6357392	×	unknown
3104		6357664	×	unknown
2664		5456016	×	unknown
2664		5456288	×	unknown
4243		8690064	×	unknown
4243		8690336	×	unknown
4243		8689712	×	unknown
2304		4719008	×	unknown
2304		4719232	×	unknown
3106		6361200	×	unknown
16425		33639248	×	unknown
48781		99903492	×	unknown
41609		85215461	×	unknown
4494		9203775	×	unknown
25586		52401552	×	unknown
21214		43446532	×	unknown
27793		56920439	×	unknown
26992		55281185	×	unknown
44308		90744648	×	unknown

Conclusion

SHA256	DexDen	Conf. in APK	TippyTime	TippyPad	Cert not before	VT submission	Suspected build date
c2ce202e6e08c41e8f7a0b15e7d07817 04e17f8ed52d1b2ad7212ac29926436e	×	✔	×	×	2016/10/10	2017/07/27	approx. 2017/06/01
2f881b98088bbe91dc8fd003eed17f41 a35182a27663e6e103b2b6673b592350	×	✔	✔	×	2014/10/21	2019/10/12
269227c4c4770e109e53c6cf87bd9bde 367843c4806f5975c5aa317f318e28a9	×	✔	✔	×	2018/06/20	2019/03/24	> 2017/12/07
1221bb41b315b5d6dc336a931eb4fb6f eca7fe80e8dc42647c16686629767ec8	×	✔	✔	✔	2017/05/29	2017/09/13	> 2017/05/29
269227c4c4770e109e53c6cf87bd9bde 367843c4806f5975c5aa317f318e28a9	×	✔	✔	×	2018/06/20	2019/03/24	> 2018/06/20
a504ba88c39c325589079afd7822cc4b 431182c8ec0304f21316e964b6e9eb7f	×	✔	✔	×	2017/11/16	2018/07/31	> 2017/11/16
854774a198db490a1ae9f06d5da5fe6a 1f683bf3d7186e56776516f982d41ad3	✔	×	✔	✔	2017/05/27	2019/11/27	> 2017/05/27

Our analysis based on 3 different parameters: configuration location, string obfuscation and local socket address generation tends to demonstrate that the sample we have analyzed is (as far as we know) the only known FinSpy for Android sample storing its configuration directly into the DEX file (DexDen). Reports FinSpy Dokumentation yaraby Thorsten Schröder & Linus Neumann - CCC (Jan. 2020), AccessNow: FinFisher changes tactics to hooks critics (May 2018) and Hacking FinSpy by Sophos (2015) explain how the FinSpy configuration is stored in the APK file metadata. A retro-hunt on VT has found 0 samples (our sample excluded) storing the configuration the DEX. Changing the configuration location is a strong structural change indicating a suspected new version of FinSpy for Android.

A trend emerges when we focus on how the local socket address is generated and how strings are obfuscated. Old samples do not use a “magic” timestamp (TippyTime) in the generation algorithm nor pad-obfuscated strings (TippyPad). By analyzing briefly samples shared by CCC, we observed that since 2017, FinSpy seems to use TippyTime. However, only one sample use TippyPad string obfuscation.

Regarding unknown or undocumented TLV types, we have no clue indicating they are new or not since we have not analyzed other samples in deep and no unknown TLV types have ever been reported.

Sample behavioral analysis

The sample we analyze is heavily obfuscated:

strings are encoded at the class level;
Java methods are obfuscated (shortened);
control flow graph is broken by the heavy use of threads and IPC;
dummy calls are inserted between almost all the “useful” ones.

To analyze the sample, we firstly do a fast behavioral recon with Aether by extracting control flow graphs in which:

sinks are Java methods of interest;
sources are detected entry-points (i.e. services, threads, activities, …).

Secondly we extract TLV types involved in the different control flow graphs and then correlate the meaning of TLV with the meaning of actions done on the OS.

Configuration parsing

As we have seen before FinSpy stores its configuration into the DEX file. Thus, the first step for it is to locate the DEX file. On Android, the Java method android.content.Context.getPackageCodePath() returns the location of the APK which contains the original DEX (not the optimized one). Once located, the DEX file is copied at a randomly generated path into the cache directory. Once copied, the DEX loaded (or self-loaded since it is loaded by itself) using the Java method dalvik.system.DexClassLoader.loadClass().

Finally, FinSpy parses its configuration stored into the loaded DEX using a large switch-case statement.

The configuration stored into the current sample looks like:

TlvTypeMobileTargetID = “WIFI”
TlvTypeMobileTargetHeartbeatInterval = 120
TlvTypeMobileTargetPositioning = b’\x82\x87\x86\x81\x83'
TlvTypeConfigTargetProxy = “[redacted]”
TlvTypeConfigTargetProxy = “[redacted]”
TlvTypeConfigTargetPort = [redacted]
TlvTypeConfigSMSPhoneNumber = “[redacted]”
TlvTypeMobileTrojanID = “WIFI”
TlvTypeMobileTrojanUID = b’\xfc\x14\xb0\r'
TlvTypeUserID = 1000
TlvTypeTrojanMaxInfections = 9
TlvTypeConfigMobileAutoRemovalDateTime = Thu Jan 1 01:00:00 1970
TlvTypeConfigAutoRemovalIfNoProxy = 168
TlvTypeMobileTargetHeartbeatEvents = 173
TlvTypeMobileTargetHeartbeatRestrictions = b’\xd0\x00'
TlvTypeMobileTrackingDistance = 1000
TlvTypeMobileTrackingTimeInterval = 300
TlvTypeInstalledModules =
- Logging: Off
- Spy Call: Off
- Call Interception: Off
- SMS: On
- Address Book: On
- Tracking: On
- Phone Logs: On

Note: Trojan UID is the AES sub-key used to encrypt/decrypt payloads exchange with the C2.

Emergency reconfiguration

FinSpy can be reconfigured by SMS, the Java method org.xmlpush.v3.q.c.a() is dedicated to that. FinSpy uses a lot of threads, probably not for performance purposes but to circumvent automatic reverse engineering of CFG. The following CFG shows the break in the CFG.

When an SMS corresponding to TlvTypeMobileTargetEmergencyConfig is received, FinSpy reconfigures itself by parsing the SMS payload. The following attributes can be reconfigured:

TlvTypeConfigTargetPort: port for C2 proxy
TlvTypeConfigSMSPhoneNumber: phone number for SMS based C2 communications
TlvTypeMobileTrojanID: unknown purpose
TlvTypeMobileTrojanUID: AES sub-key
TlvTypeUserID: unknown purpose
TlvTypeTrojanMaxInfections: unknown purpose
TlvTypeConfigMobileAutoRemovalDateTime: implant self-destruct past this date
TlvTypeConfigAutoRemovalIfNoProxy: implant self-destruct if C2 proxy is unavailable
TlvTypeMobileTargetHeartbeatRestrictions: conditions to avoid callbacks
TlvTypeMobileTargetHeartbeatEvents: events to trigger callbacks to the C2
TlvTypeMobileTargetLocationChangedRange: trigger updates based on location changes
TlvTypeInstalledModules: list of implant features and their configuration (SMS log, call log, etc.)
and other unknown parameters

Privilege escalation

FinSpy needs super user privileges to do things like access data of other applications. When started, the implant checks if su is available and then check if the user id is 0. We found no evidence of vulnerability exploitation (DirtyCow or SELinux abuse) like the ones mentioned in other publicly available reports. We did not find ELF hidden into the APK, DEX or into natives libraries packaged in the APK.

Either we have missed something or this sample is tailored to be implanted after exploitation.

Communication with C2

The implant can use both SMS and HTTP requests to send collected data to the command and control server. Both SMS and HTTP communications use the same marshaling schema based on TLV types describing data. Payload are encrypted before being sent. The encryption mechanism is the same as the one described in AccessNow: FinFisher changes tactics to hooks critics.

Self-destruction capability

Since FinSpy has the ability to remove itself, it generates a shell script /system/etc/xrebuild.sh listed below.

1
2
3
4
5
#!/system/bin/sh
mount -o rw,remount /system
am force-stop <package name>
dd if=/dev/zero of=<apk path> bs=1024 count=8192
find <path> | while read line; do dd if=/dev/zero of=$line bs=1024 count=8192; done

Then it makes the script executable and reboots the device.

The script writes zeros over the APK file and does the same for all files located into the application data directory. FinSpy can be configured to remove itself at a given date and time, when the C2 is not reachable for a given amount of time or when the implant receive a specific command. By filling all files with zeros, FinSpy prevents forensic investigation. The script generation takes in account the fact that the implant can be a system application or a regular application.

Data collection

Java class org.xmlpush.v3.Services registers the following content observers on:

changes on phone contact list
changes on SIM contact list
changes on SMS log
changes on calendar

Java class org.xmlpush.v3.eventbased.ReceiverService listens to the following events:

new outgoing phone call
new data SMS received
SIM card has been changed

Numerous threads are started to periodically check device location and messenger applications files. Every time a change occurs on observed data or an event occurs, FinSpy collects data related to that change/event and sends it to the C2 either over HTTP or SMS.

Data collected and sent by default

The FinSpy code shows that all payloads sent to C2s contain at least:

trojan UID
phone number
timezone
current date and time
mobile operator name
country code based on mobile network
location area code
mobile cell ID

Messenger applications data exfiltration

FinSpy is designed to exfiltrate contacts, messages, groups, location and files of the following applications:

com.viber.voip
jp.naver.line.android
com.skype.raider
com.facebook.orca
com.futurebits.instamessage.free
jp.naver.line.android
com.viber.voip
com.skype.raider
com.futurebits.instamessage.free
com.bbm
ch.threema.app
org.telegram.messenger

FinSpy looks at the content of each application data directory (i.e. /data/data/com.futurebits.instamessage.free/). This capability has already been documented in many public reports.

Call log exfiltration

FinSpy exfiltrates the following information each time a call is placed:

caller’s phone number
callee’s phone number
caller’s name
callee’s name
call duration is seconds

SMS log exfiltration

FinSpy exfiltrates the following information each time a SMS received:

date and time
sender’s phone number
recipient’s phone number
SMS content

Calendar events exfiltration

FinSpy exfiltrates the following information each time a new event is added/edited:

attendees’ names
attendees’ emails
event title
event description
event location
event start and end date

Address book exfiltration

FinSpy exfiltrates the following information each time a modification is done on the address book:

work phone number
mobile phone number
home phone number
all other available phone numbers
display name
location
email addresses
postal addresses

FinSpy collects contacts stored in the phone memory and in the SIM card.

SIM information exfiltration

Each time the SIM card is changed, FinSpy sends the following data to the C2:

phone number
SIM serial number
IMEI
IMSI
network operator name

Location tracking

FinSpy periodically collects and sends the device location. It collects both GPS based location and network based location by using cells.

FinSpy spyware analysis

September 25, 2020
Mobile Applications FinSpy Malware analysis

Executive summary

Overview

Tiny tools

Yara rules

Script to plot CFG

A suspected new FinSpy version

Configuration storage

String obfuscation

Local socket address generation

Unknown TLV types

Conclusion

Sample behavioral analysis

Configuration parsing

Emergency reconfiguration

Privilege escalation

Communication with C2

Self-destruction capability

Data collection

Data collected and sent by default

Messenger applications data exfiltration

Call log exfiltration

SMS log exfiltration

Calendar events exfiltration

Address book exfiltration

SIM information exfiltration

Location tracking

FinSpy spyware analysis

September 25, 2020Mobile Applications FinSpy Malware analysis

Executive summary

Overview

Tiny tools

Yara rules

Script to plot CFG

A suspected new FinSpy version

Configuration storage

String obfuscation

Local socket address generation

Unknown TLV types

Conclusion

Sample behavioral analysis

Configuration parsing

Emergency reconfiguration

Privilege escalation

Communication with C2

Self-destruction capability

Data collection

Data collected and sent by default

Messenger applications data exfiltration

Call log exfiltration

SMS log exfiltration

Calendar events exfiltration

Address book exfiltration

SIM information exfiltration

Location tracking

September 25, 2020
Mobile Applications FinSpy Malware analysis