Joystik Posted July 23, 2013

Hello there. I stumbled across the USB Rubber Ducky and I am very interested in it. However, I was disappointed in the limited number of payloads. Sure some of them are nifty but none that interested me enough to buy the device. Yes I know the purpose is to make your own and to contribute, but what I would like to do is a bit complicated, or so I would think anyways. I would gladly buy my very own ducky if someone could make this payload. I would even be willing to buy the finished payload depending on the price.

Features:
- Secretly uploads all future pictures taken on the device
- Uploads to either ftp or google drive, something of the sort
- Upload destination creates new folder for each new device added
- Optional, but would be nice if there was a hook on the camera. What I mean is that it saves and uploads any picture taken even if it is not in the default camera app, such as when you take a picture on snapchat.

Compatibility:
- Works on Android / iPhone 4 / 4S / 5
- Able to work on a locked device
- Able to work on a device that is not rooted or jailbroken

I am a college student majoring in Information Systems of Management. This payload has several practical approaches for myself. Catching a cheating girlfriend, the obvious joker approach to how people always leave their phones everywhere at frat parties, and down to learning more about it. At heart I do like code but I more-so enjoy modifying existing scripts. I know VB.net, some php, html, css, basic understanding of batch, etc.

Please let me know if such a script (or similar) exists or if anyone would be interested in creating something like this. Thanks!
overwraith Posted July 24, 2013 (edited)

Found a page which has most of the android keyboard shortcuts on it: http://cruzsupport.velocitymicro.com/link/portal/5462/5758/Article/1065/USB-Keyboard-Shortcuts-for-Android-4-0

Looks pretty difficult to make a duck script based on them though, the android OS looks like it is mostly oriented toward touch, and GUI elements. I notice that my play store icon is located in the bottom right hand corner of the screen, and is reachable through the duck script:

    REM Launch Play Store
    REM Perform once, repeat three times, four times total.
    SHIFT TAB
    REPEAT 3
    ENTER

The play store itself changes frequently however. It might be possible to download some kind of free file sharing app, and share the target device's info away. Another possibility would be placing some kind of custom android app on the ducky's removable storage and somehow activating it. Don't know if this kind of app install is possible however. As far as I know, there is no Android scripting language that can help us out. Your description suggests using some kind of malware app, and an app such as this would need to run as a system service, so it would be running in the background when it is closed down.

Just verified that you can install an app from a USB stick, but you will need to change the security settings to allow the installation of unknown sources.

    REM ANDROID ALLOW INSTALLATION OF UNKNOWN SOURCES
    CTRL P
    REM SELECT SECURITY
    REM TOTAL 13 DOWNARROWS
    DOWNARROW
    REPEAT 12
    REM SELECT UNKNOWN SOURCES
    RIGHTARROW
    ENTER
    REM SAY OK TO THE POPUP MESSAGE
    RIGHTARROW
    ENTER

Delays may be tricky.

Edited July 24, 2013 by overwraith
Joystik (Author) Posted July 24, 2013 (edited)

Hmm, interesting. Thank you for your response! It's always great to have some code to look at and the page you linked me to is a nice reference. For whatever reason I got the idea from one of the hak5 videos with Darren that you could inject code. I know he mentioned that it is recognized as a keyboard but it never clicked until now.

Installing an apk may be plausible, noting that I would have to flip the 'accept unknown source' setting. This may prove to be some fun to play around with! On another approach, I guess it might be easier to have it simply upload some of the current pictures on the device.

Oh here's a thought, is the duck able to save data? For example, having it backup all pictures on the phone to the duck? I know it is recognized as a keyboard but it is running the payload from an SD card after all :)

Now I'll be rummaging through that webpage you sent, thanks again!

EDIT: The web page is in a load loop but hopefully it will surface soon. Anyways, I thought of something. They make commercial monitoring apps for android which I have tried in the past and do offer the ability to upload pictures as the device takes them. I could potentially use ducky to install said apk. Another thing to look into :) I am very excited

Edited July 24, 2013 by Joystik
overwraith Posted July 24, 2013 (edited)

> Installing an apk may be plausible, noting that I would have to flip the 'accept unknown source' setting.

In order to upload my apk file from my USB device, I was required to change the "accept unknown source" option.

> Oh here's a thought, is the duck able to save data? For example, having it backup all pictures on the phone to the duck? I know it is recognized as a keyboard but it is running the payload from an SD card after all :)

The duck is able to have data saved to it if you download and install special firmware. I would recommend one of the "twin duck" firmwares from ducky decode: https://code.google.com/p/ducky-decode/

> Anyways, I thought of something. They make commercial monitoring apps for android which I have tried in the past and do offer the ability to upload pictures as the device takes them. I could potentially use ducky to install said apk. Another thing to look into :) I am very excited

A lot of those are probably paid for services, but it is worth looking into. I would also recommend looking at one of those Android programming books if nothing really has all the features you want. Another idea would be maybe to use two or three apps that all do different things. Also, if you do end up actually programming an app that does all this stuff, don't post it online where antivirus companies can get to it, a good tutorial for the rest of us could show us all how to do it though, without all the programs being exactly the same. If you do end up going the multiple app route, the antivirus companies can't very well shut down a legitimate service.

Edited July 24, 2013 by overwraith
Joystik (Author) Posted July 24, 2013

I have a lot of research to do and several options to dig into. Thank you again for helping me out, I really do appreciate it.

Ah yes, the AV companies haha. Good old days. Many programmers worked very hard to make their programs UD (undetected) by AVs. They even developed obfuscation methods and ways of messing with a source code to throw off an AV company from recognizing any malicious code. I guess you could say I'm pretty familiar with that :)

I might just buy a ducky to mess around with it. Seems like it could be a bit of fun in the very least. Ya know, this forum reminds me of Leetcoders in its early days.
overwraith Posted July 24, 2013

I am glad to hear that you know about obfuscation techniques. Unfortunately not enough of us actually know how to use these techniques. I am sure a tutorial on that too would be greatly appreciated around here. Just a thought.
Joystik (Author) Posted July 24, 2013

Back then I mostly worked in VB. In fact, I have not coded anything in years like I used to unfortunately. The community was very giving and very eager to make advancements in knowledge to empower themselves. A few people custom coded obfuscators, oh jeez let's see if I can remember his name.... aha! JapaBRZ. He was among the first. Run a quick google search on him, he's got stuff published to a few websites. Most was on Leetcoders but the site's been rolled back. I might have his source somewhere actually.

A lot of it has to do with adding "junk code" which is really just fake code and fluff for distraction. Sometimes AV companies use app info such as actual size in bytes, author, version number, other build info like that. Change the build info, change the icon, add more strings that point to each other, etc. All of that completely throws off AV companies, or rather just makes it seem like they are hunting down "A" but instead see "B" (the new build) so a message comes back to the user as "scan completed. nothing malicious here, move along."

Of course, there are two kinds of detectability. Runtime and Scantime. Runtime crypters we called them... something that encrypts your build so that it can run in such a way that an active AV will not see it. Something that was only scantime crypted / obfuscated will get detected when it runs, unfortunately.

This turned into a sort of business. People made and ripped off each other's crypters and sold them. They were cheap and didn't know what they were doing, so the files got detected weekly or monthly, requiring them to re-code parts of the crypter. They got smart and used stubs so they only had to change part of the stub. It is all very collusive and mostly came down to newbs trying to mass spread their botnets.

The only way around all that, like you mentioned, is to not share anything unfortunately. Unique code kept private for small use won't likely get picked up by an AV company. But hell, back in the day as a child when I made a simple SMS / MMS phone bomber in VB it got detected as a trojan. Explain that to me? lol I coded it so I know it was safe.

Anyways, that's probably a bit too much info all over the place, but hopefully serves as a brain-dump to get some of you to ask questions and inspire you to research more. I don't really have a whole lot of time to make threads and post stuff, but hey I'm bored at work right now :)
ThatNateGuy Posted August 5, 2013

Would the SL4A be useful in this situation?
overwraith Posted August 5, 2013

Yeah, that might work. Didn't even know that something like that existed. Looks like would still need the script to turn on installation of unknown sources, because would need to install the apk from the ducky's removable storage. Might end up being more trouble than a custom made android app though, because the ducky script would have to wait until the scripting apk was installed to start using it.