
SANS ISC Diary: Cell Phone Monitoring. Who is Watching the Watchers?


While reviewing network alarms, I came across an alert I had not seen before: a cell phone tracking application. The phone was POSTing to the vendor's website in clear text (plain HTTP), so I started looking at the URLs the phone was accessing.

POSTs went to URLs including:

/smart_php/update.php

/smart_php/upload_mms.php

/smart_php/upload_rec.php

I then looked at the data sent to each URL. The information posted to update.php included the user ID, device serial number, model, phone number, SIM card number, IMEI, the phone number called, the matching contact name from the phone's address book, and more.

upload_mms.php contained what I expected: the content of text messages, including pictures.

upload_rec.php was the real surprise. My initial thought was voicemail, but it appears to be an MP4 recording of entire phone conversations: the file transferred was 15 minutes long, far too long for a voicemail. NetworkMiner quickly identified the MP4 files embedded in the PCAP.

The software sends this data to http://cellphonetrackers.co. The website appears not to have been updated since 2013, the copyright year shown on its front page.
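As an added example (not code from the diary, the tracker vendor, or NetworkMiner), the Python below shows the kind of detection logic one could run over the clear-text POSTs described above: it parses a raw HTTP request, flags POSTs to the three /smart_php/ paths, pulls the identifiers out of a urlencoded update.php body, and recognises an uploaded call recording by the ISO base media 'ftyp' box at offset 4, the signature file carvers generally key on. The host and paths are from the diary; the form field names (userid, serial, imei, ...) and both sample requests are constructed for this example, since the page describes only what kind of data was posted, not the raw parameter names.

```python
import re
from urllib.parse import parse_qs

# Host and paths the diary observed the phone POSTing to (taken from the page above).
WATCHED_HOST = "cellphonetrackers.co"
WATCHED_PATHS = {
    "/smart_php/update.php",
    "/smart_php/upload_mms.php",
    "/smart_php/upload_rec.php",
}


def build_request(path: str, content_type: str, body: bytes,
                  host: str = WATCHED_HOST, method: str = "POST") -> bytes:
    """Assemble a raw HTTP/1.1 request with a correct Content-Length (used to build samples)."""
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method.decode(), path.decode(), headers, body


def is_mp4(data: bytes) -> bool:
    """ISO base media files (MP4/M4A/3GP) open with a box whose type, at offset 4, is 'ftyp'."""
    return len(data) >= 8 and data[4:8] == b"ftyp"


def multipart_parts(body: bytes, content_type: str):
    """Return a list of (part_headers, data) for each part of a multipart/form-data body."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return []
    delimiter = b"--" + match.group(1).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: no more parts
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append((part_head.decode(errors="replace"), data))
    return parts


def inspect(raw: bytes):
    """Return an alert dict when a request matches the tracker's upload pattern, else None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path not in WATCHED_PATHS:
        return None
    alert = {"host": headers.get("host", ""), "path": path, "fields": {}, "mp4_parts": []}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        # First value of each field: this is where the identifiers travel in the clear.
        alert["fields"] = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
    elif ctype.startswith("multipart/form-data"):
        for part_head, data in multipart_parts(body, ctype):
            if is_mp4(data):
                name = re.search(r'filename="([^"]*)"', part_head)
                alert["mp4_parts"].append(name.group(1) if name else "<unnamed>")
    return alert


# Constructed sample traffic, not captured data. The field names are assumed; the diary
# only describes the kind of data posted to update.php, not the parameter names.
UPDATE_REQ = build_request(
    "/smart_php/update.php", "application/x-www-form-urlencoded",
    b"userid=1001&serial=R32D5&model=GT-I9300&phone=15555550100&sim=8901260000000000001"
    b"&imei=356938035643809&called=15555550199&contact=Alice",
)

# A minimal ISO BMFF header: a 24-byte 'ftyp' box, enough to trip the MP4 check.
FAKE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16
BOUNDARY = "----x"
REC_REQ = build_request(
    "/smart_php/upload_rec.php", f"multipart/form-data; boundary={BOUNDARY}",
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; filename="call.mp4"\r\n'
    f"Content-Type: application/octet-stream\r\n\r\n".encode()
    + FAKE_MP4 + f"\r\n--{BOUNDARY}--\r\n".encode(),
)

if __name__ == "__main__":
    for req in (UPDATE_REQ, REC_REQ):
        print(inspect(req))
```

Anything this parser can read was, by definition, sent unencrypted; feeding it reassembled TCP streams from a capture reproduces what the diary saw, and the 'ftyp' check is what lets you tell a call recording from an ordinary form upload without trusting the declared Content-Type.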

Monitoring your loved ones' devices may be important, but you need to make sure the tool you use still protects their privacy. In this case the uploads travel over plain HTTP, so the call recordings, messages and device identifiers are readable not only by whoever bought the tracker but by anyone positioned on the network path. There are plenty of legitimate review sites that cover the pros and cons of tools from name brands you know and trust.

-- Tom Webb @twsecblog

Using the isc.sans.edu whereis tool, cellphonetrackers.co (IPv4 address 91.196.126.212) is located in Bulgaria at this time. Is that correct?
Gibb
That is correct based on the whois information.

inetnum: 91.196.124.0 - 91.196.127.255
netname: SUPERHOSTINGBG
country: BG
org: ORG-SL338-RIPE
admin-c: SHRO-RIPE
tech-c: SHRO-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: SHOSTING-MNT
mnt-by: SUPERHOSTING-MNT
mnt-routes: SHOSTING-MNT
mnt-routes: MNT-NETERRA
mnt-routes: AS8262-MNT
mnt-domains: SHOSTING-MNT
created: 2007-06-12T08:39:49Z
last-modified: 2016-04-14T09:37:33Z
source: RIPE

organisation: ORG-SL338-RIPE
org-name: SuperHosting.BG Ltd.
org-type: LIR
address: bul. G.M.Dimitrov 36
address: 1797
address: Sofia
address: BULGARIA
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: SUPERHOSTING-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: SUPERHOSTING-MNT
abuse-c: SHRO-RIPE
created: 2011-12-22T13:20:34Z
last-modified: 2018-05-14T12:35:39Z
source: RIPE # Filtered
phone: +35928108999
fax-no: +35928108966

role: SuperHosting.BG administrative contact
address: bul. G.M.Dimitrov 36
admin-c: DTC99-RIPE
admin-c: LRUS-RIPE
admin-c: MDRE-RIPE
tech-c: DTC99-RIPE
tech-c: LRUS-RIPE
tech-c: MDRE-RIPE
nic-hdl: SHRO-RIPE
mnt-by: superhosting-mnt
created: 2012-03-21T11:51:39Z
last-modified: 2013-11-19T13:38:06Z
source: RIPE # Filtered
abuse-mailbox: abuse@superhosting.bg
Tom (ISC Handler)