offensive-security / kali-nethunter

The Kali NetHunter Project
https://github.com/offensive-security/kali-nethunter/wiki

Potential RootKit in NetHunter.apk #1264

Closed STPJ closed 5 years ago

STPJ commented 5 years ago

Device:

Nexus 6

OS version (KitKat/Lollipop/Marshmallow/Nougat):

Nougat

Built from repo (date and build command) or downloaded from website (links):

Output of cat /proc/version in adb shell or NetHunter Terminal:

Issue:

I've installed NetHunter on my Nougat Nexus 6. Brand new download from Google Website. Followed all original images from Offensive-security.

Once I've updated with the latest Nethunter.apk from here, I noticed some strange traffic on my network. I first scanned my own ports on NetHunter, and saw nothing. Then from Kali on my laptop I started monitoring and scanning the ports of my phone, and noticed 1 port was open.

Installed rkhunter and chkrootkit on NetHunter and there it is! Infected on traceroute, and noticed 2 processes running from the NetHunter.apk folder. Killed those processes but they kept coming back.

I just finished flashing my entire phone and redoing those steps, everything is fine now, as long as I don't update this package again.

Please check on your side, scanning your phone from a laptop. The open port was changing at every opening and when doing a telnet to that port I had an answer in JSON. I can reinstall all the packages and give you more info if needed, as I kept all the files of that fresh install.

STPJ commented 5 years ago

Ok I've redone all the steps to reproduce it. And I have a rootkit again. I've flashed my entire phone to be sure, and installed those 3 packages: nethunter-generic-armhf-kalifs-full-rolling-2017.11-18-1618.zip, kernel-nethunter-shamu-nougat-2017.11-18-1618.zip and NetHunter.apk

The 2 above come from the link: https://build.nethunter.com/nightly/2017.11-18-1618/ The NetHunter.apk is from here.

And yes I do have the rootkit and the open port (only able to see it from a scan from another computer). chkrootkit gives me this script running: /su/bin/su -c /data/data/com.offsec.nethunter/files/scripts/bootkali_login

Going to flash my phone again to the stock ROM, avoiding NetHunter altogether for a little while....

Re4son commented 5 years ago

What's the content of "/data/data/com.offsec.nethunter/files/scripts/bootkali_login"?

And what is the entire line in the output of "chkrootkit"? The detail will help me track down the test that flags NetHunter as a rootkit and why.

jcadduono commented 5 years ago

I can guarantee you there is nothing malicious running from the Nethunter.apk from build.nethunter.com as that server is run by myself, and the app was built and signed by @binkybear. You haven't mentioned the ports, but I assume since the app was the one to initiate booting Kali it would show up as the app initiating the listening sockets. They are probably standard OS ports like ssh and mailer daemon. :/

STPJ commented 5 years ago

Thanks for the follow-up.

Ok I've gathered more info. First if I connect to that 'Hidden port' via Telnet with my laptop I have this returning: {"type":"Tier1","version":"1.0"}

NOTE: If I check via netstat on NetHunter this port is totally hidden, with no process shown listening on it. But it's definitely open if scanning from another computer.

Not sure of the protocol, but definitely some JSON format, awaiting a command. Also if I kill that process (bootkali_login), the process comes back but on a different port number! I've killed it 4 times, 4 different port numbers, but all ports answer with the same: {"type":"Tier1","version":"1.0"}

I've also removed that file completely and rebooted. And it reappeared on the next reboot like nothing happened.

I've attached the entire log file of chkrootkit, as you see it also says that traceroute and tcpd are INFECTED. chkrootkit.log

Not sure if both are related (port open + rootkit) but the coincidence is sure suspicious. The bootkali_login is a regular bash script opening a root login, weird that it's hidden in the process list...

```sh
#!/system/bin/sh

######### IMPORT BOOTKALI ENVIRONMENT #########
SCRIPT_PATH=$(readlink -f $0)
. ${SCRIPT_PATH%/*}/bootkali_env

$busybox chroot $mnt /bin/login -f root
```

jcadduono commented 5 years ago

I think you posted the wrong log lol. What are you getting as output from netstat -lnutp after bootkali_login?

STPJ commented 5 years ago

Sorry about that, I've updated it (you were quicker). That was me scanning another machine while at it, check the chkrootkit.log above.

The port wasn't a regular service port, believe me, I work in that field. It was moving between 17 000 and 35 000; regular scanning wasn't detecting it, I was doing an nmap -p 1-65535, and the port was changing when killing the script mentioned above (and the script relaunching itself after a kill -KILL).

I am also ruling out nethunter.apk, as I was able to reproduce with only the 2 images from a fresh flash: nethunter-generic-armhf-kalifs-full-rolling-2017.11-18-1618.zip and kernel-nethunter-shamu-nougat-2017.11-18-1618.zip
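The check this thread keeps coming back to is the phone's own netstat view versus what the laptop's full-range nmap scan saw. The following shell script is an added example, not part of the issue or of the NetHunter project; the netstat and nmap lines are constructed samples, and the IP address, PIDs and port 23452 are placeholders. A port that appears only in the external list is not a verdict: as this thread found, it can belong to a host-side app that the chroot's tools do not list, so the output is the set of ports that still need an owner.

```sh
#!/bin/sh
# Added example: cross-check the ports the phone admits are listening against
# the ports an external scan reported open. All inputs are constructed samples.
export LC_ALL=C   # stable byte-order sort so comm and sort agree

# Constructed "netstat -lnutp" output as seen inside the Kali chroot.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/exim4
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient'

# Constructed grepable line from "nmap -sS -sU -p 1-65535 -oG -" run on the laptop.
NMAP_SAMPLE='Host: 192.168.1.50 ()   Ports: 22/open/tcp//ssh///, 23452/open/tcp//unknown///, 5353/open/udp//mdns///'

# proto/port pairs the host itself reports as listening (tcp6/udp6 folded into tcp/udp).
local_listen_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" \
      | awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); print substr($1, 1, 3) "/" a[n] }' \
      | sort -u
}

# proto/port pairs the external scan reported as open.
external_open_ports() {
    printf '%s\n' "$NMAP_SAMPLE" \
      | sed 's/.*Ports: //' | tr ',' '\n' | sed 's/^ *//' \
      | awk -F/ '$2 == "open" { print $3 "/" $1 }' \
      | sort -u
}

# Lines only in the external list: reachable from the network but absent from
# the local view. Each one needs attributing to a process, a host app, or worse.
hidden_ports() {
    l=$(mktemp) && e=$(mktemp) || return 1
    local_listen_ports > "$l"
    external_open_ports > "$e"
    comm -13 "$l" "$e"
    rm -f "$l" "$e"
}

hidden_ports
```

On a real device, replace the two samples with the captured tool output; the local list comes from the chroot and, on Android, should also be taken from the host side (ss or netstat outside the chroot) before concluding anything is hidden.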

jcadduono commented 5 years ago

Are you sure it's not just a standard Android service?

STPJ commented 5 years ago

I would say 90% sure. Still, chkrootkit flags tcpd and traceroute as infected, which we can all agree is not 'normal'.

I am feeling like putting a honeypot on my phone and monitoring my network closely for a few days, to see if I can get a connection and monitor the protocol, as it appears to be a plain JSON format.

Re4son commented 5 years ago

False positive. That "chkutmp" item in your logfile is harmless. It's technically not a false positive but it is only an indication that the process /su/bin/su -c /data/data/com.offsec.nethunter/files/scripts/bootkali_login doesn't have a matching entry in "/var/run/utmp" so it could potentially be a naughty process. It is not necessarily wrong because it often happens with processes that wait for a login to occur. It's a flag prompting you to check it out, which you did and @jcadduono can assure you that this process is perfectly normal because he was involved in writing it ;-)

Re4son commented 5 years ago

Which version of chkrootkit are you using? I'm gonna track down the reason tcpd and traceroute are flagged.

jcadduono commented 5 years ago

https://askubuntu.com/questions/883495/chkrootkit-shows-tcpd-as-infected-is-it-a-false-positive

https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/page2.html#post5788733

Try scanning them (tcpd and traceroute) individually.

STPJ commented 5 years ago

I would say, congrats on the support guys. This is awesome, usually bug reports take forever to get answers.

Really looking forward to hearing the reason(s) why they are flagged, the chkrootkit version is 0.52, the default from apt-get install chkrootkit on a fresh install.

Will check the suggestion of false positives for tcpd + traceroute.

Also, nothing personal, but I will still heavily monitor my network ;)

3 false positives and a weird port behavior, kind of a lot of coincidences in one night. I am expecting to see 4 lost college girls knocking on my door looking for a place to crash...

lol

jcadduono commented 5 years ago

Send them my way if you don't want them. Sorry, that's unprofessional.

Re4son commented 5 years ago

Here we go:

  1. tcpd: false positive that is not flagged when tested individually.
  2. traceroute: Cannot reproduce. The rootfs doesn't contain traceroute and once installed is listed as "not infected" in my chroot.

Running the latest version of chkrootkit from here comes back all clean.

  1. "chkutmp" listing the nethunter process is normal.

thepillbug commented 5 years ago

> Send them my way if you don't want them. Sorry, that's unprofessional.

@jcadduono unprofessional? Society is unprofessional for not rewarding you with constant gaggles of hos following you around for whatever. What I mean to say ultimately is thanks for your work as well as everyone else's. I have a Nexus 6P I use Kali on, and was either gonna buy a Gemini or one of the best phones I can run it on. Any suggestions?

jcadduono commented 5 years ago

I still consider the Nexus 6P the best phone to run it on, (mostly for the partition scheme, expected LTS via LineageOS, and BCM internal hardware for monitor mode) though I should probably do some updates to the support on it. Unfortunately I don't have one for testing, using the Galaxy Note 8 myself. Perhaps I might eventually work on supporting the Note 8. (N950F/D Exynos)

kimocoder commented 5 years ago

@jcadduono I actually took your sources, merged from upstream and ran the Nexus 6P on the latest Android 8 image, unfortunately I messed up the wireless modules somehow.

STPJ commented 5 years ago

Hi, just a small update.

I've been monitoring my phone all day, wasn't able to see that port traffic again.

But believe me, I've been doing this for 20+ years full time, there was something going on with an open port hidden from netcat.

I think I downloaded an update of NetHunter the first time from a link on DuckDuckGo, maybe without giving it the attention it should have had.

I am tracking down my history and trying to reproduce.

STPJ commented 5 years ago

Ok, mystery solved! It wasn't related to NetHunter at all in the end.

Despite all the 3 positives above, I was finally able to figure out why I had weird port behavior. There are 2 apps opening ports on my phone that keep changing but are always open in listen mode.

Spotify and YouTube. Once either of the 2 is open, it listens on a port on ALL interfaces... which is pretty scary. Those ports (especially Spotify) keep changing, and not to a constant number.

I am guessing this is to allow some remote access within the same network. Thanks for all your help guys, we can close the thread.

The 3 chkrootkit hits were false positives as stated above, and the listening ports are because of some unrelated apps.

Appreciate all the help. Now time to hack that port see how secure it is...

jcadduono commented 5 years ago

I would imagine those ports to be related to Bonjour and/or media discovery for streaming to TVs and AVRs which is a feature that I often use on YouTube at home. I very much doubt that the device is actually requesting a router to open the port to external networks though, and the service probably ignores all requests from external addresses.