February 3, 2021

bot nobot Advanced EN

Introduction

Some time ago, applications using the keywords bot and nobot were found (https://teletype.in/@hawkeye/9z-UnOVbb). The key feature of those samples was the use of Apache Cordova to interact with the user.

The server-side logic was rudimentary and consisted only of returning data containing one of the keywords. Depending on the keyword, the application either showed a primitive game (a stub) or a webview with the required site.

Because of their primitive logic, such applications were easily detected and removed; however, applications with similar logic but a more complicated server side kept being added.

Traffic analysis

Analysis of such applications always starts with checking the traffic for unique links. While intercepting traffic, the following link caught my eye: http://85.209.88.171/escape.php?temple=escape&vpn=false&pin=false&google=c01167bf-7a2f-4040-ab40-974196c0c32a&mcc=ua&model=ASUS_Z01QD&manuf=Asus&adb=true&tmz=Asia/Shanghai&lvl=100&autoTMZ=false&deeplink&media_sou&adsetid&campid&app_camp&adset&adgroup&adid&userid=1610735446100-9011812202475738674

The full list of parameters, one per line:

temple=escape
vpn=false
pin=false
google=c01167bf-7a2f-4040-ab40-974196c0c32a
mcc=ua
model=ASUS_Z01QD
manuf=Asus
adb=true
tmz=Asia/Shanghai
lvl=100
autoTMZ=false
deeplink
media_sou
adsetid
campid
app_camp
adset
adgroup
adid
userid=1610735443100-9011812202475748674

For clarity, the key parameters were highlighted in bold.

The server answered this request with:

{ "url": "forbidden", "osig": "err", "stream": "bot" }

When I changed a single query parameter, replacing adb=true with adb=false, the response was:

{ "url": "https:\/\/trident.website\/?lp=1&token=uuid_33d7cu5b7mlt7cu5b7mlt6002cff6bcef84.92476408", "osig": "go", "mode": "newod", "od": "https:\/\/trident.website\/?_lp=lp=1&n=uuid_3d7cu3d7cu5b7mltb7mlt6002cff6bcef84.92476408", "stream": "666" }

The emulator screen then showed an online casino site.


Code analysis

The application did not use complex obfuscators, and the strings were essentially left in plain form. This made it easy to locate the code that builds the request.


In the screenshot you can clearly see the list of parameters and the checks for the keywords bot, forbidden and applink.

The logic of this code is as follows: the response from the server is checked for the keyword forbidden in the url parameter. If it is present, the following code is executed:

OneSignal.sendTag("key1", "bot");

Because of this tag, the application does not send a request to the server at all on the next launch and instead opens the "stub" immediately.

After this code is executed, the standard activity is shown.

If the check fails and the url parameter contains a link, the web activity is opened and the link is followed.
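As an added example (not code from the article or from the analysed application), here is a small Python helper that works over captures like the ones above: it parses the escape.php query string, classifies each server reply the way the client does (forbidden/bot markers versus a link to open) and, given two requests that differ in exactly one parameter but receive different replies, reports which parameter the server gates on. The ENV_CHECK_PARAMS set is my assumption about which keys serve as environment checks; the second response is abbreviated.

```python
import json
from urllib.parse import urlparse, parse_qsl

# Assumed: parameters the C2 treats as environment checks (debugger, VPN, lock
# screen, timezone, carrier, device) before deciding which payload to serve.
ENV_CHECK_PARAMS = {"adb", "vpn", "pin", "tmz", "autoTMZ", "mcc", "model", "manuf", "lvl"}

# Captures from the article: the original request (adb=true) with its stub reply, and
# the same request with only adb flipped, which received the casino redirect ("od" omitted).
REQ_ADB_TRUE = ("http://85.209.88.171/escape.php?temple=escape&vpn=false&pin=false"
                "&google=c01167bf-7a2f-4040-ab40-974196c0c32a&mcc=ua&model=ASUS_Z01QD"
                "&manuf=Asus&adb=true&tmz=Asia/Shanghai&lvl=100&autoTMZ=false&deeplink"
                "&media_sou&adsetid&campid&app_camp&adset&adgroup&adid"
                "&userid=1610735446100-9011812202475738674")
REQ_ADB_FALSE = REQ_ADB_TRUE.replace("adb=true", "adb=false")
RESP_STUB = '{ "url": "forbidden", "osig": "err", "stream": "bot" }'
RESP_CASINO = ('{ "url": "https:\\/\\/trident.website\\/?lp=1&token=uuid_33d7cu5b7mlt7cu5b7mlt6002cff6bcef84.92476408",'
               ' "osig": "go", "mode": "newod", "stream": "666" }')

def parse_request(url):
    """Query parameters of an intercepted request; blank tracking keys are kept."""
    return dict(parse_qsl(urlparse(url).query, keep_blank_values=True))

def env_checks_present(url):
    """Environment-fingerprinting parameters the client actually sent."""
    return sorted(ENV_CHECK_PARAMS & parse_request(url).keys())

def classify_response(body):
    """'stub' on the forbidden/bot markers the client tests for, else 'redirect' plus the host."""
    data = json.loads(body)
    if data.get("url") == "forbidden" or data.get("stream") == "bot":
        return "stub", None
    return "redirect", urlparse(data["url"]).hostname

def find_cloaking_trigger(samples):
    """samples: [(request_url, response_body)]; one-parameter diffs with different classes."""
    parsed = [(parse_request(u), classify_response(b)[0]) for u, b in samples]
    triggers = set()
    for i, (p1, c1) in enumerate(parsed):
        for p2, c2 in parsed[i + 1:]:
            diff = {k for k in p1.keys() | p2.keys() if p1.get(k) != p2.get(k)}
            if len(diff) == 1 and c1 != c2:
                triggers |= diff
    return sorted(triggers)

if __name__ == "__main__":
    samples = [(REQ_ADB_TRUE, RESP_STUB), (REQ_ADB_FALSE, RESP_CASINO)]
    print("env checks sent:", env_checks_present(REQ_ADB_TRUE))
    print("gating parameter(s):", find_cloaking_trigger(samples))
    print("payload host:", classify_response(RESP_CASINO)[1])
```

With more captured pairs (for example vpn or tmz toggled one at a time), find_cloaking_trigger lists every parameter that flips the server between the stub and the real payload.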

Based on the references, strings and variable names used, a YARA signature was created (archive password: 0a2eCK8mkK).