My name is Jonathan Scott, and I'm an American Security Researcher. I am currently a computer science PhD student at North Central University. My research focus is mobile spyware.
1. Allow the installed sample to be a device administrator
2. Authorize the data wipe
3. Double authorize the data wipe
The reason that there is a 3 step process is because data wiping is a really serious thing. If someone were to data wipe your phone, tablet, car, smart watch, drone, or other android based devices without authorization, the impact of that could immeasurable.
We were tasked to create software that would data wipe all android devices, and minimize the need for human interaction.
As Darcom and I planned this out we thought, if we can install an app elevate the privileges, and on launch wipe out the device we should be able to accomplish this.
- Elevate privileges for the data wipe app programmatically - Bypass Step 1 mentioned Above
- Launch the app programmatically - Bypass Step 2 Mentioned Above
- Strip the sample down to bare bones, and hiding all the button functionality
- Compile the app so that only Step 3 Mentioned Above is needed.
Once the app would be launched programmatically all of the steps referenced above would be bypassed, and this should work on every android mobile device in the world.
If for any reason the app failed to launch when attached to a host via USB with ADB enabled, tapping on the app alone will data wipe the device without any other need for authorization.
Years later after we had created this app, I was no longer working and hacking with Darcom, but I realized I could take this further, so I created a PoC for wiping out androids that had NFC enabled, and it was rather simple. Details to perform this down below.
We noticed that on some devices even though we were able to launch the app and trigger a factory reset, if the device did not have sufficient power to actually perform the reset. We were working for a company that was involved in reverse logistics, and this was a huge issue. The software we created was functional, but when a supply chain worker saw the device "reset" they would unplug the device and send the device down the production line. The device looked as though it was powered off which was part of the process we had programmatically implemented as well, but when you charged the device and booted the device backup, the data wiping app was still visible in the applications section, and if you were to tap on it, it would still wipe out the device.
This means there was a high potential for customers who received refurbished devices to have this app installed on it, and you can imagine what could happen next.
- Enable ADB on your android
- Install the apk in this repo
adb install jv_darcom.apk - Enable device admin
adb shell dpm set-device-owner com.Darcom.device.admin/.DeviceAdminDemo - Launch
adb shell am start -a android.intent.action.MAIN -n com.Darcom.device.admin/com.Darcom.device.admin.MainActivity
- Do steps 1-3 Above
- Write to an NFC tag with the following
com.Darcom.device.admin - Tap the tag to the device
- Done