Shindan blog

Operation triangulation - SMS module analysis.

This blog post is the continuation of our series on Operation Triangulation. The previous blog post can be found here: https://shindan.io/posts/audio_module_analysis/

In this blog post we will focus on the SMS-stealing module c2393fceab76776e19848c2ca3c84bea0ed224ac53206c48f1c5fd525ef66306.

The module is pretty simple. It opens the SMS database, executes several queries on it, and saves the compressed and encrypted output to a file.

...

Operation triangulation - audio module analysis.

This blog post is the continuation of our series on Operation Triangulation. The first blog post can be found here: https://shindan.io/posts/keychain_module_analysis/

In this blog post we will focus on the audio module: ff2f223542bbc243c1e7c6807e4c80ddad45005bcd78a77f8ec91de29deb2f6e

This module is in charge of recording from the device microphone. It implements some tricks to hide itself, which will be explained in this blog post. This module does not contain any symbols and uses some sort of obfuscation.

...

Hello Shindan

Greetings to all the cybersecurity enthusiasts, forensic analysts, and tech aficionados out there!

Today, we are making public what we’ve been passionately working on for the past year: Shindan.

In the ever-evolving world of mobile technology, where devices become increasingly sophisticated, the need for equally advanced forensic tools has never been more crucial. That’s where Shindan steps in.

Mobile devices are treasure troves of data. They contain our personal messages, business emails, photos, location history, and so much more. This data can be invaluable for investigations, both in a legal context and for internal corporate audits. But as security measures in mobile devices have become more stringent, extracting this data has become a challenge. Shindan was born out of this challenge.

...