Dissecting Pathao – An Uber-like app that steals SMS, contacts, app list, and more.

Preface

Pathao is a very popular Uber-style ride-sharing service based in Bangladesh. Pathao is a local startup backed by local Bangladeshi entrepreneurs, so they have a better understanding of the market than their competitors (Uber). Their marketing campaigns, despite being controversial at times, have been highly successful and they have established themselves as the main competitor to Uber in Bangladesh.

Recently I noticed that when I install Pathao on my Android Oreo smartphone, Pathao asks for SMS and Contacts permissions through the Android runtime permission interface. This is very unusual, and definitely not something a “ride-sharing” app would need. So as a head-to-toe InfoSec enthusiast, I decided to take a deeper look into Pathao and see what information is being transferred from my smartphone.

Setting up the MITM proxy

To see what Pathao sends to remote servers, first I need to monitor my Android smartphone’s web traffic. To achieve that I would need to route my smartphone’s web traffic through my computer, which runs a MITM proxy. I used Burpsuite as the MITM tool, and I installed Burpsuite’s root CA as a trusted CA on my phone. This allowed me to decrypt all SSL traffic originating from my smartphone and inspect it as plaintext HTTP requests.

I set up Burpsuite to run a listener on port 8001. Since I was on a LAN, all I had to do next was to set my computer’s LAN IP as the proxy server in my smartphone’s Wi-Fi settings.

Burpsuite listening on port 8001

So now my smartphone has to go through my computer’s MITM setup before sending anything to the internet.

My smartphone is using the MITM proxy as proxy server

Logging the requests

I started by fresh installing the Pathao app from Google Play.

Installing the Pathao app from Google Play Store

Now it is time to open Pathao and see what it sends to remote servers. Everything Pathao sends or receives will be stored in my MITM proxy’s request history.

I opened Pathao from my app drawer. It asked me to put in my phone number. From my MITM proxy’s live log, I could tell that Pathao utilizes Facebook’s Account Kit to verify phone numbers. After submitting my number, I received an SMS from Facebook with a numeric verification code, which I had to put into Pathao.

Pathao login screen

After I was in, Pathao asked for location, SMS, and contacts permissions which I obliged. In the meantime, requests were being logged by my MITM proxy.

MITM proxy logging the HTTP requests sent by Pathao

The Analysis

Let’s take a look at the MITM proxy log.

We see several SSL-encrypted POST requests to graph.facebook.com and graph.accountkit.com. These are necessary requests and are made by Facebook’s Account Kit, which Pathao uses. We see similar POST requests to api.pathao.com, which include a unique identifier and are apparently also for authentication purposes.

Authentication POST requests by Pathao

We see a POST request to wzrkt.com, which sends our phone’s hardware and carrier details.

Pathao’s POST request with phone details to wzrkt.com

Next, we see three POST requests to api.pathao.com. These requests separately send our SMS, contacts list, and installed app list to Pathao.

Pathao sending my installed app list through a POST request to api.pathao.com
Pathao sending my phonebook (contacts list) through a POST request to api.pathao.com
Pathao sending ALL of my SMS messages through a POST request to api.pathao.com
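An added example, not code from the original post: a small Python triage script that labels intercepted POST bodies by the shape of their values (Android package ids, phone numbers, free text beside numbers), so the three exfiltration requests above stand out from ordinary authentication traffic in a proxy log. Only the host names come from the post; the sample bodies, JSON keys and values are constructed assumptions.

```python
import json
import re

# Constructed sample of intercepted POST bodies as (host, JSON body). Hosts are the
# ones named in the post; the keys and values are assumptions, not captured data.
SAMPLE_POSTS = [
    ("api.pathao.com", '{"device_id": "constructed-uuid"}'),
    ("wzrkt.com", '{"model": "Pixel 2", "carrier": "Grameenphone"}'),
    ("api.pathao.com", '{"apps": ["com.android.chrome", "com.whatsapp", "com.pathao.user"]}'),
    ("api.pathao.com", '{"contacts": [{"name": "Alice", "number": "+8801700000000"},'
                       ' {"name": "Bob", "number": "01800000000"}]}'),
    ("api.pathao.com", '{"sms": [{"from": "+8801700000000", "body": "Your bank OTP is 123456"}]}'),
    ("api.pathao.com", "not json at all"),
]
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")  # Android package id
PHONE_RE = re.compile(r"^\+?\d{8,15}$")
DEVICE_KEYS = {"model", "manufacturer", "os", "carrier", "imei", "android_id"}

def walk(obj, keys, leaves):
    """Collect every dict key and every leaf value of a JSON structure."""
    if isinstance(obj, dict):
        keys.update(obj)
        obj = list(obj.values())
    if isinstance(obj, list):
        for v in obj:
            walk(v, keys, leaves)
    else:
        leaves.append(str(obj))

def classify_body(body):
    """Label a body by the shape of its values, not just by its key names."""
    keys, leaves = set(), []
    try:
        walk(json.loads(body), keys, leaves)
    except ValueError:  # not JSON (form data, binary): nothing to classify here
        return []
    labels = ["device-fingerprint"] if keys & DEVICE_KEYS else []
    if sum(1 for v in leaves if PACKAGE_RE.match(v)) >= 3:
        labels.append("installed-app-list")
    if any(PHONE_RE.match(v) for v in leaves):
        # Numbers beside free text look like messages; beside short names, a phonebook
        has_text = any(" " in v and len(v) > 15 for v in leaves)
        labels.append("sms-messages" if has_text else "contacts-list")
    return labels

def audit(posts):
    """Return (host, labels) for every POST body that carries personal data."""
    labelled = ((host, classify_body(body)) for host, body in posts)
    return [(host, labels) for host, labels in labelled if labels]
```

Running `audit(SAMPLE_POSTS)` leaves the authentication body unflagged and yields one finding each for the device details, the app list, the phonebook and the SMS messages.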

Here is a Bengali-language video demonstrating everything in this post:

Ashik Emon


Ashik Ishtiaque Emon is a Google-certified Web Performance Expert and LPI-recognized Linux System Administrator. He travels and reads a lot. Reach him at [email protected].
