I'm doing some Android malware research for MMS based attacks. And I'm looking for a manual way to retrieve or download a received MMS message. I was hoping to find some curl
or wget
lines to be able to do so, but have not found anything useful.
So far I have got some MMS info from the internal databases, found by:
# find / -iname "*.db" |grep -iE "mms|sms"
...
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.google.android.gms/databases/icing_mmssms.db
/data/data/com.android.mms/databases/message.db
/data/data/com.android.mms/databases/message_glance.db
# cd /data/data/com.android.providers.telephony/databases/
# echo "select * from pdu;" | sqlite3 -header mmssms.db
...
# echo "select date,sub,ct_l,tr_id from pdu;" | sqlite3 -header mmssms.db
date|sub|ct_l|tr_id
1495xxxxxx|Download this message|http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx|Ae_xxxx_xxxxx-xxx
How to interpret the mmsc32:10021
part?
Then looking in the message settings for the MMSC
, Proxy
and port
, I want to build a working CLI one-liner or browser request, to download the file for inspection.
In the phone settings settings we can find the MMSC via:
Settings > More > Mobile network > Access Point Names > MMS: <your operator>
MMSC: http://mms.company.net:8002/
MMS Proxy: 194.xx.xx.xx
MMS Port: 8080
How can I download the MMS file from shell command line (or an external browser)?
PS. Obviously the phone is rooted and have both busybox
and sqlite3
, and perhaps also curl
or wget
installed. The AOS is 5.0+.
Addendum: 2017-11-09
From here:
MMS (Multimedia Messaging Service) messages are sent using a combination of SMS and WAP technologies. When an MMS message is sent, a mobile device receives an MMS notification message via SMS. When this MMS notification message is received by the mobile device, the mobile device automatically initiates a WAP gateway connection to download the content of the MMS message.
To send an MMS message, you must first create an MMS message file. The format of an MMS message file is documented in the MMS Encapsulation Protocol specification published by the Open Mobile Alliance (http://www.openmobilealliance.org) and/or the WAP Forum (http://www.wapforum.org). The MMS message file format consists of an MMS message binary header, followed by a multipart MIME message where the multipart message is encoded in a binary multipart format as defined by the WAP Wireless Session Protocol (WSP) specification. This binary MMS message file is stored on a web server using a MIME type of application/vnd.wap.mms-message and an MMS message type of m-retrieve-conf. A subset of the binary MMS header is sent as an MMS notification message (MMS message type m-notification-ind) via SMS to the mobile device together with a URL pointer to the location of the complete message.
Also, smartphones does not download the MMS or SMS content to SIM any more. That is how "feature" phones used to do it.
Addendum: 2017-11-13
Looking at the API-23 (M) sources for the SQLite3 tables shown in Telephony.java, we find that
CONTENT_LOCATION = "ct_l";
, so we can search for its other uses here. To briefly summarize our findings:
date # The message delivery time.
sub # The subject of the message, if present.
ct_l # The Content-Location of the message. A field in interface:Telephony.BaseMmsColumns
tr_id # The transaction-id of the message.
Thus we might expect that the URI in ct_l
can be interpreted as follows:
http://mmsc32:10021
is the server (IP:PORT) masked by the MMS proxy (shown) above/mmsc/3_2
is the WAP URL to the message processor ?Ae_xxxx_xxxxx-xxx
is telling the message processor to retrieve the message given by the "transaction id": Ae_xxxx_xxxxx-xxx`
Therefore, using the proxy (APN) settings, and using the URL extracted from the message DB (mmssms.db), one should be able to retrieve and download the content of the MMS, using a carefully crafted curl
statement.
Perhaps something like:
# curl -x http://proxy_server:proxy_port --proxy-user username:password -L http://url
curl -v -x http://194.xx.xx.xx:8080 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
# Or from outside local net:
curl -v -x http://mms.company.net:8002 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
The first one obviously wouldn't work from outside the phone environment as it refers to an IP class C, only visible within the mobile assigned IP.
I just used your addendum to get it working, but had to change it slightly.
Note that I'm running this from linux with a PPP
interface defined via a connected USB modem. Obviously the connection this executes from has to be "on net" for the carrier that delivered the MMS push.
curl --interface ppp0 -v -x 10.202.2.60:8080 --output mms.pdu http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
where:
ppp0
is the interface defined by the modem connection, and:
http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
was the URL passed in the original MMS push notification, and:
10.202.2.60
is the MMS proxy given by my carrier, and:
8080
is the MMS port given by my carrier.
This saves the MMS to the file mms.pdu
.
The config files:
/etc/ppp/options
:
debug
4000000
modem
crtscts
lock
connect /etc/ppp/net-connect
asyncmap 0
defaultroute
:
mtu 1400
/etc/ppp/net-chat
:
#!/bin/sh
/usr/sbin/chat -v -t 60 -f /etc/ppp/net-chat
/etc/ppp/net-connect
:
ABORT 'ERROR'
ABORT 'BUSY'
ABORT 'NO CARRIER'
'' AT
OK ATE0
OK AT+IPR=4000000
OK AT+CGDCONT=1,"IP","live.vodafone.com"
OK AT&S1
OK AT&F
OK AT&W
OK AT+CNMP=14
OK AT&W
OK ATE0
OK ATD*99***1#
CONNECT
Finally connect, by doing: /usr/sbin/pppd /dev/ttyUSB3
I hope you get an answer to this. I'm not the one, but will throw in my 2 cents worth of advice...
Short version
You can't have texts skipping the "send to" SIM card and auto-diverting to some computer.
Make an Android app to install on your phone, make sure its job is to detect and divert copies of new inbox messages to your computer.
Use a USB dongle for the SIM. When plugged into computer, then you're receiving messages directly to your computer without the phone being involved.
Long version
Rather than command line tools, you're better off making an actual app (via Android SDK) that checks for received messages and forwards some data to you (eg: via email, or sockets, or however you like). Also "some data" meaning either a full copy of the message itself, or just sends feedback of [in-app] message analysis (eg: number of images detected, the hex printout of image bytes and so on).
Looking at Android's SmsManager API it even tells you:
For information about how to behave as the default SMS app on Android 4.4 (API level 19) and higher, see Telephony.
Also look at that API's downloadMultimediaMessage command. It's doing what you need. Telephony page has the information and links to start, but independent blog articles and tutorials (one such example) about this topic are out there too.
Anyways, onto your post...
(1)
"I just want to download the message to a file, without the phone processing it, as it could contain malware"
How do you imagine "without the phone processing it" to work? The phone holds the sim that your operator (via a service centre) will forward messages to, after receiving from sender's own provider's service centre. You and curl
are out of this loop. You'll only know of a text when your SIM receives it and the phone OS alerts you.
Technically the phone has processed this message, you just haven't opened it yet.
(2)
"How can I download the MMS file from shell command line or an external browser?"
You have to download that entire mmssms.db
file and extract the specific message from it. You treat the .db
like any other online database (eg: using SQL/PHP type queries, etc).
See this tutorial for useful advice : http://cheeky4n6monkey.blogspot.co.uk/2013/02/
An alternative for future incoming messages is to just get a (USB) SIM dongle that takes your card. Once plugged into the computer it can receive/send messages since the SIM is live/active inside the dongle (as proxy of phone).
The dongles come with own software (example image of such) for managing web connections and read/write SMS/MMS messages. It's like just having SIM working not in phone but on desktop.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With