• Stars
    star
    3,077
  • Rank 14,629 (Top 0.3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 4 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs). In order to make it working, you need a computer with a Debian-like operating system and two Wi-Fi interfaces. The best choice is to use a Raspberry Pi (2+) a Wi-Fi dongle and a small touch screen. This tiny configuration (for less than $50) allows you to tap any Wi-Fi device, anywhere.

TinyCheck

Architecture

Description

TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs).

The idea of TinyCheck emerged in a meeting about stalkerware with a French women's shelter. During this meeting we talked about how to easily detect stalkerware without installing very technical apps nor doing forensic analysis on the victim's smartphone. The initial concept was to develop a tiny kiosk device based on Raspberry Pi which can be used by non-tech people to test their smartphones against malicious communications issued by stalkerware or any spyware.

Of course, TinyCheck can also be used to spot any malicious communications from cybercrime to state-sponsored implants. It allows the end-user to push their own extended Indicators of Compromise via a backend in order to detect some ghosts over the wire.

If you need more documentation on how to install it, use it and the internals, don't hesitate to take a look at the TinyCheck Wiki.

If you have any question about the project, want to contribute or just send your feedback,
don't hesitate to contact us at tinycheck[@]kaspersky[.]com.

Use cases

TinyCheck can be used in several ways by individuals and entities:

  • Over a network - TinyCheck is installed on a network and can be accessed from a workstation via a browser.
  • In kiosk mode - TinyCheck can be used as a kiosk to allow visitors to test their own devices.
  • Fully standalone - By using a powerbank, two Wi-Fi interfaces or a 4G dongle and a small touch screen like in this video, you can tap any device anywhere.

Installation

Please check the few steps in the Wiki's Installation Page.

Meet the frontend

The frontend - which can be accessed from http://tinycheck.local is a kind of tunnel which help the user throughout the process of network capture and reporting. It allows the user to setup a Wi-Fi connection to an existing Wi-Fi network, create an ephemeral Wi-Fi network, capture the communications and show a report to the user... in less than one minute, 5 clicks and without any technical knowledge.

Frontend

Meet the backend

Once installed, you can connect yourself to the TinyCheck backend by browsing the URL https://tinycheck.local and accepting the SSL self-signed certificate.

Backend

The backend allows you to edit the configuration of TinyCheck, add extended IOCs and whitelisted elements in order to prevent false positives. Several IOCs are already provided such as few suricata rules, FreeDNS, Name servers, CIDRs known to host malicious servers and so on.

Special thanks

Felix Aime, for his idea and passion while developing and testing this project. Felix is a main contributor and we really appreciate his work on TinyCheck.

People who provided some IOCs

Code review

Others

  • GReAT colleagues.
  • Tatyana, Kristina, Christina and Arnaud from Kaspersky (Support and IOCs)
  • Zeek and Suricata awesome maintainers.
  • virtual-keyboard.js.org & loading.io guys.
  • Yan Zhu for his awesome Spectre CSS lib (https://picturepan2.github.io/spectre/)

More Repositories

1

Kaspresso

Android UI test framework
Kotlin
1,789
star
2

klara

Kaspersky's GReAT KLara
PHP
689
star
3

triangle_check

Python
509
star
4

iShutdown

Python
389
star
5

AdbServer

Adb Server for Espresso tests
Kotlin
119
star
6

ForensicsTools

Tools for DFIR
C++
117
star
7

VBscriptInternals

Scripts for disassembling VBScript p-code in the memory to aid in exploits analysis
Python
84
star
8

Apihashes

IDA Pro plugin for recognizing known hashes of API function names
Python
81
star
9

hrtng

C++
71
star
10

ActionScript3

Tools for static and dynamic analysis of ActionScript3 SWF files.
Python
45
star
11

BuildMigrator

C
34
star
12

uif

Integration Platform to build UI and Web Services
TypeScript
33
star
13

WinDbg-JS-Scripts

JavaScript
32
star
14

xtraining-re101

Code snippets for Reverse engineering training for xtraining platform
C
30
star
15

bitscout

Shell
20
star
16

OpenTIP-scanner

Open-source file scanner that sends requests and optionally uploads files to OpenTIP.kaspersky.com.
Python
17
star
17

Articles

C++
16
star
18

SafeBoard

Repository for general info and code samples for test tasks used in SafeBoard Hackatons in Kaspersky Lab.
C++
15
star
19

klogga

Opinionated logging-audit-tracing library. Data collected via klogga can be configured to be exported to different sources, including traditional text logs, but with emphasis on structured storages, primarily time-series databases and Open Telemetry.
Go
12
star
20

hb_dec

C
11
star
21

threat-intelligence

A repository dedicated to deliver a comprehensive set of tools for integration and convenient use of Kaspersky Threat Intelligence services
Python
9
star
22

grpc-kos

Shared C [core library], C++, Ruby, Python, PHP, C# (core library based), Objective-C
C++
4
star
23

RAM

Framework to manage the product state and configuration
Python
4
star
24

protobuf-kos

Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
C++
3
star
25

abseil-cpp-kos

Abseil is an open source collection of C++ libraries drawn from the most fundamental pieces of Googleโ€™s internal codebase.
C++
2
star
26

c-ares-kos

c-ares is a C library for asynchronous DNS requests (including name resolves)
C++
1
star
27

boringssl-kos

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
C++
1
star