Kontacto – an insecure mobile app to track voters in Colombia

24 October 2019

On October 22nd, Qurium was informed by Cuestion Publica of the existence of a non-public Mobile application named Kontacto that seemed to track the intention of vote for the upcoming elections in Pereira (Colombia) on October 27th. The application also provides technical means to build a pyramid of referrals lobbying for a specific candidate.

This report summarizes our digital forensics findings of Kontacto, an Android Mobile application that not only engages in a “dubious” and questionable political campaigning scheme but also breaches many of the data protection principles required by the data protection law of Colombia.

Qurium obtained a copy of the Android application on October 22nd and started to “reverse engineer” the mobile application by means of both static and dynamic analysis.

The static analysis consists of de-compiling the code and the dynamic analysis is performed by running the application in a controlled environment, so called Sandbox. Ultimately, Qurium aims to gain an understanding of the Application’s functionality and identify the developer of the code.

According to local sources, the name “Kontacto” is used to mimic the Spanish word “Contact”, and the Application has not been distributed via Google Apps, but via social media (WhatsApp).

kontacto.apk c9d26fb14d694eb3b7cb167f589c4807

When was Kontacto created?

The certificate they are using to sign the app is the default Android debug one, debug.keystore, and not a release certificate. We can only know the creation date of that certificate, showing October 17th 2018.

 Owner: C=US, O=Android, CN=Android Debug
 Issuer: C=US, O=Android, CN=Android Debug
 Serial number: 1
 Valid from: Wed Oct 17 06:37:03 CEST 2018 
 until:      Fri Oct 09 06:37:03 CEST 2048

The application is written using the Android Development Framework “WinDev Mobile” distributed by pcsoft.fr.

What permissions are required to run Kontacto?

The permissions required by the application include access to location (GPS), phone contacts, external storage, camera and be able to trigger phone calls.

The application communicates with a web server using SOAP (Simple Object Access Protocol), which is a message protocol that allows distributed elements of an application to communicate.

In our sample of Kontacto, the developer had hardcoded the domain kontactows.co in the file “kontacto/wdgen/GWDPKontacto.java”. The domain kontactows.co was registered in GoDaddy on May 7th 2019.

Nombre del Dominio kontactows.co
ID del dominio del registro D4FA72A9BCE3E42B289EACA6C86706A04-NSR
Fecha actualizada 2019-05-12T22:06:54Z
Fecha de creación 2019-05-07T22:06:53Z
Fecha de caducidad del registro 2020-05-07T22:06:53Z
Registrador GoDaddy.com, Inc.
Teléfono de contacto de abuso de Registrador +1.4806242505

What does the application do?

A list of the functions supported by the server side of the application are included in the following table. The functions marked with ** contain personal identifiable information.

ActivarRecordarContrasena
AtenderRequerimiento
CambiarContrasena
** ConfirmarVotacionPersona
** ConsultarPersona
EliminarUsuario
GenRepCantidades
GenRepCategoria
GenRepRefEstrategia
RecordarContrasena
RegistrarCorreccionPersona
** RegistrarEmpresa
RegistrarEncuesta
** RegistrarPersona
RegistrarPublicacion
RegistrarRequerimiento
** RegistrarUsuario
RegistrarVisita
RegistrarVisitaLider
RegistrarVisitaSeguimiento
RegistrarVistaPublicacion
getAvancePuestoVotacion
getComoVamos

** getContactosNuevos
** getDatosAMovil
** getDatosUsuario
getHayPublicacionesPendientes
** getListaEquipo
getListaPublicaciones
getListasValores
getPreguntas
** getReferidosPersona
** getReferidosUsuario
** getRegUsuario
getRequerimientosMovil
getResumenCall
getResumenComoVamos
** getVotoReferidosPersona
getXlsRequerimientosAbiertos
This image has an empty alt attribute
List of icons used by Kontacto.
Companies are also registered in Kontacto

Kontacto and their army of trolls

One of the functionalities of Kontacto is to coordinate the presence of the supporters in social media. The menu “Lista Publicaciones” shows articles in Facebook talking about “Carlos Maya” and supporters are encouraged to participate and support the candidate. We review each of the articles and could see how members of the support network flooded with positive comment in social media.

The facebook ID https://www{.}facebook.com/923783677803824 corresponds to the account “carlosmayapereirano”. In the following screenshot it can be seen the “army of trolls” responding to the “Kontacto request”

Does Kontacto encrypt any data?

The application does not include any libraries for encryption and connects to the web server using non-encrypted HTTP to the URL. The application sends personal information of “political campaigners” and “vote influencers” and their referrals “referidos” in plain text.

Personal information includes ID number, addresses and location of poll stations.

Registering “Los Referidos” using their ID cards

The application has also the ability to read the “personal identifiable information” present in the Colombian ID card (Cedula)

The code allows to read the name and ID card number from the “Code Bar” present in the document.

This is the information that can be obtained from the Code Bar of the National ID.

Where is the server hosted?

During initialization, the application checks that the user is connected to the Internet by contacting http://www.google{.}com. Later on, the application contacts the IP address 3{.}221.46.163, a server hosted in the Amazon Cloud.

Using Censys , we also traced the “Kontacto Server/Servidor Kontacto” in Amazon to the same IP address 3{.}221.46.163.

How long has the Kontacto Server been active?

A search in Censys historical database (Big Query) reveals that the web server has been functional from at least July 17th 2019.

Does the application perform any personal or location tracking?

The application tracks the position of the user by GPS when the operator registers future voters and verifies the correctness of the ID cards submitted.

Error message, forcing the mobile to turn on the GPS.
WDWS Call (SOAP) to server to verify ID (Cedula).

Is Kontacto safe to use?

No, the application is vulnerable to several forms of cyber attacks that puts personal data at risk.

The server that interfaces with the Mobile Application “Kontacto” is not properly protected and leaks its core functions (SOAP API) and what might be the motivation behind the design of the application.

Due to the lack of internal authentication, it is possible for any skilled pentester to retrieve personal data registered in the application.

As a proof of concept, we include a few screenshots of identified flaws in Kontacto.

The application shows the support to Juan Pablo Gallo / Carlos Maya
It is also possible to know which votes were referred by a given person.

The application has serious design and security flaws that allows to bypass the authentication and retrieve personal identifiable information.

How many people are making use of the system?

Kontacto Database contains more than 1.000 people as part of their recruitment team (Equipo) and more than 55.000 records as “Los referidos”

The following graph shows how many people are “refereed” by each of the 1000 campaigners. 24% refer 5 or less people, 60% refer between 5 and 50 people and a few users refer more than 50.

High level participants of the “campaigning” scheme are labeled as “Mariscal”.

The following graphs how the number of “Referidos” increases as new members to the campaigning team “Equipo” are recruited

Who wrote Kontacto?

The application lacks any traces to its author, no (C) Copyright messages, e-mail or other form of contact details can be found in the App.

Contact details of the domain name kontactows.co point to “Jhonny Castano Munoz” that works with the company Trans Life SAS (NIT: 900244336 – 1) that in the past delivered the Census software “Sondeox” (2017) to the department of Risaralda, Colombia (where Pereira is capital).

By analyzing the Sondeox application from 2017, we could verify that it was written using the pcsoft development framework and contains similar internal code that Kontacto runs on.

Public records of the administration in Pereira including financial audits show that Trans Life SAS in the past worked with the municipality to deliver a Census of users of the public services offered by SERVICIUDAD E.I.CE E.S.P.

Temporary page of TRANS LIFE.

Conclusions

Kontacto is an Android Mobile application developed by Johnny Castaño from the company TRANS LIFE SAS. The application allows each user to register “new contacts” that will go to vote. The users act as political campaigners that registers their contacts (referidos) with their ID card (cedula) and their poling stations (puesto).

The application also provides global summarizes that inform the application owner the status of the “referral-pyramid” (Como Vamos).

In different parts of the application there are references to the national data protection law 1581/2012 so as to authorize the use of personal data. Unfortunately no real effort is made to protect such personal data and personal data is transferred to the central server without encryption.

During our review we discover several serious design flaws that puts the personal data at risk.

After our analysis, we believe that Kontacto not only engages in a “dubious” political campaigning ponzi scheme but also breaches many of the data protection principles required by the data protection law of Colombia.