InfoSec Write-ups – Medium–
Recovering a lost phone number using the hacker mindset
Recently I have lost an important phone number accidentally as a consequence of wiping the data partition of my Android device (due to an OS upgrade migrating from the official but unsupported LineageOS branch to my unofficial but up-to-date supported LineageOS builds). All of the data were backed up, but unfortunately, this one phone number was not, and it was important. So I had to recover it somehow.
Because the wiped data partition was encrypted and the encryption keys were lost, any forensics jobs on the wiped partition would have been extremely hard or almost impossible.
Where else could we find that number? It seems obvious to get it from the mobile network operator since they quite certainly log everything. Luckily, the (free) “electronic call detailing” service was enabled in my subscription profile, so I had the chance to get details of historic calls easily, online, accessing my historic invoices.
After a short thought, I was able to estimate a narrow timeframe when I initiated a call to my lost contact. I checked this timeframe of my outgoing calls in my online accessible invoices, filtered out the known numbers and only one left, which was almost surely the lost one I was looking for.
However, there was still a little issue: the network operator masks the last two digits of the numbers in the call logs due to privacy reasons, so the missing phone number looked like 3012345**, where ** was still unknown.
I gave it a try to ask the number directly from the operator, but they refused to provide it. (They lie that they do not even know it, what is obviously pseudo-privacy bullshit. 🙂 )
Another (hacker-style) option is brute-force. We have only 100 numbers to try, so this should work. But it can also be done wisely, for example without calling the invalid or foreign numbers. Our plan is some open-source intelligence (OSINT), trying to use the internal databases of popular messaging apps or cloud services like Google, Whatsapp, Viber.
In practice, we should upload the 100 phone number candidates to an Android phonebook, install and register to Whatsapp, Viber, etc. and let’s have a look at what data had been synced. For example, Google has contact names for numbers, Viber offers profile pictures even for pure numbers without names, so if we are lucky, we could obtain sufficient information to identify the lost contact.
To accomplish the investigation we need an Android phone, a Google account and a phone number (with a SIM card in practice) for registering the messenger apps.
Because I did not want to mix this open-source intelligence project with my real personal profile, I used a dedicated fake identity. I used an Android emulator instead of a real device, used a dedicated Google account and used a dedicated phone number (with a fresh prepaid SIM card). Using dedicated accounts for these kinds of projects is highly recommended for several reasons. For example, messaging apps may block your identity if it detects malicious usage, which should be avoided.
Getting a SIM card is never difficult, I simply got one for free. I have activated it in one of my +10 years old legacy dumb cell phone. The only service I needed was receiving the confirmation SMS for registrations.
Running an Android emulator on my Arch Linux OS is well documented, my preferred way is to use the Android SDK cmdline tools available in the AUR.
Installing the cmdline tools:
$ git clone https://aur.archlinux.org/android-sdk-cmdline-tools-latest.git
$ cd android-sdk-cmdline-tools-latest
$ makepkg -s
$ sudo pacman -U android-sdk-cmdline-tools-latest-2.1-1-x86_64.pkg.tar.zst
Grab a recent Android system image and create an Android Virtual Device:
$ sudo /opt/android-sdk/cmdline-tools/latest/bin/sdkmanager 'system-images;android-30;google_apis_playstore;x86_64'
$ /opt/android-sdk/cmdline-tools/latest/bin/avdmanager create avd -n osint -d 10 -k 'system-images;android-30;google_apis_playstore;x86_64'
For convenience, I usually add hardware keyboard support by adding hw.keyboard=yes to ~/.android/avd/osint.avd/config.ini.
Now it is possible to launch the emulator by the command:
$ ANDROID_SDK_ROOT=/opt/android-sdk /opt/android-sdk/emulator/emulator @osint
Meanwhile, I registered a dedicated Google account on my desktop (with my dedicated phone number above). It is good for the Android profile and also great for syncing and uploading the 100 phone number candidates to the Android device.
Let’s create the 100 phone number candidates (as a CSV suitable for importing in Google Contacts):
$ ( echo "Phone" ; for i in `seq 0 9`; do for j in `seq 0 9`; do echo "+363012345$i$j" ; done ; done ) > phone.csv
And now import the created phone.csv to contacts.google.com:
A couple of the numbers have been identified already, but unfortunately the one I was looking for still have not:
Let’s try the Android messaging apps. The imported phone numbers are available in the Android phonebook after syncing (with the same Google account):
After installing Viber from Google Play and registering with a phone number (using the SIM card in my legacy dump cell phone), the contacts (phone numbers) in the phonebook get synced.
After syncing, profile pictures matching the phone numbers with Viber accounts were available:
Luckily, one of the profile pictures matched and I recognized my lost contact, so I found the lost phone number. 😉
Note, that using Android Contact apps is a well-known OSINT technique for getting information about phone numbers. Here is one for reference and further reading by Aric Toler from Bellingcat.
Recovering a lost phone number using hacker mindset was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.