gradinaruvasile
Members
Rank: New Member
Content count: 18

About gradinaruvasile
  1. Well, I sent an email to them too asking for a firmware without ads after I started this thread. I even linked them this thread... It seems that they do listen sometimes...
  2. And what did they say about this? Why was this malware there in the first place?
  3. For the Rainbow the update came only via the Wireless Update app.
  4. You can upload it to virustotal.com; it will be checked with 56 scanners to date.
  5. I did the update. Good news: the systemui apk file has a 0/56 VirusTotal score! Other than that they included some new software; Google Duo and Browser stand out at first glance. Now I will have to see if something happens...
  6. Well. It seems that a firmware update was released on 2017-05-26 and pushed via the wireless update; we noticed only now. It has 2 items in the changelog: a line coloured red saying "Enhanced protection against malware" and some minor bug fixes. One can hope they mean that they removed this crap. I will apply the update later when the phone is available and report back.
  7. You never know. Maybe the WIKO has something installed too?
  8. I tried uploading it to VirusTotal and Malwarebytes does not detect it there. I would expect all mobile antivirus solutions to work with VirusTotal since we can get a better picture in a few seconds instead of installing a ton of anti-malware apps. BTW, after yesterday's "outbreak" I removed the "SYSTEM_ALERT_WINDOW" permission (that is the permission that lets a window cover everything permanently, used by this kind of malware to force the user to actually tap a button) from systemui and since then no more popups... May be a coincidence, may not. Will see.
     adb shell pm revoke com.android.systemui android.permission.SYSTEM_ALERT_WINDOW
  9. Well, it started happening again. Now I don't know if there is another modified system/Google component that has access, the systemui has built-in stuff that does stuff regardless of net access, or maybe NetGuard doesn't always work (after switching networks?). One day about 2-3 weeks ago the NetGuard app probably crashed (no status icon) and for about 7 hours the phone was connected to the net with no limitations. Today we saw that an apk was downloaded from somewhere and full-screen messages started appearing. I wonder whether Chrome itself may be compromised too... Anyway, this sucks.
  10. Hi, I asked Cubot too. Well, I got the exact same answer you got (in an implicit admission): some FOTA upgrade or No Root Firewall. Now the FOTA link they sent was not working. They seem to provide the Adups FOTA data collection tool (which is built into the Wireless Update tool) that besides the actual updates can do some personal data collection. Note that this is done surreptitiously in the background and the data is sent to the same servers the updates come from. There was a scandal about it in the US where they stopped the data collection by an update (which BTW can just as well be reversed by them). To block this you should block net access to the Wireless Update tool.
     Now on the phone I had issues with (used by my wife) I reflashed the firmware (from their site, via the Wireless Update local update option) then reset to defaults. But before giving it any net access I installed NetGuard from .apk (I compiled it from source but AFAIK the Play Store version .apk can be downloaded too) and disabled network access to System UI, Wireless Update and another shady package that has the Opera Store description but has some Chinese name. No issues since, for more than a month. And as you can see above, System UI tried to connect to many sites since.
     But these kinds of issues have to be known to the world; the Chinese (people?) brands lost any trust I had. Is there a site where we get these phones listed with links to reports like these for validation? Chinese vendors I had interacted with on AliExpress, eBay etc. all had a "slippery" attitude when something was wrong with their merchandise (anyway I buy only cheaper stuff that I can afford to lose my money over). I get it, cultural differences and all, but anyway.
     Customer: Guys, you have malware installed on the phones you sell and customers store private data on.
     Chinese: Please try disabling net access of our malware with a 3rd party tool (which, if for some reason it is stopped, will allow the malware to run).
     What the #$##? Probably they are accustomed to no privacy over there; they don't even understand what we want (BTW I lived my childhood under Communism and I know how it works). But they sell stuff to people that have other needs than them. Is it that hard to provide a firmware that has no crap in it??? BTW I remember somebody posting on Amazon, I believe, a screencap of a conversation about this subject with a Chinese dude that went something like:
     Customer: You sold a phone that sent my personal data to China.
     Sales rep: Your data is safe with us.
     Customer (I believe the exact words): You are seriously typing this??
     PS: Malwarebytes still does not detect this (come on, even ClamAV detects it!).
  11. So, I pulled more logs from NetGuard. It wants to connect to a multitude of sites. These connections were all blocked. I have no idea how it acquired all this connection info in the first place; I doubt it has these all hardcoded. Maybe it uses Google's ad network and NetGuard lets something related slip through? Interesting are those port 123 connections that are usually NTP.
     T4 - tcpv4 protocol
     U4 - udpv4 protocol
     The last number after the / - destination port number.
     There may be some slight errors; this list was obtained via OCRing some screenshots (mainly extra spaces or misinterpreted - signs).
     T4 >ec2-54-169-134-231.ap-southeast-1.compute.amazonaws.com/80
     U4 >47.90.91.157/6607
     T4 >211.151.121.41/443
     T4 >ec2-52-80-22-85.cn-north-1.compute.amazonaws.com.cn/443
     U4 >47.90.91.157/6602
     U4 >47.90.91.157/6606
     U4 >47.90.91.157/6601
     U4 >47.90.91.157/6604
     U4 >47.90.91.157/6605
     U4 >47.90.91.157/6608
     T4 >ec2-54-169-184-223.ap-southeast-1.compute.amazonaws.com/80
     T4 >ec2-52-220-106-161.ap-southeast-1.compute.amazonaws.com/80
     U4 >47.90.91.157/6600
     U4 >47.90.91.157/6603
     T4 >ec2-54-222-186-106.cn-north-1.compute.amazonaws.com.cn/443
     T4 >ec2-54-222-149-204.cn-north-1.compute.amazonaws.com.cn/443
     U4 >153-128-30-125.compute.jp-e1.cloudn-service.com/123
     U4 >209.58.185.100/123
     U4 >ec2-34-198-99-183.compute-1.amazonaws.com/123
     T4 >42.96.141.35/80
     T4 >ec2-54-223-192-14.cn-north-1.compute.amazonaws.com.cn/443
     U4 >y.ns.gin.ntt.net/123
     U4 >ip-243-189.datautama.net.id/123
     U4 >darwin.kenyonralph.com/123
     T4 >ec2-54-222-139-114.cn-north-1.compute.amazonaws.com.cn/443
     U4 >210.23.25.77/123
     U4 >210.23.25.77/123
     U4 >103-226-213-30-static.unigate.net.tw/123
     U4 >61-216-153-105.HINET-IP.hinet.net/123
     T4 >ec2-52-76-189-231.ap-southeast-1.compute.amazonaws.com/80
     T4 >47.88.85.201/80
     U4 >time2.isu.net.sa/123
     U4 >b29.lumajangkab.go.id/123
     U4 >ntp1.ams1.nl.leaseweb.net/123
     T4 >ec2-54-223-248-84.cn-north-1.compute.amazonaws.com.cn/443
     U4 >218.189.210.3/123
     U4 >61-216-153-106.HINET-IP.hinet.net/123
     T4 >ec2-54-222-193-107.cn-north-1.compute.amazonaws.com.cn/443
     T4 >ec2-52-220-124-195.ap-southeast-1.compute.amazonaws.com/80
     U4 >139.59.240.152/123
     U4 >61-216-153-104.HINET-IP.hinet.net/123
     T4 >ec2-54-222-170-68.cn-north-1.compute.amazonaws.com.cn/443
     U4 >ngn-KAPnigatakML11.bb.kddi.ne.jp/123
     U4 >dns1.synet.edu.cn/123
     U4 >ntp3.flashdance.cx/123
     U4 >timpany.srv.jre655.com/123
     U4 >sjkBBML24.bb.kddi.ne.jp/123
     T4 >47.90.91.157/1688
     T4 >ec2-54-169-100-206.ap-southeast-1.compute.amazonaws.com/80
     U4 >ntp.gnc.am/123
     U4 >astoria.loreland.org/123
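The post above explains the NetGuard list format (T4/U4 for TCP/UDP over IPv4, destination port after the slash) and notes that the list was OCR'd from screenshots. The following is an added example, not the poster's code: a small parser that tolerates the OCR damage the poster describes (stray spaces, dashes read as em-dashes, "e02" for the "ec2" prefix of Amazon hostnames, which is an assumption on my part), separates the udp/123 entries the poster identifies as probable NTP from everything else, and counts attempts per destination. The sample lines are a constructed subset copied from the list above with the artefacts left in.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines copied from the NetGuard list above, with the
# OCR damage the poster mentions left in (stray spaces, em-dashes, 'e02' for 'ec2').
SAMPLE_LOG = """
T4 >e02-54-169-134-231.ap-southeast-1 .compute.amazonaws.com/80
U4 >47.90.91.157/6607
T4 >211.151.121.41/443
U4 >209.58.185.100/123
U4 >ec2-34-198-99-183.compute\u20141.amazonaws.com/123
U4 >61-216-153-105.HINET\u2014IP.hinet.net/123
T4 >47.90.91.157/1688
U4 >ntp1.ams1.nl.leaseweb.net/123
T4 >e02-52-76-189-231.ap-southeast-1 .compute.amazonaws.com/ 80
"""

# <proto><ipver> ><host>/<port>, allowing whitespace wherever OCR tends to insert it.
LINE_RE = re.compile(r'^([TU])([46])\s*>\s*(.+?)\s*/\s*(\d+)\s*$')
PROTO = {'T': 'tcp', 'U': 'udp'}
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

def normalize_host(raw):
    """Undo the OCR artefacts: inner spaces, em/en dashes, 'e02-' for EC2's 'ec2-' prefix (assumed)."""
    host = re.sub(r'\s+', '', raw)
    host = host.replace('\u2014', '-').replace('\u2013', '-')
    host = re.sub(r'^e02-', 'ec2-', host)
    return host.lower()

def parse_netguard(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, ver, host, port = m.groups()
        host = normalize_host(host)
        entries.append({
            'proto': PROTO[proto],
            'ipver': int(ver),
            'host': host,
            'is_ip': bool(IPV4_RE.match(host)),   # bare IP means NetGuard had no reverse DNS
            'port': int(port),
        })
    return entries

def is_probable_ntp(entry):
    # udp/123 is what the poster flags as "usually NTP"; everything else is of interest.
    return entry['proto'] == 'udp' and entry['port'] == 123

def triage(entries):
    """Split probable NTP from the rest and count (proto, port) attempts per destination."""
    ntp = [e for e in entries if is_probable_ntp(e)]
    other = [e for e in entries if not is_probable_ntp(e)]
    by_host = defaultdict(Counter)
    for e in other:
        by_host[e['host']][(e['proto'], e['port'])] += 1
    return ntp, other, {h: dict(c) for h, c in by_host.items()}

def report(text):
    """Human-readable summary, busiest non-NTP destinations first."""
    ntp, other, by_host = triage(parse_netguard(text))
    lines = ['probable NTP (udp/123): %d destinations' % len(ntp),
             'non-NTP: %d attempts to %d destinations' % (len(other), len(by_host))]
    for host, ports in sorted(by_host.items(), key=lambda kv: -sum(kv[1].values())):
        detail = ', '.join('%s/%d x%d' % (p, port, n) for (p, port), n in sorted(ports.items()))
        lines.append('  %s -> %s' % (host, detail))
    return '\n'.join(lines)

if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

On the real list, feed the full text (or a NetGuard log export) to `report()`; the non-NTP destinations, in particular the one host receiving both a run of UDP ports and a TCP connection, are the ones worth a whois or pcap look, as the later posts do.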
  12. You could check with logcat; Cheetah might have different apps that do this thing. A simple check for "System UI" is to check the data used by the app. It should not have any usage (look at the apps list and enable "show system" in the three-dot upper right menu). BTW I met someone who also has a Cubot Rainbow and it seems that it has no issues (no data used by System UI since 2 months or so). It also has an older firmware revision. And it seems it was purchased in the UK originally.
  13. Other IPs:
     52.220.106.161
     52.74.171.223
     47.88.85.201 (this IP is registered to Alibaba.com LLC (AL-3))
     Looking at the connection attempt history the first IP address (sdk.asense.in) seems to be the primary; connections to it are attempted every few minutes. I exported a pcap packet capture from NetGuard (the rule is set to block the outgoing connections); it seems that these are only keepalive packets. Also I looked into the asense.in domain; it is registered to "inter police", Sponsoring Registrar: Name.com LLC (R65-AFIN):
     Domain ID:D9641135-AFIN
     Domain Name:ASENSE.IN
     Created On:11-Jul-2015 07:50:58 UTC
     Last Updated On:19-Jun-2016 16:58:38 UTC
     Expiration Date:11-Jul-2017 07:50:58 UTC
     Sponsoring Registrar:Name.com LLC (R65-AFIN)
     Status:CLIENT TRANSFER PROHIBITED
     Reason:
     Registrant ID:nec08dzk96cxew8q
     Registrant Name:inter police
     Registrant Organization:
     Registrant Street1:shanghai
     Registrant Street2:
     Registrant Street3:
     Registrant City:shanghai
     Registrant State/Province:shanghai
     Registrant Postal Code:200000
     Registrant Country:CN
     Registrant Phone:+86.12345678
     Registrant Phone Ext.:
     Registrant FAX:
     Registrant FAX Ext.:
     Registrant Email:interpolice.2012@gmail.com
     I was under the impression that .in domains normally mean India, but in this case name.com (which is a US domain name registrar) can sell .in domain names to others to resell to dubious Chinese organisations. BTW this email address is linked to other .in domains that have connections to Android malware.
     Attachment: netguard_20170331 (5).pcap.zip
  14. If you want to see what app initiated the full-screen ads you can do it via adb logcat using the phone's USB debugging mode. Now the setup of ADB is your task, please look it up; the method of finding the malware is described here: http://blog.teamleadnet.com/2015/06/how-to-remove-adware-browser-hijack-or.html
     Basically you install ADB and USB drivers, launch logcat and reproduce the issue (stop logging with CTRL+C), then sift the logs (which are very detailed) for something like this (full-screen ads might use WebView instead of Chrome):
     03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0
     Take the uid number and run:
     adb shell "dumpsys package | grep -A6 'userId=UIDNUMBER'"
     This will return something like this:
     userId=10022 sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
     pkg=Package{ad251ba com.android.systemui}
     codePath=/system/priv-app/SystemUI
     resourcePath=/system/priv-app/SystemUI
     legacyNativeLibraryDir=/system/priv-app/SystemUI/lib
     And that is the package that initiated the ads. Now you can go into the codePath and see what is there with "adb shell ls -al thecontentsofcodepath". If you see an .apk file there you can download it with "adb pull filenamewithfullpath" to your computer and upload it to VirusTotal. Now in the case of full-screen ads I suppose you don't know the exact URL, but searching for the "START u0" or "dat=http://" string you will probably find it somewhere. The above, while taken from a valid case, might and probably IS different from your issue.
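The procedure in the post above (find the ActivityManager START line, take the caller uid, look the uid up in `dumpsys package`) can be automated once both outputs have been saved to files with `adb logcat -d > logcat.txt` and `adb shell dumpsys package > dumpsys.txt`. The following is an added example, not the poster's or the linked blog's code. Both inputs here are constructed: the logcat line is the one quoted in the post plus a harmless launcher intent for contrast, and the dumpsys fragment reproduces the post's output inside the `Package [name] (hash):` block layout that `dumpsys package` uses (the second package, com.example.mail, is a made-up name).

```python
import re

# Constructed sample logcat output, modelled on the line quoted in the post above.
LOGCAT = """\
03-20 21:04:41.900 23448 23460 D WifiService: getConnectionInfo uid=1000
03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0
03-20 21:04:43.001 23448 23722 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.example.mail/.MainActivity} from uid 10105 from pid 23800 on display 0
"""

# Constructed sample of `dumpsys package` output, modelled on the fragment in the post.
# com.example.mail is a made-up second package so the join has something to distinguish.
DUMPSYS = """\
  Package [com.android.systemui] (ad251ba):
    userId=10022 sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
    pkg=Package{ad251ba com.android.systemui}
    codePath=/system/priv-app/SystemUI
    resourcePath=/system/priv-app/SystemUI
    legacyNativeLibraryDir=/system/priv-app/SystemUI/lib
  Package [com.example.mail] (1a2b3c):
    userId=10105
    pkg=Package{1a2b3c com.example.mail}
    codePath=/data/app/com.example.mail-1
"""

# "START u0 {intent} from uid N from pid M" is what ActivityManager logs for every activity launch.
START_RE = re.compile(
    r'ActivityManager: START u\d+ \{(?P<intent>[^}]*)\} '
    r'from uid (?P<uid>\d+) from pid (?P<pid>\d+)')
DAT_RE = re.compile(r'\bdat=(\S+)')
CMP_RE = re.compile(r'\bcmp=(\S+)')

def find_launches(logcat):
    """Every activity START in the log, with the uid of the process that requested it."""
    launches = []
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        intent = m.group('intent')
        dat = DAT_RE.search(intent)
        cmp_ = CMP_RE.search(intent)
        launches.append({
            'uid': int(m.group('uid')),
            'pid': int(m.group('pid')),
            'url': dat.group(1) if dat else None,          # the dat= URI, if the intent carries one
            'component': cmp_.group(1) if cmp_ else None,  # what got launched (e.g. Chrome)
        })
    return launches

def uid_to_packages(dumpsys):
    """Map userId -> {package, codePath}, walking the per-package blocks of `dumpsys package`."""
    result = {}
    current = None
    for line in dumpsys.splitlines():
        s = line.strip()
        m = re.match(r'Package \[([^\]]+)\]', s)
        if m:
            current = {'package': m.group(1), 'codePath': None}
            continue
        m = re.match(r'userId=(\d+)', s)
        if m and current is not None:
            result[int(m.group(1))] = current
            continue
        m = re.match(r'codePath=(\S+)', s)
        if m and current is not None:
            current['codePath'] = m.group(1)
    return result

def attribute_web_launches(logcat, dumpsys):
    """Join the two views: which installed package asked to open which http(s) URL."""
    packages = uid_to_packages(dumpsys)
    suspects = []
    for launch in find_launches(logcat):
        url = launch['url']
        if not url or not url.startswith(('http://', 'https://')):
            continue
        info = packages.get(launch['uid'], {})
        code_path = info.get('codePath')
        suspects.append({
            'uid': launch['uid'],
            'package': info.get('package'),
            'codePath': code_path,
            # A component shipped in the firmware image opening ad URLs is the post's red flag.
            'in_system_image': bool(code_path) and code_path.startswith('/system/'),
            'url': url,
            'opened_with': launch['component'],
        })
    return suspects

if __name__ == '__main__':
    for s in attribute_web_launches(LOGCAT, DUMPSYS):
        print('%s (uid %d, %s) opened %s via %s' % (
            s['package'], s['uid'], s['codePath'], s['url'], s['opened_with']))
```

With real captures, replace the two constants by the contents of the saved files; the `codePath` of each suspect is what you then list with `adb shell ls -al` and pull for VirusTotal, as the post describes. Joining on uid rather than on the `pkg=` field matters because `pkg=com.android.chrome` in the intent names the app being asked to open the URL, not the one asking.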
  15. After some time other connections to more IPs were attempted. The list so far (I don't know the forward DNS for all except the first):
     54.169.134.231 (sdk.asense.in)
     54.255.162.237
     54.255.144.219
     52.76.189.231
     52.220.124.195