gradinaruvasile


  1. First you MUST reboot the phone, the malware is in memory. Then capture packets on the router and see if you have connections made to the above-mentioned 3 IP addresses. Other than that no idea, as the package does not show up in any GUI app. Maybe some native Android apps have the capacity to capture its packets, but I am not sure.
  2. Another thing to keep in mind: If the phone is reset to factory defaults this malware will re-deploy. So in that case do not connect it to any network until it is removed and the phone restarted.
  3. Well it seems it can be uninstalled using the method from here: https://www.reddit.com/r/Android/comments/6ftg72/want_to_completely_disableuninstall_those_pesky/ In this case the commands are these:

     adb shell pm uninstall -k --user 0 com.android.telephone
     adb shell pm uninstall -k --user 10 com.android.telephone

     In this device it was installed both for user '10' (Guest) and the current user '0'.
  4. So. BAD news again. THEY DID LISTEN! BUT NOT HOW WE THOUGHT ... It seems that in the new firmware they just replaced their SystemUI malware with a better one. Changelog should read: "1. Enhanced Protection Against Malware". Probably they have an issue expressing themselves in English. Or this is a standard policy in China.

     So, new headline: Cubot Rainbow firmware-embedded malware (firmware version CUBOT_RAINBOW_E6021C_V01_20160517_210258). This malware is provided by a dedicated (I suppose) package which is hidden (it does not show up on any GUI, not even 3rd party apps) named com.android.telephone (attached in a zip file). It does not seem to have any real function (it resembles the phone app's name but it is a different package).

     So, their enhancements (which are real, but not how we might interpret it): It evades NetGuard (and I suppose other similar software). At least it is not reported. At least on wifi it aggressively pings their Amazon-based servers (sp2.l1181.com, alias of snowplow-collector-adv.us-east-1.elasticbeanstalk.com), draining the battery (and does some data transfer, I sure hope not mic captures). It constantly gives itself the OP_WRITE_EXTERNAL_STORAGE (code 60 in App Ops) and OP_READ_EXTERNAL_STORAGE (code 59 in App Ops) permissions, every 2 seconds or so. I don't know the reason, maybe these permissions can be revoked and it wants to make sure it has them. It cannot be disabled, permissions cannot be changed (unless rooted I suppose). I saw many GPS-related lines in logcat even when the GPS was not enabled, but when I tried to replicate the results those were not there. So it MIGHT be able to log and send the location without graphical clues. How's that for improvements? Besides, it does contain a similar payload, a file named KYOf4C6WrkKG80 (some probably encrypted executable, 3.9 MB in size) under the Assets dir in the package. It is detected currently by 12/55 in virustotal (again, not Malwarebytes). So, where is it?
     After sifting through logcat, I managed to pinpoint its package name and userId.

     adb shell "dumpsys package | grep -A30 'userId=10090'"

     userId=10090
     pkg=Package{380093d com.android.telephone}
     codePath=/system/priv-app/com.android.telephone
     resourcePath=/system/priv-app/com.android.telephone
     legacyNativeLibraryDir=/system/priv-app/com.android.telephone/lib
     primaryCpuAbi=armeabi
     secondaryCpuAbi=null
     versionCode=20205 targetSdk=23
     versionName=2.02.05
     splits=[base]
     applicationInfo=ApplicationInfo{481dc44 com.android.telephone}
     flags=[ SYSTEM HAS_CODE PERSISTENT ALLOW_CLEAR_USER_DATA ]
     privateFlags=[ PRIVILEGED ]
     pkgFlagsEx=[ ]
     dataDir=/data/user/0/com.android.telephone
     supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
     timeStamp=2017-06-05 21:33:45
     firstInstallTime=2017-06-05 21:33:45
     lastUpdateTime=2017-06-05 21:33:45
     signatures=PackageSignatures{282b532 [b889283]}
     installPermissionsFixed=true installStatus=1
     pkgFlags=[ SYSTEM HAS_CODE PERSISTENT ALLOW_CLEAR_USER_DATA ]
     install permissions:
       android.permission.RECEIVE_BOOT_COMPLETED: granted=true
       android.permission.INTERNET: granted=true
       android.permission.ACCESS_NETWORK_STATE: granted=true
       android.permission.READ_SYNC_SETTINGS: granted=true
       android.permission.ACCESS_WIFI_STATE: granted=true
     User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0
       gids=[3003]
     User 10: installed=true hidden=false stopped=false notLaunched=false enabled=0

     Tcpdump output:

     00:00:00.000000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:00.000245 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
     00:00:00.129114 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
     00:00:00.130475 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
     00:00:00.188804 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
     00:00:10.240304 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:10.240715 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:10.241246 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:10.241455 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 993
     00:00:10.369663 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
     00:00:10.370200 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
     00:00:10.371541 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
     00:00:10.428865 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
     00:00:15.480075 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:15.480458 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
     00:00:15.609398 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
     00:00:15.610960 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
     00:00:15.758869 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
     00:00:20.800264 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:20.800500 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
     00:00:20.929365 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
     00:00:20.931021 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
     00:00:21.078883 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
     00:00:26.140024 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:26.140412 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
     00:00:26.269395 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
     00:00:26.316547 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
     00:00:26.398944 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
     00:00:31.440057 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
     00:00:31.440395 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
     00:00:31.569329 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0

     Some adb logcat output:
     After this I'm officially done with them.
     It remains to be seen if the phone can be returned...

     Attachment: com.android.telephone.apk.zip
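The regular upload cadence visible in the tcpdump output above can be checked mechanically rather than by eye. This is an added example, not the poster's code: it parses tcpdump's default one-line format, groups the phone's outbound payload packets into bursts, and flags destinations that receive those bursts at a steady interval; the capture lines are constructed in the same format as the ones quoted above, with the client IP and server IP taken from them.

```python
import re
from statistics import mean, pstdev

# Constructed capture in tcpdump's default format, modelled on the post's output:
# the phone (192.168.101.10) uploads ~2.8 KB to 54.85.139.98:443 every ~5 s.
SAMPLE_TCPDUMP = """\
00:00:00.000000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:00.000245 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:00.130475 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
00:00:00.188804 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
00:00:05.240304 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:05.240715 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:05.371541 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
00:00:10.480075 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:10.480458 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:15.800264 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:15.800500 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:21.140024 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:21.140412 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp (?P<length>\d+)$")

def parse_tcpdump(text):
    """Yield (seconds, src_ip, dst_ip, dst_port, payload_bytes) for each packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a tcp packet line
        h, mi, s = m.group("ts").split(":")
        secs = int(h) * 3600 + int(mi) * 60 + float(s)
        yield secs, m.group("src"), m.group("dst"), int(m.group("dport")), int(m.group("length"))

def upload_bursts(packets, client_ip, gap=1.0):
    """Group the client's outbound payload packets (pure ACKs skipped) into bursts
    separated by more than `gap` seconds; returns {(dst_ip, port): [burst start times]}."""
    bursts, last_seen = {}, {}
    for t, src, dst, dport, length in packets:
        if src != client_ip or length == 0:
            continue
        key = (dst, dport)
        if key not in last_seen or t - last_seen[key] > gap:
            bursts.setdefault(key, []).append(t)
        last_seen[key] = t
    return bursts

def find_beacons(capture, client_ip, min_bursts=4, max_jitter=0.15):
    """Report destinations the client uploads to at a regular cadence.
    `regular` is True when the inter-burst interval varies by <= max_jitter (stddev/mean)."""
    report = {}
    for key, starts in upload_bursts(parse_tcpdump(capture), client_ip).items():
        if len(starts) < min_bursts:
            continue
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(intervals)
        report[key] = {"bursts": len(starts), "interval_s": round(avg, 2),
                       "regular": pstdev(intervals) / avg <= max_jitter}
    return report
```

Run it over a real `tcpdump -tttt`-free capture (the default relative timestamps are what the parser expects) with the phone's address as `client_ip`; a hidden package that beacons like the one above shows up as a destination with many bursts and `regular=True`.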
  5. Hi, I have a cheap Chinese phone (Cubot Rainbow) which after a month of purchase started to open unwanted web pages. This happened when Chrome was running or was just launched, or when the Store app was launched it opened with random unrequested apps focused. The most annoying was when using the Facebook Lite app it showed full screen app install nag pages that could only be escaped if you actually tapped an X sign on it - anything else is below it even if you open stuff from the drop down menu. I did a logcat on the phone and it has some lines like this (various websites are opened):

     03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0

     The "uid" 10022 is the user id of the package that requested the action.

     adb shell "dumpsys package | grep -A30 'userId=10022'"

     userId=10022 sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
     pkg=Package{ad251ba com.android.systemui}
     codePath=/system/priv-app/SystemUI
     resourcePath=/system/priv-app/SystemUI
     legacyNativeLibraryDir=/system/priv-app/SystemUI/lib
     primaryCpuAbi=null
     secondaryCpuAbi=null
     versionCode=23 targetSdk=23
     versionName=6.0-1474361238
     splits=[base]
     applicationInfo=ApplicationInfo{aead9c8 com.android.systemui}
     flags=[ SYSTEM HAS_CODE PERSISTENT ]
     privateFlags=[ PRIVILEGED ]
     pkgFlagsEx=[ ]
     dataDir=/data/user/0/com.android.systemui
     supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
     timeStamp=2016-09-20 11:09:09
     firstInstallTime=2016-09-20 11:09:09
     lastUpdateTime=2016-09-20 11:09:09
     signatures=PackageSignatures{4fa86b [4fd7fc8]}
     installPermissionsFixed=false installStatus=1
     pkgFlags=[ SYSTEM HAS_CODE PERSISTENT ]
     declared permissions:
       com.android.systemui.permission.SELF: prot=signature, INSTALLED
     User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0

     I found the apk file on the phone and downloaded it and attached it to the post. Also I loaded it in the virustotal.com page - attached below. 13 / 55 detection ratio but Malwarebytes did not detect it. The "System UI" application cannot be disabled and I suspect it is the actual system UI which manages the UI, taskbar, touch and whatnot. It does some data transfer - I am not sure if the system UI needs access to the internet. The phone was reset to factory defaults and there are no visible issues right now, but the app did make some data transfer. I tried reflashing the phone but I am not sure it actually worked because it did not take much to reset (the .zip downloaded contained another .zip with the actual data, maybe I have to extract that...).

     Attachment: SystemUI.apk.zip
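The lookup the post walks through by hand (ActivityManager START line, the "from uid" value, then `dumpsys package` to find which package owns that uid) can be scripted so that every URL launch in a logcat is attributed to a package. This is an added example, not the poster's code; the logcat lines and dumpsys records are constructed in the formats quoted above, with a placeholder URL and a made-up uid 10055 and codePath for Chrome.

```python
import re

# Constructed logcat lines in the format quoted in the post (URL and the second
# line's details are placeholders, not values from the phone).
SAMPLE_LOGCAT = """\
03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/landing flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0
03-20 21:04:50.001 23448 23722 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10010 from pid 1234 on display 0
"""

# Constructed `dumpsys package` records (grep -A30 'userId=' style); uid 10055 for
# Chrome and its codePath are made up for the example.
SAMPLE_DUMPSYS = """\
userId=10022 sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
pkg=Package{ad251ba com.android.systemui}
codePath=/system/priv-app/SystemUI
privateFlags=[ PRIVILEGED ]
User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0
userId=10055
pkg=Package{1a2b3c4 com.android.chrome}
codePath=/data/app/com.android.chrome-1
User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0
"""

START_RE = re.compile(
    r"ActivityManager: START u\d+ \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)")
PKG_RE = re.compile(r"pkg=Package\{[0-9a-f]+ (?P<pkg>[\w.]+)\}")
CODEPATH_RE = re.compile(r"codePath=(?P<path>\S+)")

def parse_dumpsys_packages(text):
    """Map userId -> {pkg, codePath} from `dumpsys package` output."""
    owners, uid = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("userId="):
            uid = int(line.split("=", 1)[1].split()[0])  # tolerate trailing sharedUser=...
            owners[uid] = {"pkg": None, "codePath": None}
        elif uid is not None:
            for field, rx in (("pkg", PKG_RE), ("codePath", CODEPATH_RE)):
                m = rx.search(line)
                if m:
                    owners[uid][field] = m.group(1)
    return owners

def attribute_url_launches(logcat, dumpsys):
    """For each START of an http(s) VIEW intent, name the uid that requested it,
    the package owning that uid, and whether that package lives under /system."""
    owners = parse_dumpsys_packages(dumpsys)
    hits = []
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m or "act=android.intent.action.VIEW" not in m.group("intent"):
            continue
        d = re.search(r"dat=(https?://\S+)", m.group("intent"))
        if not d:
            continue  # VIEW of a non-web URI (content://, geo:, ...)
        info = owners.get(int(m.group("uid")), {})
        hits.append({"url": d.group(1), "uid": int(m.group("uid")),
                     "pkg": info.get("pkg"),
                     "system_app": (info.get("codePath") or "").startswith("/system/")})
    return hits
```

Feed it the full `adb logcat` and `adb shell dumpsys package` output; a browser launch attributed to a `/system/priv-app` package that has no business opening web pages is the signal the poster found by hand.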