Jump to content

gradinaruvasile

Members
  • Content Count

    23
  • Joined

  • Last visited

Everything posted by gradinaruvasile

  1. First you MUST reboot the phone, the malware is in memory. Then capture packets on the router and see if you have connections made to the above-mentioned 3 IP addresses. Other than that no idea, as the package does not show up in any GUI app. Maybe some native Android apps have the capacity to capture its packets, but i am not sure.
  2. Another thing to keep in mind: If the phone is reset to factory defaults this malware will re-deploy. So in that case do not connect it to any network until it is removed and the phone restarted.
  3. Well it seems it can be uninstalled using the method from here: https://www.reddit.com/r/Android/comments/6ftg72/want_to_completely_disableuninstall_those_pesky/ In this case the commands are these: adb shell pm uninstall -k --user 0 com.android.telephone adb shell pm uninstall -k --user 10 com.android.telephone In this device it was installed both for user '10' (Guest) and the current user '0'.
  4. So. BAD news again. THEY DID LISTEN! BUT NOT HOW WE THOUGHT ... It seems that in the new firmware they just replaced their SystemUI malware with a better one. Changelog should read: 1. Enhanced Protection Against Malware Probably they have an issue expressing themselves in English . Or this is a standard policy in China. So, new headline: Cubot Rainbow firmware-embedded malware (firmware version CUBOT_RAINBOW_E6021C_V01_20160517_210258) This malware is provided by a dedicated (i suppose) package which is hidden (it does not show up on any GUI, not
  5. Well i sent an email to them too asking for a firmware without ads after i started this thread. I even linked them this thread... It seems that they do listen sometimes...
  6. I did the update. Good news. The systemui apk file has 0/56 virustotal score! Other than that they included some new software - Google Duo and Browser stands out at first glance. Now i will have to see if something happens ...
  7. Well. It seems that a firmware update was released on 2017-05-26 and pushed via the wireless update, we noticed only now. It has 2 items in changelog: a line colored red saying "Enhanced protection against malware" and some minor bug fixes. One can hope they mean that they removed this crap. I will apply the update later when the phone is available and report back.
  8. I tried uploading it to virustotal and Malwarebytes does not detect it there. I would expect all mobile antivirus solutions to work with virustotal since we can get a better picture in a few seconds instead of installing a ton of anti malware apps. BTW after the yesterday's "outbreak" i removed the "SYSTEM_ALERT_WINDOW" permission (that is the permission that lets a window cover everything permanently, used by this kind of malware to force the user to actually tap a button) from systemui and since then no more popups... May be a coincidence, may not. Will see. adb shell pm revoke com.
  9. Well it started happening again. Now i don't know if there is another modified system/google component that has access, the systemui has built in stuff that does stuff regardless of net access or maybe NetGuard doesnt always work (after switching networks?) - one day about 2-3 weeks ago the NetGuard app probably crashed (no status icon) and for about 7 hours the phone was connected to the net with no limitations. Today we saw that an apk was downloaded from somewhere and full screen messages started appearing. I wonder that Chrome itself may be compromised too... Anyway, this su
  10. Hi, I asked Cubot too. Well i got the Exact same answer you got (in an implicit admission): -Some Fota upgrade or No Root firewall. Now the Fota link they sent was not working. They seem to provide the Adups Fota data collection tool (which is built in the Wireless Update tool) that besides the actulal updates can do some presonal data collection. Note that this is done surreptitiously in the background and the data us sent to the same servers the updates come from. There was a scandal about it in the US where they stopped the data collection by an update (which BTW can just as
  11. So, i pulled more logs from Net Guard. It wants to connect to a multitude of sites. These connections were all blocked. I have no idea how it acquired all this connection info in the first place, i doubt it has these all hardcoded. Maybe uses Google's ad network and Net Guard lets something related slip through? Interesting arr those 123 port connections that arr usually NTP. T4 - tcpv4 protocol U4 - udpv4 protocol The last number after the / - destination port number. There may be some slight errors, this list was obtained via ocr ing some screenshots (Mainly extra
  12. You could check with logcat, Cheetah might have different apps that do this thing. A simple check for "System UI" is to check the data used by the app. It should not have any usage (look at the apps list and enable "show system" in the 3dot upper right menu ). BTW i met someone who has also a Cubot Rainbow and it seems that it has no issues (no data used by System UI since 2 months or so). It also has an older firmware revision. And it seems it was purchased in UK originally.
  13. Other IPS: 52.220.106.161 52.74.171.223 47.88.85.201 (this IP is registered to Alibaba.com LLC (AL-3)) Looking at the connection attempt history the first IP address (sdk.asense.in) seems to be the primary, it is attempted connections every few minutes. I exported a pcap packet capture from Net Guard (the rule is set to block the outgoing connections) it seems that these are only keepalive packets. Also i looked into the asense.in domain, it is registered to "inter police", Sponsoring Registrar:Name.com LLC (R65-AFIN): Domain ID:D9641135-AFIN Domain Nam
  14. If you want to see what app initiated the fulscreen ads you can do it via adb logcat using the phone's USB debugging mode. Now the set up of ADB is your task please look it up, the method of finding the malware is described here: http://blog.teamleadnet.com/2015/06/how-to-remove-adware-browser-hijack-or.html Basicall you install ADB and USB drivers, launch logcat and reproduce the issue (stop logging with CTRL+C) then sift the logs (which are very detailed) for something like this (fullscreen ads might use WebView instead of Chrome): 03-20 21:04:42.310 23448 23722 I ActivityManag
  15. After some time other connections to more IPs were attempted. The list so far (don't know the forward DNS for all except the first): 54.169.134.231 ( sdk.asense.in ) 54.255.162.237 54.255.144.219 52.76.189.231 52.220.124.195
  16. I installed the Net Guard appication and it seems that com.android.systemui tries to access an AWS instance: sdk.asense.in (reverse DNS is ec2-54-169-134-231.ap-southeast-1.compute.amazonaws.com) on port 80. I did a curl on that address and it just returned the word "parbat". Edit: Logcat reports that the forward DNS is in fact sdk.asense.in which is the same IP address (54.169.134.231)
  17. Hi, I have a cheap Chines phone (Cubot Rainbow) which after a month of purchase started to open unwanted web pages. This happened when Chrome was running or was just launched, or when the Store app was launched it opened with random unrequested apps focused. The most annoying was when using the Facebook Lite app it showed full screen app install nag pages that could be only escaped if you actually tapped a X sign on it - anything else is below it even if you open stuff from the drop down menu. I did a logcat on the phone and it has some lines like this (various websites are opened):
  18. To pinpoint the app that opens these you should use adb and logcat: http://blog.teamleadnet.com/2015/06/how-to-remove-adware-browser-hijack-or.html It works. Now removing it is another thing, it might not be so simple. But at least you can see who is the culprit.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.