gradinaruvasile

Members
  • Content Count

    23
  • Joined

  • Last visited

Posts posted by gradinaruvasile


  1. 18 hours ago, Olivia said:

    Cubot has noticed this problem and the new app update will be without advertising. There are two devices in total, the Cubot Rainbow and Cheetah, that have this problem; Cubot will keep working on it and solve the problems. For any more questions please contact the after-sales staff: elva Tel: +86-755-83821787-807
    Email : cubot100@cubot.net

    This means we get another firmware update?


  2. 8 hours ago, khambrecht said:

    @gradinaruvasile: great job! Thanks.

    I have uninstalled the malicious app from user 0 (did not have user 10 or any other). Is there any way to verify that the phone now behaves as desired?

    First you MUST reboot the phone; the malware is in memory.

    Then capture packets on the router and see if you have connections made to the above-mentioned 3 IP addresses. Other than that, no idea, as the package does not show up in any GUI app. Maybe some native Android apps have the capacity to capture its packets, but I am not sure.


  3. Well it seems it can be uninstalled using the method from here:

    https://www.reddit.com/r/Android/comments/6ftg72/want_to_completely_disableuninstall_those_pesky/

    In this case the commands are these:

    adb shell pm uninstall -k --user 0 com.android.telephone
    adb shell pm uninstall -k --user 10 com.android.telephone

    On this device it was installed both for user '10' (Guest) and the current user '0'.


  4. So. BAD news again.

    THEY DID LISTEN! 

    BUT NOT HOW WE THOUGHT :ph34r:...

    It seems that in the new firmware they just replaced their SystemUI malware with a better one.

    Changelog should read:

    1. Enhanced Protection Against Malware

    Probably they have an issue expressing themselves in English :rolleyes:. Or this is a standard policy in China.

    So, new headline:

    Cubot Rainbow firmware-embedded malware (firmware version CUBOT_RAINBOW_E6021C_V01_20160517_210258)

    This malware is provided by a dedicated (I suppose) package which is hidden (it does not show up in any GUI, not even 3rd-party apps) named com.android.telephone (attached in a zip file). It does not seem to have any real function (it resembles the phone app's name but it is a different package).

    So, their enhancements (which are real, but not how we might interpret it):

    • It evades NetGuard (and I suppose other similar software). At least it is not reported.
    • At least on Wi-Fi it aggressively pings their Amazon-based servers (sp2.l1181.com, alias of snowplow-collector-adv.us-east-1.elasticbeanstalk.com), draining the battery (and does some data transfer, which I sure hope is not mic captures).
    • It constantly gives itself the OP_WRITE_EXTERNAL_STORAGE (code 60 in App Ops) and OP_READ_EXTERNAL_STORAGE (code 59 in App Ops) permissions, every 2 seconds or so. I don't know the reason; maybe these permissions can be revoked and it wants to make sure it has them.
    • It cannot be disabled, permissions cannot be changed (unless rooted, I suppose).

    I saw many GPS-related lines in logcat even when the GPS was not enabled, but when I tried to replicate the results those were not there. So it MIGHT be able to log and send the location without graphical clues.

    How's that for improvements? :angry: Besides, it does contain a similar payload, a file named KYOf4C6WrkKG80 (some probably encrypted executable, 3.9 MB in size) under the Assets dir in the package.

    It is detected currently by 12/55 in virustotal (again, not Malwarebytes).

    So, where is it? After sifting through logcat, I managed to pinpoint its package name and userId.

    adb shell "dumpsys package | grep -A30 'userId=10090'"
    
        userId=10090
        pkg=Package{380093d com.android.telephone}
        codePath=/system/priv-app/com.android.telephone
        resourcePath=/system/priv-app/com.android.telephone
        legacyNativeLibraryDir=/system/priv-app/com.android.telephone/lib
        primaryCpuAbi=armeabi
        secondaryCpuAbi=null
        versionCode=20205 targetSdk=23
        versionName=2.02.05
        splits=[base]
        applicationInfo=ApplicationInfo{481dc44 com.android.telephone}
        flags=[ SYSTEM HAS_CODE PERSISTENT ALLOW_CLEAR_USER_DATA ]
        privateFlags=[ PRIVILEGED ]
        pkgFlagsEx=[ ]
        dataDir=/data/user/0/com.android.telephone
        supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
        timeStamp=2017-06-05 21:33:45
        firstInstallTime=2017-06-05 21:33:45
        lastUpdateTime=2017-06-05 21:33:45
        signatures=PackageSignatures{282b532 [b889283]}
        installPermissionsFixed=true installStatus=1
        pkgFlags=[ SYSTEM HAS_CODE PERSISTENT ALLOW_CLEAR_USER_DATA ]
        install permissions:
          android.permission.RECEIVE_BOOT_COMPLETED: granted=true
          android.permission.INTERNET: granted=true
          android.permission.ACCESS_NETWORK_STATE: granted=true
          android.permission.READ_SYNC_SETTINGS: granted=true
          android.permission.ACCESS_WIFI_STATE: granted=true
        User 0:  installed=true hidden=false stopped=false notLaunched=false enabled=0
          gids=[3003]
        User 10:  installed=true hidden=false stopped=false notLaunched=false enabled=0

    Tcpdump output:

    00:00:00.000000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:00.000245 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
    00:00:00.129114 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
    00:00:00.130475 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
    00:00:00.188804 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
    00:00:10.240304 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:10.240715 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:10.241246 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:10.241455 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 993
    00:00:10.369663 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
    00:00:10.370200 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
    00:00:10.371541 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
    00:00:10.428865 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
    00:00:15.480075 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:15.480458 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
    00:00:15.609398 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
    00:00:15.610960 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
    00:00:15.758869 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
    00:00:20.800264 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:20.800500 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
    00:00:20.929365 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
    00:00:20.931021 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
    00:00:21.078883 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
    00:00:26.140024 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:26.140412 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
    00:00:26.269395 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0
    00:00:26.316547 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
    00:00:26.398944 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 0
    00:00:31.440057 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
    00:00:31.440395 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
    00:00:31.569329 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 0


    Some adb logcat output:

    09-18 01:15:07.515 22412  3506 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.515 22412  3506 I System.out: [socket][4952] connection sp2.l1181.com/54.85.4.39:443;LocalPort=42907(30000)
    09-18 01:15:07.515 22412  3506 I System.out: [CDS]connect[sp2.l1181.com/54.85.4.39:443] tm:30
    09-18 01:15:07.515 22412  3506 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.516   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.517   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.517   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.518 22412  3513 I System.out: [socket][4953:41409] exception
    09-18 01:15:07.519 22412  3513 I System.out: close [socket][/:::41409]
    09-18 01:15:07.519   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.520 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.520 22412  3513 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.520   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.520 22412  3513 I System.out: [socket][4953] connection sp2.l1181.com/52.20.51.182:443;LocalPort=45345(30000)
    09-18 01:15:07.520 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.521 22412  3513 I System.out: [CDS]connect[sp2.l1181.com/52.20.51.182:443] tm:30
    09-18 01:15:07.521 22412  3513 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.521   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.523 22412  3510 I System.out: [socket][4954:51635] exception
    09-18 01:15:07.523 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.523 22412  3510 I System.out: close [socket][/:::51635]
    09-18 01:15:07.524 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.524 22412  3510 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.525 22412  3510 I System.out: [socket][4954] connection sp2.l1181.com/52.20.51.182:443;LocalPort=59994(30000)
    09-18 01:15:07.525 22412  3510 I System.out: [CDS]connect[sp2.l1181.com/52.20.51.182:443] tm:30
    09-18 01:15:07.525 22412  3510 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.525   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.526   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.527 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.527   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.527 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.529 22412  3511 I System.out: [socket][4955:42142] exception
    09-18 01:15:07.529 22412  3511 I System.out: close [socket][/:::42142]
    09-18 01:15:07.530 22412  3511 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.531 22412  3511 I System.out: [socket][4955] connection sp2.l1181.com/52.20.51.182:443;LocalPort=60775(30000)
    09-18 01:15:07.531 22412  3511 I System.out: [CDS]connect[sp2.l1181.com/52.20.51.182:443] tm:30
    09-18 01:15:07.531 22412  3511 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.531 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.531   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.532   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.532   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.532 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.533 22412  3506 I System.out: [socket][4956:42907] exception
    09-18 01:15:07.534 22412  3506 I System.out: close [socket][/:::42907]
    09-18 01:15:07.535   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.535 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.535   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.535 22412  3506 I System.out: [CDS][DNS] getAllByNameImpl netId = 0
    09-18 01:15:07.536 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.536 22412  3506 D libc-netbsd: [getaddrinfo]: hostname=sp2.l1181.com; servname=(null); netid=0; mark=0
    09-18 01:15:07.536 22412  3506 D libc-netbsd: [getaddrinfo]: ai_addrlen=0; ai_canonname=(null); ai_flags=4; ai_family=0
    09-18 01:15:07.537 22412  3506 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.537 22412  3513 I System.out: [socket][4956:45345] exception
    09-18 01:15:07.537 22412  3506 I System.out: [socket][4956] connection sp2.l1181.com/54.85.139.98:443;LocalPort=55435(30000)
    09-18 01:15:07.537 22412  3506 I System.out: [CDS]connect[sp2.l1181.com/54.85.139.98:443] tm:30
    09-18 01:15:07.537 22412  3506 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.538   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.538   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.538 22412  3513 I System.out: close [socket][/:::45345]
    09-18 01:15:07.538 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.538   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.539 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.539 22412  3513 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.540 22412  3513 I System.out: [socket][4957] connection sp2.l1181.com/54.85.4.39:443;LocalPort=34817(30000)
    09-18 01:15:07.540 22412  3513 I System.out: [CDS]connect[sp2.l1181.com/54.85.4.39:443] tm:30
    09-18 01:15:07.540 22412  3510 I System.out: [socket][4958:59994] exception
    09-18 01:15:07.540 22412  3513 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.540   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.541 22412  3510 I System.out: close [socket][/:::59994]
    09-18 01:15:07.541   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.542 22412  3510 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.542   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.542 22412  3510 I System.out: [socket][4958] connection sp2.l1181.com/54.85.4.39:443;LocalPort=47499(30000)
    09-18 01:15:07.542 22412  3510 I System.out: [CDS]connect[sp2.l1181.com/54.85.4.39:443] tm:30
    09-18 01:15:07.542 22412  3510 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.542   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.544 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.544 22412  3511 I System.out: [socket][4959:60775] exception
    09-18 01:15:07.544 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.545 22412  3511 I System.out: close [socket][/:::60775]
    09-18 01:15:07.545 22412  3511 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.546 22412  3511 I System.out: [socket][4959] connection sp2.l1181.com/54.85.4.39:443;LocalPort=46965(30000)
    09-18 01:15:07.546 22412  3511 I System.out: [CDS]connect[sp2.l1181.com/54.85.4.39:443] tm:30
    09-18 01:15:07.546   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.546 22412  3511 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.546   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.547   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.548 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.548 22412  3506 I System.out: [socket][4960:55435] exception
    09-18 01:15:07.548 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.549 22412  3506 I System.out: close [socket][/:::55435]
    09-18 01:15:07.549   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.550   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.550 22412  3506 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.550 22412  3506 I System.out: [socket][4960] connection sp2.l1181.com/52.20.51.182:443;LocalPort=56140(30000)
    09-18 01:15:07.551 22412  3506 I System.out: [CDS]connect[sp2.l1181.com/52.20.51.182:443] tm:30
    09-18 01:15:07.551 22412  3506 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.551   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.552 22412  3513 I System.out: [socket][4961:34817] exception
    09-18 01:15:07.552 22412  3513 I System.out: close [socket][/:::34817]
    09-18 01:15:07.553   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.554 22412  3513 I System.out: [CDS][DNS] getAllByNameImpl netId = 0
    09-18 01:15:07.554 22412  3513 D libc-netbsd: [getaddrinfo]: hostname=sp2.l1181.com; servname=(null); netid=0; mark=0
    09-18 01:15:07.554 22412  3513 D libc-netbsd: [getaddrinfo]: ai_addrlen=0; ai_canonname=(null); ai_flags=4; ai_family=0
    09-18 01:15:07.555   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.555 22412  3513 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.555 22412  3513 I System.out: [socket][4961] connection sp2.l1181.com/54.85.139.98:443;LocalPort=39542(30000)
    09-18 01:15:07.555 22412  3513 I System.out: [CDS]connect[sp2.l1181.com/54.85.139.98:443] tm:30
    09-18 01:15:07.555 22412  3513 D Posix   : [Posix_connect Debug]Process com.android.telephone :443 
    09-18 01:15:07.556 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.556   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.556 22412  3510 I System.out: [socket][4962:47499] exception
    09-18 01:15:07.556 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.557 22412  3510 I System.out: close [socket][/:::47499]
    09-18 01:15:07.558 22412  3510 I System.out: [CDS][DNS] getAllByNameImpl netId = 0
    09-18 01:15:07.558 22412  3510 D libc-netbsd: [getaddrinfo]: hostname=sp2.l1181.com; servname=(null); netid=0; mark=0
    09-18 01:15:07.558 22412  3510 D libc-netbsd: [getaddrinfo]: ai_addrlen=0; ai_canonname=(null); ai_flags=4; ai_family=0
    09-18 01:15:07.559   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.559   211  1013 D SocketClient: SocketClient sendData done: 
    09-18 01:15:07.559 22412  3510 I System.out: [CDS]rx timeout:30000
    09-18 01:15:07.559 22412  3510 I System.out: [socket][4962] connection sp2.l1181.com/54.85.139.98:443;LocalPort=38415(30000)
    09-18 01:15:07.560 22412  3510 I System.out: [CDS]connect[sp2.l1181.com/54.85.139.98:443] tm:30
    09-18 01:15:07.561 11939 12022 D SQLiteDatabase: beginTransaction()
    09-18 01:15:07.561 22412  3511 I System.out: [socket][4963:46965] exception
    09-18 01:15:07.561 22412  3511 I System.out: close [socket][/:::46965]
    09-18 01:15:07.562 11939 12022 D SQLiteDatabase: endTransaction()
    09-18 01:15:07.563 22412  3511 I System.out: [CDS][DNS] getAllByNameImpl netId = 0

    After this I'm officially done with them. It remains to be seen if the phone can be returned...

    rainbow_android_v2_malware.png

    rainbowver.png

    com.android.telephone.apk.zip
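
Post 2 above suggests capturing on the router and looking for connections to the three sp2.l1181.com addresses, and the tcpdump output in this post shows what that looks like: a burst of a few kB to 54.85.139.98:443 every five seconds or so. The following is an added example, not code from the original posts, that automates that check. It parses tcpdump lines in the format shown (elapsed timestamps as printed by tcpdump -ttttt -q), collapses the phone's outbound payload-carrying packets into bursts per destination, and reports destinations that show a regular timer-like interval or match the IOC set. The phone IP, the 1 s burst gap, the 25% jitter tolerance and the sample capture are assumptions; the sample is constructed to mimic the cadence in the quoted output.

```python
"""Spot periodic beaconing to known-bad hosts in tcpdump output.

Added example, not code from the original posts.  Input lines are in the
shape shown in the thread (tcpdump -ttttt -q: elapsed time since the first
packet, then 'IP src.port > dst.port: tcp len').  The IOC set is the three
sp2.l1181.com addresses named in the posts; the capture below is constructed
to mimic the ~5 s burst pattern of the quoted output.
"""
import re
from collections import defaultdict
from statistics import median

# Addresses com.android.telephone resolved sp2.l1181.com to, per the logcat in the post.
IOC_IPS = {"54.85.139.98", "54.85.4.39", "52.20.51.182"}

LINE_RE = re.compile(
    r"^\s*(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+),?\s+(?:length\s+)?(?P<len>\d+)"
)

# Constructed sample: four beacons ~5.3 s apart to one IOC (two data packets
# and a short reply each), plus a DNS query and one unrelated TLS packet.
SAMPLE_CAPTURE = """\
00:00:00.000000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:00.000245 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:00.130475 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
00:00:01.500000 IP 192.168.101.10.53001 > 192.168.101.1.53: UDP, length 38
00:00:02.000000 IP 192.168.101.10.50001 > 93.184.216.34.443: tcp 517
00:00:05.300000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:05.300400 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:05.430000 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
00:00:10.620000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:10.620300 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
00:00:10.750000 IP 54.85.139.98.443 > 192.168.101.10.60110: tcp 466
00:00:15.900000 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1448
00:00:15.900300 IP 192.168.101.10.60110 > 54.85.139.98.443: tcp 1388
"""


def parse(text):
    """Yield (t_seconds, src, dst, dport, payload_len) per parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
            yield t, m["src"], m["dst"], int(m["dport"]), int(m["len"])


def bursts(pkts, gap=1.0):
    """Per (src, dst, dport), collapse payload-carrying packets closer than
    `gap` seconds into one burst and return the list of burst start times."""
    per_flow = defaultdict(list)
    for t, src, dst, dport, ln in pkts:
        if ln > 0:
            per_flow[(src, dst, dport)].append(t)
    starts = {}
    for flow, times in per_flow.items():
        groups = []  # each item: [burst start, time of last packet seen in it]
        for t in sorted(times):
            if not groups or t - groups[-1][1] > gap:
                groups.append([t, t])
            else:
                groups[-1][1] = t
        starts[flow] = [g[0] for g in groups]
    return starts


def beacons(text, phone_ip, ioc=IOC_IPS, min_bursts=3, jitter=0.25):
    """Report each destination the phone sent at least `min_bursts` bursts to:
    burst count, median interval, whether every interval is within `jitter`
    of the median (a timer, not a user), and whether it is a known IOC."""
    outbound = (p for p in parse(text) if p[1] == phone_ip)
    report = []
    for (_, dst, dport), starts in bursts(outbound).items():
        if len(starts) < min_bursts:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        med = median(gaps)
        report.append({
            "dst": dst, "dport": dport, "bursts": len(starts),
            "interval_s": round(med, 2),
            "regular": all(abs(g - med) <= jitter * med for g in gaps),
            "ioc": dst in ioc,
        })
    report.sort(key=lambda r: (-r["ioc"], -r["bursts"]))
    return report
```

Run it against a real capture with `beacons(open("phone.txt").read(), "192.168.101.10")`; a destination that is both regular and in the IOC set is the confirmation post 2 asks for, and a regular one that is not in the set is the next candidate to resolve and look up.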


  5. 45 minutes ago, khambrecht said:

    @jaimepn

    I assume, they fixed only the Rainbow firmware. I had an email conversation with Cubot about the infected Rainbow firmware and they fixed this upon my request.

    So it would be worth a try for you to also complain about your phone. Send me a PM so I will forward my conversation with Cubot to you, as a reference.

    And what did they say about this? Why was this malware there in the first place?


    Well. It seems that a firmware update was released on 2017-05-26 and pushed via the wireless update; we only noticed it now.

    It has 2 items in the changelog: a line colored red saying "Enhanced protection against malware" and some minor bug fixes. One can hope they mean that they removed this crap.

    I will apply the update later when the phone is available and report back.

    Screenshot_20170605-101729.png


    I tried uploading it to VirusTotal and Malwarebytes does not detect it there. I would expect all mobile antivirus solutions to work with VirusTotal since we can get a better picture in a few seconds instead of installing a ton of anti-malware apps.

    BTW after yesterday's "outbreak" I removed the "SYSTEM_ALERT_WINDOW" permission (that is the permission that lets a window cover everything permanently, used by this kind of malware to force the user to actually tap a button) from systemui and since then no more popups... Maybe a coincidence, maybe not. Will see.

    adb shell pm revoke com.android.systemui android.permission.SYSTEM_ALERT_WINDOW


    Well, it started happening again. Now I don't know if there is another modified system/Google component that has access, if systemui has built-in stuff that does things regardless of net access, or maybe NetGuard doesn't always work (after switching networks?) - one day about 2-3 weeks ago the NetGuard app probably crashed (no status icon) and for about 7 hours the phone was connected to the net with no limitations.

    Today we saw that an apk was downloaded from somewhere and full screen messages started appearing.

    I wonder if Chrome itself may be compromised too...

    Anyway, this sucks. 


  9. Hi,

    I asked Cubot too. Well, I got the exact same answer you got (in an implicit admission):

    - Some Fota upgrade or No Root firewall.

    Now the Fota link they sent was not working. They seem to provide the Adups Fota data collection tool (which is built into the Wireless Update tool) that besides the actual updates can do some personal data collection. Note that this is done surreptitiously in the background and the data is sent to the same servers the updates come from. There was a scandal about it in the US where they stopped the data collection by an update (which BTW can just as well be reversed by them).

    To block this you should block net access to the Wireless Update tool.


    Now on the phone I had issues with (used by my wife) I reflashed the firmware (from their site, via the wireless update local update option), then reset to defaults.

    But before giving it any net access I installed NetGuard from .apk (I compiled it from source but AFAIK the Play Store version .apk can be downloaded too) and disabled network access to System UI, Wireless Update and another shady package that has the Opera Store description but has some Chinese name.

    No issues for more than a month now. And as you can see above, System UI has tried to connect to many sites since.

    But these kinds of issues have to be known to the world - the Chinese (people?) brands have lost any trust I had. Is there a site where we can get these phones listed with links to reports like these for validation?

    Chinese vendors I had interacted with on AliExpress, eBay etc. all had a "slippery" attitude when something was wrong with their merchandise (anyway I buy only cheaper stuff that I can afford to lose my money over). I get it, cultural differences and all, but anyway.

    Customer:

    Guys, you have malware installed on the phones you sell and customers store private data on.

    Chinese:

    Please try disabling net access of our malware with a 3rd party tool (which, if some reason is stopped, will allow the malware to run).

    What the #$##? Probably they are accustomed to no privacy over there, so they don't even understand what we want (BTW I lived my childhood under Communism and I know how it works). But they sell stuff to people that have other needs than them.

    Is that hard to provide a firmware that has no crap in it???

    BTW I remember somebody posting on Amazon, I believe, a screencap of a conversation about this subject with a Chinese dude that went something like:

    Customer: you sold a phone that sent my personal data to China
    Sales rep: your data is safe with us
    Customer (I believe the exact words): You are seriously typing this??

    PS: Malwarebytes still does not detect this (come on, even ClamAV detects it!).


    So, I pulled more logs from NetGuard.

    It wants to connect to a multitude of sites. These connections were all blocked. I have no idea how it acquired all this connection info in the first place; I doubt it has these all hardcoded. Maybe it uses Google's ad network and NetGuard lets something related slip through? Interesting are those port 123 connections, which are usually NTP.

    T4 - tcpv4 protocol

    U4 - udpv4 protocol

    The last number after the / - destination port number.

    There may be some slight errors; this list was obtained by OCR-ing some screenshots (mainly extra spaces or misinterpreted - signs).


    T4 >ec2-54-169-134-231.ap-southeast-1.compute.amazonaws.com/80
    U4 >47.90.91.157/6607
    T4 >211.151.121.41/443
    T4 >ec2-52-80-22-85.cn-north-1.compute.amazonaws.com.cn/443
    U4 >47.90.91.157/6602
    U4 >47.90.91.157/6606
    U4 >47.90.91.157/6601
    U4 >47.90.91.157/6604
    U4 >47.90.91.157/6605
    U4 >47.90.91.157/6608
    T4 >ec2-54-169-184-223.ap-southeast-1.compute.amazonaws.com/80
    T4 >ec2-52-220-106-161.ap-southeast-1.compute.amazonaws.com/80
    U4 >47.90.91.157/6600
    U4 >47.90.91.157/6603
    T4 >ec2-54-222-186-106.cn-north-1.compute.amazonaws.com.cn/443
    T4 >ec2-54-222-149-204.cn-north-1.compute.amazonaws.com.cn/443
    U4 >153-128-30-125.compute.jp-e1.cloudn-service.com/123
    U4 >209.58.185.100/123
    U4 >ec2-34-198-99-183.compute-1.amazonaws.com/123
    T4 >42.96.141.35/80
    T4 >ec2-54-223-192-14.cn-north-1.compute.amazonaws.com.cn/443
    U4 >y.ns.gin.ntt.net/123
    U4 >ip-243-189.datautama.net.id/123
    U4 >darwin.kenyonralph.com/123
    T4 >ec2-54-222-139-114.cn-north-1.compute.amazonaws.com.cn/443
    U4 >210.23.25.77/123
    U4 >210.23.25.77/123
    U4 >103-226-213-30-static.unigate.net.tw/123
    U4 >61-216-153-105.HINET-IP.hinet.net/123
    T4 >ec2-52-76-189-231.ap-southeast-1.compute.amazonaws.com/80
    T4 >47.88.85.201/80
    U4 >time2.isu.net.sa/123
    U4 >b29.lumajangkab.go.id/123
    U4 >ntp1.ams1.nl.leaseweb.net/123
    T4 >ec2-54-223-248-84.cn-north-1.compute.amazonaws.com.cn/443
    U4 >218.189.210.3/123
    U4 >61-216-153-106.HINET-IP.hinet.net/123
    T4 >ec2-54-222-193-107.cn-north-1.compute.amazonaws.com.cn/443
    T4 >ec2-52-220-124-195.ap-southeast-1.compute.amazonaws.com/80
    U4 >139.59.240.152/123
    U4 >61-216-153-104.HINET-IP.hinet.net/123
    T4 >ec2-54-222-170-68.cn-north-1.compute.amazonaws.com.cn/443
    U4 >ngn-KAPnigatakML11.bb.kddi.ne.jp/123
    U4 >dns1.synet.edu.cn/123
    U4 >ntp3.flashdance.cx/123
    U4 >timpany.srv.jre655.com/123
    U4 >sjkBBML24.bb.kddi.ne.jp/123
    T4 >47.90.91.157/1688
    T4 >ec2-54-169-100-206.ap-southeast-1.compute.amazonaws.com/80
    U4 >ntp.gnc.am/123
    U4 >astoria.loreland.org/123
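
The list above was OCR'd and the post says dash and spacing errors are to be expected. Two things make such a list more useful than it looks: the EC2 reverse-DNS names embed the numeric address (the sdk.asense.in host from a later post, 54.169.134.231, shows up here as ec2-54-169-134-231...), and the port tells you which entries are NTP noise and which are the http/https endpoints worth blocking. The following is an added example, not code from the original posts, that normalises such a list, recovers the IPs from EC2 names, classifies entries by port and returns the distinct cloud IPs as a blocklist. The sample is a constructed subset written with the kind of OCR damage the screenshots produced; the port-to-service table is an assumption.

```python
"""Normalise an OCR'd NetGuard block list and summarise it by destination.

Added example, not code from the original posts.  It repairs the OCR damage
the post warns about (dash look-alikes, stray spaces, 'e02-' for 'ec2-'),
recovers the numeric address embedded in EC2 reverse-DNS names so cloud hosts
can be compared with bare IPs seen elsewhere, and groups entries by protocol
and port.  The sample is a constructed subset written as the OCR produced it.
"""
import re
from collections import Counter

# Constructed sample in the 'T4 >host/port' form of the post, with OCR
# artefacts (\u2014 is an em dash misread for a hyphen).
SAMPLE_LIST = """\
T4 >e02-54-169-134-231.ap-southeast-1 .compute.amazonaws.com/80
U4 >47.90.91.157/6607
T4 >211.151.121.41/443
T4 >ec2\u201454-222\u2014170-68.cn\u2014north-1 .compute.amazonaws.com.cn/443
U4 >ntp1.ams1.nl.leaseweb.net/123
U4 >ec2-34-198-99-183.compute\u20141.amazonaws.com/123
T4 >e02-52-76-189-231.ap-southeast-1 .compute.amazonaws.com/ 80
U4 >61-216-153-105.HINET\u2014IP.hinet.net/123
"""

ENTRY_RE = re.compile(r"^(?P<proto>[TU][46])\s*>\s*(?P<host>.+?)\s*/\s*(?P<port>\d+)\s*$")
EC2_RE = re.compile(r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PORT_CLASS = {53: "dns", 80: "http", 123: "ntp", 443: "https"}  # assumption


def clean_host(raw):
    """Undo the usual OCR damage: em/en dashes for hyphens, spaces inside the
    name (digits split like '54-1 69'), 'e02-' read for 'ec2-', mixed case."""
    host = raw.replace("\u2014", "-").replace("\u2013", "-")
    host = re.sub(r"\s+", "", host).lower()
    return re.sub(r"^e02-", "ec2-", host)


def parse_entries(text):
    """Return dicts with proto, cleaned host, recovered ip (or None), port, service."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        host = clean_host(m["host"])
        if IPV4_RE.fullmatch(host):
            ip = host
        else:
            e = EC2_RE.match(host)
            ip = ".".join(e.groups()) if e else None
        port = int(m["port"])
        entries.append({"proto": m["proto"], "host": host, "ip": ip,
                        "port": port, "service": PORT_CLASS.get(port, "other")})
    return entries


def summarise(entries):
    """Count entries per (proto, service) and list the distinct addresses of
    cloud (amazonaws) hosts, the part of the list worth putting on a blocklist."""
    by_class = Counter((e["proto"], e["service"]) for e in entries)
    cloud_ips = sorted({e["ip"] for e in entries if e["ip"] and "amazonaws" in e["host"]})
    return by_class, cloud_ips
```

Feeding the whole list through `summarise(parse_entries(text))` separates the NTP pool hosts (ordinary time sync, hard to attribute to the malware) from the EC2 and Alibaba endpoints that were contacted on 80/443, which is the set to compare against later captures.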


    You could check with logcat; Cheetah might have different apps that do this thing.

    A simple check for "System UI" is to check the data used by the app. It should not have any usage (look at the apps list and enable "Show system" in the 3-dot upper-right menu).

    BTW I met someone who also has a Cubot Rainbow and it seems that it has no issues (no data used by System UI for 2 months or so). It also has an older firmware revision. And it seems it was purchased in the UK originally.


    Other IPs:

    52.220.106.161

    52.74.171.223

    47.88.85.201 (this IP is registered to Alibaba.com LLC (AL-3))

    Looking at the connection attempt history, the first IP address (sdk.asense.in) seems to be the primary; connections to it are attempted every few minutes.

    I exported a pcap packet capture from NetGuard (the rule is set to block the outgoing connections); it seems that these are only keepalive packets.

    Also I looked into the asense.in domain; it is registered to "inter police", Sponsoring Registrar: Name.com LLC (R65-AFIN):

    Domain ID:D9641135-AFIN
    Domain Name:ASENSE.IN
    Created On:11-Jul-2015 07:50:58 UTC
    Last Updated On:19-Jun-2016 16:58:38 UTC
    Expiration Date:11-Jul-2017 07:50:58 UTC
    Sponsoring Registrar:Name.com LLC (R65-AFIN)
    Status:CLIENT TRANSFER PROHIBITED
    Reason:
    Registrant ID:nec08dzk96cxew8q
    Registrant Name:inter police
    Registrant Organization:
    Registrant Street1:shanghai
    Registrant Street2:
    Registrant Street3:
    Registrant City:shanghai
    Registrant State/Province:shanghai
    Registrant Postal Code:200000
    Registrant Country:CN
    Registrant Phone:+86.12345678
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:interpolice.2012@gmail.com

    I was under the impression that .in domains normally mean India, but in this case name.com (which is a US domain name registrar) can sell .in domain names to others to resell to dubious Chinese organisations. BTW this email address is linked to other .in domains that have connections to Android malware.

    netguard_20170331 (5).pcap.zip


    If you want to see what app initiated the fullscreen ads you can do it via adb logcat using the phone's USB debugging mode. Now the setup of ADB is your task, please look it up; the method of finding the malware is described here:

    http://blog.teamleadnet.com/2015/06/how-to-remove-adware-browser-hijack-or.html

    Basically you install ADB and USB drivers, launch logcat and reproduce the issue (stop logging with CTRL+C), then sift the logs (which are very detailed) for something like this (fullscreen ads might use WebView instead of Chrome):

    03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0

    Take the uid number and run:

    adb shell "dumpsys package | grep -A6 'userId=UIDNUMBER'"

    This will return something like this:

    userId=10022
    sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
    pkg=Package{ad251ba com.android.systemui}
    codePath=/system/priv-app/SystemUI
    resourcePath=/system/priv-app/SystemUI
    legacyNativeLibraryDir=/system/priv-app/SystemUI/lib

    And that is the package that initiated the ads. Now you can go into the codePath and see what is there with "adb shell ls -al thecontentsofcodepath". If you see an .apk file there you can download it with "adb pull filenamewithfullpath" to your computer and upload it to VirusTotal.

    Now in case of fullscreen ads I suppose you don't know the exact URL, but searching for the "START u0" or "dat=http://" string you will probably find it somewhere.

    The above, while taken from a valid case, might be and probably IS different from your issue.


    I installed the NetGuard application and it seems that com.android.systemui tries to access an AWS instance:

    sdk.asense.in (reverse DNS is ec2-54-169-134-231.ap-southeast-1.compute.amazonaws.com)

    on port 80.

    I did a curl on that address and it just returned the word "parbat".

    Edit:

    Logcat reports that the forward DNS is in fact sdk.asense.in, which is the same IP address (54.169.134.231).


  15. Hi,

    I have a cheap Chinese phone (Cubot Rainbow) which a month after purchase started to open unwanted web pages. This happened when Chrome was running or was just launched, or when the Store app was launched it opened with random unrequested apps focused. The most annoying was when using the Facebook Lite app: it showed full-screen app install nag pages that could only be escaped if you actually tapped an X sign on it - anything else is below it even if you open stuff from the drop-down menu.

    I did a logcat on the phone and it has some lines like this (various websites are opened):

    03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0

    The "uid" 10022 is the user id of the package that requested the action.

    adb shell "dumpsys package | grep -A30 'userId=10022'"
    userId=10022
    sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
    pkg=Package{ad251ba com.android.systemui}
    codePath=/system/priv-app/SystemUI
    resourcePath=/system/priv-app/SystemUI
    legacyNativeLibraryDir=/system/priv-app/SystemUI/lib
    primaryCpuAbi=null
    secondaryCpuAbi=null
    versionCode=23 targetSdk=23
    versionName=6.0-1474361238
    splits=[base]
    applicationInfo=ApplicationInfo{aead9c8 com.android.systemui}
    flags=[ SYSTEM HAS_CODE PERSISTENT ]
    privateFlags=[ PRIVILEGED ]
    pkgFlagsEx=[ ]
    dataDir=/data/user/0/com.android.systemui
    supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
    timeStamp=2016-09-20 11:09:09
    firstInstallTime=2016-09-20 11:09:09
    lastUpdateTime=2016-09-20 11:09:09
    signatures=PackageSignatures{4fa86b [4fd7fc8]}
    installPermissionsFixed=false installStatus=1
    pkgFlags=[ SYSTEM HAS_CODE PERSISTENT ]
    declared permissions:
    com.android.systemui.permission.SELF: prot=signature, INSTALLED
    User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0

    I found the apk file on the phone and downloaded it and attached it to the post.

    Also I loaded it into the virustotal.com page - attached below. 13 / 55 detection ratio but Malwarebytes did not detect it.

    The "System UI" application cannot be disabled and I suspect it is the actual system UI which manages the UI, taskbar, touch and whatnot. It does some data transfer - I am not sure if the system UI needs access to the internet. The phone was reset to factory defaults and there are no visible issues right now, but the app did make some data transfer.

    I tried reflashing the phone but I am not sure it actually worked because it did not take much to reset (the .zip downloaded contained another .zip with the actual data; maybe I have to extract that...).

    SystemUI.apk.zip

    systemui-vir.png
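
The attribution procedure used in this post and in post 13 (find the ActivityManager START line in logcat, take the uid, map it to a package with dumpsys package) is the same one that later exposed com.android.telephone at userId=10090. The following is an added example, not code from the original posts, that does that join offline on saved adb output and flags any SYSTEM-flagged package that requested a web URL, which is exactly what made SystemUI stand out. The sample logcat and dumpsys text are constructed from the lines quoted in the thread (one harmless launcher start is added for contrast); the dumpsys block layout relied on (userId= followed by pkg=Package{...}, codePath=, flags=, privateFlags=) is the one shown in the posts.

```python
"""Attribute an ActivityManager START event to the package that asked for it.

Added example, not code from the original posts.  Joins a logcat line of the
form 'ActivityManager: START u0 {...} from uid NNNNN' with the block that
'dumpsys package' prints for that uid.  Sample text is constructed from the
lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample logcat: the ad pop-up line from the post plus a benign
# launcher start (no dat= URL) for contrast.
SAMPLE_LOGCAT = """\
03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0
03-20 21:05:01.002 23448 23722 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.android.settings/.Settings} from uid 10004 from pid 1234 on display 0
"""

# Constructed sample 'dumpsys package' output, cut down to the fields used.
SAMPLE_DUMPSYS = """\
  Package [com.android.systemui] (ad251ba):
    userId=10022
    sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
    pkg=Package{ad251ba com.android.systemui}
    codePath=/system/priv-app/SystemUI
    flags=[ SYSTEM HAS_CODE PERSISTENT ]
    privateFlags=[ PRIVILEGED ]
  Package [com.android.telephone] (380093d):
    userId=10090
    pkg=Package{380093d com.android.telephone}
    codePath=/system/priv-app/com.android.telephone
    flags=[ SYSTEM HAS_CODE PERSISTENT ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
"""

START_RE = re.compile(
    r"ActivityManager: START u(?P<user>\d+) \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)"
)
DAT_RE = re.compile(r"\bdat=(\S+)")


@dataclass
class PkgInfo:
    uid: int
    name: str
    code_path: str = ""
    flags: list = field(default_factory=list)
    private_flags: list = field(default_factory=list)


def parse_dumpsys(text):
    """Map userId -> PkgInfo.  userId= precedes pkg=Package{hash name} in each
    block; codePath/flags lines that follow belong to that package."""
    pkgs, cur_uid, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("userId="):
            cur_uid = int(line.split("=", 1)[1].split()[0])
            cur = None
        elif line.startswith("pkg=Package{") and cur_uid is not None:
            name = line[len("pkg=Package{"):].rstrip("}").split()[-1]
            cur = PkgInfo(uid=cur_uid, name=name)
            pkgs[cur_uid] = cur
        elif cur is not None and line.startswith("codePath="):
            cur.code_path = line.split("=", 1)[1]
        elif cur is not None and line.startswith("flags=["):
            cur.flags = line[len("flags=["):].rstrip("]").split()
        elif cur is not None and line.startswith("privateFlags=["):
            cur.private_flags = line[len("privateFlags=["):].rstrip("]").split()
    return pkgs


def find_launches(logcat, url_only=True):
    """Return (uid, url-or-None, intent) per START line; with url_only keep
    only intents carrying a dat= URL, the pattern behind the ad pop-ups."""
    hits = []
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        d = DAT_RE.search(m.group("intent"))
        url = d.group(1) if d else None
        if not (url_only and url is None):
            hits.append((int(m.group("uid")), url, m.group("intent")))
    return hits


def attribute(logcat, dumpsys):
    """Join URL launches to the requesting package.  A SYSTEM-flagged package
    opening web URLs is marked suspicious: SystemUI has no business doing that."""
    pkgs = parse_dumpsys(dumpsys)
    report = []
    for uid, url, _ in find_launches(logcat):
        p = pkgs.get(uid)
        report.append({
            "uid": uid, "url": url,
            "package": p.name if p else None,
            "code_path": p.code_path if p else None,
            "suspicious": bool(p and "SYSTEM" in p.flags),
        })
    return report
```

Save `adb logcat -d` and `adb shell dumpsys package` to files and call `attribute()` on their contents; the `code_path` of any suspicious row is the directory to `adb pull` the APK from for a VirusTotal upload, as the post describes.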
