Concerned_Citizen

Members · Content Count: 12 · Rank: New Member · Community Reputation: 0 Neutral

  1. Sorry for the confusion @rhjbheavy, the app that I was looking at in my last post was not Cheetah Mobile's "Clean Master" app.
  2. So, I installed the "newly combined" APK to a testing device (Nexus tablet running Lineage OS) and it appears that it is a control panel of sorts which allowed me to download and push ads to the notifications area, fullscreen and others. It would have also taken me to the Google Play Store to download some "Battery saver" but there are no Google related apps on my Nexus. I ran the packet sniffer "tcpdump" on my Nexus and captured packets from the app connecting to Baidu and pulling down a certificate from GlobalSign-nv. (This is the same cert that was used when my Alcatel device
  3. I've found something interesting while poking around one of the apps that had been remotely installed on to the LifeLine funded Android devices. One of the apps that was using Clean Master's icon (com.tesla.eo.xsdfa) may have shared source code from an app called "LEO Privacy Guard" and its RSA cert even had "leo" in it. So, to help me figure out more of what is going on inside I downloaded an actual app of the same name from the web "leo-privacy-guard-6-0-2.apk" to see if its source code was similar to the app extracted from the LifeLine phones. Now to be clear, the app I got fro
  4. Hello johnmarky7. I'm not sure if you meant to post in this comment thread related to pre-installed malware on the government funded LifeLine phones or not? But a friendly word of advice would be to avoid the techsguide website that you link to. I see that the site recommends some cleaners including the excellent adwcleaner for Windows machines (which can be found on MalwareBytes' main page) but the techsguide site link for the adwcleaner executable takes the user offsite to a dead link at BleepingComputer. There are other things about that site which may be cause fo
  5. "It takes a lot of resources to do deep dives on malware." I fully understand and agree that it is very time consuming. But I do appreciate the fact that you and MalwareBytes took the time to bring this into the light and get the manufacturers to push out firmware updates that (hopefully) fix these issues to protect users' privacy and security. Myself and others have been trying to get these problems resolved for over two years and nothing was done until you and your company took the time and resources to bring this to the world's attention and for that I am deeply apprecia
  6. Uploaded a packet capture of Digitimetech's fota app I grabbed from a uMax device: fota_packet_capture.txt
  7. While searching the web for the code snippet that is present in all the malware I came across this excellent breakdown of the com.fota.wirelessupdate.apk backdoor by researcher Ninji: https://wuffs.org/blog/digitime-tech-fota-backdoors Ninji's very in-depth research into this helps tie together many of the things myself and others have found on the infected devices, including the unique identifiers I had found and mentioned in my second post. I think the most disturbing part of Ninji's findings is this statement: "This service offers one hilariously powerful method, orgYGM, which allows a
  8. Thank you for your reply Nathan and for the reports so that this matter (hopefully) gets the attention it needs to protect our most vulnerable citizens. I am a member and advocate for vulnerable people in my community and as such I have had access to several Android devices being distributed by the government funded Lifeline program. Most of my friends in this community rely on these phones as their only source of communication to make appointments with their doctors, case managers and housing officials or crisis response teams. The adware/malware that was installed without user
  9. Uploading the site to "urlscan(.)io" shows there are a few scripts running on that site. There is a script for cookie consent, another script which tries to fingerprint the user's device, another script for serving ads and I also see a script for mobile push notifications. A few scanners on VirusTotal have flagged the "invoke.js" script as being malicious but JavaScript has a high false positive rate on VT from what I've seen. https://www.virustotal.com/gui/url/e573aeb48acc65910bbba3d5b8df7f1c0161400077b7b88ed4e00a36d9390cc5/detection (OVH also has a pretty bad reputation.)
  10. I have been researching the issues with the pre-installed malware on the government funded "LifeLine" phones for over two years and have noticed that MalwareBytes has written two articles about this. If you decompile the adware/malware to its Java source code you will find that all malware samples share similar code to connect to servers on GoDaddy registered to Alibaba. Here is a snippet from that shared code: public static String d = "Tu45R_77Kie_YiTiv" The fake "CleanMaster" app that was installed to many devices hides its icon from the user to tr