Everything posted by Concerned_Citizen

  1. Hi Nathan. I don't mean to barge in on this conversation but I have some information regarding the fake virus warnings that this user and others (including myself) have been plagued with for years that I would like to share with you and the community. Is there a way to send you a private message, Nathan?
  2. Sorry for the confusion @rhjbheavy, the app that I was looking at in my last post was not Cheetah Mobile's "Clean Master" app.
  3. So, I installed the "newly combined" APK to a testing device (Nexus tablet running Lineage OS) and it appears that it is a control panel of sorts which allowed me to download and push ads to the notifications area, fullscreen and others. It would have also taken me to the Google Play Store to download some "Battery saver" but there are no Google related apps on my Nexus. I ran the packet sniffer "tcpdump" on my Nexus and captured packets from the app connecting to Baidu and pulling down a certificate from GlobalSign-nv. (This is the same cert that was used when my Alcatel device I had bought decided to go adware on me.) https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/ Most all of the data is sent over plain text and I even captured an AES encryption key and IV being sent over plain text. There is encrypted data being sent off to Facebook even though there are no Facebook or other third-party apps installed other than the malicious apps I pulled from the infected LifeLine phones. The most disturbing thing (so far) however was when I used ADB to pull the app's databases and caches to my laptop with:
     adb pull /data/data/com.leo.theme.cupcake/
     Take a look at the SQLite database I have uploaded. It captures all auto-filled data from WebView to include: names, phone number, email profiles, credit card data etc. Not good! (More to follow)
     Web Data.zip
  4. I've found something interesting while poking around one of the apps that had been remotely installed on to the LifeLine funded Android devices. One of the apps that was using Clean Master's icon (com.tesla.eo.xsdfa) may have shared source code from an app called "LEO Privacy Guard" and its RSA cert even had "leo" in it. So, to help me figure out more of what is going on inside I downloaded an actual app of the same name from the web, "leo-privacy-guard-6-0-2.apk", to see if its source code was similar to the app extracted from the LifeLine phones. Now to be clear, the app I got from the internet is from a third-party site but uploading the MD5 hash of the app to VirusTotal shows that it is "clean", meaning no AV engines flagged it as malicious.
     86dd9d1ecb90c1c8d4264dc7c8dbecf4
     But while looking at the app's source code I could see that the app had some code that waited 24 hours and 5 minutes after the app was installed and then did a GET to a remote URL to pull down some data to be added to the app. I used wget to pull the data from the web address and it showed as a compressed .zip file on my laptop but it would throw an error when I tried to extract the data. Using a hex editor I could see that it was a partial piece of an APK file but it was incomplete. Looking at the decompiled app's assets showed a folder named "pzp" containing 5 sub-folders each containing a 1 Megabyte data file called "patch 1", "patch 2" etc. On a hunch I figured that these files were all the missing pieces to the partial APK file I had pulled from the web so I combined them all into one file using the "cat" command and voilà! I now had a full, working APK app that had never been uploaded to VirusTotal before:
     9f2c052b3f58f692edce0ca7433d081f
     Running openssl on the RSA certificate shows that it is signed by the same developer. I'm still digging into the "newly created" app but so far it has been very interesting indeed. (More to follow)
  5. Hello johnmarky7. I'm not sure if you meant to post in this comment thread related to pre-installed malware on the government funded LifeLine phones or not? But a friendly word of advice would be to avoid the techsguide website that you link to. I see that the site recommends some cleaners including the excellent adwcleaner for Windows machines (which can be found on MalwareBytes' main page) but the techsguide site link for the adwcleaner executable takes the user offsite to a dead link at BleepingComputer. There are other things about that site which may be cause for concern that I won't post here.
  6. "It takes a lot of resources to do deep dives on malware." I fully understand and agree that it is very time consuming. But I do appreciate the fact that you and MalwareBytes took the time to bring this into the light and get the manufacturers to push out firmware updates that (hopefully) fix these issues to protect users' privacy and security. Myself and others have been trying to get these problems resolved for over two years and nothing was done until you and your company took the time and resources to bring this to the world's attention, and for that I am deeply appreciative and owe a debt of gratitude.

     The "Plays_com.android.eo.plays.apk" is very time consuming indeed as it appears to be much more obfuscated than the other samples. The Java class names are specifically designed to confuse someone trying to make heads or tails of it and it uses several techniques to hide its functions. For instance, the public class Ol1Q0l contains:

     public static final byte[] QOIlQ1 = {
         76, 121, 53, 108, 99, 110, 73, 52, 76, 109, 120, 118, 90, 121, 119, 118, 76, 109, 85, 53,
         76, 109, 112, 104, 99, 105, 119, 118, 76, 109, 85, 53, 76, 109, 82, 108, 101, 67, 120, 106,
         98, 50, 48, 117, 101, 106, 69, 117, 89, 50, 70, 115, 98, 67, 120, 115, 98, 50, 70, 107,
         81, 50, 120, 104, 99, 51, 77, 115, 97, 109, 70, 50, 89, 83, 53, 115, 89, 87, 53, 110,
         76, 107, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 82, 104,
         98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 82, 71, 86, 52,
         81, 50, 120, 104, 99, 51, 78, 77, 98, 50, 70, 107, 90, 88, 73, 115, 76, 71, 100, 108,
         100, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 70, 117,
         90, 72, 74, 118, 97, 87, 81, 117, 89, 50, 57, 117, 100, 71, 86, 117, 100, 67, 53, 68,
         98, 50, 53, 48, 90, 88, 104, 48, 76, 71, 82, 108, 101, 69, 86, 115, 90, 87, 49, 108,
         98, 110, 82, 122, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48,
         90, 87, 48, 117, 81, 109, 70, 122, 90, 85, 82, 108, 101, 69, 78, 115, 89, 88, 78, 122,
         84, 71, 57, 104, 90, 71, 86, 121, 76, 72, 66, 104, 100, 71, 104, 77, 97, 88, 78, 48,
         76, 71, 120, 112, 89, 106, 73, 115, 98, 71, 108, 105, 99, 121, 119, 118, 76, 109, 56, 117,
         97, 109, 70, 121, 76, 72, 78, 116, 89, 87, 120, 115, 76, 110, 82, 48, 90, 103, 61, 61 };

     which is a decimal representation of the ASCII string:

     Ly5lcnI4LmxvZywvLmU5LmphciwvLmU5LmRleCxjb20uejEuY2FsbCxsb2FkQ2xhc3MsamF2YS5sYW5nLkNsYXNzTG9hZGVyLGRhbHZpay5zeXN0ZW0uRGV4Q2xhc3NMb2FkZXIsLGdldENsYXNzTG9hZGVyLGFuZHJvaWQuY29udGVudC5Db250ZXh0LGRleEVsZW1lbnRzLGRhbHZpay5zeXN0ZW0uQmFzZURleENsYXNzTG9hZGVyLHBhdGhMaXN0LGxpYjIsbGlicywvLm8uamFyLHNtYWxsLnR0Zg==

     which is Base64 and decodes to:

     /.err8.log,/.e9.jar,/.e9.dex,com.z1.call,loadClass,java.lang.ClassLoader,dalvik.system.DexClassLoader,,getClassLoader,android.content.Context,dexElements,dalvik.system.BaseDexClassLoader,pathList,lib2,libs,/.o.jar,small.ttf

     This is very interesting indeed as it mentions the fake TrueType font "small.ttf" found in the assets of the Gallery3D app which is signed by Teleepoch and shows that all these malicious apps work in unison with each other to completely compromise the device. I took another look at the "com.fota.wirelessupdate.apk" and it appears that the researcher "Niji" I linked to in my other post is correct on all counts. I believe that the "com.fota.wirelessupdate.apk" should be detected by AV apps as something worse than just a PUP and should be flagged for what it is, a Trojan RAT Backdoor. I would also go as far as saying that I believe any accounts or apps the user has signed on to have been compromised as well given the capabilities and from Niji's own tests.
  7. Uploaded a packet capture of Digitimetech's fota app I grabbed from a uMax device: fota_packet_capture.txt
  8. While searching the web for the code snippet that is present in all the malware I came across this excellent breakdown of the com.fota.wirelessupdate.apk backdoor by researcher Niji: https://wuffs.org/blog/digitime-tech-fota-backdoors Niji's very in-depth research into this helps tie together many of the things myself and others have found on the infected devices, including the unique identifiers I had found and mentioned in my second post. I think the most disturbing part of Niji's findings is this statement: "This service offers one hilariously powerful method, orgYGM, which allows any Android permission to be silently granted to any app (regardless of whether it defines that permission in its manifest), by delving into the state of the PackageManagerService using copious amounts of Java reflection." So to summarize, we have apps that are being installed on our phones remotely from Chinese owned servers which run with SYSTEM privileges and can be granted permissions from other apps that have dangerous permissions (like the fake CleanMaster app) even if the apps that get installed don't list any permissions at all in their Manifest.

     Here are the permissions listed in the fake CleanMaster app:

     <uses-permission name='android.permission.ACCESS_COARSE_LOCATION'> </uses-permission>
     <uses-permission name='android.permission.BROADCAST_STICKY'> </uses-permission>
     <uses-permission name='android.permission.REORDER_TASKS'> </uses-permission>
     <uses-permission name='com.google.android.c2dm.permission.RECEIVE'> </uses-permission>
     <uses-permission name='android.permission.READ_EXTERNAL_STORAGE'> </uses-permission>
     <uses-permission name='android.permission.WRITE_EXTERNAL_STORAGE'> </uses-permission>
     <uses-permission name='android.permission.READ_PHONE_STATE'> </uses-permission>
     <uses-permission name='android.permission.BLUETOOTH'> </uses-permission>
     <uses-permission name='android.permission.CAMERA'> </uses-permission>
     <uses-permission name='android.permission.INTERNET'> </uses-permission>
     <uses-permission name='android.permission.ACCESS_NETWORK_STATE'> </uses-permission>
     <uses-permission name='android.permission.WAKE_LOCK'> </uses-permission>
     <uses-permission name='com.yonder.robi.permission.C2D_MESSAGE'> </uses-permission>
     <uses-permission name='android.permission.ACCESS_WIFI_STATE'> </uses-permission>
     <uses-permission name='android.permission.RECEIVE_BOOT_COMPLETED'> </uses-permission>
     <uses-permission name='android.permission.VIBRATE'> </uses-permission>
     <uses-permission name='com.google.android.providers.gsf.permission.READ_GSERVICES'> </uses-permission>
     <uses-permission name='android.permission.BLUETOOTH_ADMIN'> </uses-permission>
     <uses-permission name='android.permission.GET_ACCOUNTS'> </uses-permission>
     <uses-permission name='android.Manifest.permission.ACCESS_COARSE_LOCATION'> </uses-permission>
     <uses-permission name='android.Manifest.permission.ACCESS_FINE_LOCATION'> </uses-permission>
     <uses-permission name='android.permission.WRITE_SETTINGS'> </uses-permission>
     <uses-permission name='android.permission.PERSISTENT_ACTIVITY'> </uses-permission>
     <uses-permission name='android.permission.CHANGE_WIFI_STATE'> </uses-permission>
     <uses-permission name='android.permission.READ_LOGS'> </uses-permission>
     <uses-permission name='android.permission.GET_PACKAGE_SIZE'> </uses-permission>
     <uses-permission name='android.permission.GET_TASKS'> </uses-permission>
     <uses-permission name='android.permission.SYSTEM_ALERT_WINDOW'> </uses-permission>
     <uses-permission name='android.permission.SET_WALLPAPER'> </uses-permission>
     <uses-permission name='android.permission.EXPAND_STATUS_BAR'> </uses-permission>
     <uses-permission name='android.permission.CHANGE_NETWORK_STATE'> </uses-permission>
     <uses-permission name='android.permission.DISABLE_KEYGUARD'> </uses-permission>
     <uses-permission name='android.permission.READ_SYNC_STATS'> </uses-permission>
     <uses-permission name='android.permission.AUTHENTICATE_ACCOUNTS'> </uses-permission>
     <uses-permission name='dianxin.permission.ACCESS_LAUNCHER_DATA'> </uses-permission>
     <uses-permission name='android.permission.SET_WALLPAPER_HINTS'> </uses-permission>
     <uses-permission name='android.permission.ACCESS_BLUETOOTH_SHARE'> </uses-permission>
     <uses-permission name='android.permission.MOUNT_UNMOUNT_FILESYSTEMS'> </uses-permission>
     <uses-permission name='android.permission.MODIFY_AUDIO_SETTINGS'> </uses-permission>
     <uses-permission name='com.goibibo.permission.MAPS_RECEIVE'> </uses-permission>
     <uses-permission name='android.permission.RUN_INSTRUMENTATION'> </uses-permission>
     <uses-permission name='android.permission.WRITE_CONTACTS'> </uses-permission>
     <uses-permission name='android.permission.MANAGE_ACCOUNTS'> </uses-permission>
     <uses-permission name='com.android.vending.BILLING'> </uses-permission>
     <uses-permission name='com.android.vending.INSTALL_REFERRER'> </uses-permission>
     <uses-permission name='com.android.alarm.permission.SET_ALARM'> </uses-permission>
     <uses-permission name='android.permission.USE_FINGERPRINT'> </uses-permission>
     <uses-permission name='android.permission.NFC'> </uses-permission>
     <uses-permission name='com.android.launcher.permission.INSTALL_SHORTCUT'> </uses-permission>
     <uses-permission name='android.permission.WRITE_SYNC_SETTINGS'>

     Niji also states: "The abilities to grant any app arbitrary permissions and to read/write files as the system user mean that any app running on a system with Digitime's fo_sl_enhance service has a ridiculous amount of power. I was able to use this to dump the Android accounts database (including auth tokens) and to even disable the SystemFota system app, all from an un-privileged app that declared no permissions." This is as bad as it gets! This means that a malicious app can grab the user's authentication tokens to log in to Google, Facebook or other accounts (banking?) as if they were the user. The CleanMaster app is unusual in that it contains the VirtualApp module for installing apps within the CleanMaster app itself in a sandbox. And from the GitHub page of VirtualApp it states: "and the ability to run APK without installing it opens up unlimited possibilities -- which depend on your imagination." I can imagine a few possibilities... From simply installing apps in the background to commit advertising fraud... Or worse, installing an app in the background and using the stolen authentication token(s) of the user to log in to the hidden app as the user themselves. How many websites or apps let you log in using your Google or Facebook credentials? I was wondering if anyone at MalwareBytes is going to do an in-depth breakdown of the fake CleanMaster app?
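An added triage script, not from the post or from Malwarebytes, that parses the permission dump format quoted above and groups the entries the way an ordinary manifest review would; the input is a constructed subset of the post's list, and the protection-level sets are small hand-picked assumptions. It shows what such a review would conclude on its own (the android.Manifest.permission.* entries grant nothing and READ_LOGS is never granted to a third-party app), which is exactly the check that the fo_sl_enhance service described by Niji bypasses.

```python
import re

# Constructed sample: a subset of the permission dump quoted in the post, in the same format.
MANIFEST_DUMP = """
<uses-permission name='android.permission.ACCESS_COARSE_LOCATION'> </uses-permission>
<uses-permission name='android.permission.READ_PHONE_STATE'> </uses-permission>
<uses-permission name='android.permission.INTERNET'> </uses-permission>
<uses-permission name='android.permission.GET_ACCOUNTS'> </uses-permission>
<uses-permission name='android.Manifest.permission.ACCESS_FINE_LOCATION'> </uses-permission>
<uses-permission name='android.permission.READ_LOGS'> </uses-permission>
<uses-permission name='android.permission.SYSTEM_ALERT_WINDOW'> </uses-permission>
<uses-permission name='android.permission.MOUNT_UNMOUNT_FILESYSTEMS'> </uses-permission>
<uses-permission name='android.permission.WRITE_CONTACTS'> </uses-permission>
<uses-permission name='android.permission.RECEIVE_BOOT_COMPLETED'> </uses-permission>
<uses-permission name='android.permission.CAMERA'> </uses-permission>
<uses-permission name='android.permission.USE_FINGERPRINT'> </uses-permission>
<uses-permission name='android.permission.WRITE_SYNC_SETTINGS'>
"""

# Matches the opening tag only, so the unterminated last entry in the post is still captured.
PERMISSION_RE = re.compile(r"<uses-permission\s+name='([^']+)'")

# Hand-picked (assumed) classification sets, limited to permissions whose protection level is well known.
# Runtime ("dangerous") permissions: the user is prompted on Android 6.0 and later.
DANGEROUS = {
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA", "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Signature/privileged: the package installer never grants these to an ordinary third-party app.
PRIVILEGED = {"android.permission.READ_LOGS", "android.permission.MOUNT_UNMOUNT_FILESYSTEMS"}
# "Special" permissions that need a separate Settings toggle rather than a runtime prompt.
SPECIAL = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.WRITE_SETTINGS"}


def parse_permissions(dump):
    """Return the permission names in the order they appear in the dump."""
    return PERMISSION_RE.findall(dump)


def classify(perms):
    """Group permissions the way a manifest review would, preserving order within each group."""
    report = {"malformed": [], "privileged": [], "special": [], "dangerous": [], "other": []}
    for p in perms:
        if p.startswith("android.Manifest.permission."):
            # This is the Java constant's qualified name, not a permission string; no package
            # declares a permission by that name, so a normal install grants nothing for it.
            report["malformed"].append(p)
        elif p in PRIVILEGED:
            report["privileged"].append(p)
        elif p in SPECIAL:
            report["special"].append(p)
        elif p in DANGEROUS:
            report["dangerous"].append(p)
        else:
            report["other"].append(p)
    return report


if __name__ == "__main__":
    for group, names in classify(parse_permissions(MANIFEST_DUMP)).items():
        print(f"{group} ({len(names)}): {', '.join(names)}")
```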
  9. Thank you for your reply Nathan and for the reports so that this matter (hopefully) gets the attention it needs to protect our most vulnerable citizens. I am a member and advocate for vulnerable people in my community and as such I have had access to several Android devices being distributed by the government funded Lifeline program. Most of my friends in this community rely on these phones as their only source of communication to make appointments with their doctors, case managers and housing officials or crisis response teams. The adware/malware that was installed without user intervention made these devices unusable. Many of the phones I've looked at would crash repeatedly, were hot to the touch and batteries would fail within a month due to the excessive adware. I also found the "wiz.txt" file that you mentioned in your article that listed apps from a third-party app store. But on the version I extracted it shows another download source further down on the list that is registered anonymously through a registrar that has a long history of hosting malware (NAMECHEAP). What is most unusual is that when the news about the pre-installed malware first became public several months ago, Assurance Wireless responded as if it was the first they had heard of it. But I have archived Virgin Mobile's own website where many users had notified the representatives of the problems with adware and apps that installed by themselves, dating back to April of 2018. (However, it appears these web pages may have been taken down recently.) Here is just one of many complaints from users to a Virgin Mobile employee from April 2018 regarding their ANS UL40 device: "The pop-up ads come with the phone and start popping up as soon as the phone gets set up, even before adding any apps. It also randomly downloads apps on its own without asking. It's all built-in."

     I found a unique identifier hidden on the SD card of a newer ANS device that allowed any app with access to the phone's storage to track the user regardless of what privacy settings had been made. The SD card also had the "Wish" apk located in the /Android/data/com.ironsource.appcloud.oobe/files directory:
     com.contextlogic.wish 4969dd5c75a5d78e8033947366d9f99a

     Another one of my friends was having problems with their ANS device and I found more adware apps that were installed by themselves:
     com.journalism.newspaper-1.apk a7ad96619ff91426b04088d3ca75de24 (after 6 weeks)
     com.hinedey.empoy-1 c6985f3e451912f1b0bafe0078587f79
     com.abbreviation.civilization-1 aa87825bfc905965fb1751dd6ac82ab5 (contains "blacklist" and "whitelist" in the /res/raw directory that blacklists many security and AV apps including "org.malwarebytes.antimalware")

     I misspoke in my earlier post where I stated: "This app appeared after several weeks and had never been uploaded to VirusTotal until I had submitted it. It took a month before one of the detection engines (ESET) flagged it as a Trojan Agent." The app in question was NOT the "com.tesla.eo.xsdfa.apk" that was heavily obfuscated, it was:
     Plays_com.android.eo.plays.apk 432feebad71938963100e4571be0a6ed

     A homeless friend had an ANS device that he was unable to use because of the fake Clean Master app mentioned before:
     5a5ab39960d3b96be2b8bbea99477e6f

     I have uploaded one of the decrypted packet captures showing the "com.democratizing.casualness" app downloading executable scripts from Russia's Yandex servers.
     yandex-cap.txt
  10. Uploading the site to "urlscan(.)io" shows there are a few scripts running on that site. There is a script for cookie consent, another script which tries to fingerprint the user's device, another script for serving ads and I also see a script for mobile push notifications. A few scanners on VirusTotal have flagged the "invoke.js" script as being malicious but JavaScript has a high false positive rate on VT from what I've seen. https://www.virustotal.com/gui/url/e573aeb48acc65910bbba3d5b8df7f1c0161400077b7b88ed4e00a36d9390cc5/detection (OVH also has a pretty bad reputation.) A good script blocker is a necessity these days.
  11. I have been researching the issues with the pre-installed malware on the government funded "LifeLine" phones for over two years and have noticed that MalwareBytes has written two articles about this. If you decompile the adware/malware to its Java source code you will find that all malware samples share similar code to connect to servers on GoDaddy registered to Alibaba. Here is a snippet from that shared code:
      public static String d = "Tu45R_77Kie_YiTiv"
      The fake "CleanMaster" app that was installed to many devices hides its icon from the user to try and avoid deletion and uses various open-source projects found on GitHub:
      https://githubDOTcom/asLody/VirtualApp
      https://githubDOTcom/TalkingData
      and hides some of its processes using Base64 encoding. For instance, the app checks to see if it's running on an emulator or a VM by running the command "/system/bin/cat /proc/cpuinfo", which can be seen in LogCat logs under "xoxo".

      Some of the apps that were installed by themselves:
      com.concreteroom.thenorthpole-1.apk 26333a6d48deddd3305c07b5ee00bb6e
      com.democratizing.casualness-1.apk 82ecf170914d360992e230e0929fc0b8
      com.spidmes.peaus-1.apk fde7346273d4561b306828615412899d
      com.bird.aa01.apk 3f9cb3284cfb560ea59f6a4d895ee0a5

      The preinstalled Gallery app on an earlier uMax phone has a signed cert from Telepoch and has two encrypted .jar files in its assets directory disguised as TrueType fonts.
      Gallery2.apk e7a6854e7bdd61207100bde3a9cc3f73

      This app appeared after several weeks and had never been uploaded to VirusTotal until I had submitted it. It took a month before one of the detection engines (ESET) flagged it as a Trojan Agent.
      com.tesla.eo.xsdfa.apk 3332c30b6e4823135c984c57e11512ef
      It is heavily obfuscated and had connected to a PHP server that downloaded an IP address from a private address block.

      I have been reporting all this to both Assurance Wireless and Access Wireless and I have several dozen emails communicating with them over the last two years. I also brought one of the infected devices to my State's Attorney General's office to file a complaint last year but was only sent home with a generic complaint form for robo-calls. I filed another written complaint to the Attorney General's office in person this year as well, but whenever I call to check the status of my complaint(s) the person at the Attorney General's office tells me that they cannot confirm nor deny they are doing anything about it and they would contact me if they needed any further information. I had even reached out to the owner of the marketing company that has been distributing these infected devices last year and was stonewalled by the owner when asking where the devices were coming from. The supervisor for this marketing company had set up a tent just outside the local veterans hospital to distribute the devices. I also have several packet captures taken from one of the infected uMax devices which show the apps communicating with both Russian and Chinese servers.