gradinaruvasile

Infected SystemUI.apk on CUBOT Rainbow not detected by Malwarebytes

28 posts in this topic

Hi,

I have a cheap Chinese phone (Cubot Rainbow) which, a month after purchase, started to open unwanted web pages. This happened when Chrome was running or had just been launched, or when the Store app was launched: it opened with random, unrequested apps focused. The most annoying was when using the Facebook Lite app: it showed full-screen app-install nag pages that could only be escaped by actually tapping an X sign on them; anything else is below them, even things opened from the drop-down menu.

I did a logcat on the phone and it has some lines like this (various websites are opened):

03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0

The "uid" 10022 is the user id of the package that requested the action.

adb shell "dumpsys package | grep -A30 'userId=10022'"
userId=10022
sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
pkg=Package{ad251ba com.android.systemui}
codePath=/system/priv-app/SystemUI
resourcePath=/system/priv-app/SystemUI
legacyNativeLibraryDir=/system/priv-app/SystemUI/lib
primaryCpuAbi=null
secondaryCpuAbi=null
versionCode=23 targetSdk=23
versionName=6.0-1474361238
splits=[base]
applicationInfo=ApplicationInfo{aead9c8 com.android.systemui}
flags=[ SYSTEM HAS_CODE PERSISTENT ]
privateFlags=[ PRIVILEGED ]
pkgFlagsEx=[ ]
dataDir=/data/user/0/com.android.systemui
supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
timeStamp=2016-09-20 11:09:09
firstInstallTime=2016-09-20 11:09:09
lastUpdateTime=2016-09-20 11:09:09
signatures=PackageSignatures{4fa86b [4fd7fc8]}
installPermissionsFixed=false installStatus=1
pkgFlags=[ SYSTEM HAS_CODE PERSISTENT ]
declared permissions:
com.android.systemui.permission.SELF: prot=signature, INSTALLED
User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0

I found the .apk file on the phone, downloaded it and attached it to this post.

I also uploaded it to virustotal.com (screenshot attached below): 13/55 detection ratio, but Malwarebytes did not detect it.

The "System UI" application cannot be disabled and I suspect it is the actual system UI which manages the UI, taskbar, touch and whatnot. It does some data transfer; I am not sure the system UI needs access to the internet. The phone was reset to factory defaults and there are no visible issues right now, but the app did make some data transfer.

I tried reflashing the phone but I am not sure it actually worked, because it did not take much to reset (the .zip I downloaded contained another .zip with the actual data; maybe I have to extract that...).

SystemUI.apk.zip

systemui-vir.png
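The uid-to-package step above is what actually attributes the browser launches, so here is an added example (not code from the post or from any tool mentioned in it) that automates it: it parses ActivityManager START lines out of a logcat dump, builds a uid-to-package map from `dumpsys package` output (packages in a sharedUser share one uid, so the map is uid to list of packages), and flags VIEW intents carrying web or store URLs that were fired by packages installed under /system. The logcat sample reuses the line quoted in the post plus constructed lines in the same format; the dumpsys excerpt is constructed to mirror the output shown above. The Android 6 layout of both outputs is an assumption.

```python
"""Attribute ActivityManager 'START' intents in logcat to the package behind 'from uid N'."""
import re
from collections import defaultdict

# Constructed sample logcat. The first line is the one quoted in the post; the
# others are made up in the same Android 6 ActivityManager format (assumption).
LOGCAT = """\
03-20 21:04:42.310 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://crapeta.com/... flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10022 from pid 23613 on display 0
03-20 21:05:10.001 23448 23722 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.settings/.Settings} from uid 10010 from pid 1234 on display 0
03-20 21:06:03.555 23448 23722 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=market://details?id=com.example.game pkg=com.android.vending cmp=com.android.vending/.AssetBrowserActivity} from uid 10022 from pid 23613 on display 0
03-20 21:06:04.000 23448 23722 D WifiService: unrelated line
"""

# Constructed excerpt of `adb shell dumpsys package`, trimmed to the fields used.
DUMPSYS = """\
Packages:
  Package [com.android.systemui] (ad251ba):
    userId=10022
    sharedUser=SharedUserSetting{de1a2e5 android.uid.systemui/10022}
    pkg=Package{ad251ba com.android.systemui}
    codePath=/system/priv-app/SystemUI
  Package [com.android.launcher3] (1234abc):
    userId=10010
    pkg=Package{1234abc com.android.launcher3}
    codePath=/system/app/Launcher3
  Package [com.android.chrome] (5678def):
    userId=10055
    pkg=Package{5678def com.android.chrome}
    codePath=/data/app/com.android.chrome-1
"""

START_RE = re.compile(
    r"ActivityManager: START u(?P<user>\d+) \{(?P<body>[^}]*)\} from uid (?P<uid>\d+) from pid (?P<pid>\d+)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")          # key=value pairs inside the {...} intent dump
PKG_HDR_RE = re.compile(r"^\s*Package \[(?P<name>[\w.]+)\]")
UID_RE = re.compile(r"^\s*userId=(?P<uid>\d+)")
CODEPATH_RE = re.compile(r"^\s*codePath=(?P<path>\S+)")


def parse_start_intents(logcat):
    """Return one dict per START line: requesting uid/pid, action, data URI, target package."""
    events = []
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("body")))
        events.append({
            "uid": int(m.group("uid")),
            "pid": int(m.group("pid")),
            "act": fields.get("act"),
            "dat": fields.get("dat"),
            # explicit pkg= wins; otherwise take the package half of cmp=pkg/Activity
            "target": fields.get("pkg") or fields.get("cmp", "").split("/")[0],
        })
    return events


def parse_dumpsys_packages(dump):
    """Return ({uid: [package, ...]}, {package: codePath}) from dumpsys package output."""
    uid_to_pkgs = defaultdict(list)
    code_paths = {}
    current = None
    for line in dump.splitlines():
        m = PKG_HDR_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if current is None:
            continue
        m = UID_RE.match(line)
        if m:
            uid_to_pkgs[int(m.group("uid"))].append(current)
            continue
        m = CODEPATH_RE.match(line)
        if m:
            code_paths[current] = m.group("path")
    return dict(uid_to_pkgs), code_paths


def attribute_launches(logcat, dump):
    """Join START events to the package(s) owning the requesting uid."""
    uid_to_pkgs, code_paths = parse_dumpsys_packages(dump)
    rows = []
    for ev in parse_start_intents(logcat):
        sources = uid_to_pkgs.get(ev["uid"], ["<unknown uid %d>" % ev["uid"]])
        system_origin = any(code_paths.get(p, "").startswith("/system/") for p in sources)
        rows.append({**ev, "sources": sources, "system_origin": system_origin})
    return rows


def suspicious_launches(rows):
    """VIEW intents with a web or store URL, fired by a package installed under /system."""
    return [r for r in rows
            if r["act"] == "android.intent.action.VIEW"
            and r["dat"] and r["dat"].startswith(("http://", "https://", "market://"))
            and r["system_origin"]]


if __name__ == "__main__":
    for r in suspicious_launches(attribute_launches(LOGCAT, DUMPSYS)):
        print("uid %d (%s) opened %s in %s" % (r["uid"], ",".join(r["sources"]), r["dat"], r["target"]))
```

On a real device feed it `adb logcat -d` and `adb shell dumpsys package` instead of the constants; the VIEW/URL filter is a heuristic, so review the full attributed list rather than only the flagged rows.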


ID: 2   Posted (edited)

I installed the NetGuard application and it seems that com.android.systemui tries to access an AWS instance:

sdk.asense.in (reverse DNS is ec2-54-169-134-231.ap-southeast-1.compute.amazonaws.com)

on port 80.

I did a curl on that address and it just returned the word "parbat".

Edit:

Logcat reports that the forward DNS is in fact sdk.asense.in which is the same IP address (54.169.134.231)

Edited by gradinaruvasile


After some time other connections to more IPs were attempted. The list so far (I don't know the forward DNS for any except the first):

54.169.134.231 ( sdk.asense.in )

54.255.162.237

54.255.144.219

52.76.189.231

52.220.124.195


Other IPs:

52.220.106.161

52.74.171.223

47.88.85.201 (this IP is registered to Alibaba.com LLC (AL-3))

Looking at the connection-attempt history, the first IP address (sdk.asense.in) seems to be the primary; connections to it are attempted every few minutes.

I exported a pcap packet capture from NetGuard (the rule is set to block the outgoing connections); it seems that these are only keepalive packets.

I also looked into the asense.in domain; it is registered to "inter police", Sponsoring Registrar: Name.com LLC (R65-AFIN):


Domain ID:D9641135-AFIN
Domain Name:ASENSE.IN
Created On:11-Jul-2015 07:50:58 UTC
Last Updated On:19-Jun-2016 16:58:38 UTC
Expiration Date:11-Jul-2017 07:50:58 UTC
Sponsoring Registrar:Name.com LLC (R65-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Reason:
Registrant ID:nec08dzk96cxew8q
Registrant Name:inter police
Registrant Organization:
Registrant Street1:shanghai
Registrant Street2:
Registrant Street3:
Registrant City:shanghai
Registrant State/Province:shanghai
Registrant Postal Code:200000
Registrant Country:CN
Registrant Phone:+86.12345678
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:interpolice.2012@gmail.com

I was under the impression that .in domains normally mean India, but in this case name.com (which is a US domain name registrar) can sell .in domain names to others to resell to dubious Chinese organisations. BTW this email address is linked to other .in domains that have connections to Android malware.

netguard_20170331 (5).pcap.zip


ID: 5   Posted

On 3/23/2017 at 1:46 PM, gradinaruvasile said:

I have a cheap Chinese phone (Cubot Rainbow) which, a month after purchase, started to open unwanted web pages. This happened when Chrome was running or had just been launched, or when the Store app was launched: it opened with random, unrequested apps focused.

I have a CUBOT Cheetah 2 and have the same problem (well, the symptoms are the same), with nothing wrong being reported by Malwarebytes.


ID: 6   Posted

You could check with logcat; the Cheetah might have different apps that do this thing.

A simple check for "System UI" is to check the data used by the app. It should not have any usage (look at the apps list and enable "Show system" in the three-dot menu at the upper right).

BTW, I met someone who also has a Cubot Rainbow and it seems to have no issues (no data used by System UI for 2 months or so). It also has an older firmware revision. And it seems it was originally purchased in the UK.
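The data-usage screen in Settings is fed by the kernel's xt_qtaguid accounting, which on Android 6 era devices can be read directly as /proc/net/xt_qtaguid/stats (via `adb shell cat`). Here is an added example (not from the post) that does the same check from a dump of that file: it sums bytes per uid, splits foreground from background traffic, and flags any package that should never talk to the internet. The stats excerpt and the uid-to-package map are constructed; the column layout and the rule that only acct_tag_hex == 0x0 rows carry a uid's total (tagged rows are subsets and would double count) are assumptions taken from the Android source, so check the header line on your own device.

```python
"""Per-uid traffic from /proc/net/xt_qtaguid/stats (the accounting behind the Settings data-usage screen)."""

# Constructed uid map, e.g. from `dumpsys package` (userId= lines). Assumption for this example.
UID_TO_PACKAGE = {0: "root", 10022: "com.android.systemui", 10055: "com.android.chrome"}

# Assumption: packages that have no business reaching the internet on a stock device.
EXPECTED_SILENT = {"com.android.systemui"}

# Constructed excerpt of /proc/net/xt_qtaguid/stats. Column names follow the kernel's
# header line (assumption); cnt_set 0 = background, 1 = foreground.
STATS = """\
idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets rx_tcp_bytes rx_tcp_packets rx_udp_bytes rx_udp_packets rx_other_bytes rx_other_packets tx_tcp_bytes tx_tcp_packets tx_udp_bytes tx_udp_packets tx_other_bytes tx_other_packets
2 wlan0 0x0 0 0 1200 10 800 9 1200 10 0 0 0 0 800 9 0 0 0 0
3 wlan0 0x0 0 1 300 3 200 2 300 3 0 0 0 0 200 2 0 0 0 0
4 wlan0 0x0 10022 0 48210 310 17644 298 48210 310 0 0 0 0 17644 298 0 0 0 0
5 wlan0 0x0 10022 1 512 4 256 3 512 4 0 0 0 0 256 3 0 0 0 0
6 wlan0 0x3c00000000000000 10022 0 2048 8 1024 6 2048 8 0 0 0 0 1024 6 0 0 0 0
7 wlan0 0x0 10055 0 9000000 8000 400000 6000 9000000 8000 0 0 0 0 400000 6000 0 0 0 0
8 wlan0 0x0 10055 1 2000000 2000 100000 1500 2000000 2000 0 0 0 0 100000 1500 0 0 0 0
"""

TEXT_COLUMNS = ("iface", "acct_tag_hex")


def parse_qtaguid(text):
    """Turn the stats dump into a list of dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):      # skip anything that is not a full row
            continue
        row = dict(zip(header, fields))
        for key in row:
            if key not in TEXT_COLUMNS:
                row[key] = int(row[key])
        rows.append(row)
    return rows


def bytes_per_uid(rows):
    """Sum rx+tx per uid using only the untagged (acct_tag_hex == 0x0) rows.

    Tagged rows (socket tags set by the app) are subsets of the untagged total for
    that uid; adding them in would count the same bytes twice.
    """
    totals = {}
    for r in rows:
        if r["acct_tag_hex"] != "0x0":
            continue
        t = totals.setdefault(r["uid_tag_int"], {"background": 0, "foreground": 0, "total": 0})
        n = r["rx_bytes"] + r["tx_bytes"]
        t["foreground" if r["cnt_set"] == 1 else "background"] += n
        t["total"] += n
    return totals


def flag_unexpected_talkers(totals, uid_to_package, expected_silent):
    """uids with any traffic whose package is on the 'should be silent' list."""
    return {uid: uid_to_package[uid] for uid, t in totals.items()
            if t["total"] > 0 and uid_to_package.get(uid) in expected_silent}


if __name__ == "__main__":
    totals = bytes_per_uid(parse_qtaguid(STATS))
    for uid, t in sorted(totals.items(), key=lambda kv: -kv[1]["total"]):
        print("%-8d %-28s total=%d bg=%d fg=%d" % (uid, UID_TO_PACKAGE.get(uid, "?"),
                                                    t["total"], t["background"], t["foreground"]))
    print("unexpected:", flag_unexpected_talkers(totals, UID_TO_PACKAGE, EXPECTED_SILENT))
```

Background-only traffic from a package the user never opens is the pattern to look for; a firewall like NetGuard blocks the connections but does not zero these counters, so a sudden jump after a period of zero is also a sign that the firewall stopped running.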


So, I pulled more logs from NetGuard.

It wants to connect to a multitude of sites. These connections were all blocked. I have no idea how it acquired all this connection info in the first place; I doubt it has all these hardcoded. Maybe it uses Google's ad network and NetGuard lets something related slip through? Interesting are those port 123 connections, which are usually NTP.

T4 - TCPv4 protocol

U4 - UDPv4 protocol

The last number after the / - destination port number.

There may be some slight errors; this list was obtained by OCRing some screenshots (mainly extra spaces or misinterpreted - signs).


T4 >ec2-54-169-134-231.ap-southeast-1.compute.amazonaws.com/80
U4 >47.90.91.157/6607
T4 >211.151.121.41/443
T4 >ec2-52-80-22-85.cn-north-1.compute.amazonaws.com.cn/443
U4 >47.90.91.157/6602
U4 >47.90.91.157/6606
U4 >47.90.91.157/6601
U4 >47.90.91.157/6604
U4 >47.90.91.157/6605
U4 >47.90.91.157/6608
T4 >ec2-54-169-184-223.ap-southeast-1.compute.amazonaws.com/80
T4 >ec2-52-220-106-161.ap-southeast-1.compute.amazonaws.com/80
U4 >47.90.91.157/6600
U4 >47.90.91.157/6603
T4 >ec2-54-222-186-106.cn-north-1.compute.amazonaws.com.cn/443
T4 >ec2-54-222-149-204.cn-north-1.compute.amazonaws.com.cn/443
U4 >153-128-30-125.compute.jp-e1.cloudn-service.com/123
U4 >209.58.185.100/123
U4 >ec2-34-198-99-183.compute-1.amazonaws.com/123
T4 >42.96.141.35/80
T4 >ec2-54-223-192-14.cn-north-1.compute.amazonaws.com.cn/443
U4 >y.ns.gin.ntt.net/123
U4 >ip-243-189.datautama.net.id/123
U4 >darwin.kenyonralph.com/123
T4 >ec2-54-222-139-114.cn-north-1.compute.amazonaws.com.cn/443
U4 >210.23.25.77/123
U4 >210.23.25.77/123
U4 >103-226-213-30-static.unigate.net.tw/123
U4 >61-216-153-105.HINET-IP.hinet.net/123
T4 >ec2-52-76-189-231.ap-southeast-1.compute.amazonaws.com/80
T4 >47.88.85.201/80
U4 >time2.isu.net.sa/123
U4 >b29.lumajangkab.go.id/123
U4 >ntp1.ams1.nl.leaseweb.net/123
T4 >ec2-54-223-248-84.cn-north-1.compute.amazonaws.com.cn/443
U4 >218.189.210.3/123
U4 >61-216-153-106.HINET-IP.hinet.net/123
T4 >ec2-54-222-193-107.cn-north-1.compute.amazonaws.com.cn/443
T4 >ec2-52-220-124-195.ap-southeast-1.compute.amazonaws.com/80
U4 >139.59.240.152/123
U4 >61-216-153-104.HINET-IP.hinet.net/123
T4 >ec2-54-222-170-68.cn-north-1.compute.amazonaws.com.cn/443
U4 >ngn-KAPnigatakML11.bb.kddi.ne.jp/123
U4 >dns1.synet.edu.cn/123
U4 >ntp3.flashdance.cx/123
U4 >timpany.srv.jre655.com/123
U4 >sjkBBML24.bb.kddi.ne.jp/123
T4 >47.90.91.157/1688
T4 >ec2-54-169-100-206.ap-southeast-1.compute.amazonaws.com/80
U4 >ntp.gnc.am/123
U4 >astoria.loreland.org/123
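As an added example (not the poster's code, nor NetGuard's), here is a triage script for a list in this format: it repairs the kinds of OCR damage the post warns about (e02 read for ec2, dashes for hyphens, stray spaces), extracts the IP and region from EC2 reverse-DNS names, and separates the UDP/123 NTP pool from web endpoints and from the single host hit on a run of consecutive high ports. The input is a constructed excerpt of the list above with the same damage reintroduced; the e02-to-ec2 rule relies on the reverse DNS quoted earlier in the thread (ec2-54-169-134-231...), and the port classes are assumptions.

```python
"""Triage of a NetGuard connection-attempt list that was OCR'd from screenshots."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed excerpt in the "T4 >host/port" layout of the post, with the OCR damage
# put back in: 'e02' for 'ec2', \u2014 (em dash) for '-', and stray spaces.
RAW = """\
T4 >e02-54-169-134-231.ap-southeast-1 .compute.amazonaws.com/80
U4 >47.90.91.157/6607
T4 >211.151.121.41/443
U4 >47.90.91.157/6602
T4 >e02-54-1 69-184-223.ap-southeast-1 .compute.amazonaws.com/80
U4 >ec2-34-198-99-183.compute\u20141.amazonaws.com/123
U4 >61-216-153-105.HINET\u2014IP.hinet.net/123
U4 >210.23.25.77/123
U4 >210.23.25.77/123
T4 >e02-52-76-189-231.ap-southeast-1 .compute.amazonaws.com/ 80
T4 >47.90.91.157/1688
U4 >ntp1.ams1.nl.leaseweb.net/123
"""

LINE_RE = re.compile(r"^(?P<proto>[TU])(?P<ver>[46])\s*>\s*(?P<host>.+?)\s*/\s*(?P<port>\d+)\s*$")
EC2_RE = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.(?P<region>[a-z0-9-]+)\.(?:compute\.)?amazonaws\.com(?:\.cn)?$"
)


@dataclass(frozen=True)
class Attempt:
    proto: str   # "tcp" or "udp"
    host: str
    port: int


def normalize_host(host):
    """Undo the usual OCR damage to a hostname."""
    host = host.replace("\u2014", "-").replace("\u2013", "-")  # dashes read for hyphens
    host = re.sub(r"\s+", "", host)                              # "-1 .compute" -> "-1.compute"
    host = re.sub(r"^e02-", "ec2-", host)                        # the 'c' of ec2 read as a zero
    return host.lower()


def parse_netguard(raw):
    attempts = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto = "tcp" if m.group("proto") == "T" else "udp"
        attempts.append(Attempt(proto, normalize_host(m.group("host")), int(m.group("port"))))
    return attempts


def ec2_ip(host):
    """('54.169.134.231', 'ap-southeast-1') for an EC2 reverse-DNS name, else None."""
    m = EC2_RE.match(host)
    if not m:
        return None
    return ".".join(m.group(i) for i in range(1, 5)), m.group("region")


def classify(a):
    """Assumed port classes: UDP/123 is NTP, TCP/80 and /443 are web, the rest is 'other'."""
    if a.proto == "udp" and a.port == 123:
        return "ntp"
    if a.proto == "tcp" and a.port in (80, 443):
        return "web"
    return "other"


def triage(attempts):
    ports_by_host = defaultdict(set)
    for a in attempts:
        ports_by_host[a.host].add(a.port)
    repeats = Counter((a.host, a.port) for a in attempts)
    return {
        "by_class": dict(Counter(classify(a) for a in attempts)),
        # same host:port tried more than once -> beaconing candidate
        "repeated": {k: n for k, n in repeats.items() if n > 1},
        # one host hit on three or more ports -> scan/fan-out rather than a normal client
        "fan_out": {h: sorted(p) for h, p in ports_by_host.items() if len(p) >= 3},
        "ec2": {a.host: ec2_ip(a.host) for a in attempts if ec2_ip(a.host)},
    }


if __name__ == "__main__":
    result = triage(parse_netguard(RAW))
    for key, value in result.items():
        print(key, value)
```

The NTP bucket is expected to be noisy and spread over many unrelated hosts (pool rotation), which is why it is separated out first; what is left, the EC2 web endpoints and the one IP probed across a port range, is the part worth correlating with the timing in the earlier posts.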


ID: 8   Posted (edited)

Hi gradinaruvasile,

I have the same phone and I'm pretty sure it is already shipped with malware that starts to trigger 1-2 months after you "activate" the phone.

I observed the following behaviour around 1 month after purchase:

  • Apps have been installed without my knowledge.
  • Ad pop-ups started to occur when unlocking the phone or opening apps which do not have ad pop-ups (e.g. WhatsApp). The ads are usually for other apps like Amazon, Wish, some free games.
  • In Chrome I was redirected to malicious sites like "You won an iPhone 7" or "Make money really fast". The redirecting sometimes went through multiple pages (I opened Wikipedia, Chrome opened page A, then immediately page B and finally I landed on page C). One time I tried to open an article from Google News and Chrome threw an error that it could not open the site due to too many redirects.
  • When opening the Google Play Store I was automatically redirected to specific app pages for which I had got ad pop-ups previously (e.g. I launched the Google Play Store home page and after 30 seconds I was on the app page of Amazon, Wish or some free games).
  • Mysterious files in my download folder like "18320934AKDWek238xh".

This is what I tried:

  • At first I used several scanners. One said that SystemUI is infected, but the other scanners found nothing.
  • I did at least 3 factory resets and every time the issues started exactly 1-2 months after the factory reset. There seems to be some time trigger. In the weeks before the issues occurred, I had installed no new apps. Also, I have only installed apps from the Google Play Store from well-known companies (Microsoft) or with generally many good ratings. Also, I was not browsing suspicious websites.

This is what I have researched:

  • The phone also has the FOTA provider from ADUPS, which has been reported with serious security issues by Kaspersky as it can install unwanted apps, execute remote commands and transmit personally identifiable information without user consent or disclosure.
  • When you read through Amazon reviews or even the official Cubot forum you can find several posts about malicious ROMs, a malicious YouTube app etc.
  • I wrote my own Amazon review (on German Amazon) and I got at least 3 responses from other people that have exactly the same problem as we have.
  • I read that many scanners will not report system apps because they assume that the manufacturers are not installing malicious things on the phone.

This is what Cubot told me:

  • When I reached out to Cubot they told me to install the FOTA PATCH TOOL. After executing it I had a newer version of the System Update app. With NetGuard I also observed that System UI is constantly trying to connect to AWS instances, so I blocked it and several other apps I don't know or use. But now, 1 month later, the issues are starting again. I got an ad pop-up yesterday and Chrome is constantly redirecting me to a site that tells me that I won an iPhone 7. I reached out to Cubot again, and they tell me to use a non-root firewall. But what shall I block? I already used NetGuard and I have really limited internet access!

So this is my conclusion:

  • It really seems that this model (or Cubot phones in general) is delivered purposely with malware.
  • It seems to be well-organised criminal energy, because the malicious behaviour needs 1-2 months till it triggers, so a general user would not think that it is built into the phone, and the malware is so deeply hidden that no scanners can find it and a general user can't remove it.

This was my first Android phone. I'm really disappointed that Android allows the manufacturers to build in such behaviour. This makes Android untrustworthy for me. It's sad that iOS has only expensive devices and is too "special" (no normal USB connection etc...) and that Windows Phone has a huge lack of app availability, so there is no real alternative to Android :/

I hope that this will all get some media attention and that the responsible companies will face legal responsibility for this bullshit :/

Edited by Oceanic815


Hi,

I asked Cubot too. Well, I got the exact same answer you got (an implicit admission):

- Some FOTA upgrade or No Root Firewall.

Now, the FOTA link they sent was not working. They seem to provide the Adups FOTA data-collection tool (which is built into the Wireless Update tool) which, besides the actual updates, can do some personal data collection. Note that this is done surreptitiously in the background and the data is sent to the same servers the updates come from. There was a scandal about it in the US, where they stopped the data collection by an update (which BTW can just as well be reversed by them).

To block this you should block net access to the Wireless Update tool.

Now, on the phone I had issues with (used by my wife) I reflashed the firmware (from their site, via the Wireless Update local-update option), then reset to defaults.

But before giving it any net access I installed NetGuard from .apk (I compiled it from source, but AFAIK the Play Store version .apk can be downloaded too) and disabled network access for System UI, Wireless Update and another shady package that has the Opera Store description but has some Chinese name.

No issues since, for more than a month. And as you can see above, System UI has tried to connect to many sites since.

But these kinds of issues have to be known to the world; the Chinese (people?) brands lost any trust I had. Is there a site where we can get these phones listed, with links to reports like these for validation?

Chinese vendors I have interacted with on AliExpress, eBay etc. all had a "slippery" attitude when something was wrong with their merchandise (anyway, I buy only cheaper stuff that I can afford to lose my money over). I get it, cultural differences and all, but anyway.

Customer:

Guys, you have malware installed on the phones you sell and customers store private data on.

Chinese:

Please try disabling net access of our malware with a 3rd-party tool (which, if for some reason it is stopped, will allow the malware to run).

What the #$##? Probably they are accustomed to no privacy over there; they don't even understand what we want (BTW, I lived my childhood under Communism and I know how it works). But they sell stuff to people that have other needs than them.

Is it that hard to provide a firmware that has no crap in it???

BTW, I remember somebody posting on Amazon, I believe, a screencap of a conversation about this subject with a Chinese dude that went something like:

Customer: you sold a phone that sent my personal data to China
Sales rep: your data is safe with us
Customer (I believe the exact words): You are seriously typing this??

PS: Malwarebytes still does not detect this (come on, even ClamAV detects it!).


ID: 10   Posted

Well, it started happening again. Now I don't know if there is another modified system/Google component that has access, if the SystemUI has built-in stuff that does things regardless of net access, or maybe NetGuard doesn't always work (after switching networks?). One day about 2-3 weeks ago the NetGuard app probably crashed (no status icon) and for about 7 hours the phone was connected to the net with no limitations.

Today we saw that an .apk was downloaded from somewhere and full-screen messages started appearing.

I wonder whether Chrome itself may be compromised too...

Anyway, this sucks.


ID: 12   Posted

I tried uploading it to virustotal and Malwarebytes does not detect it there. I would expect all mobile antivirus solutions to work with virustotal, since we can get a better picture in a few seconds instead of installing a ton of anti-malware apps.

BTW, after yesterday's "outbreak" I removed the "SYSTEM_ALERT_WINDOW" permission (that is the permission that lets a window cover everything permanently, used by this kind of malware to force the user to actually tap a button) from systemui and since then no more popups... May be a coincidence, may not. We'll see.

adb shell pm revoke com.android.systemui android.permission.SYSTEM_ALERT_WINDOW



ID: 13   Posted (edited)

On 12.5.2017 at 3:01 PM, gradinaruvasile said:

Well, it started happening again. Now I don't know if there is another modified system/Google component that has access, if the SystemUI has built-in stuff that does things regardless of net access, or maybe NetGuard doesn't always work (after switching networks?). One day about 2-3 weeks ago the NetGuard app probably crashed (no status icon) and for about 7 hours the phone was connected to the net with no limitations.

Today we saw that an .apk was downloaded from somewhere and full-screen messages started appearing.

I wonder whether Chrome itself may be compromised too...

Anyway, this sucks.

That's exactly what I have observed. I got the malicious redirects only in Chrome, but not in Opera Mini. I guess the malware has some code which says in which app to trigger the System UI manipulation. This seems to be the most common apps: WhatsApp, Facebook, Chrome, Play Store and the Google search bar.

I'm pretty sure that there are really high-level cybercriminals behind that. You can tell that from how "well" the Trojan is designed and how undeletable/undetectable it is, even for scanners, for a long time. From how it works you can say it has been made by professionals. It's so hidden, and in the stock ROM, but they are clever to trigger the malware only 1 month after purchase so that product testers do not realise it and customers wouldn't realise it fast enough to return the phone. Most users would probably think that it is their own fault because they might have downloaded some bad things. When I bought the phone on Amazon, it had really good ratings on Amazon. Only after I wrote the first review about the malware on German Amazon did other customers start to report the same thing. I can also see a lot of reviews on amazon.co.uk complaining about the malware now.

Cubot seems to have a history of this. There are reviews about other phones from Cubot with malware too. I'm not sure if Cubot is the offender here or if Cubot is a victim itself. I mean, they are not deleting the malware reports in their own official forum, but they are also not making a firmware update. But nevertheless, without taking any responsibility and action for this serious matter, you can't trust this company. I will never buy a phone from them again. It's funny how their own slogan is "Einfach & Vertrauensvoll" - translated this means "Simple & Trustworthy".

You really should get rid of this phone. You can't be sure what else it is doing - collecting passwords, buying things with your money? (see this article https://securelist.com/blog/research/75894/how-trojans-manipulate-google-play/). In Germany we have a law that we can claim a free repair or refund if a product is defective or not as described within 6 months after the purchase. So I have sent it back, as it is for sure not matching local law to deliver phones with malware. Maybe you have some similar laws in your country too.

I have sent mine back and bought a Wiko Sunny instead. At least this is a French company, so they could be sued if they are delivering harmful products. And the best thing about the Wiko is that it seems to be the only 4-inch Marshmallow phone on the market, so it fits your pocket! (Really, what are all the big companies thinking by only releasing phablets nowadays? As a guy I do not want to have a handbag so that I'll be able to transport my phone during summer time :D)

Edited by Oceanic815
Removed duplicated quote


ID: 14   Posted

OK, guys, now this is REALLY strange.

I just inserted my SIM card from the infected Cubot phone into my new Wiko Sunny. I did NOT insert the old external SD card.

Then I googled something in the search bar, then I was on the Android Central forum and I was IMMEDIATELY redirected to a MALICIOUS "you won an iPhone" website. The same website I had been redirected to when I was using the Cubot phone?

How can this happen? Can it be that the Cubot Rainbow phone has somehow transported malware to a SIM card??


ID: 17   Posted

Right now, Malwarebytes does not detect the infected SystemUI.apk anymore, as it did a couple of days before. However, it's still the same phone software, and other tools like McAfee Mobile still detect this.

Malwarebytes DB Version 2017.05.19.01

Malicious URL DB Version 2017.05.21.02

Last positive scan was 20/May/2017 - 00:21:32


ID: 18   Posted

Well, it seems that a firmware update was released on 2017-05-26 and pushed via the Wireless Update app; we noticed only now.

It has 2 items in the changelog: a line coloured red saying "Enhanced protection against malware" and some minor bug fixes. One can hope they mean that they removed this crap.

I will apply the update later when the phone is available and report back.


Screenshot_20170605-101729.png


ID: 19   Posted (edited)

I did the update. Good news.

The systemui apk file has 0/56 virustotal score!

Other than that they included some new software; Google Duo and Browser stand out at first glance.

Now i will have to see if something happens ...

vt.png

Edited by gradinaruvasile


ID: 20   Posted

I also updated the phone and extracted the SystemUI app from the phone via adb for checking with desktop AV scanners. Previously, both scanners (ClamAV and Sophos) reported SystemUI (the known infected one) as a virus. Now, neither finds an issue anymore. However, McAfee Mobile Security on the phone still reports SystemUI as a suspicious app (like before). So not sure if I should care about this ....

Screenshot_20170606-115728.png


ID: 21   Posted

You can upload it to virustotal.com, it will be checked with 56 scanners to date.


ID: 22   Posted (edited)

I need this for my Cheetah 2!!! No such update :(

(I flashed my phone a few weeks ago and the flood of ads popping up all the time is starting all over again, despite me not having any dodgy apps whatsoever)

On 6/5/2017 at 8:22 AM, gradinaruvasile said:

Well, it seems that a firmware update was released on 2017-05-26 and pushed via the Wireless Update app; we noticed only now.

It has 2 items in the changelog: a line coloured red saying "Enhanced protection against malware" and some minor bug fixes. One can hope they mean that they removed this crap.

I will apply the update later when the phone is available and report back.

Screenshot_20170605-101729.png


Edited by jaimepn


ID: 23   Posted

For the Rainbow the update came only via the Wireless Update app.


ID: 24   Posted

@jaimepn

I assume they fixed only the Rainbow firmware. I had an email conversation with Cubot about the infected Rainbow firmware and they fixed this upon my request.

So it would be worth a try for you to also complain about your phone. Send me a PM and I will forward my conversation with Cubot to you, as a reference.



ID: 25   Posted

45 minutes ago, khambrecht said:

@jaimepn

I assume they fixed only the Rainbow firmware. I had an email conversation with Cubot about the infected Rainbow firmware and they fixed this upon my request.

So it would be worth a try for you to also complain about your phone. Send me a PM and I will forward my conversation with Cubot to you, as a reference.

And what did they say about this? Why was this malware there in the first place?

