
Pre-installed Malware on Lifeline phones



I have been researching the issues with the pre-installed malware on the government-funded "LifeLine" phones for over two years and have noticed that MalwareBytes has written two articles about this.

 

If you decompile the adware/malware to its Java source code you will find that all malware samples share similar code to connect to servers on GoDaddy registered to Alibaba.

 

Here is a snippet from that shared code:

public static String d = "Tu45R_77Kie_YiTiv";

 

The fake "CleanMaster" app that was installed on many devices hides its icon from the user to try and avoid deletion and uses various open-source projects found on GitHub:

https://githubDOTcom/asLody/VirtualApp

https://githubDOTcom/TalkingData

and hides some of its processes using Base64 encoding.

For instance, the app checks to see if it's running on an emulator or a VM by running the command "/system/bin/cat /proc/cpuinfo", which can be seen in LogCat logs under "xoxo".

Some of the apps that were installed by themselves:

com.concreteroom.thenorthpole-1.apk
26333a6d48deddd3305c07b5ee00bb6e  

com.democratizing.casualness-1.apk
82ecf170914d360992e230e0929fc0b8

com.spidmes.peaus-1.apk
fde7346273d4561b306828615412899d  

com.bird.aa01.apk
3f9cb3284cfb560ea59f6a4d895ee0a5 

 

The preinstalled Gallery app on an earlier uMax phone has a signed cert from Telepoch and has two encrypted .jar files in its assets directory disguised as TrueType fonts.

Gallery2.apk
e7a6854e7bdd61207100bde3a9cc3f73  

 

This app appeared after several weeks and had never been uploaded to VirusTotal until I had submitted it.

It took a month before one of the detection engines (ESET) flagged it as a Trojan Agent.

com.tesla.eo.xsdfa.apk
3332c30b6e4823135c984c57e11512ef

It is heavily obfuscated and had connected to a PHP server that downloaded an IP address from a private address block.

 

I have been reporting all this to both Assurance Wireless and Access Wireless and I have several dozen emails communicating with them over the last two years.

I also brought one of the infected devices to my State's Attorney General's office to file a complaint last year but was only sent home with a generic complaint form for robo-calls.

I filed another written complaint with the Attorney General's office in person this year as well, but whenever I call to check the status of my complaint(s) the person at the Attorney General's office tells me that they cannot confirm nor deny they are doing anything about it and that they would contact me if they needed any further information.

I had even reached out to the owner of the marketing company that has been distributing these infected devices last year and was stonewalled by the owner when asking where the devices were coming from.

The supervisor for this marketing company had set up a tent just outside the local veterans hospital to distribute the devices.

I also have several packet captures taken from one of the infected uMax devices which show the apps communicating with both Russian and Chinese servers.


  • Staff

Hi @Concerned_Citizen,

Sounds like you've done some deep research on this.  Which model was the phone?  I assume you had the UMX (Unimax)?

Yes, that sounds like the same behavior I observed for "CleanMaster" myself.  Base64 and emulator/VM aware is also common among Android/Trojan.HiddenAds variants.  These are also HiddenAds:

com.concreteroom.thenorthpole-1.apk
26333a6d48deddd3305c07b5ee00bb6e  

com.democratizing.casualness-1.apk
82ecf170914d360992e230e0929fc0b8

com.spidmes.peaus-1.apk
fde7346273d4561b306828615412899d 

There are many, many variants of HiddenAds being cycled and downloaded/installed by pre-installed malware.  These are just a few samples you listed.

This appears to be Android/Trojan.Dropper.Agent.hfn:

com.bird.aa01.apk
3f9cb3284cfb560ea59f6a4d895ee0a5 

I have also observed com.android.gallery3d infected with pre-installed malware.  In fact, I'm seeing two other variants of com.android.gallery3d using the same teleepoch digital certificate infected with malware similar to Android/Trojan.Downloader.Wotby.SEK found in the com.android.settings I wrote about.  I'll look deeper into this.  Keep in mind though that not everything signed with teleepoch is necessarily pre-installed malware.  They make/sign many legitimate system apps as well. 

You are also correct on com.tesla.eo.xsdfa.  It appears we've been detecting it as Android/Trojan.Agent.AXW for nearly a year.

I hear your frustrations along with all the other Lifeline customers.  Luckily there are patrons like you that are tech savvy enough to grasp what's going on here more thoroughly.  Our hope is that through our writings we can advocate change in these companies.  We were successful in doing so with UMX (Unimax) on the U683CL.  We are hoping ANS/TeleEpoch will do the same.

Nathan


Thank you for your reply Nathan and for the reports so that this matter (hopefully) gets the attention it needs to protect our most vulnerable citizens.

I am a member and advocate for vulnerable people in my community and as such I have had access to several Android devices being distributed by the government-funded Lifeline program.

Most of my friends in this community rely on these phones as their only source of communication to make appointments with their doctors, case managers and housing officials or crisis response teams.

The adware/malware that was installed without user intervention made these devices unusable.
Many of the phones I've looked at would crash repeatedly, were hot to the touch and batteries would fail within a month due to the excessive adware.

I also found the "wiz.txt" file that you mentioned in your article that listed apps from a third-party app store. 

But on the version I extracted it shows another download source further down on the list that is registered anonymously through a registrar that has a long history of hosting malware.
(NAMECHEAP)

What is most unusual is that when the news about the pre-installed malware first became public several months ago, Assurance Wireless responded as if it was the first they had heard of it.
But I have archived Virgin Mobile's own website, where many users had notified the representatives of the problems with adware and apps that installed by themselves, dating back to April of 2018.
(However, it appears these web pages may have been taken down recently)

Here is just one of many complaints from users to a Virgin Mobile employee from April 2018 regarding their ANS UL40 device:

"The pop-up ads come with the phone and start popping up as soon as the phone gets set up, even before adding any apps.  It also randomly downloads apps on its own without asking.  It's all built-in."


I found a unique identifier hidden on the SDcard of a newer ANS device that allowed any app with access to the phone's storage to track the user regardless of what privacy settings had been made.
The SD card also had the "Wish" apk located in: /Android/data/com.ironsource.appcloud.oobe/files directory.
com.contextlogic.wish
4969dd5c75a5d78e8033947366d9f99a

Another one of my friends was having problems with their ANS device and I found more adware apps that were installed by themselves:

com.journalism.newspaper-1.apk
a7ad96619ff91426b04088d3ca75de24

(After 6 weeks)
com.hinedey.empoy-1
c6985f3e451912f1b0bafe0078587f79

com.abbreviation.civilization-1
aa87825bfc905965fb1751dd6ac82ab5 
(contains "blacklist" and "whitelist" in the /res/raw directory
that blacklists many security and AV apps including: "org.malwarebytes.antimalware")

I misspoke on my earlier post where I stated:
"This app appeared after several weeks and had never been uploaded to VirusTotal until I had submitted it. It took a month before one of the detection engines (ESET) flagged it as a Trojan Agent."

The app in question was NOT the "com.tesla.eo.xsdfa.apk" that was heavily obfuscated, it was:
Plays_com.android.eo.plays.apk
432feebad71938963100e4571be0a6ed

A homeless friend had an ANS device that he was unable to use because of the fake Clean Master app mentioned before:
5a5ab39960d3b96be2b8bbea99477e6f

I have uploaded one of the decrypted packet captures showing the "com.democratizing.casualness" app downloading executable scripts from Russia's Yandex servers.

yandex-cap.txt


While searching the web for the code snippet that is present in all the malware I came across this excellent breakdown of the com.fota.wirelessupdate.apk backdoor by researcher Ninji:

https://wuffs.org/blog/digitime-tech-fota-backdoors

Ninji's very in-depth research into this helps tie together many of the things that I and others have found on the infected devices, including the unique identifiers I found and mentioned in my second post.

I think the most disturbing part of Ninji's findings is this statement:

"This service offers one hilariously powerful method, orgYGM, which allows any Android permission to be silently granted to any app (regardless of whether it defines that permission in its manifest), by delving into the state of the PackageManagerService using copious amounts of Java reflection." 

So to summarize, we have apps that are being installed on our phones remotely from Chinese-owned servers which run with SYSTEM privileges and can be granted permissions from other apps that have dangerous permissions (like the fake CleanMaster app) even if the apps that get installed don't list any permissions at all in their manifest.

Here are the permissions listed in the fake CleanMaster app:

  <uses-permission
      name='android.permission.ACCESS_COARSE_LOCATION'>
  </uses-permission>
  <uses-permission
      name='android.permission.BROADCAST_STICKY'>
  </uses-permission>
  <uses-permission
      name='android.permission.REORDER_TASKS'>
  </uses-permission>
  <uses-permission
      name='com.google.android.c2dm.permission.RECEIVE'>
  </uses-permission>
  <uses-permission
      name='android.permission.READ_EXTERNAL_STORAGE'>
  </uses-permission>
  <uses-permission
      name='android.permission.WRITE_EXTERNAL_STORAGE'>
  </uses-permission>
  <uses-permission
      name='android.permission.READ_PHONE_STATE'>
  </uses-permission>
  <uses-permission
      name='android.permission.BLUETOOTH'>
  </uses-permission>
  <uses-permission
      name='android.permission.CAMERA'>
  </uses-permission>
  <uses-permission
      name='android.permission.INTERNET'>
  </uses-permission>
  <uses-permission
      name='android.permission.ACCESS_NETWORK_STATE'>
  </uses-permission>
  <uses-permission
      name='android.permission.WAKE_LOCK'>
  </uses-permission>
  <uses-permission
      name='com.yonder.robi.permission.C2D_MESSAGE'>
  </uses-permission>
  <uses-permission
      name='android.permission.ACCESS_WIFI_STATE'>
  </uses-permission>
  <uses-permission
      name='android.permission.RECEIVE_BOOT_COMPLETED'>
  </uses-permission>
  <uses-permission
      name='android.permission.VIBRATE'>
  </uses-permission>
  <uses-permission
      name='com.google.android.providers.gsf.permission.READ_GSERVICES'>
  </uses-permission>
  <uses-permission
      name='android.permission.BLUETOOTH_ADMIN'>
  </uses-permission>
  <uses-permission
      name='android.permission.GET_ACCOUNTS'>
  </uses-permission>
  <uses-permission
      name='android.Manifest.permission.ACCESS_COARSE_LOCATION'>
  </uses-permission>
  <uses-permission
      name='android.Manifest.permission.ACCESS_FINE_LOCATION'>
  </uses-permission>
  <uses-permission
      name='android.permission.WRITE_SETTINGS'>
  </uses-permission>
  <uses-permission
      name='android.permission.PERSISTENT_ACTIVITY'>
  </uses-permission>
  <uses-permission
      name='android.permission.CHANGE_WIFI_STATE'>
  </uses-permission>
  <uses-permission
      name='android.permission.READ_LOGS'>
  </uses-permission>
  <uses-permission
      name='android.permission.GET_PACKAGE_SIZE'>
  </uses-permission>
  <uses-permission
      name='android.permission.GET_TASKS'>
  </uses-permission>
  <uses-permission
      name='android.permission.SYSTEM_ALERT_WINDOW'>
  </uses-permission>
  <uses-permission
      name='android.permission.SET_WALLPAPER'>
  </uses-permission>
  <uses-permission
      name='android.permission.EXPAND_STATUS_BAR'>
  </uses-permission>
  <uses-permission
      name='android.permission.CHANGE_NETWORK_STATE'>
  </uses-permission>
  <uses-permission
      name='android.permission.DISABLE_KEYGUARD'>
  </uses-permission>
  <uses-permission
      name='android.permission.READ_SYNC_STATS'>
  </uses-permission>
  <uses-permission
      name='android.permission.AUTHENTICATE_ACCOUNTS'>
  </uses-permission>
  <uses-permission
      name='dianxin.permission.ACCESS_LAUNCHER_DATA'>
  </uses-permission>
  <uses-permission
      name='android.permission.SET_WALLPAPER_HINTS'>
  </uses-permission>
  <uses-permission
      name='android.permission.ACCESS_BLUETOOTH_SHARE'>
  </uses-permission>
  <uses-permission
      name='android.permission.MOUNT_UNMOUNT_FILESYSTEMS'>
  </uses-permission>
  <uses-permission
      name='android.permission.MODIFY_AUDIO_SETTINGS'>
  </uses-permission>
  <uses-permission
      name='com.goibibo.permission.MAPS_RECEIVE'>
  </uses-permission>
  <uses-permission
      name='android.permission.RUN_INSTRUMENTATION'>
  </uses-permission>
  <uses-permission
      name='android.permission.WRITE_CONTACTS'>
  </uses-permission>
  <uses-permission
      name='android.permission.MANAGE_ACCOUNTS'>
  </uses-permission>
  <uses-permission
      name='com.android.vending.BILLING'>
  </uses-permission>
  <uses-permission
      name='com.android.vending.INSTALL_REFERRER'>
  </uses-permission>
  <uses-permission
      name='com.android.alarm.permission.SET_ALARM'>
  </uses-permission>
  <uses-permission
      name='android.permission.USE_FINGERPRINT'>
  </uses-permission>
  <uses-permission
      name='android.permission.NFC'>
  </uses-permission>
  <uses-permission
      name='com.android.launcher.permission.INSTALL_SHORTCUT'>
  </uses-permission>
  <uses-permission
      name='android.permission.WRITE_SYNC_SETTINGS'>
  </uses-permission>

Niji also states:

"The abilities to grant any app arbitrary permissions and to read/write files as the system user mean that any app running on a system with Digitime's fo_sl_enhance service has a ridiculous amount of power. I was able to use this to dump the Android accounts database (including auth tokens) and to even disable the SystemFota system app, all from an un-privileged app that declared no permissions."

This is as bad as it gets!


This means that a malicious app can grab the users authentication tokens to log in to Google, Facebook or other accounts (banking?) as if they were the user.

 

The CleanMaster app is unusual in that it contains the VirtualApp module for installing apps within the CleanMaster app itself in a sandbox.

And from the GitHub page of VirtualApp it states:

"and the ability to run APK without installing it opens up unlimited possibilities -- which depend on your imagination."

I can imagine a few possibilities...

From simply installing apps in the background to commit advertising fraud...

Or worse, installing an app in the background and using the stolen authentication token(s) of the user to log in to the hidden app as the user themselves.

How many websites or apps let you log in using your Google or Facebook credentials?

I was wondering if anyone at MalwareBytes is going to do an in-depth breakdown of the fake CleanMaster app?

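As an added example (not code from the thread or from any of the apps discussed), a Python triage pass over an excerpt of the permission dump above: it parses the <uses-permission> entries, groups them by protection level and flags names that can never match a real permission. The protection-level tables are a partial classification taken from the Android permission reference, covering only names that occur in the dump, and the "vendor" bucket is my own heuristic for permissions copied in from other apps' SDK manifests.

```python
import re

# Constructed input: an excerpt of the <uses-permission> dump quoted in the post above.
MANIFEST_DUMP = """
  <uses-permission
      name='android.permission.ACCESS_COARSE_LOCATION'>
  </uses-permission>
  <uses-permission
      name='android.permission.READ_PHONE_STATE'>
  </uses-permission>
  <uses-permission
      name='android.permission.CAMERA'>
  </uses-permission>
  <uses-permission
      name='com.yonder.robi.permission.C2D_MESSAGE'>
  </uses-permission>
  <uses-permission
      name='android.Manifest.permission.ACCESS_FINE_LOCATION'>
  </uses-permission>
  <uses-permission
      name='android.permission.READ_LOGS'>
  </uses-permission>
  <uses-permission
      name='android.permission.SYSTEM_ALERT_WINDOW'>
  </uses-permission>
  <uses-permission
      name='android.permission.AUTHENTICATE_ACCOUNTS'>
  </uses-permission>
  <uses-permission
      name='dianxin.permission.ACCESS_LAUNCHER_DATA'>
  </uses-permission>
  <uses-permission
      name='android.permission.MOUNT_UNMOUNT_FILESYSTEMS'>
  </uses-permission>
  <uses-permission
      name='com.android.vending.BILLING'>
  </uses-permission>
"""

# Partial classification from the Android permission reference (assumption: only names
# that appear in the dump are listed; anything unlisted lands in "other").
DANGEROUS = {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CAMERA", "READ_PHONE_STATE",
             "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "GET_ACCOUNTS", "WRITE_CONTACTS"}
SPECIAL = {"SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS"}        # user must toggle these in Settings
PRIVILEGED = {"READ_LOGS", "MOUNT_UNMOUNT_FILESYSTEMS"}     # signature|privileged: not for 3rd-party apps
REMOVED = {"AUTHENTICATE_ACCOUNTS", "MANAGE_ACCOUNTS", "GET_TASKS"}  # removed/deprecated (API 21-23)
PLATFORM_PREFIXES = ("android.permission.", "com.android.", "com.google.android.")

PERM_RE = re.compile(r"<uses-permission\s+name='([^']+)'")


def parse_permissions(dump):
    """Return the declared permission names in document order."""
    return PERM_RE.findall(dump)


def triage_permissions(dump):
    """Bucket each declared permission so an analyst sees the risky and the bogus ones first."""
    report = {k: [] for k in ("dangerous", "special", "privileged_only", "removed",
                              "malformed", "vendor", "other")}
    for name in parse_permissions(dump):
        short = name.rsplit(".", 1)[-1]
        if name.startswith("android.Manifest.permission."):
            # Java constant path pasted as a string: it never matches a real permission.
            report["malformed"].append(name)
        elif name.startswith("android.permission."):
            if short in DANGEROUS:
                report["dangerous"].append(name)
            elif short in SPECIAL:
                report["special"].append(name)
            elif short in PRIVILEGED:
                report["privileged_only"].append(name)
            elif short in REMOVED:
                report["removed"].append(name)
            else:
                report["other"].append(name)
        elif name.startswith(PLATFORM_PREFIXES):
            report["other"].append(name)
        else:
            # Another app's or SDK's permission: a manifest fragment copied from elsewhere.
            report["vendor"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in triage_permissions(MANIFEST_DUMP).items():
        print(f"{bucket:15s} {names}")
```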

  • Staff

Hi @Concerned_Citizen,

Thanks for all the info!  

8 hours ago, Concerned_Citizen said:

I was wondering if anyone at MalwareBytes is going to do an in-depth breakdown of the fake CleanMaster app?

Not at this time, but I'll look into it.  It takes a lot of resources to do deep dives on malware.

Also, here are the detections we have in place for mentioned APKs:

Android/Trojan.HiddenAds.ForeSpot
com.journalism.newspaper-1.apk
a7ad96619ff91426b04088d3ca75de24

Android/Trojan.HiddenAds.POT
com.hinedey.empoy-1
c6985f3e451912f1b0bafe0078587f79

Android/Trojan.HiddenAds.CIT
com.abbreviation.civilization-1
aa87825bfc905965fb1751dd6ac82ab5 

Android/Trojan.Dropper.Agent.DBW
Plays_com.android.eo.plays.apk
432feebad71938963100e4571be0a6ed

Nathan


" It takes a lot of resources to do deep dives on malware."

I fully understand and agree that it is very time consuming.

But I do appreciate the fact that you and MalwareBytes took the time to bring this into the light and to get the manufacturers to push out firmware updates that (hopefully) fix these issues to protect users' privacy and security.

Myself and others have been trying to get these problems resolved for over two years and nothing was done until you and your company took the time and resources to bring this to the world's attention, and for that I am deeply appreciative and owe a debt of gratitude.

The "Plays_com.android.eo.plays.apk" is very time consuming indeed as it appears to be much more obfuscated than the other samples.

The Java class names are specifically designed to confuse someone trying to make heads or tails of it and it uses several techniques to hide its functions.

For instance, the public class Ol1Q0l contains:

 

public static final byte[] QOIlQ1 = { 76, 121, 53, 108, 99, 110, 73, 52, 76, 109, 120, 118, 90, 121, 119, 118, 76, 109, 85, 53, 76, 109, 112, 104, 99, 105, 119, 118, 76, 109, 85, 53, 76, 109, 82, 108, 101, 67, 120, 106, 98, 50, 48, 117, 101, 106, 69, 117, 89, 50, 70, 115, 98, 67, 120, 115, 98, 50, 70, 107, 81, 50, 120, 104, 99, 51, 77, 115, 97, 109, 70, 50, 89, 83, 53, 115, 89, 87, 53, 110, 76, 107, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 82, 71, 86, 52, 81, 50, 120, 104, 99, 51, 78, 77, 98, 50, 70, 107, 90, 88, 73, 115, 76, 71, 100, 108, 100, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 70, 117, 90, 72, 74, 118, 97, 87, 81, 117, 89, 50, 57, 117, 100, 71, 86, 117, 100, 67, 53, 68, 98, 50, 53, 48, 90, 88, 104, 48, 76, 71, 82, 108, 101, 69, 86, 115, 90, 87, 49, 108, 98, 110, 82, 122, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 81, 109, 70, 122, 90, 85, 82, 108, 101, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 72, 66, 104, 100, 71, 104, 77, 97, 88, 78, 48, 76, 71, 120, 112, 89, 106, 73, 115, 98, 71, 108, 105, 99, 121, 119, 118, 76, 109, 56, 117, 97, 109, 70, 121, 76, 72, 78, 116, 89, 87, 120, 115, 76, 110, 82, 48, 90, 103, 61, 61 };
 
Which is a decimal representation of the ASCII string of:

Ly5lcnI4LmxvZywvLmU5LmphciwvLmU5LmRleCxjb20uejEuY2FsbCxsb2FkQ2xhc3MsamF2YS5sYW5nLkNsYXNzTG9hZGVyLGRhbHZpay5zeXN0ZW0uRGV4Q2xhc3NMb2FkZXIsLGdldENsYXNzTG9hZGVyLGFuZHJvaWQuY29udGVudC5Db250ZXh0LGRleEVsZW1lbnRzLGRhbHZpay5zeXN0ZW0uQmFzZURleENsYXNzTG9hZGVyLHBhdGhMaXN0LGxpYjIsbGlicywvLm8uamFyLHNtYWxsLnR0Zg==

Which is Base64 which decodes to:

/.err8.log,/.e9.jar,/.e9.dex,com.z1.call,loadClass,java.lang.ClassLoader,dalvik.system.DexClassLoader,,getClassLoader,android.content.Context,dexElements,dalvik.system.BaseDexClassLoader,pathList,lib2,libs,/.o.jar,small.ttf

Which is very interesting indeed as it mentions the fake TrueType font "small.ttf" found in the assets of the Gallery3D app which is signed by Teleepoch and shows that all these malicious apps work in unison with each other to completely compromise the device.

I took another look at the "com.fota.wirelessupdate.apk" and it appears that the researcher "Ninji" I linked to in my other post is correct on all counts.

I believe that the "com.fota.wirelessupdate.apk" should be detected by AV apps as something worse than just a PUP and should be flagged for what it is, a Trojan RAT Backdoor.

I would also go as far as saying that I believe any accounts or apps the user has signed on to have been compromised as well, given the capabilities and Ninji's own tests.


  • Staff

Hi @Concerned_Citizen,

On 7/16/2020 at 7:19 PM, Concerned_Citizen said:

The "Plays_com.android.eo.plays.apk" is very time consuming indeed as it appears to be much more obfuscated than the other samples.

The Java class names are specifically designed to confuse someone trying to make heads or tails of it and it uses several techniques to hide its functions.

For instance, the public class Ol1Q0l contains:

public static final byte[] QOIlQ1 = { 76, 121, 53, 108, 99, 110, 73, 52, 76, 109, 120, 118, 90, 121, 119, 118, 76, 109, 85, 53, 76, 109, 112, 104, 99, 105, 119, 118, 76, 109, 85, 53, 76, 109, 82, 108, 101, 67, 120, 106, 98, 50, 48, 117, 101, 106, 69, 117, 89, 50, 70, 115, 98, 67, 120, 115, 98, 50, 70, 107, 81, 50, 120, 104, 99, 51, 77, 115, 97, 109, 70, 50, 89, 83, 53, 115, 89, 87, 53, 110, 76, 107, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 82, 71, 86, 52, 81, 50, 120, 104, 99, 51, 78, 77, 98, 50, 70, 107, 90, 88, 73, 115, 76, 71, 100, 108, 100, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 70, 117, 90, 72, 74, 118, 97, 87, 81, 117, 89, 50, 57, 117, 100, 71, 86, 117, 100, 67, 53, 68, 98, 50, 53, 48, 90, 88, 104, 48, 76, 71, 82, 108, 101, 69, 86, 115, 90, 87, 49, 108, 98, 110, 82, 122, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 81, 109, 70, 122, 90, 85, 82, 108, 101, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 72, 66, 104, 100, 71, 104, 77, 97, 88, 78, 48, 76, 71, 120, 112, 89, 106, 73, 115, 98, 71, 108, 105, 99, 121, 119, 118, 76, 109, 56, 117, 97, 109, 70, 121, 76, 72, 78, 116, 89, 87, 120, 115, 76, 110, 82, 48, 90, 103, 61, 61 };
 
Which is a decimal representation of the ASCII string of:

Ly5lcnI4LmxvZywvLmU5LmphciwvLmU5LmRleCxjb20uejEuY2FsbCxsb2FkQ2xhc3MsamF2YS5sYW5nLkNsYXNzTG9hZGVyLGRhbHZpay5zeXN0ZW0uRGV4Q2xhc3NMb2FkZXIsLGdldENsYXNzTG9hZGVyLGFuZHJvaWQuY29udGVudC5Db250ZXh0LGRleEVsZW1lbnRzLGRhbHZpay5zeXN0ZW0uQmFzZURleENsYXNzTG9hZGVyLHBhdGhMaXN0LGxpYjIsbGlicywvLm8uamFyLHNtYWxsLnR0Zg==

Which is Base64 which decodes to:

/.err8.log,/.e9.jar,/.e9.dex,com.z1.call,loadClass,java.lang.ClassLoader,dalvik.system.DexClassLoader,,getClassLoader,android.content.Context,dexElements,dalvik.system.BaseDexClassLoader,pathList,lib2,libs,/.o.jar,small.ttf

Which is very interesting indeed as it mentions the fake TrueType font "small.ttf" found in the assets of the Gallery3D app which is signed by Teleepoch and shows that all these malicious apps work in unison with each other to completely compromise the device.

Nice find there!  Yes, small.ttf appears to be a library to be loaded at runtime.  I have seen it in several related malware as well.  There is even more obfuscated code in there I noticed.  If you are decent with coding, you can sometimes successfully write your own small java program replicating the code found to decompile some of the strings.  Also, sometimes it's easier to just run the malware in an emulator and see what it's doing via analysis software.  Trust me, I'd love to have the time to dig deeper into things like these.  But with new variants of HiddenAds coming in daily along with thousands of other mobile malware the higher priority is to get these detected by our client.  You find anything else, keep them coming!

 

On 7/16/2020 at 7:19 PM, Concerned_Citizen said:

I took another look at the "com.fota.wirelessupdate.apk" and it appears that the researcher "Ninji" I linked to in my other post is correct on all counts.

I believe that the "com.fota.wirelessupdate.apk" should be detected by AV apps as something worse than just a PUP and should be flagged for what it is, a Trojan RAT Backdoor.

I would also go as far as saying that I believe any accounts or apps the user has signed on to have been compromised as well, given the capabilities and Ninji's own tests.

com.fota.wirelessupdate.apk is a tough one as there are clean variants as well.  You have to remember that its sole purpose is to update the mobile device.  Thus, it needs quite a bit of privileges to do so.  But yes, you are probably right that it could be called blatant malware with Trojan categorization.  I've nearly changed the name several times.  Once again though, users are still reliant on it to update the OS with critical updates.  Thus, we keep it as a PUP Riskware.  You have to realize that most users don't know that PUP isn't straight malware anyway.

Once again, thanks for all the feedback,

Nathan


  • 2 weeks later...

Hello johnmarky7.

I'm not sure if you meant to post in this comment thread related to pre-installed malware on the government funded LifeLine phones or not?

 

But a friendly word of advice would be to avoid the techsguide website that you link to.

I see that the site recommends some cleaners including the excellent adwcleaner for Windows machines (which can be found on MalwareBytes main page), but the techsguide site link for the adwcleaner executable takes the user offsite to a dead link at BleepingComputer.

There are other things about that site which may be cause for concern that I won't post here.


I've found something interesting while poking around one of the apps that had been remotely installed onto the LifeLine funded Android devices.

One of the apps that was using Clean Master's icon (com.tesla.eo.xsdfa) may have shared source code from an app called "LEO Privacy Guard" and its RSA cert even had "leo" in it.

So, to help me figure out more of what is going on inside I downloaded an actual app of the same name from the web "leo-privacy-guard-6-0-2.apk" to see if its source code was similar to the app extracted from the LifeLine phones.

Now to be clear, the app I got from the internet is from a third-party site but uploading the MD5 hash of the app to VirusTotal shows that it is "clean", meaning no AV engines flagged it as malicious.

86dd9d1ecb90c1c8d4264dc7c8dbecf4

But while looking at the app's source code I could see that the app had some code that waited 24 hours and 5 minutes after the app was installed and then did a GET to a remote URL to pull down some data to be added to the app.

I used wget to pull the data from the web address and it showed as a compressed .zip file on my laptop but it would throw an error when I tried to extract the data.

Using a hex editor I could see that it was a partial piece of an APK file but it was incomplete.

Looking at the decompiled app's assets showed a folder named "pzp" containing 5 sub-folders each containing a 1 Megabyte data file called "patch 1", "patch 2" etc.

On a hunch I figured that these files were all the missing pieces to the partial APK file I had pulled from the web so I combined them all into one file using the "cat" command and VOILA!

I now had a full, working APK app that had never been uploaded to Virus Total before:

9f2c052b3f58f692edce0ca7433d081f
 
Running openssl on the RSA certificate shows that it is signed by the same developer.
 
I'm still digging in to the "newly created" app but so far it has been very interesting indeed.
 
(More to follow)

So, I installed the "newly combined" APK to a testing device (Nexus tablet running Lineage OS) and it appears that it is a control panel of sorts which allowed me to download and push ads to the notifications area, fullscreen and others.

It would have also taken me to the Google Play Store to download some "Battery saver" but there are no Google related apps on my Nexus.

I ran the packet sniffer "tcpdump" on my Nexus and captured packets from the app connecting to Baidu and pulling down a certificate from GlobalSign-nv.

(This is the same cert that was used when my Alcatel device I had bought decided to go adware on me)

https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/

Most all of the data is sent over plain text and I even captured an AES encryption key and IV being sent over plain text.

There is encrypted data being sent off to Facebook even though there are no Facebook or other third-party apps installed other than the malicious apps I pulled from the infected LifeLine phones.

The most disturbing thing (so far) however was when I used ADB to pull the apps databases and caches to my laptop with:

"adb pull /data/data/com.leo.theme.cupcake/"

Take a look at the SQLite database I have uploaded.

It captures all auto-filled data from WebView to include:

Names, phone number, email profiles, credit card data etc.

Not good!

(More to follow)

7312808310.png

Web Data.zip
