Trojan in Highscreen, or how the phone began to work wonders

    Good afternoon, Habr!
    I want to tell you a story that almost turned my still-young hair grey.
    Background
    It all started when I bought a Highscreen Omega Prime S a couple of months ago. I was as happy as could be and could not get enough of this wonderful device, which worked briskly and almost without complaint. And everything would have been fine if I had not one day seen a bunch of notifications that looked something like this:


    And I started thinking: what is this, where did it come from, has my phone been compromised, and if so, how?! After a few seconds the panic subsided; I long-pressed one of the notifications, selected "Application Information", and was very surprised to see that the notifications came from the "Software Update" application...

    What surprised me even more is that this application requests permissions to send SMS, determine location, install shortcuts and pair with Bluetooth devices.
    Full list of permissions


    While I was thinking about how to get rid of this application, I downloaded a rooting utility and was just wondering how this was even possible when I got about 5 shortcuts (more precisely, I noticed their presence; they probably appeared along with the notifications):


    I immediately pulled the APK file off the phone, took it apart with apktool, dex2jar and jd-gui, and started studying it.

    The study

    The study began with the analysis of AndroidManifest.xml, and the second thing that confused me in it was the presence of services and receivers inside the com.gmobi.trade package (even though the application itself lives in com.redbend.dmClient).
    List of services and receivers


    And here you can see a very suspicious receiver: why does an application that updates the system track the adding and removing of applications? A quick look at the code also showed that ActionMonitor launches an ActionService, which in turn launches a TradeService, which in turn launches something unknown and obfuscated. Unfortunately, most of the code jd-gui gave me does not lend itself to sober analysis.
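The three manifest findings above (suspect permissions, a receiver watching package add/remove events, and components declared outside the app's own package) can be checked automatically on an apktool-decoded manifest. This is an added example, not code from the post or from the APK; the sample manifest is constructed from the package and class names the post mentions, and its intent-filter contents and the `.UpdateService` name are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace
SUSPECT_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.BLUETOOTH", "com.android.launcher.permission.INSTALL_SHORTCUT",
}
PACKAGE_WATCH_ACTIONS = {"android.intent.action.PACKAGE_ADDED",
                         "android.intent.action.PACKAGE_REMOVED"}

# Constructed sample manifest reusing the package/class names from the post;
# the intent-filter contents and .UpdateService are assumptions, not from the real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.redbend.dmClient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".UpdateService"/>
    <service android:name="com.gmobi.trade.TradeService"/>
    <receiver android:name="com.gmobi.trade.ActionMonitor">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Flag suspect permissions, package-change receivers and components
    whose class lives outside the manifest's own package."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    out = {"permissions": [], "package_watchers": [], "foreign_components": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in SUSPECT_PERMISSIONS:
            out["permissions"].append(name)
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            name = comp.get(A + "name", "")
            # ".Foo" is shorthand for "<package>.Foo", so it is not foreign.
            if not name.startswith(".") and not name.startswith(pkg + "."):
                out["foreign_components"].append(name)
            actions = {a.get(A + "name") for a in comp.iter("action")}
            if tag == "receiver" and actions & PACKAGE_WATCH_ACTIONS:
                out["package_watchers"].append(name)
    return out
```

Run it against the AndroidManifest.xml that apktool writes into the decoded directory; a foreign component that is also a package watcher is exactly the ActionMonitor pattern described above.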

    SMS

    Yes, there is code for sending SMS in this application: JSON arrives from somewhere, an AlertDialog is built from it, and the positive button's click handler sends the SMS. I am glad this at least does not happen in the background. But it is still unclear why a software update utility should be sending SMS messages anywhere at all.
    SMS sending code (as decompiled by jd-gui; the extra constructor arguments on the listeners are the decompiler's rendering of captured local variables)
    AlertDialog.Builder localBuilder2 = new AlertDialog.Builder(this);
    localBuilder2.setTitle(str14);    // title, text and button labels come from the received JSON
    localBuilder2.setMessage(str15);
    localBuilder2.setPositiveButton(str16, new DialogInterface.OnClickListener(locallqe, str1, str19, str18, localNotificationManager, i) {
        public final void onClick(DialogInterface paramDialogInterface, int paramInt) {
            b.b(c, 3);    // obfuscated status callback; the meaning of the numeric codes is unknown
            SmsManager localSmsManager = SmsManager.getDefault();
            dfe.a("Sending [" + d + "] to [" + e + "]");    // d = message text, e = destination number
            localSmsManager.sendTextMessage(e, null, d, null, null);    // the actual send, only after the user taps the positive button
            f.cancel(g);    // f is the NotificationManager: dismiss the notification that opened this dialog
            finish();
            b.b(c, 5);
        }
    });
    localBuilder2.setNegativeButton(str17, new DialogInterface.OnClickListener(locallqe, str1) {
        public final void onClick(DialogInterface paramDialogInterface, int paramInt) {
            b.b(c, 4);    // status callback for the "declined" path; nothing is sent
            finish();
        }
    });
    localBuilder2.setCancelable(false);    // the dialog cannot be dismissed with the back button
    localBuilder2.create().show();


    Bluetooth, geo-coordinates and more

    Everything here is more or less harmless. Well, "harmless"... the application just reads the MAC address of the Bluetooth adapter, gets the geo-coordinates, checks whether Wi-Fi is on, reads the MAC address of the Wi-Fi adapter and sends all of this data to parts unknown :)
    Information collection code (as decompiled by jd-gui; opt, q, azw and dfe are obfuscated helper classes)
    public final JSONObject f() {
        JSONObject localJSONObject1 = new JSONObject();
        try {
            localJSONObject1.put("sdk", "go2sync");    // the embedded SDK identifies itself by name, version and build date
            localJSONObject1.put("sdk_v", "1.2");
            localJSONObject1.put("sdk_b", "2014.03.06.1");
            localJSONObject1.put("app", a.getPackageName());
            localJSONObject1.put("ch", t);
            localJSONObject1.put("app_v", opt.e(a));
            localJSONObject1.put("imsi", q.j);    // SIM subscriber identity
            localJSONObject1.put("imei", q.k);    // device hardware identity
            localJSONObject1.put("wifi", k);      // whether Wi-Fi is on
            localJSONObject1.put("gprs", l);
            localJSONObject1.put("brand", g());
            localJSONObject1.put("sd", opt.c());
            localJSONObject1.put("id", c());
            azw.lqe.azw localazw = opt.c(a);
            // Built but never used below: decompiler residue or dead code.
            StringBuilder localStringBuilder = new StringBuilder("ua:")
                    .append(opt.a(false))
                    .append("|imei:")
                    .append(localazw.a())
                    .append("|imsi:")
                    .append(localazw.b())
                    .append("|wmac:")
                    .append(opt.b(a))
                    .append("|bmac:");
            localJSONObject1.put("cid", opt.a(opt.a() + "|sn:" + opt.a(a)));    // a client id derived from the Bluetooth MAC and "sn"
            localJSONObject1.put("ua", opt.a(false));
            localJSONObject1.put("os", "android");
            localJSONObject1.put("os_v", opt.b());
            localJSONObject1.put("lang", Locale.getDefault().getLanguage());
            localJSONObject1.put("country", opt.h(a));
            localJSONObject1.put("gp", q.n);
            localJSONObject1.put("wmac", opt.b(a));    // Wi-Fi adapter MAC address
            localJSONObject1.put("bmac", opt.a());     // Bluetooth adapter MAC address
            localJSONObject1.put("sn", opt.a(a));
            localJSONObject1.put("sa", opt.g(a));
            localJSONObject1.put("sw", opt.j(a));
            localJSONObject1.put("sh", opt.k(a));
            Location localLocation = opt.f(a);    // last known geo-coordinates, if any
            if (localLocation != null) {
                JSONObject localJSONObject2 = new JSONObject();
                localJSONObject2.put("lng", localLocation.getLongitude());
                localJSONObject2.put("lat", localLocation.getLatitude());
                localJSONObject1.put("loc", localJSONObject2);
            }
            localJSONObject1.put("roaming", opt.o(a));
            return localJSONObject1;
        } catch (JSONException localJSONException) {
            dfe.a(localJSONException);    // logged and swallowed; a partially filled object is still returned
        }
        return localJSONObject1;
    }


    Summary

    I had to root the phone to remove this application. How the system can be updated now is anyone's guess.

    PS

    This application was baked into the firmware; it could not be removed or disabled. And I do not install applications from sources I do not trust, so the likelihood that all this happened through my own fault is close to zero.
    All files are available for download here.

    UPD1: VirusTotal: www.virustotal.com/en/file/108299c363e361d85b8e34676806373c7e445ae6731b3f3400d77cf947550b6c/analysis/1412500174

    UPD2: As it turned out, Highscreen acknowledged the problem, blaming it on a GM error. Link: highscreen.org/babltrabl
    But there is one BUT: Highscreen pointed to the FOTA provider, yet not a single update has reached my device over OTA so far.
    Thanks to Peyt for the info!
