
Trojan in highscreen, or how the phone began to work wonders
Good afternoon, Habr!
I want to tell you a story that almost turned my still-young head gray.
Background
It all started when I bought a Highscreen Omega Prime S a couple of months ago. I was as happy as an elephant and could not get enough of this wonderful device, which worked smoothly and almost without complaint. And everything would have been fine if I had not one day seen a bunch of notifications that looked something like this:

And I started to wonder: what is this, where did it come from, maybe my phone is broken, but how?! After a few seconds the panic subsided; I long-pressed one of the notifications, selected the "Application Information" item, and was very surprised to see that the notifications were being shown by the "Software Update" application...
What surprised me even more was that this application requests permissions to send SMS, determine location, install shortcuts and pair with Bluetooth devices.
Full list of permissions
While I was thinking about how to get rid of this application, I downloaded a rooting utility and was still wondering how this was even possible when I got about 5 shortcuts (more precisely, I noticed their presence; they probably appeared along with the notifications):

I immediately pulled the APK file from the phone, took it apart with the utilities apktool, dex2jar and jd-gui, and began to study it.
The study
The study began with an analysis of AndroidManifest.xml, and the second thing that confused me in it was the presence of services and receivers inside the com.gmobi.trade package (even though the application itself lives in com.redbend.dmClient).
List of services and receivers
And here you can see a very suspicious receiver: why does an application that updates the system keep track of applications being added or removed? A quick look at the code also showed that ActionMonitor launches an ActionService, which in turn launches a TradeService, which in turn launches something unknown and obfuscated. Unfortunately, most of the code jd-gui gave me is not amenable to sensible analysis.
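A defender-side triage script, added here and not part of the original post, that flags in a decoded AndroidManifest.xml exactly the two things noted above: components declared under a package other than the app's own (com.gmobi.trade inside com.redbend.dmClient) and receivers subscribed to package-add/remove broadcasts, plus permissions that are out of place for an update agent. The sample manifest is constructed: the component class names come from the text, everything else in it is assumed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions a plain software-update agent has no reason to request.
SUSPECT_PERMS = {"android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.BLUETOOTH", "com.android.launcher.permission.INSTALL_SHORTCUT"}
# Broadcasts that let a receiver watch other apps being installed or removed.
PACKAGE_WATCH = {"android.intent.action.PACKAGE_ADDED", "android.intent.action.PACKAGE_REMOVED"}

def triage_manifest(xml_text):
    """Return findings (list of strings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SUSPECT_PERMS:
            findings.append("permission: " + name)
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(ANDROID_NS + "name", "")
        full = pkg + name if name.startswith(".") else name  # ".Foo" is shorthand for "<pkg>.Foo"
        if not full.startswith(pkg + "."):
            findings.append(comp.tag + " outside app package: " + full)
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        if actions & PACKAGE_WATCH:
            findings.append(comp.tag + " watches package changes: " + full)
    return findings

# Constructed sample manifest modelled on the post: the com.gmobi.trade components are the
# ones named in the text; the rest of the layout (e.g. the DmService entry) is assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.redbend.dmClient">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".DmService"/>
    <receiver android:name="com.gmobi.trade.ActionMonitor">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.gmobi.trade.ActionService"/>
    <service android:name="com.gmobi.trade.TradeService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("\n".join(triage_manifest(SAMPLE_MANIFEST)))
```

Run it against the manifest apktool decodes from the APK; every line it prints is a component or permission worth reading in jd-gui.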
SMS
Yes, there is code for sending SMS in this application: JSON comes from somewhere, an AlertDialog is built from it, and in the positive-button click handler an SMS is sent. I am glad that at least this does not happen in the background. But it is still unclear why a software-update utility should be sending SMS messages anywhere at all.
SMS sending code
AlertDialog.Builder localBuilder2 = new AlertDialog.Builder(this);
localBuilder2.setTitle(str14);      // title, message and button labels are the strings taken from the JSON
localBuilder2.setMessage(str15);
localBuilder2.setPositiveButton(str16, new DialogInterface.OnClickListener(locallqe, str1, str19, str18, localNotificationManager, i) {
    public final void onClick(DialogInterface paramDialogInterface, int paramInt) {
        b.b(c, 3);                                              // obfuscated status callback
        SmsManager localSmsManager = SmsManager.getDefault();
        dfe.a("Sending [" + d + "] to [" + e + "]");            // d = message text, e = destination number
        localSmsManager.sendTextMessage(e, null, d, null, null); // the SMS actually goes out here
        f.cancel(g);                                            // dismiss the notification that opened this dialog
        finish();
        b.b(c, 5);
    }
});
localBuilder2.setNegativeButton(str17, new DialogInterface.OnClickListener(locallqe, str1) {
    public final void onClick(DialogInterface paramDialogInterface, int paramInt) {
        b.b(c, 4);                                              // obfuscated status callback
        finish();
    }
});
localBuilder2.setCancelable(false);                             // the dialog cannot be dismissed with Back
localBuilder2.create().show();
Bluetooth, geo-coordinates and more
Everything is more or less safe here. Well, how "safe"... the application just gets the MAC address of the Bluetooth adapter, gets geo-coordinates, checks whether Wi-Fi is on, gets the MAC address of the Wi-Fi adapter and sends all this data off to who knows where :)
Information Collection Code
public final JSONObject f() {
    JSONObject localJSONObject1 = new JSONObject();
    try {
        localJSONObject1.put("sdk", "go2sync");                 // the embedded SDK identifies itself
        localJSONObject1.put("sdk_v", "1.2");
        localJSONObject1.put("sdk_b", "2014.03.06.1");
        localJSONObject1.put("app", a.getPackageName());
        localJSONObject1.put("ch", t);
        localJSONObject1.put("app_v", opt.e(a));
        localJSONObject1.put("imsi", q.j);                      // SIM and device identifiers
        localJSONObject1.put("imei", q.k);
        localJSONObject1.put("wifi", k);                        // Wi-Fi / mobile data state
        localJSONObject1.put("gprs", l);
        localJSONObject1.put("brand", g());
        localJSONObject1.put("sd", opt.c());
        localJSONObject1.put("id", c());
        azw.lqe.azw localazw = opt.c(a);
        // this StringBuilder is assembled but never used in the decompiled output
        StringBuilder localStringBuilder = new StringBuilder("ua:")
            .append(opt.a(false))
            .append("|imei:")
            .append(localazw.a())
            .append("|imsi:")
            .append(localazw.b())
            .append("|wmac:")
            .append(opt.b(a))
            .append("|bmac:");
        localJSONObject1.put("cid", opt.a(opt.a() + "|sn:" + opt.a(a))); // client id derived from Bluetooth MAC + serial
        localJSONObject1.put("ua", opt.a(false));
        localJSONObject1.put("os", "android");
        localJSONObject1.put("os_v", opt.b());
        localJSONObject1.put("lang", Locale.getDefault().getLanguage());
        localJSONObject1.put("country", opt.h(a));
        localJSONObject1.put("gp", q.n);
        localJSONObject1.put("wmac", opt.b(a));                 // Wi-Fi adapter MAC address
        localJSONObject1.put("bmac", opt.a());                  // Bluetooth adapter MAC address
        localJSONObject1.put("sn", opt.a(a));                   // device serial number
        localJSONObject1.put("sa", opt.g(a));
        localJSONObject1.put("sw", opt.j(a));                   // screen width / height
        localJSONObject1.put("sh", opt.k(a));
        Location localLocation = opt.f(a);                      // last known geo-coordinates
        if (localLocation != null) {
            JSONObject localJSONObject2 = new JSONObject();
            localJSONObject2.put("lng", localLocation.getLongitude());
            localJSONObject2.put("lat", localLocation.getLatitude());
            localJSONObject1.put("loc", localJSONObject2);
        }
        localJSONObject1.put("roaming", opt.o(a));
        return localJSONObject1;
    } catch (JSONException localJSONException) {
        dfe.a(localJSONException);
    }
    return localJSONObject1;
}
Summary
I had to root the phone to remove this application. How to update the system now is unknown.
PS
This application was "baked in": it could not be removed or disabled. And I do not install applications from sources I do not trust, so the likelihood that all this happened through my own fault tends to zero.
All files are available for download here.
UPD1: Virustotal - www.virustotal.com/en/file/108299c363e361d85b8e34676806373c7e445ae6731b3f3400d77cf947550b6c/analysis/1412500174
UPD2: As it turned out, Highscreen acknowledged the problem, saying it was a GM error. Link: highscreen.org/babltrabl
But there is one big BUT: Highscreen pointed to the FOTA provider, yet not a single update has reached my device via OTA so far.
Thanks Peyt for the info!