
Trojan in Highscreen, or how the phone started working wonders

Good afternoon, Habr!
I want to tell you a story that almost made my still-young head go grey.
Background
It all started when I bought myself a Highscreen Omega Prime S a couple of months ago. I was as pleased as could be and couldn't get enough of this wonderful device, which worked quickly and almost without complaint. And everything would have been great if one day I hadn't seen a bunch of notifications that looked something like this:


And I started thinking: what is this, where did it come from, maybe my phone has been hacked, but how?! After a few seconds the panic subsided; I long-pressed one of the notifications, chose "App info", and was very surprised to see that the notification had been shown by the Software Update application...

I was even more surprised that this application requests permissions to send SMS, determine location, install shortcuts and pair with Bluetooth devices.
Full list of permissions
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.SYSTEM_OVERLAY_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.REBOOT"/>


While I was thinking about how to get rid of this application, I downloaded a rooting utility and was just wondering how this is possible at all, when I got about 5 shortcuts (or rather, I noticed their presence; they had probably appeared together with the notifications):


I immediately pulled the APK file off the phone, took it apart with apktool, dex2jar and jd-gui, and got down to analysis.
Analysis

The analysis began with AndroidManifest.xml, and the second thing that puzzled me there was the presence of services and receivers in the com.gmobi.trade package (even though the application itself lives in com.redbend.dmClient).
The list of services and receivers
    <activity android:name="com.gmobi.trade.ActionActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar">
        <intent-filter>
            <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter>
    </activity>
    <service android:name="com.gmobi.trade.ActionService"/>
    <receiver android:enabled="true" android:name="com.gmobi.trade.ActionMonitor">
        <intent-filter>
            <action android:name="android.intent.action.PACKAGE_ADDED"/>
            <action android:name="android.intent.action.PACKAGE_REPLACED"/>
            <action android:name="android.intent.action.PACKAGE_REMOVED"/>
            <data android:scheme="package"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED"/>
            <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter>
    </receiver>


And here you can see a very suspicious receiver: why should an application that updates the system track the installation and removal of other applications? A quick scan of the code also showed that ActionMonitor starts ActionService, which in turn starts TradeService, which in turn starts something unknown and obfuscated. Unfortunately, most of the code that jd-gui gave me can't be analysed sober.
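The two manifest checks made above (permissions an updater has no business holding, and a receiver that combines boot persistence with package-lifecycle monitoring outside the app's own package) are easy to automate over an apktool-decoded manifest. The following script is an added example, not code from the original post or from the application it analyses. The sample manifest is constructed from a subset of the permission list and the component list quoted above; the package attribute value (com.redbend.dmClient) and the UpdateActivity entry are assumptions added to show the foreign-component check, and the risk table is the editor's own.

```python
"""First-pass triage of a decoded AndroidManifest.xml (apktool output)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # android:name as ElementTree stores it

# Permissions that are hard to justify for a firmware-update client (editor's table).
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.REBOOT",
    "android.permission.READ_LOGS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.GET_ACCOUNTS",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
}
# A receiver listening for both groups survives reboots and watches other apps.
PERSISTENCE_ACTIONS = {"android.intent.action.BOOT_COMPLETED"}
PACKAGE_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REPLACED",
    "android.intent.action.PACKAGE_REMOVED",
}

# Constructed sample: subset of the post's permissions plus its components.
# package= and UpdateActivity are assumptions, not taken from the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.redbend.dmClient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REBOOT"/>
    <application>
        <activity android:name="com.redbend.dmClient.UpdateActivity"/>
        <activity android:name="com.gmobi.trade.ActionActivity"
            android:theme="@android:style/Theme.Translucent.NoTitleBar">
            <intent-filter>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
        <service android:name="com.gmobi.trade.ActionService"/>
        <receiver android:enabled="true" android:name="com.gmobi.trade.ActionMonitor">
            <intent-filter>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <action android:name="android.intent.action.PACKAGE_REPLACED"/>
                <action android:name="android.intent.action.PACKAGE_REMOVED"/>
                <data android:scheme="package"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the findings an analyst wants from a first look at the manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = {
        "package": package,
        "high_risk_permissions": sorted(perms & HIGH_RISK),
        "foreign_components": [],    # components declared outside the app's package
        "suspicious_receivers": [],  # boot persistence + package monitoring
    }
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(NAME, "")
        if package and not name.startswith(package + "."):
            findings["foreign_components"].append(name)
        if comp.tag == "receiver":
            # Collect actions across all of the receiver's intent-filters.
            actions = {a.get(NAME) for a in comp.iter("action")}
            if actions & PERSISTENCE_ACTIONS and actions & PACKAGE_ACTIONS:
                findings["suspicious_receivers"].append(name)
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the full manifest apktool decodes (`apktool d app.apk` leaves it in the output directory) and the three lists point straight at what the post found by hand: the SEND_SMS/INSTALL_PACKAGES/REBOOT set, the com.gmobi.trade components living in a foreign package, and ActionMonitor as the one receiver that both survives a reboot and watches package changes.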

SMS

And yes, this application does contain SMS-sending code: JSON arrives from somewhere, an AlertDialog is built from it, and the handler for the positive button sends the SMS. I'm glad that at least this does not happen in the background. But it is still unclear why a software-update utility needs to send SMS messages anywhere at all.
SMS sending code
    AlertDialog.Builder localBuilder2 = new AlertDialog.Builder(this);
    localBuilder2.setTitle(str14);
    localBuilder2.setMessage(str15);
    localBuilder2.setPositiveButton(str16, new DialogInterface.OnClickListener(locallqe, str1, str19, str18, localNotificationManager, i) {
        public final void onClick(DialogInterface paramDialogInterface, int paramInt) {
            bb(c, 3);
            // recipient (e) and text (d) come from the JSON, not from the user
            SmsManager localSmsManager = SmsManager.getDefault();
            dfe.a("Sending [" + d + "] to [" + e + "]");
            localSmsManager.sendTextMessage(e, null, d, null, null);
            f.cancel(g);
            finish();
            bb(c, 5);
        }
    });
    localBuilder2.setNegativeButton(str17, new DialogInterface.OnClickListener(locallqe, str1) {
        public final void onClick(DialogInterface paramDialogInterface, int paramInt) {
            bb(c, 4);
            finish();
        }
    });
    localBuilder2.setCancelable(false);
    localBuilder2.create().show();



Bluetooth, geocoordinates, etc.

This is all more or less harmless. Well, "harmless"... the application simply reads the Bluetooth adapter's MAC address, obtains geo-coordinates, checks whether Wi-Fi is on, reads the Wi-Fi adapter's MAC address and sends all this off to parts unknown :)
Code to collect information
    public final JSONObject f() {
        JSONObject localJSONObject1 = new JSONObject();
        try {
            localJSONObject1.put("sdk", "go2sync");
            localJSONObject1.put("sdk_v", "1.2");
            localJSONObject1.put("sdk_b", "2014.03.06.1");
            localJSONObject1.put("app", a.getPackageName());
            localJSONObject1.put("ch", t);
            localJSONObject1.put("app_v", opt.e(a));
            localJSONObject1.put("imsi", qj);
            localJSONObject1.put("imei", qk);
            localJSONObject1.put("wifi", k);
            localJSONObject1.put("gprs", l);
            localJSONObject1.put("brand", g());
            localJSONObject1.put("sd", opt.c());
            localJSONObject1.put("id", c());
            azw.lqe.azw localazw = opt.c(a);
            // built but never used: leftover of the obfuscated original
            StringBuilder localStringBuilder = new StringBuilder("ua:")
                .append(opt.a(false))
                .append("|imei:")
                .append(localazw.a())
                .append("|imsi:")
                .append(localazw.b())
                .append("|wmac:")
                .append(opt.b(a))
                .append("|bmac:");
            localJSONObject1.put("cid", opt.a(opt.a() + "|sn:" + opt.a(a)));
            localJSONObject1.put("ua", opt.a(false));
            localJSONObject1.put("os", "android");
            localJSONObject1.put("os_v", opt.b());
            localJSONObject1.put("lang", Locale.getDefault().getLanguage());
            localJSONObject1.put("country", opt.h(a));
            localJSONObject1.put("gp", qn);
            localJSONObject1.put("wmac", opt.b(a));   // Wi-Fi adapter MAC
            localJSONObject1.put("bmac", opt.a());    // Bluetooth adapter MAC
            localJSONObject1.put("sn", opt.a(a));
            localJSONObject1.put("sa", opt.g(a));
            localJSONObject1.put("sw", opt.j(a));
            localJSONObject1.put("sh", opt.k(a));
            Location localLocation = opt.f(a);
            if (localLocation != null) {
                JSONObject localJSONObject2 = new JSONObject();
                localJSONObject2.put("lng", localLocation.getLongitude());
                localJSONObject2.put("lat", localLocation.getLatitude());
                localJSONObject1.put("loc", localJSONObject2);
            }
            localJSONObject1.put("roaming", opt.o(a));
            return localJSONObject1;
        } catch (JSONException localJSONException) {
            dfe.a(localJSONException);
        }
        return localJSONObject1;
    }
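Both of the decompiled fragments above (the SMS dialog and the identifier-collection routine) were found by reading jd-gui output by hand. When most of a sample is obfuscated, a cheaper first step is to scan every decompiled source file for the Android API calls that actually do the sending and collecting, and only then read the classes that contain them. The script below is an added example, not code from the original post or from the application it describes. The sink table is the editor's own, and the sample source is constructed: its first five lines are taken from the fragments quoted in the post, while the IMEI, IMSI, MAC and HTTP lines are stand-ins for the calls hidden behind the obfuscated `opt.*` helpers, added to show the other categories.

```python
"""Scan decompiled Java (dex2jar + jd-gui output) for SMS and data-collection sinks."""
import re
from collections import defaultdict

# Regex -> category. Each pattern is an API call an analyst wants to see in an
# app that claims to be only a software updater (editor's table).
SINKS = {
    r"\bSmsManager\.getDefault\s*\(": "sms_send",
    r"\bsendTextMessage\s*\(": "sms_send",
    r"\bgetDeviceId\s*\(": "device_identifier",      # IMEI
    r"\bgetSubscriberId\s*\(": "device_identifier",  # IMSI
    r"\bgetMacAddress\s*\(": "device_identifier",
    r"\bBluetoothAdapter\.getDefaultAdapter\s*\(": "device_identifier",
    r"\bgetLastKnownLocation\s*\(": "location",
    r"\bgetLatitude\s*\(|\bgetLongitude\s*\(": "location",
    r"\bHttpURLConnection\b|\bopenConnection\s*\(|\bHttpPost\b": "network",
}

# Constructed sample. Lines 1-5 are quoted from the post's decompiled code;
# the remaining lines are assumed stand-ins for the obfuscated helpers.
SAMPLE_SOURCE = """\
SmsManager localSmsManager = SmsManager.getDefault();
dfe.a("Sending [" + d + "] to [" + e + "]");
localSmsManager.sendTextMessage(e, null, d, null, null);
localJSONObject2.put("lng", localLocation.getLongitude());
localJSONObject2.put("lat", localLocation.getLatitude());
String imei = telephonyManager.getDeviceId();
String imsi = telephonyManager.getSubscriberId();
String wmac = wifiManager.getConnectionInfo().getMacAddress();
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
"""


def scan_source(source: str) -> dict:
    """Return {category: [(line_no, stripped_line), ...]} for every sink hit."""
    hits = defaultdict(list)
    for no, line in enumerate(source.splitlines(), 1):
        for pattern, category in SINKS.items():
            if re.search(pattern, line):
                hits[category].append((no, line.strip()))
                break  # one category per line is enough for triage
    return dict(hits)


def summarize(hits: dict) -> dict:
    """Count hits per category, the number an analyst compares across classes."""
    return {category: len(lines) for category, lines in hits.items()}


if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for category, lines in found.items():
        print(category)
        for no, text in lines:
            print("  %3d: %s" % (no, text))
    print(summarize(found))
```

Run it over the whole directory of .java files rather than a single class: as the fragment above shows, the IMEI, IMSI and MAC reads are wrapped in one-letter helper methods (`opt.b(a)`, `opt.a()`), so the real API calls sit in a different class from the JSON builder that uses them. A class that scores hits in both `sms_send` and `network` with no UI code at all is the one to read first.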



Results

The phone had to be rooted to remove this application. How to update the system now, I have no idea.

PS

This application was baked into the firmware; it could not be removed or disabled. And I don't install applications from sources I don't trust, so the probability that all this happened through my own fault is close to zero.
All files are available for download here.

UPD1: Virustotal - www.virustotal.com/ru/file/108299c363e361d85b8e34676806373c7e445ae6731b3f3400d77cf947550b6c/analysis/1412500174

UPD2: As it turned out, Highscreen acknowledged the problem, blaming it on a GMobi error. Link: highscreen.org/babltrabl
But there is one catch: Highscreen pointed at the FOTA provider, yet not a single update has ever arrived on my device via OTA.
Thanks to Peyt for the info!

Source: https://habr.com/ru/post/239213/
