$alvador
TD Member
So I got this Android phone not long ago, some off-brand Chinese job. One of the first things I did was cull the Google shit and bad widgets. The phone didn't come with any bloatware except the Facecrook and Twatter apps, not the weird QQ shit I expected. Later on I got an app called Network Log and randomly started logging network traffic. Since the Google apps were all removed there's little internet traffic, just the regular network pings.
But wait, then I see some unknown process talking to a server in China. China?
Time to investigate. From the look of it, the unknown process was making a brief connection with this server in Shanghai whenever I connected to a WiFi or 3G network. Details on the server.
Ok, so just a Chinese phone connecting to a Chinese server wouldn't normally be too suspicious. There's no CFW for this phone, so I'm just using the stock firmware modified for root. Could be totally innocent, but maybe not. The only info the Network Log app seems to be able to give is source and destination IPs and what port was being used. Not enough. I put tcpdump on the phone and caught a connection in a pcap file, then exported that shit out to Windoze and scoped it in Wireshark.
oshitwatdefuckisdis
Wh...Why is it sending my IMSI in plain text across the internet?
But wait, I still don't know what de fuck is sending these messages; the process only identifies as a root application on Android. Time for more research.
The HTTP request included a domain, http://wlans.reallytek.com. It's safe to click; the whole site is literally <15 lines of static HTML. Actually, if you know Chinese it would be nice to know what the fuck that image says. Either way, fishy setup for a fishy shell company.
Back on the phone, I'm grepping suspicious files and there's a bunch of shit about boot options in this one bitch:
Code:
root@yourmomsbollocks:/ # grep -ar "wlans." /system
grep -ar "wlans." /system
/system/bin/wland: function_set.sh %s%s?action=funcset&project=%s http://wlans.reallytek.com:81 /data/.wlan/function_set.sh %s%s?action=date /data/.wlan/boottime prop.boottime r /system/wlan/boottime prop.wlan.uid prop.sim%d.imsi %d-%d-%d %d:%d:%d /system/wlan/uid w %04d%02d%02d%02d%02d%02d%s %s%s?action=push&uid=%s&pushid=%s %s%s?action=push&uid=%s&imsi=%s %s%s?action=push&uid=%s /data/.wlan/bin/ #shell{-s} %s
/system/bin/wland: check core update check push command [ [[ test /service/wlansd the normal routine start self update routine -cov core version: %d.%d.%d
/system/bin/wland: -upc -uce -upi -uie -upp -upf -pin ping -c4 -i1 -w10 wlans.reallytek.com -tst -sbt -wfs -rmw -rmo -ttt -std -eld -edr -mdr -wkd -brq -pid -lts -ltd -scv -pls -md5 -gfs -api #update{-s -a} %s %s
/system/bin/wland: /service/wlans max_check_duration=%d http://www.reallytek.com:81 http://mail.reallytek.com:81 http://27.115.63.14:81 waiting running succeed failed %lu %Y%m%d %d.%d.%d.%d .. . %s/%s failed to get file size copy_file(%s,%s)
Ok so this is already starting to look like something more substantial than just some oddball tracking program. Almost at the end here. After translating most of the binary to text, what emerged were the signs of a program that communicates with a mail server to send metadata and acquire unspecified, unmentioned firmware updates to quietly install in the background. There are some other [hidden] files being called too; I haven't looked into them yet, but because of the prominence of the IMSI in the details I am wildly guessing that the primary purpose is to keep tabs on the phone's location and to install spyware payloads on the phone. All I can say is... it's kind of disturbing to know this software is routine in Chinese mobile devices.
Thanks for reading
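The post's key finding, the IMSI going out in a plaintext HTTP query string, is the kind of thing worth checking for automatically across a whole capture rather than eyeballing one packet in Wireshark. The script below is an added example written for this page; it is not code from the post or from the wland binary. It parses a classic libpcap file with only the Python standard library (Ethernet, IPv4, TCP, then the HTTP request line and Host header) and flags any request whose query parameters carry a 15-digit IMSI-shaped value, reporting the `action=` parameter too since the binary's format strings show `action=push&uid=...&imsi=...`. The embedded pcap is constructed in memory: the hostname `wlans.reallytek.com:81` and the address `27.115.63.14` are taken from the strings on the page, but the request path `/`, the `uid` value, the source address, the timestamps, the zeroed checksums, and the IMSI `001010123456789` (MCC 001, the test-network code) are all made up for the example.

```python
"""Flag plaintext IMSI beacons in a pcap (added example, not from the post)."""
import re
import struct
from urllib.parse import parse_qs, urlsplit

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1

# An IMSI is exactly 15 decimal digits: 3-digit MCC, 2-3 digit MNC, then the MSIN.
IMSI_RE = re.compile(r"^\d{15}$")
REQUEST_LINE_RE = re.compile(rb"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\r\n")
HOST_RE = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)")


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) libpcap byte string."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host (typical tcpdump output)
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[data_off:]


def find_imsi_leaks(pcap: bytes):
    """Return one finding per HTTP request that carries an IMSI-shaped query value."""
    findings = []
    for frame in iter_pcap_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        m = REQUEST_LINE_RE.match(payload)   # only requests, and only the first segment
        if not m:
            continue
        target = m.group(2).decode("ascii", "replace")
        params = parse_qs(urlsplit(target).query)
        imsis = [v for vals in params.values() for v in vals if IMSI_RE.match(v)]
        if not imsis:
            continue
        hm = HOST_RE.search(payload)
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "host": hm.group(1).decode("ascii", "replace") if hm else None,
            "path": urlsplit(target).path,
            "action": params.get("action", [None])[0],
            "imsi": imsis,
        })
    return findings


# --- constructed sample capture (not a real capture from the phone) ---------------
def build_http_frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Wrap an HTTP payload in minimal TCP/IPv4/Ethernet headers (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames) -> bytes:
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


# Request shape follows the "%s%s?action=push&uid=%s&imsi=%s" format string from wland;
# the path, uid and IMSI digits (test MCC 001) are made up, the host and IP are from the page.
SAMPLE_BEACON = (b"GET /?action=push&uid=EXAMPLEUID01&imsi=001010123456789 HTTP/1.1\r\n"
                 b"Host: wlans.reallytek.com:81\r\nConnection: close\r\n\r\n")
SAMPLE_BENIGN = b"GET /generate_204 HTTP/1.1\r\nHost: connectivitycheck.example\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_http_frame("192.168.1.23", "198.51.100.7", 80, SAMPLE_BENIGN),
    build_http_frame("192.168.1.23", "27.115.63.14", 81, SAMPLE_BEACON),
])

if __name__ == "__main__":
    for f in find_imsi_leaks(SAMPLE_PCAP):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} host={f['host']} "
              f"action={f['action']} imsi={f['imsi']}")
```

To run it against a real `tcpdump -w` file from the phone, replace `SAMPLE_PCAP` with the file's bytes; captures taken with `-i any` (Linux cooked link type) or saved as pcapng will be rejected by the link-type and magic checks rather than silently parsed wrong. The matcher only looks at the first TCP segment of each request, which is enough for a beacon this small but would miss a request whose headers straddle segments.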