SonicWall Capture Labs Threats Research Team investigated the sample mentioned in the story that came up on Reddit. We blogged about it recently and to investigate further we ordered a Gretel A7 device and analyzed it to verify the presence of pre-installed malware.

A brief about /system/

Pre-installed apps on an Android devices are present in /system/app/ or /system/priv-app/ folders and are usually referred to as ‘system apps’. Apps present in these folders cannot be removed by the user as they do not have access to these folders. Another reason why apps installed from device manufacturers – typically referred to as ‘bloatware’ – is typically seen in one of these folders.

Pre-installed malware is also found in these folders thereby hiding their presence from the user and making it extremely difficult to remove them using conventional means.

Analysis on the actual Gretel Device

We extracted a list of all the apps present on the device, a total of 117 (including system apps). The malicious adware discussed in our previous blog on Gretel devices was not present in this list of installed apps for our device. Based on our analysis we verify that the adware mentioned in the previous blog was not a case of pre-installed malware.

However we wanted to verify if there were any other pre-installed malicious apps on our device. We paid close attention to apps present in the system folders as this is usually a good place to hide pre-installed malware. After a preliminary analysis of apps present in the system folder the apps below showed some malicious indicators which prompted us to analyze them further:

• com.android.service stored as /system/priv-app/com.android.service-9002_0711/com.android.service-9002_0711.apk
• com.ibingo.launcher3 stored as /system/priv-app/Launcher3_G_yisheng_A47_201705191558/Launcher3_G_yisheng_A47_201705191558.apk

Suspicious Network Activity

We kept an eye on the network activity on our device for a few days without installing any new apps, this helped us understand if the device exhibits any suspicious signs without any interference from a user’s side (in terms of new apps installed). The following network activities stood out during an observation period of 7 days:

 

The device brand and model number were sent in the packet above along with the package name responsible for this network activity – com.ibingo.launcher3

 

We observed network communication to the host alter.sbingo.net.cn as shown above, in one case IMEI number is leaked which is sensitive data for a device. VirusTotal investigation for this domain showed that this is connected with a number of apks with malicious detection on VT:

VirusTotal gave us a number of related sub-domains for sbingo.net.cn and the ones listed below have connected apks with malicious detection on VT:

1. uistorefee.sbingo.net.cn
2. download.sbingo.net.cn
3. 1906.sbingo.net.cn
4. alter.sbingo.net.cn
5. uistorebtz.sbingo.net.cn
6. app.sbingo.net.cn
7. cdnuistore2.sbingo.net.cn

After observing these packets we analyzed the installed app com.ibingo.launcher3 which is essentially the launcher used in Gretel A7 devices. Upon analyzing and running this app on a different device we observed the same network activity as shown above. We feel there are some suspicious indicators for this app and it leaks the IMEI of the device on which this app is installed.

 

statistics.flurrydata.com was contacted regularly during our analysis with packets similar to the one listed above. VirusTotal investigation gave us three related sub-domains for flurrydata.com:

1. statistics.flurrydata.com
2. developer.flurrydata.com
3. analyze.flurrydata.com

VirusTotal Relations showed statistics.flurrydata.com connected to a number of malicious apk files:

Also, we observed this domain was listed under a Mobile Ad Tracker tool on Github.

 

We saw another communication with a domain where the IMEI of our test device was leaked as shown above.

App analysis – com.android.service

We analysed the app com.android.service which was mentioned earlier, the following permissions are used by this app:

• Access network state
• Receive boot completed
• Wake lock
• Read external storage
• Write external storage
• Internet
• Read phone state
• Access wifi state
• System alert window
• Package usage stats
• Install packages
• Delete packages
• Access fine location
• Get tasks

There are a few dangerous permissions used by this app and it can have major implications on the device if misused:

• Install and Delete packages – The app can secretly download and install apps on the device, delete other apps as well
• System alert window – This can be used to how content on top of other apps, bankers and adware use this permission heavily

On execution the app reported to the domain iwtiger.com with the date and time of execution and the device model which is stored in a variable interestingly named pid:

Then it downloaded an apk from static.iwtiger whose package name is com.iwtiger.plugin.activity17 in its app_dex folder

The apk com.android.service contains code similar to code present in a Github repository about dynamic loading of an apk:

Play Protect to the rescue

During our analysis we saw the Google Play Protect notification about com.android.service being dangerous. Even though our Gretel device shipped with pre-installed malware, this threat was cleaned by Play Protect. When we tried to install this threat on a test Nexus device it was protected there as well:

Researching before buying a device

During our research we saw multiple stories where users have posted about their concerns regarding presence of malicious apps in Gretel devices:

• Malware related
• Malware related
• com.android.service related
• com.ibingo.launcher3 related

This highlights the importance of taking time to research about a device before purchasing it. The Android ecosystem is very dynamic, malicious apps and domains are often cleaned and the current state may be different from what was observed in the past.

Closing Thoughts

Overall during our analysis period of almost a week we saw suspicious network communication through our test device, IMEI data was also leaked in a few instances which raises a cause of concern. One of the system application has the dangerous permission to install and delete package and we saw it use these permissions where an apk file gets downloaded and executed via dynamic loading technique.

We did not see the adware that we analyzed in our previous blog on our Gretel A7 device, however we did see a number of suspicious pre-installed applications and suspicious network activity during our time analyzing this device. One such app was marked as malicious by Google Play Protect.

In some reported cases advertisements were seen after a number of days of purchasing the device, we did not see any advertisements but our analysis period was considerably short so we will keep an eye on our Gretel A7 device for any suspicious activity for the next few days to come and update our blog accordingly.

SonicWALL Capture Labs provides protection against this threat via the following signatures:

• AndroidOS.Gretel.SRV
• AndroidOS.Gretel.DYN

Indicators of compromise:

• com.android.service – 8a8a2f1c13d0d57186bc343af96abe87
  
• com.ibingo.launcher3 – 7dda8481973cec79416c9aa94d2176bc
  

Mobile devices and that applications run on mobile devices increasingly represent a source of threats to networks of all sizes. The SonicWall Capture Labs Threat Research Team therefore monitors numerous sources to identify new and emerging threats coming through mobile devices.

A common security tip for users of Android mobile devices is to install apps only from the official Google Play store. This is because apps in the Google Play store go through multiple layers of automated and manual security checks. Although malicious apps do still make their way onto the Google Play store on occasions, it generally is considered the safest option.

But what if a mobile device is infected even before the user starts using it? Cases of Android devices with pre-installed malware have cropped up from time-to-time. The SonicWall Capture Labs Threats Research Team came across a more recent story on Reddit where a user talked about how his new Android device was displaying unwanted ads and had new apps appear even though the user never installed them, all resulting in a slowdown of the operating system. The user suspected that malicious apps were pre-installed on his device, and eventually identified the app causing the slowdown. The user shared the findings with the community, and we took the opportunity to further analyze the app to better understand the potential threats. The following are our findings:

Sample Specifics

MD5: 79272fcfbcfe359d5f2f554f87e3cf06

Package Name: com.uctsadtxasch.quyry

Initial Observations

The following permissions are requested by the app during installation:

• access_coarse_location
• change_wifi_state
• internet
• read_phone_state
• write_external_storage
• access_network_state
• access_wifi_state
• change_network_state
• read_external_storage
• receive_boot_completed
• wake_lock
• write_settings

On installation of the app on our test device, the first thing we noticed was that this app’s icon is not visible in the device app drawer. Also on further examination we did not see a Main activity for the app in the AndroidManifest.xml file, for that matter there were no activities for this app, which means that the app does not present a screen to the user. The Main activity of an app is the first screen that is shown to the user once the app starts, and absence of activities indicates that the app operates in the background without showing any sort of screen/view to the user.

On further examination of the Manifest file we saw that a BroadcastReceiver com.uctsadtxasch.quyry.util.WkcRvc is registered to trigger at critical events:

• Boot Complete
• Connectivity change
• Timezone change

A receiver getting triggered on Boot complete ensures that the receiver is activated whenever a phone boots up, this is a common technique used by a number of malicious apps to make sure that the app starts as soon as the device starts.

Network Communication

Once we started the application, it contacted a URL for a text file – adv-package.oss-ap-southeast-1.aliyuncs.com/files/236.txt

Few of the .jar files visible above were then downloaded and stored on the device locally as seen below:

Contents of both the .jar files shows code related to adware components as visible below:

We did not see advertisements on our device during the analysis but we did see a number of URLs being contacted in the background, which have been marked as adware/malicious/phishing on VirusTotal:

• datastatis.coolook.org – IMEI is sent to this domain
• pv.sohu.com
• stats.adinsync.com
• ssphwapi.airmobill.com – IMEI, list of installed apps is sent to this domain
• offers-api.adflushlife.com
• click.howdoesin.net
• tknet.smardroid.com
• track.mob193.com
• tracking.volo-mobile.com
• offers-api.adflushlife.com
• 18.136.119.136
• 52.77.167.159
• click.trk-indexmobi.com
• tracking.lenzmx.com
• wathspap.com
• trk.iskyworker.com

Overall we confirm that the sample we analyzed is a malicious adware. Although we did not independently verify it, the user reported this app was not installed by him.

To further research this issue, we procured an actual Gretel A7 device and we will blog about our findings soon, so stay tuned!

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: AndroidOS.Gretel.PIN

Indicator of Compromise (IOC):

• 79272fcfbcfe359d5f2f554f87e3cf06