Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: anonymousx on November 29, 2015, 11:22:06 PM



Title: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 29, 2015, 11:22:06 PM
Confirmed pre-installed factory app on an unbranded MTK device that did steal my DATA folder including encrypted wallets, the app was a flashlight that can read:

Contacts
SD card
Microphone
Network
GPS

and literally it had permission for everything including NFC, which I don't even have on the phone, so it's a universal app that the factory installs on all of their devices.

This is a warning to anyone with an unbranded phone that even if you are careful and do not install apps or malware, it can already be on your phone from the factory.

The origin of this phone is a small brand from India manufactured in China, and no, I am not in any of those countries; this was imported here by merchants.

I would recommend you read the permissions for any of the apps that you suspect, and also install a network monitor and check which applications are using the network.

In my case the preloaded flashlight was very active. Since I am rooted I was able to trace an IP; the data was not even encrypted, so thank god my wallet backups are. All data was being passed through port 80, which is a common port not only for web browsing but also for most botnets, because who is gonna suspect or block it? So yeah, it's an HTTP botnet.
I will analyze the internals of the app to figure out more; for now I have frozen the app.

Again, please don't trust unbranded phones. I wonder how many were ripped off of their wallets or personal information by this method.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: franky1 on November 29, 2015, 11:28:03 PM
I'm guessing you also bought it via eBay.. as that's another way people get trojan-riddled devices


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 29, 2015, 11:49:33 PM
Nope, problem is it's factory sealed, all in place, even tamper proof.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: Meuh6879 on November 29, 2015, 11:59:26 PM
Quote
unbranded phone

Do you realize that 80% of the phones sold in China are "unbranded phones"?
30% of these have been exported to Europe since the middle of 2014 ... too.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 30, 2015, 12:11:00 AM
And most of those are MTK, which is off the shelf and in reach of any person or factory, but I never ever thought they would pre-load crap and think nobody will notice, they are taking that for granted!


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: VirosaGITS on November 30, 2015, 02:13:12 AM
I'd like some more information. So the phone came with malicious access software and what you did was put wallet software on it, or was it used as a backdoor to your internal network to access your computer, that has your wallet on it?


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 30, 2015, 02:31:28 AM
The wallet is on the phone, but I noticed strange activity, high internet usage, battery dies fast, so I decided to check what's going on and started monitoring each program and how much data it uses, then I started sniffing the app, which was a "LED flash".

Another thing, it was using port 80 to communicate with the server. Please note that the LED flash needs no internet, has no ads, and is a system app that is supposed to have only one permission "Control LED and maximum it would have take pictures permission for compatibility with some phones"; this one had all permissions you could ever imagine on a phone, there were permissions I have never seen such as "Start and stop wimax communications". WTF, is that an LED flash? Really?


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: VirosaGITS on November 30, 2015, 02:40:59 AM
Okay, thanks. I don't put BTC on my cellphone, so I just wanted to make sure it didn't go beyond that.

I'm guessing it's just named that way so that a newbie overlooks it as the flash for the phone.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 30, 2015, 03:00:08 AM
Yes, but that's actually a good idea, I mean it's possible if someone has access to your phone, to also have access to the complete network since he can sniff your wifi using airpcap driver which can be easily installed in the factory, so it's always recommended to use only SSL encrypted sites when dealing with bitcoin, or better use offline storage options and keep only the amount you are going to spend on a pc.

Further analysis of the file shows that the SHA256 and MD5 hashes don't match the original program, so it's a modified version of an official app. The official app's main task is "qualcomm.android.LEDFlashlight.LedFlashLightActivity" with no additional perms but flashlight; the spy app has permission on everything and has the same main activity.

Antivirus has no idea wtf this app is:
http://andrototal.org/sample/141f361a23c7931d4d2fea220c33f3d05fe15d918eca39c49e864bdbbcdc98e3

and reports it as safe. Also the app prevents the antivirus/scanner from checking what permissions it takes, unlike on the phone, as you can see here:
http://s15.postimg.org/yqqcpoyuf/Screenshot_2015_11_30_04_51_14.png (http://postimg.org/image/yqqcpoyuf/)

http://s15.postimg.org/4uuvgih5z/Screenshot_2015_11_30_04_51_19.png (http://postimg.org/image/4uuvgih5z/)

http://s15.postimg.org/9usbogmsn/Screenshot_2015_11_30_04_51_25.png (http://postimg.org/image/9usbogmsn/)

http://s15.postimg.org/4425aqesn/Screenshot_2015_11_30_04_51_30.png (http://postimg.org/image/4425aqesn/)

http://s15.postimg.org/qwl5qk1nr/Screenshot_2015_11_30_04_51_38.png (http://postimg.org/image/qwl5qk1nr/)
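
The two checks described in the post above (the installed APK's hash against the original, and its requested permissions against what a flashlight needs), as an added example that is not part of the thread. It assumes permission listings in the style printed by `aapt dump permissions`; the package name, APK bytes, listings and the flashlight baseline are constructed for illustration.

```python
import hashlib
import re

# Assumption: what a torch app can justify (LED control, plus camera on some phones).
FLASHLIGHT_BASELINE = {"android.permission.FLASHLIGHT", "android.permission.CAMERA"}

# Permissions that expose the data types listed in the thread, or a way off the device.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "SD card",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.INTERNET": "network",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.NFC": "NFC",
}

# Matches both listing styles: name='x.y.Z' and a bare x.y.Z after the colon.
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(listing):
    """Return (package, set of requested permissions) from a permission listing."""
    package, perms = None, set()
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
        else:
            match = _PERM_RE.match(line)
            if match:
                perms.add(match.group(1))
    return package, perms

def audit_apk(apk_bytes, listing, reference_sha256, baseline=FLASHLIGHT_BASELINE):
    """Compare one APK against its reference hash and a permission baseline."""
    package, perms = parse_permissions(listing)
    digest = hashlib.sha256(apk_bytes).hexdigest()
    extra = perms - baseline
    exposed = sorted({SENSITIVE[p] for p in extra if p in SENSITIVE})
    findings = []
    if digest != reference_sha256.lower():
        findings.append("hash-mismatch")        # not the build the vendor published
    if extra:
        findings.append("over-privileged")      # asks for more than its function needs
    if "network" in exposed and len(exposed) > 1:
        findings.append("data-plus-network")    # can read personal data and send it out
    return {"package": package, "sha256": digest, "extra": sorted(extra),
            "exposed": exposed, "findings": findings}

# Constructed sample input: stand-in APK bytes and permission listings.
REFERENCE_APK = b"constructed reference build"
SUSPECT_APK = b"constructed modified build"
REFERENCE_SHA256 = hashlib.sha256(REFERENCE_APK).hexdigest()
CLEAN_LISTING = """package: com.example.ledflashlight
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.CAMERA'
"""
SUSPECT_LISTING = """package: com.example.ledflashlight
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.NFC'
"""

if __name__ == "__main__":
    print(audit_apk(REFERENCE_APK, CLEAN_LISTING, REFERENCE_SHA256)["findings"])
    print(audit_apk(SUSPECT_APK, SUSPECT_LISTING, REFERENCE_SHA256)["findings"])
```

A hash mismatch alone only says the file differs from the reference; the permission delta is what shows the difference matters.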


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 30, 2015, 03:02:06 AM
As you can see on the above virus scan, I would like to add that the SHA and MD5 hashes of the APK don't exist online, it's a unique app for this factory and is modified.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: Kakmakr on November 30, 2015, 06:09:29 AM
It's not just with mobile phones, it happens with other hardware platforms too. Lenovo, the notebook manufacturer has been caught for the 3rd time, distributing spyware with new notebooks. The Superfish malware assists hackers to gain access to your computer.

http://thehackernews.com/2015/09/lenovo-laptop-virus.html 


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: Yakamoto on November 30, 2015, 06:20:40 AM
Well, it can always be a government conspiracy for the NSA to gain backdoor access points in your computer, don't you understand!!1!1! *adjusts tin foil hat*

In all seriousness, however, how do we know it isn't an inside job being performed by an IT tech or someone who has something to gain from this? I only skimmed through the article, but it doesn't seem like a huge corporate conspiracy at all, and, considering that Lenovo, along with other companies, use China as a manufacturing ground, and that pre-installed malware has come from China before directly from people on the assembly line (See malware toasters) in the past, is it all that hard to believe that it's people with low wages trying to make some illegitimate money?

I could be completely missing the point, but that's what I'm thinking is probably happening.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: Amph on November 30, 2015, 08:56:37 AM
Quote
I'm guessing you also bought it via eBay.. as that's another way people get trojan-riddled devices

Nope, problem is it's factory sealed, all in place, even tamper proof.

It means that in the factory where they produce this, someone can actually install malicious things so easily.

At this point someone should put a small amount first on any new device and try if those get stolen.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: lite on November 30, 2015, 05:19:48 PM
You should use a firewall to block unwanted apps and use known ROMs like CyanogenMod etc.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: topiOleg on November 30, 2015, 05:55:07 PM
Quote
As you can see on the above virus scan, I would like to add that the SHA and MD5 hashes of the APK don't exist online, it's a unique app for this factory and is modified.

But can you be sure this modified app comes right from the factory, or was the app modified later? I mean, unless you check the SHA and MD5 hashes of the APK right when you receive a new phone, you can never be sure later...


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 30, 2015, 08:03:13 PM
I am sure it comes from the factory, I noticed this activity from day 1. The guy in the shop promised to bring me a new phone to test it out of the pack and disappeared on me. My problem is solved by freezing that app, but I would pretty much want to know where my data is residing right now. I will open the apk archive and inspect the code carefully tonight. I also have the IP address of the master, but once you visit it, it redirects you to google.com.
So I will watch packets of this apk on a virtual device, to see if there is a condition that would let the botnet access the server, and possibly get some of the commands, or better gain access and see what's going on.

Regards


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: spazzdla on November 30, 2015, 08:38:32 PM
We should be screaming using an offline wallet from the mountains...

Need more services to create offline wallets.. humz..


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: Yakamoto on November 30, 2015, 08:45:25 PM
The thing is offline wallets are not easily divisible, at this point. We don't have paper denominations of 1 mBTC or other values; it's just having it stored away so it is infinitely more difficult to hack or steal.

That's probably not what you are getting at, but it is an issue I've had with offline wallets.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: spazzdla on November 30, 2015, 08:51:27 PM
I don't get what you mean..

I mean creating a wallet... on a hard drive that is not connected to the web nor will ever connect again. Make several wallets, when you need the coins import them to your "spending" wallet and send what you don't want to use back to an offline.

Although I do agree this is tedious.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: Yakamoto on November 30, 2015, 08:55:14 PM
I see what you mean now, forgive me for missing the point before. I'm fairly tired from the past few nights and not all of my posts will make complete sense.

I wonder if there's a company out there that's working on quicker offline-online wallet exchanges though. I know some wallets can lock coins for a period of time, but that restricts people from being able to move their coins at any time.

Would one solution be putting the various wallets on USB drives?


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: ATguy on November 30, 2015, 09:35:30 PM
Quote
I am sure it comes from the factory, I noticed this activity from day 1. The guy in the shop promised to bring me a new phone to test it out of the pack and disappeared on me. My problem is solved by freezing that app, but I would pretty much want to know where my data is residing right now. I will open the apk archive and inspect the code carefully tonight. I also have the IP address of the master, but once you visit it, it redirects you to google.com.
So I will watch packets of this apk on a virtual device, to see if there is a condition that would let the botnet access the server, and possibly get some of the commands, or better gain access and see what's going on.

Regards

I don't understand if you mean you bought a phone which was already opened in the shop? But if you bought one which was originally packed and unopened before you bought it, consider contacting the manufacturer with the modified APK SHA and MD5 hashes to ask whether they can detect those in some of the ready to ship phones in order to catch the person who is doing this inside job. And don't worry, the manufacturer itself would not do it so amateurishly and only to some phones, and it would be a hardware solution most likely, not a software one.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: anonymousx on November 30, 2015, 11:31:23 PM
Hard job, for good for large volume, you can use multisig as well.


Title: Re: Factory pre-installed malware threaten Bitcoin users and privacy
Post by: manselr on December 01, 2015, 12:42:48 AM
This is why I never buy a phone that isn't from a trusted brand and from a trusted source (a shop and not some eBay seller unless it's super verified), and I don't even store any Bitcoins on my phone beyond coffee type of money.