Bitcoin Forum
Topic: Factory pre-installed malware threatens Bitcoin users and privacy (Read 1126 times)
anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 29, 2015, 11:22:06 PM
 #1

Confirmed: a pre-installed factory app on an unbranded MTK device stole my DATA folder, including encrypted wallets. The app was a flashlight that can read:

Contacts
SD card
Microphone
Network
GPS

and literally it had permission for everything, including NFC, which I don't even have on the phone, so it's a universal app that the factory installs on all of their devices.

This is a warning to anyone with an unbranded phone: even if you are careful and don't install apps or malware, it can already be on your phone from the factory.

The origin of this phone is a small brand from India, manufactured in China, and no, I am not in any of those countries; this was imported here by merchants.

I would recommend you read the permissions of any apps you suspect; also install a network monitor and check which applications are using the network.

In my case the pre-loaded flashlight was very active. Since I am rooted I was able to trace an IP; the data was not even encrypted, so thank god my wallet backups are. All data was being passed through port 80, which is a common port not only for web browsing but also for most botnets, because who is gonna suspect or block it? So yeah, it's an HTTP botnet.
I will analyze the internals of the app to figure out more; for now I have frozen the app.

Again, please don't trust unbranded phones. I wonder how many have been ripped off their wallets or personal information by this method.
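A way to carry out the permission check the post recommends, as an added example that is not code from the original post or from any app named in the thread: it parses a decoded AndroidManifest.xml (text form, as apktool or similar tools produce from an APK) and reports every permission beyond what a flashlight needs, flagging the combination of INTERNET with data-access permissions, which is what lets an app both read data and send it off the device. The package name com.example.ledflash, the manifest contents and the baseline permission set are constructed for the example.

```python
"""Audit an Android app's declared permissions against what its stated purpose needs.

Constructed example: a flashlight app's decoded AndroidManifest.xml in text
form (as apktool produces from an APK). Not the app from the thread.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What a flashlight legitimately needs: CAMERA drives the torch on most
# devices, FLASHLIGHT is the legacy system permission. Baseline is an
# assumption chosen for this example.
FLASHLIGHT_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Permissions that give access to user data or sensors, with a plain label.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "SD card / external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "SD card / external storage",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.NFC": "NFC",
    "android.permission.READ_SMS": "SMS",
}
NETWORK = {"android.permission.INTERNET"}

# Constructed manifest for a hypothetical "LED Flash" system app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ledflash">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.CHANGE_WIMAX_STATE"/>
  <application android:label="LED Flash"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> tuple[str, set[str]]:
    """Return (package name, set of <uses-permission> names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    return pkg, perms


def audit(manifest_xml: str, baseline: set[str] = FLASHLIGHT_BASELINE) -> dict:
    """Report permissions beyond the baseline and whether the app can read and exfiltrate data."""
    pkg, perms = declared_permissions(manifest_xml)
    excess = perms - baseline
    data = {p: DATA_ACCESS[p] for p in excess if p in DATA_ACCESS}
    has_network = bool(perms & NETWORK)
    return {
        "package": pkg,
        "excess": sorted(excess),
        "data_access": data,
        # INTERNET together with any data-access permission: read locally, send remotely.
        "exfil_capable": has_network and bool(data),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['package']}: {len(report['excess'])} permission(s) beyond baseline")
    for p in report["excess"]:
        print(f"  {p}  ({report['data_access'].get(p, 'not data access')})")
    if report["exfil_capable"]:
        print("  -> declares INTERNET plus data-access permissions: can read and send data")
```

The baseline is per app category, so the same audit applies to any pre-installed app once you decide what its job actually requires; an unknown permission name (the CHANGE_WIMAX_STATE above) still shows up in the excess list even though it is not in the data-access table.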
franky1
Legendary
*
Online Online

Activity: 4214
Merit: 4475



View Profile
November 29, 2015, 11:28:03 PM
 #2

I'm guessing you also bought it via eBay, as that's another way people get trojan-riddled devices.

anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 29, 2015, 11:49:33 PM
 #3

Quote from: franky1
I'm guessing you also bought it via eBay, as that's another way people get trojan-riddled devices.

Nope, the problem is it's factory sealed, all in place, even tamper proof.
Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1011



View Profile
November 29, 2015, 11:59:26 PM
 #4

Quote from: anonymousx
unbranded phone

Do you realise that 80% of the phones sold in China are "unbranded phones"?
30% of these have been exported to Europe since the middle of 2014 ... too.
anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 30, 2015, 12:11:00 AM
 #5

Quote from: Meuh6879
Do you realise that 80% of the phones sold in China are "unbranded phones"?
30% of these have been exported to Europe since the middle of 2014 ... too.

And most of those are MTK, which is off the shelf and in reach of any person or factory, but I never ever thought they would pre-load crap and think nobody will notice; they are taking that for granted!
VirosaGITS
Legendary
*
Offline Offline

Activity: 1302
Merit: 1068



View Profile
November 30, 2015, 02:13:12 AM
 #6

Quote from: anonymousx
Confirmed: a pre-installed factory app on an unbranded MTK device stole my DATA folder, including encrypted wallets. The app was a flashlight that can read:

Contacts
SD card
Microphone
Network
GPS

and literally it had permission for everything, including NFC, which I don't even have on the phone, so it's a universal app that the factory installs on all of their devices.

This is a warning to anyone with an unbranded phone: even if you are careful and don't install apps or malware, it can already be on your phone from the factory.

The origin of this phone is a small brand from India, manufactured in China, and no, I am not in any of those countries; this was imported here by merchants.

I would recommend you read the permissions of any apps you suspect; also install a network monitor and check which applications are using the network.

In my case the pre-loaded flashlight was very active. Since I am rooted I was able to trace an IP; the data was not even encrypted, so thank god my wallet backups are. All data was being passed through port 80, which is a common port not only for web browsing but also for most botnets, because who is gonna suspect or block it? So yeah, it's an HTTP botnet.
I will analyze the internals of the app to figure out more; for now I have frozen the app.

Again, please don't trust unbranded phones. I wonder how many have been ripped off their wallets or personal information by this method.

I'd like some more information. So the phone came with malicious access software, and what you did was put wallet software on it? Or did it get used as a backdoor to your internal network, to access your computer that has your wallet on it?

anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 30, 2015, 02:31:28 AM
 #7

Quote from: anonymousx
Confirmed: a pre-installed factory app on an unbranded MTK device stole my DATA folder, including encrypted wallets. The app was a flashlight that can read:

Contacts
SD card
Microphone
Network
GPS

and literally it had permission for everything, including NFC, which I don't even have on the phone, so it's a universal app that the factory installs on all of their devices.

This is a warning to anyone with an unbranded phone: even if you are careful and don't install apps or malware, it can already be on your phone from the factory.

The origin of this phone is a small brand from India, manufactured in China, and no, I am not in any of those countries; this was imported here by merchants.

I would recommend you read the permissions of any apps you suspect; also install a network monitor and check which applications are using the network.

In my case the pre-loaded flashlight was very active. Since I am rooted I was able to trace an IP; the data was not even encrypted, so thank god my wallet backups are. All data was being passed through port 80, which is a common port not only for web browsing but also for most botnets, because who is gonna suspect or block it? So yeah, it's an HTTP botnet.
I will analyze the internals of the app to figure out more; for now I have frozen the app.

Again, please don't trust unbranded phones. I wonder how many have been ripped off their wallets or personal information by this method.

Quote from: VirosaGITS
I'd like some more information. So the phone came with malicious access software, and what you did was put wallet software on it? Or did it get used as a backdoor to your internal network, to access your computer that has your wallet on it?

The wallet is on the phone, but I noticed strange activity: high internet usage, the battery dies fast. So I decided to check what's going on and started monitoring each program and how much data it uses; then I started sniffing the app, which was an "LED flash".

Another thing: it was using port 80 to communicate with the server. Please note that the LED flash needs no internet, has no ads, and is a system app that is supposed to have only one permission, "Control LED", and at most it would have the take-pictures permission for compatibility with some phones. This one had all the permissions you could ever imagine on a phone; there were permissions I had never seen, such as "Start and stop WiMAX communications". WTF is that for an LED flash? Really?
VirosaGITS
Legendary
*
Offline Offline

Activity: 1302
Merit: 1068



View Profile
November 30, 2015, 02:40:59 AM
 #8

Quote from: anonymousx
Confirmed: a pre-installed factory app on an unbranded MTK device stole my DATA folder, including encrypted wallets. The app was a flashlight that can read:

Contacts
SD card
Microphone
Network
GPS

and literally it had permission for everything, including NFC, which I don't even have on the phone, so it's a universal app that the factory installs on all of their devices.

This is a warning to anyone with an unbranded phone: even if you are careful and don't install apps or malware, it can already be on your phone from the factory.

The origin of this phone is a small brand from India, manufactured in China, and no, I am not in any of those countries; this was imported here by merchants.

I would recommend you read the permissions of any apps you suspect; also install a network monitor and check which applications are using the network.

In my case the pre-loaded flashlight was very active. Since I am rooted I was able to trace an IP; the data was not even encrypted, so thank god my wallet backups are. All data was being passed through port 80, which is a common port not only for web browsing but also for most botnets, because who is gonna suspect or block it? So yeah, it's an HTTP botnet.
I will analyze the internals of the app to figure out more; for now I have frozen the app.

Again, please don't trust unbranded phones. I wonder how many have been ripped off their wallets or personal information by this method.

Quote from: VirosaGITS
I'd like some more information. So the phone came with malicious access software, and what you did was put wallet software on it? Or did it get used as a backdoor to your internal network, to access your computer that has your wallet on it?

Quote from: anonymousx
The wallet is on the phone, but I noticed strange activity: high internet usage, the battery dies fast. So I decided to check what's going on and started monitoring each program and how much data it uses; then I started sniffing the app, which was an "LED flash".

Another thing: it was using port 80 to communicate with the server. Please note that the LED flash needs no internet, has no ads, and is a system app that is supposed to have only one permission, "Control LED", and at most it would have the take-pictures permission for compatibility with some phones. This one had all the permissions you could ever imagine on a phone; there were permissions I had never seen, such as "Start and stop WiMAX communications". WTF is that for an LED flash? Really?

Okay, thanks. I don't put BTC on my cellphone, so I just wanted to make sure it didn't go beyond that.

I'm guessing it's just named that way so that a newbie overlooks it as the flash for the phone.
anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 30, 2015, 03:00:08 AM
 #9

Quote from: anonymousx
Confirmed: a pre-installed factory app on an unbranded MTK device stole my DATA folder, including encrypted wallets. The app was a flashlight that can read:

Contacts
SD card
Microphone
Network
GPS

and literally it had permission for everything, including NFC, which I don't even have on the phone, so it's a universal app that the factory installs on all of their devices.

This is a warning to anyone with an unbranded phone: even if you are careful and don't install apps or malware, it can already be on your phone from the factory.

The origin of this phone is a small brand from India, manufactured in China, and no, I am not in any of those countries; this was imported here by merchants.

I would recommend you read the permissions of any apps you suspect; also install a network monitor and check which applications are using the network.

In my case the pre-loaded flashlight was very active. Since I am rooted I was able to trace an IP; the data was not even encrypted, so thank god my wallet backups are. All data was being passed through port 80, which is a common port not only for web browsing but also for most botnets, because who is gonna suspect or block it? So yeah, it's an HTTP botnet.
I will analyze the internals of the app to figure out more; for now I have frozen the app.

Again, please don't trust unbranded phones. I wonder how many have been ripped off their wallets or personal information by this method.

Quote from: VirosaGITS
I'd like some more information. So the phone came with malicious access software, and what you did was put wallet software on it? Or did it get used as a backdoor to your internal network, to access your computer that has your wallet on it?

Quote from: anonymousx
The wallet is on the phone, but I noticed strange activity: high internet usage, the battery dies fast. So I decided to check what's going on and started monitoring each program and how much data it uses; then I started sniffing the app, which was an "LED flash".

Another thing: it was using port 80 to communicate with the server. Please note that the LED flash needs no internet, has no ads, and is a system app that is supposed to have only one permission, "Control LED", and at most it would have the take-pictures permission for compatibility with some phones. This one had all the permissions you could ever imagine on a phone; there were permissions I had never seen, such as "Start and stop WiMAX communications". WTF is that for an LED flash? Really?

Quote from: VirosaGITS
Okay, thanks. I don't put BTC on my cellphone, so I just wanted to make sure it didn't go beyond that.

I'm guessing it's just named that way so that a newbie overlooks it as the flash for the phone.

Yes, but that's actually a good idea. I mean, it's possible, if someone has access to your phone, to also have access to the complete network, since he can sniff your wifi using an airpcap driver, which can easily be installed at the factory. So it's always recommended to use only SSL-encrypted sites when dealing with bitcoin, or better, use offline storage options and keep only the amount you are going to spend on a PC.

Further analysis of the file shows that the SHA256 and MD5 hashes don't match the original program, so it's a modified version of an official app. The official app's main task is "qualcomm.android.LEDFlashlight.LedFlashLightActivity" with no additional perms but flashlight; the spy app has permission on everything and has the same main activity.

Antivirus has no idea wtf this app is:
http://andrototal.org/sample/141f361a23c7931d4d2fea220c33f3d05fe15d918eca39c49e864bdbbcdc98e3

and reports it as safe. Also the app prevents the antivirus/scanner from checking what permissions it takes, unlike on the phone, as you can see here:

[screenshots from the original post are not preserved in this archive]
anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 30, 2015, 03:02:06 AM
 #10

As you can see in the above virus scan, I would like to add that the SHA and MD5 hashes of the APK don't exist online; it's a unique app for this factory and is modified.
Kakmakr
Legendary
*
Offline Offline

Activity: 3444
Merit: 1957



View Profile
November 30, 2015, 06:09:29 AM
 #11

It's not just with mobile phones; it happens with other hardware platforms too. Lenovo, the notebook manufacturer, has been caught for the 3rd time distributing spyware with new notebooks. The Superfish malware assists hackers in gaining access to your computer.

http://thehackernews.com/2015/09/lenovo-laptop-virus.html

Yakamoto
Legendary
*
Offline Offline

Activity: 1218
Merit: 1007


View Profile
November 30, 2015, 06:20:40 AM
 #12

Quote from: Kakmakr
It's not just with mobile phones; it happens with other hardware platforms too. Lenovo, the notebook manufacturer, has been caught for the 3rd time distributing spyware with new notebooks. The Superfish malware assists hackers in gaining access to your computer.

http://thehackernews.com/2015/09/lenovo-laptop-virus.html
Well, it can always be a government conspiracy for the NSA to gain backdoor access points in your computer, don't you understand!!1!1! *adjusts tin foil hat*

In all seriousness, however, how do we know it isn't an inside job being performed by an IT tech or someone who has something to gain from this? I only skimmed through the article, but it doesn't seem like a huge corporate conspiracy at all, and, considering that Lenovo, along with other companies, use China as a manufacturing ground, and that pre-installed malware has come from China before directly from people on the assembly line (See malware toasters) in the past, is it all that hard to believe that it's people with low wages trying to make some illegitimate money?

I could be completely missing the point, but that's what I'm thinking is probably happening.
Amph
Legendary
*
Offline Offline

Activity: 3206
Merit: 1069



View Profile
November 30, 2015, 08:56:37 AM
 #13

Quote from: franky1
I'm guessing you also bought it via eBay, as that's another way people get trojan-riddled devices.

Quote from: anonymousx
Nope, the problem is it's factory sealed, all in place, even tamper proof.

It means that in the factory where they produce this, someone can actually install malicious things so easily.

At this point someone should put a small amount first on any new device and test whether it gets stolen.
lite
Legendary
*
Offline Offline

Activity: 1400
Merit: 1009


View Profile
November 30, 2015, 05:19:48 PM
 #14

You should use a firewall to block unwanted apps and use known ROMs like CyanogenMod etc.
topiOleg
Full Member
***
Offline Offline

Activity: 174
Merit: 100



View Profile
November 30, 2015, 05:55:07 PM
 #15

Quote from: anonymousx
As you can see in the above virus scan, I would like to add that the SHA and MD5 hashes of the APK don't exist online; it's a unique app for this factory and is modified.

But can you be sure this modified app came right from the factory, or was the app modified later? I mean, unless you check the SHA and MD5 hashes of the APK right when you receive the new phone, you can never be sure later...
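One way to act on this point, as an added example that is not code from the post: fingerprint the pre-installed APKs on day one, store the result off the device, and diff against it later, so that "factory-supplied" versus "modified afterwards" becomes a question with an answer. The package names and APK contents below are constructed stand-ins; on a real device the bytes would be read from the APK files under the system app directory.

```python
"""Baseline the hashes of pre-installed APKs at unboxing and diff them later.

Constructed example: the APK contents are short byte strings standing in for
real files, and the package names are invented for the example.
"""
import hashlib
import json


def fingerprint(data: bytes) -> dict:
    """SHA-256, MD5 and size of one APK's bytes (MD5 only for matching older published hashes)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def baseline(apks: dict[str, bytes]) -> str:
    """Serialize package -> fingerprint as JSON, to be stored somewhere the phone cannot reach."""
    return json.dumps({pkg: fingerprint(b) for pkg, b in sorted(apks.items())}, indent=1)


def compare(baseline_json: str, apks: dict[str, bytes]) -> dict:
    """Diff the current set of APKs against a stored baseline."""
    old = json.loads(baseline_json)
    now = {pkg: fingerprint(b) for pkg, b in apks.items()}
    both = set(old) & set(now)
    return {
        "added": sorted(set(now) - set(old)),
        "removed": sorted(set(old) - set(now)),
        # SHA-256 decides; a size change alone would already be suspicious, but
        # a same-size rewrite is caught only by the hash.
        "modified": sorted(p for p in both if old[p]["sha256"] != now[p]["sha256"]),
    }


# Constructed "day 1" and "later" views of the system app directory.
DAY_ONE = {
    "com.example.ledflash": b"ledflash-v1",
    "com.example.dialer": b"dialer-v1",
}
LATER = {
    "com.example.ledflash": b"ledflash-v1-with-extra-classes",
    "com.example.dialer": b"dialer-v1",
    "com.example.newthing": b"x",
}


if __name__ == "__main__":
    stored = baseline(DAY_ONE)
    report = compare(stored, LATER)
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {report[kind]}")
```

A baseline taken on day one only tells you what changed after that day; comparing the day-one hashes against the vendor's published hashes for the same app (where they exist) is the separate check that tells you whether the factory image itself was already altered.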

anonymousx (OP)
Sr. Member
****
Offline Offline

Activity: 431
Merit: 250


View Profile
November 30, 2015, 08:03:13 PM
 #16

I am sure it comes from the factory; I noticed this activity from day 1. The guy in the shop promised to bring me a new phone to test it out of the pack and disappeared on me. My problem is solved by freezing that app, but I would pretty much want to know where my data is residing right now. I will open the apk archive and inspect the code carefully tonight. I also have the IP address of the master, but once you visit it, it redirects you to google.com.
So I will watch packets of this apk on a virtual device, to see if there is a condition that would let the botnet access the server, and possibly get some of the commands, or better, gain access and see what's going on.

Regards
spazzdla
Legendary
*
Offline Offline

Activity: 1722
Merit: 1000


View Profile
November 30, 2015, 08:38:32 PM
 #17

We should be screaming "use an offline wallet" from the mountains...

Need more services to create offline wallets.. hmm..
Yakamoto
Legendary
*
Offline Offline

Activity: 1218
Merit: 1007


View Profile
November 30, 2015, 08:45:25 PM
 #18

Quote from: spazzdla
We should be screaming "use an offline wallet" from the mountains...

Need more services to create offline wallets.. hmm..

The thing is offline wallets are not easily divisible, at this point. We don't have paper denominations of 1 mBTC or other values; it's just having it stored away so it is infinitely more difficult to hack or steal.

That's probably not what you are getting at, but it is an issue I've had with offline wallets.
spazzdla
Legendary
*
Offline Offline

Activity: 1722
Merit: 1000


View Profile
November 30, 2015, 08:51:27 PM
 #19

Quote from: spazzdla
We should be screaming "use an offline wallet" from the mountains...

Need more services to create offline wallets.. hmm..

Quote from: Yakamoto
The thing is offline wallets are not easily divisible, at this point. We don't have paper denominations of 1 mBTC or other values; it's just having it stored away so it is infinitely more difficult to hack or steal.

That's probably not what you are getting at, but it is an issue I've had with offline wallets.

I don't get what you mean..

I mean creating a wallet... on a hard drive that is not connected to the web nor will ever connect again. Make several wallets; when you need the coins, import them to your "spending" wallet and send what you don't want to use back to an offline one.

Although I do agree this is tedious.
Yakamoto
Legendary
*
Offline Offline

Activity: 1218
Merit: 1007


View Profile
November 30, 2015, 08:55:14 PM
 #20

Quote from: spazzdla
We should be screaming "use an offline wallet" from the mountains...

Need more services to create offline wallets.. hmm..

Quote from: Yakamoto
The thing is offline wallets are not easily divisible, at this point. We don't have paper denominations of 1 mBTC or other values; it's just having it stored away so it is infinitely more difficult to hack or steal.

That's probably not what you are getting at, but it is an issue I've had with offline wallets.

Quote from: spazzdla
I don't get what you mean..

I mean creating a wallet... on a hard drive that is not connected to the web nor will ever connect again. Make several wallets; when you need the coins, import them to your "spending" wallet and send what you don't want to use back to an offline one.

Although I do agree this is tedious.

I see what you mean now, forgive me for missing the point before. I'm fairly tired from the past few nights and not all of my posts will make complete sense.

I wonder if there's a company out there that's working on quicker offline-online wallet exchanges though. I know some wallets can lock coins for a period of time, but that restricts people from being able to move their coins at any time.

Would one solution be putting the various wallets on USB drives?