When out-of-control pre-installation reaches licensed phones by improper means: analysis of Beijing Dingkai's pre-installed flashing data statistics apk

Passerby 2014/03/16 10:37

Author: 395B5B28E44BAAE80F68968A88ADC6CAD702851B

0x00 Background

This report represents personal views only and has nothing to do with any company, team or position. For reasons of personal safety this excerpt is published anonymously through the WooYun knowledge base; the full text will be released after consultation with the relevant people.

In August 2013, after buying a Lenovo A820t (an operator-customized model) from a large e-commerce site, the pre-installed applications were found to be abnormal: logically the phone should carry the operator's own non-uninstallable pre-installed applications, but in fact there were few of those, while many other applications could not be uninstalled. Technical analysis linked this to Dingkai. Over the following weeks, physical-store and online investigations were carried out continuously or sporadically, producing about 50 pages of reports that were continuously fed back to CNVD.

After September 2013 the incident and the report were transferred to CNCERT and CNVD for disposal; on 2014-2-14 ANVA published a preliminary disposal disclosure (www.anva.org.cn/webInfo/sho...); on 2014-3-15 part of it was exposed on CCTV's 315 gala. This article is an excerpt of the technical part of that report together with the handling methods for ordinary users.

This report thanks the following: the relevant staff at CNCERT and CNVD; the authors of dex2jar, apktool and jd-gui; the public transportation systems of large cities (subway, bus, inter-county shuttles, etc.); mobile phone store employees; and the netizens who discussed and asked questions about related topics on the Internet.

This report is not meant to start a new round of arguments, but rather to be a post for everyone in the Internet business to reflect on themselves: in this battle to seize mobile Internet users and portals, everyone is guilty.

0x01 Application name, version, permission evolution and channel distinction

com.android.tunkoo.scan is normally placed in the /system/app/ directory, so on licensed phones that have been maliciously flashed it cannot be uninstalled. Its displayed name is disguised; two names have been found so far.

Application name | Version number | File SHA-1 value

Table: com.android.tunkoo.scan version history

Both apk versions are signed with "DINGKAI.RSA", and openssl prints the same certificate information for both. Searching for the signature issuer "beijing dingkai" as a keyword, the signer is preliminarily believed to be Beijing Dingkai United Information Technology Co., Ltd.

The permissions requested by the two versions are listed below; "SystemServer", the higher version, requests contact and SMS reading permissions that "SystemScan" does not. Starting from Android 3.1, for an application to receive Android broadcasts (such as automatic start on boot), the user must have run it at least once and it must not be in the "force stopped" state in Settings; but because com.android.tunkoo.scan is placed in /system/app, even though it has no entry for the user to launch, it can bypass this rule and start automatically on boot, running as a system application.

Table: com.android.tunkoo.scan requested permission list and evolution

To distinguish the different flashing channels, the AndroidManifest.xml of each com.android.tunkoo.scan build uses the UMENG_CHANNEL field of the Umeng SDK to define the flashing ROM identification string, and also carries a SHOP_ID field identifying the promotion channel id.

Figure: AndroidManifest.xml values of the two samples
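As an added example (not code from the original report), the following script shows how an analyst can pull the channel fields and the requested permissions out of an apktool-decoded AndroidManifest.xml and diff the permission sets of the two builds. The two manifests are constructed samples: only the meta-data names UMENG_CHANNEL and SHOP_ID, the package name, and the two permissions that "SystemServer" adds (READ_CONTACTS, READ_SMS) come from the report; the remaining permissions and the channel values are assumptions chosen to mirror the report's examples.

```python
"""Extract UMENG_CHANNEL / SHOP_ID and the uses-permission list from decoded manifests.

Added example, not the project's or the report's own code.  The manifests below are
constructed samples; every permission other than READ_CONTACTS and READ_SMS, and the
channel values, are assumptions.
"""
import xml.etree.ElementTree as ET

# The android: namespace every AndroidManifest.xml declares.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _sample_manifest(label, extra_perms, channel, shop_id):
    """Build a constructed manifest in the shape apktool emits (assumed baseline permissions)."""
    perms = ["android.permission.INTERNET",
             "android.permission.READ_PHONE_STATE",
             "android.permission.RECEIVE_BOOT_COMPLETED"] + extra_perms
    uses = "".join(f'    <uses-permission android:name="{p}"/>\n' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.android.tunkoo.scan">\n'
            f"{uses}"
            f'    <application android:label="{label}">\n'
            f'        <meta-data android:name="UMENG_CHANNEL" android:value="{channel}"/>\n'
            f'        <meta-data android:name="SHOP_ID" android:value="{shop_id}"/>\n'
            "    </application>\n"
            "</manifest>\n")


# Constructed samples for the two builds named in the report.
SAMPLES = {
    "SystemScan": _sample_manifest("SystemScan", [], "8798_201308111529_471.0", "8798"),
    "SystemServer": _sample_manifest(
        "SystemServer",
        ["android.permission.READ_CONTACTS", "android.permission.READ_SMS"],
        "8798_201308111529_471.0", "8798"),
}


def parse_manifest(xml_text):
    """Return package name, sorted permissions and the two channel meta-data values."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    value_attr = f"{{{ANDROID_NS}}}value"
    perms = sorted(e.get(name_attr) for e in root.iter("uses-permission"))
    meta = {e.get(name_attr): e.get(value_attr) for e in root.iter("meta-data")}
    return {"package": root.get("package"),
            "permissions": perms,
            "channel": meta.get("UMENG_CHANNEL"),
            "shop_id": meta.get("SHOP_ID")}


def permission_diff(old_xml, new_xml):
    """(added, removed) permission lists when going from the old build to the new one."""
    old = set(parse_manifest(old_xml)["permissions"])
    new = set(parse_manifest(new_xml)["permissions"])
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, parse_manifest(xml_text))
    print("added/removed:", permission_diff(SAMPLES["SystemScan"], SAMPLES["SystemServer"]))
```

On a real sample, feed `parse_manifest` the AndroidManifest.xml that `apktool d` writes; the channel and shop id then tell you which flashing ROM and promotion channel a given phone came through, which is the comparison the report's figure illustrates.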

0x02 Report analysis


In addition to using the Umeng SDK for simple channel statistics, com.android.tunkoo.scan has its own reporting mechanism, whose main purpose is to continuously monitor and report user behavior. To evade rapid sandbox detection, it combines timers (Alarm), broadcasts (Broadcast) and services (Service) to delay or rotate the monitoring behavior; to hinder rapid manual analysis, the reported information is stored on the phone and sent to the server using different symmetric encryption methods and keys for each.

By analyzing the log written before the data is encrypted for sending, the reported content can be divided into three categories, each sent to a different statistics interface.

The first category is reporting of basic phone information. It is sent each time a SIM card is inserted and the network is connected. The reported contents include:

C.  root 
E.  ROMID shop_id device_IOS

The second category is reporting of user behavior information. It is sent every two hours after the phone connects to the Internet, or every two hours after the phone is turned on. The reported contents include:

B.  ip 

The third category exists only in "SystemServer" and is used for mining and reporting specific information. It is sent every two hours after the phone connects to the Internet, or every two hours after the phone is turned on. The reported contents include:

A. 15 
B. 11 

The following is a detailed explanation of the reporting timing, format and operating mechanism of each category.

Basic phone information report

This is the most basic report for pre-installation statistics. Depending on various conditions, it is sent to one of the following URLs:

http://x.xxxx.com/api.aspx?t=1  (SystemScan, SystemServer)
http://xxxxxxx.xxxx.com/?p=daoda3  (SystemServer)
http://x.xxxx.com/api.aspx?t=6  (SystemScan)
http://xxxx.xxxx.com/rec.aspx?t=0&iszip=false  (SystemScan, SystemServer)

The complete report format is as follows:

ROMID={ROMID}||device_IOS={device_IOS}||device_IMEI={device_IMEI}||MAC={MAC}||os_Version={os_Version}||shop_id={shop_id}||device_IMSI={device_IMSI}||device_Model={device_Model}||device_Number={device_Number}||device_app_list={device_app_list}||nettype={nettype}||isrooted={isrooted}||postdataindex={postdataindex}||allsendindex={allsendindex}||TIME1={TIME1}||TIME2={TIME2}||TIME3={TIME3}||

Table: Meanings and example values of the field names in the basic phone information report

The main reporting logic is:

1.  SIM TelephonyManager.getSimState() != SIM_STATE_ABSENT wifi 
3.  null 
4.  3 2 20 2 

User behavior information report

This is a mechanism for continuously tracking and reporting user behavior. Depending on the version, it reports to one of the following URLs:

http://xxxxxxx.xxxx.com/?p=caiji3  (SystemServer)
http://x.xxxx.com/api.aspx?t=3  (SystemScan)

When the user connects to the network (GPRS/WiFi), or two hours after the phone is turned on, such a report is made every two hours. If sending fails, the pending content is stored as numbered files in the "/data/data/com.android.tunkoo.scan/files/s" directory and re-sent in file order by the subsequent logic. Consequently, if the user frequently turns the phone on and off, or leaves it for a long time, a large amount of pending report content accumulates in this directory.

Figure: User behavior report information cache file

An example of the reported statistics is as follows; the content varies with the user behavior collected at reporting time:

TIME=2013-09-20 18:27:05||IOS=com.android.tunkoo.scan_3_8c81a411||IMEI=477777777777777||IMSI=83333333333333333333||SHOPID=8798||ROMID=8798_201308111529_471.0||MAC=00:0d:08:07:c6:a5||MODEL=Lenovo A820t||IP=||LA=0||LO=0||APPUSE=com.speedsoftware.rootexplorer,d2481498,2013-09-20 18:25:53,2013-09-20 18:26:26&&||APPFLOW=||NETTYPE=,WIFI,net,2013-09-20 18:25:51,2013-09-20 18:26:26&&||APPINSTALL=||IP=,2013-09-20 18:25:51&&||

Table: Meanings and example values of the field names in the user behavior report

Because each kind of user behavior occurs at a different frequency, the collection frequency (timer interval) and storage location of some parameters are not the same.

Table: Collection frequency, purpose and storage location of some field names in the user behavior report

Specific information mining report (only in SystemServer)

This is the reporting category newly added in "SystemServer"; for it, this version adds the request permissions "android.permission.READ_CONTACTS" (read contacts) and "android.permission.READ_SMS" (read SMS). When the user connects to the network (GPRS/WiFi) or two hours after the phone is turned on, a report check is performed every two hours. If the time since the last report is found to exceed 5 hours, the report is sent to http://xxxxxxx.xxxx.com/?p=xincaiji3.

An example of the reported statistics is as follows:

IMEI=477777777777777||MAC=00:0d:08:07:c6:a5||MODEL=Lenovo A820t||Contact=1,0,0,0,0,0,0,0,0,0,0,||MSGSend=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,||MSGRec=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,||NumberFoldList=555555,||_HDList=AEEE,BEEE,||_THDList=KEEE,LEEE,

Table: Meanings and example values of the field names in the specific information mining report

There are two key points in this report:

  1. The report involves reading two kinds of highly private information, the phone's contacts and text messages, but it reports only keyword hit counts, not the content itself.

    When scanning the contact list, 11 keywords are used for substring-match testing and counting: "wife, baby, child, daughter, son, husband, father, mother, father, mother, teacher" (the original list contains two distinct words for each of father and mother). For example, if Contact reports "1,0,0,0,0,0,0,0,0,0,0,", it means that among all contacts, one contact name contains the word "wife" and no other keyword was hit. When scanning sent and received text messages, four additional keywords specific to message content are used on top of the 11 contact keywords: "Mr., Ms., Consumption, Repayment". For example, if MSGRec reports "0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,", it means that since the last report, 3 received text messages contained the word "Mr." and no other keyword was hit.

  2. The report pays close attention to the directory information of the mobile QQ app on the sdcard.

Since mobile QQ produces many files while running, it is impractical to keep them all under the application's own /data directory, so they are put on the sdcard. The sdcard, however, can be read by any application, so "SystemServer" can scan and report them. Presumably the purpose is to collect the QQ usage habits and preferences of the phone's user.

Figure: "SystemServer" scans the mobile QQ directory to obtain all logged-in QQ numbers

Figure: "SystemServer" scans the file name list of the mobile QQ contact avatar cache

Figure: "SystemServer" scans the file name list of the mobile QQ group avatar cache
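As an added example (not code from the original report), the following parser decodes the "||"-delimited key=value report format used by both the user behavior report and the specific information mining report above, expands the "&&"-terminated record lists found in fields such as APPUSE and NETTYPE, and maps the Contact/MSGSend/MSGRec count vectors back to the keyword list the report gives. The sample reports are constructed in the shape of the page's own examples (the IMEI, IMSI and MAC values there are already dummy values); the MSGRec vector uses the "3 hits on Mr." variant from the explanation above rather than the all-zero one. The set of identifier fields flagged as tracking data is an assumption of this example.

```python
"""Decode com.android.tunkoo.scan report strings as described in the report.

Added example, not the report's own tooling.  Sample strings are constructed in the
shape of the page's examples; IDENTIFIER_KEYS is an assumption of this example.
"""
from typing import Dict, List, Tuple

# Keyword order exactly as the report states: 11 contact keywords, then 4 SMS-only ones.
CONTACT_KEYWORDS = ["wife", "baby", "child", "daughter", "son", "husband",
                    "father", "mother", "father", "mother", "teacher"]
SMS_KEYWORDS = CONTACT_KEYWORDS + ["Mr.", "Ms.", "Consumption", "Repayment"]

# Fields that carry device/subscriber identifiers (assumed list for triage).
IDENTIFIER_KEYS = {"IMEI", "IMSI", "MAC"}

# Constructed sample: user behavior report (shape copied from the page).
BEHAVIOR_REPORT = (
    "TIME=2013-09-20 18:27:05||IOS=com.android.tunkoo.scan_3_8c81a411||"
    "IMEI=477777777777777||IMSI=83333333333333333333||SHOPID=8798||"
    "ROMID=8798_201308111529_471.0||MAC=00:0d:08:07:c6:a5||MODEL=Lenovo A820t||"
    "IP=||LA=0||LO=0||"
    "APPUSE=com.speedsoftware.rootexplorer,d2481498,2013-09-20 18:25:53,2013-09-20 18:26:26&&||"
    "APPFLOW=||NETTYPE=,WIFI,net,2013-09-20 18:25:51,2013-09-20 18:26:26&&||"
    "APPINSTALL=||IP=,2013-09-20 18:25:51&&||"
)

# Constructed sample: specific information mining report (SystemServer only).
MINING_REPORT = (
    "IMEI=477777777777777||MAC=00:0d:08:07:c6:a5||MODEL=Lenovo A820t||"
    "Contact=1,0,0,0,0,0,0,0,0,0,0,||MSGSend=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,||"
    "MSGRec=0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,||NumberFoldList=555555,||"
    "_HDList=AEEE,BEEE,||_THDList=KEEE,LEEE,"
)


def parse_report(raw: str) -> Dict[str, List[str]]:
    """Split on '||' into key -> [values]; repeated keys (IP occurs twice) are kept."""
    fields: Dict[str, List[str]] = {}
    for chunk in raw.split("||"):
        key, sep, value = chunk.partition("=")
        if sep:  # skips the empty chunk produced by the trailing '||'
            fields.setdefault(key, []).append(value)
    return fields


def parse_records(value: str) -> List[List[str]]:
    """Expand a '&&'-terminated record list into rows of comma-separated columns."""
    return [rec.split(",") for rec in value.split("&&") if rec]


def decode_counts(field: str, value: str) -> List[Tuple[str, int]]:
    """Map a count vector (with its trailing comma) to (keyword, count) pairs with count > 0."""
    keywords = CONTACT_KEYWORDS if field == "Contact" else SMS_KEYWORDS
    counts = [int(c) for c in value.split(",") if c != ""]
    if len(counts) != len(keywords):
        raise ValueError(f"{field}: expected {len(keywords)} counts, got {len(counts)}")
    return [(kw, n) for kw, n in zip(keywords, counts) if n > 0]


def identifiers_present(fields: Dict[str, List[str]]) -> List[str]:
    """Identifier fields that were actually populated in this report."""
    return sorted(k for k in IDENTIFIER_KEYS if any(v for v in fields.get(k, [])))


if __name__ == "__main__":
    behavior = parse_report(BEHAVIOR_REPORT)
    print("identifiers sent:", identifiers_present(behavior))
    print("app usage rows:", parse_records(behavior["APPUSE"][0]))
    mining = parse_report(MINING_REPORT)
    for name in ("Contact", "MSGSend", "MSGRec"):
        print(name, decode_counts(name, mining[name][0]))
```

The trailing comma in every count vector is why the parser drops empty tokens before converting to integers; the length check catches a vector from a build whose keyword list differs from the one documented here, which is the first thing to verify against a new sample.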

0x03 Harm and detection status

The main harm of com.android.tunkoo.scan lies in its continuous monitoring and reporting, which leaks various kinds of the user's private information and behavior. Because it makes extensive use of timers for scanning and of network connections, it continuously consumes battery and network traffic; in particular, if the phone uses GPRS without an operator data package, this leads to unexpected charges. In some cases the large number of scans also makes the system slow and unresponsive.

Figure: Questions on Baidu Zhidao about the traffic consumed by "SystemScan"

Detection of com.android.tunkoo.scan was verified twice. The second verification was in September 2013: the "SystemServer" (original apk) was scanned on the test phone, and still no product detected it. Screenshots from left to right: Tencent Mobile Manager (virus database 20130922B), Kingsoft Mobile Security (library file version 2013.9.12.1947 + heuristic scan), LBE (virus database 20130918.f), 360 (virus database 20130922B). One question about the Kingsoft product: neither the "power-consuming software" list (background auto-start applications) in its scan results nor its application behavior management shows any "SystemServer" application to manage or disable.

Figure: Detection results for "SystemServer" on the test phone, September 2013

0x04 Dingkai's method of flashing licensed phones

Dingkai's malicious flashing deletes all applications in /system/vendor/operator/app/ (operator-customized applications in this directory can be uninstalled by users) and then places non-uninstallable applications in /system/app.

Figure: Comparison of the /system/vendor/operator/app/ directory before and after malicious flashing of a Lenovo A820t. Left: S115 manufacturer package; right: affected phone

Figure: High-end mobile phone pre-installed alliance service process

A Sina Weibo search for "Dingkai flashing" shows that Dingkai appears to have become an openly known behind-the-scenes channel for flashing licensed phones, with a daily flashing volume of at least 50,000. Its initial main target was licensed Samsung phones (later it may also have handled other brands, such as Lenovo), and large Internet companies may be involved. This information has existed since at least the end of last year, but it did not cause much of a stir.

Figure: Weibo search results for "Dingkai flashing"

According to Baidu search results, Dingkai has published recruitment notices in different regions on Zhaopin, Ganji, 58.com and other sites since at least 2012, such as ROM editors in Shenzhen, Guangdong (2013-08-22), and Android system flashing operation specialists in Zhengzhou, Henan (2012-05-29), Shijiazhuang, Hebei (2013-08-22), Shenzhen, Guangdong (2013-08-05) and elsewhere. These notices state plainly that the flashing process requires "unpacking" and "re-sealing", acts that damage and forge the integrity of the licensed packaging.

Figure: Dingkai's recruitment notice for Android system flashing operation specialists in Shijiazhuang, and the flashing process it describes

According to an article by Game Grape, there are other flashing companies besides Dingkai, spread across different brands and price points; as for the flashing method, a complete set of mature automation tools exists.

Figure: Tools used by a flashing company

Based on the above, it can be seen that out-of-control pre-installation has, by improper means, extended to licensed phones, which consumers have always trusted as the more reliable choice. From Dingkai's cooperation model and flashing operations, there is very likely a channel problem: some channel dealers illegally cooperate with flashing merchants, privately unpack licensed goods and re-flash them, then reseal them with licensed-looking seals so that nothing appears to have been touched, in order to deceive downstream distributors and end users. Such behavior clearly damages the rights and interests of consumers who buy licensed goods.

0x05 Investigation of infection status and distribution through the network and physical stores

To find out the scope and distribution of the affected devices, a week-long survey of physical stores in the urban-rural fringe was conducted starting in August 2013, with scattered surveys on subsequent weekends; at the same time, a targeted network search was carried out.

The results of the investigation are as follows:


0x06 Solutions for ordinary users

To let users determine whether their phone has been flashed by Dingkai, the author developed an "Application Installation Information Report" app (com.example.forensics.systemapp). It can be installed on Android 2.2 and above. After opening it, tap the "Collect..." button and wait. If the result shows "[Important Notice!] Evidence of suspected Dingkai flashing found", and "com.android.tunkoo.scan" or "com.easyandroid.widgets" appears in the installed package list below it (whether it is a system application is not yet judged), then, congratulations, you have most likely been hit...

Figure: "Application Installation Information Report" running results

Table: Meaning of the result folder produced by the "Application Installation Information Report"
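As an added example, and not the author's "Application Installation Information Report" app, the following script performs the same kind of check from a PC: it reads the output of `adb shell pm list packages -f` (each line has the form `package:<apk path>=<package name>`) and of `adb shell ps`, flags the package names the report associates with Dingkai flashing, and records whether each hit sits under /system/app, where the report says it cannot be uninstalled by the user. The listing and process table below are constructed samples; the suspect package names and the /system/app versus /system/vendor/operator/app distinction come from the report.

```python
"""Flag Dingkai-related packages in `pm list packages -f` and `ps` output.

Added example, not the author's detection app.  SAMPLE_LISTING and SAMPLE_PS are
constructed; the suspect names and partition rule come from the report.
"""
import sys

# Package names the report names as evidence of suspected Dingkai flashing.
SUSPECT_PACKAGES = {"com.android.tunkoo.scan", "com.easyandroid.widgets"}

# Constructed sample of `adb shell pm list packages -f` on an affected phone.
SAMPLE_LISTING = """package:/system/app/Phone.apk=com.android.phone
package:/system/app/SystemScan.apk=com.android.tunkoo.scan
package:/data/app/com.speedsoftware.rootexplorer-1.apk=com.speedsoftware.rootexplorer
package:/system/vendor/operator/app/OperatorStore.apk=com.example.operator.store
"""

# Constructed sample of `adb shell ps` (process name is the last column).
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root      1     0     480    312   c00b9f38 0000c9b0 S /init
app_37    1432  118   312456 38212 ffffffff 4004fb08 S com.android.tunkoo.scan
app_42    1501  118   298112 30144 ffffffff 4004fb08 S com.speedsoftware.rootexplorer
"""


def parse_pm_listing(text):
    """Return (package, apk_path) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            entries.append((pkg, path))
    return entries


def user_removable(path):
    """Per the report: /system/app cannot be uninstalled; the operator directory can."""
    return not path.startswith("/system/app/")


def find_suspect_packages(entries):
    """Installed packages whose name is on the suspect list, with placement details."""
    return [{"package": pkg, "path": path, "user_removable": user_removable(path)}
            for pkg, path in entries if pkg in SUSPECT_PACKAGES]


def find_suspect_processes(ps_text):
    """Process names from `ps` output that match a suspect package (report's runtime check)."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if cols and cols[-1] in SUSPECT_PACKAGES:
            hits.append(cols[-1])
    return hits


def verdict(listing_text, ps_text):
    """Summarise both checks; 'suspected' when either source shows a suspect package."""
    packages = find_suspect_packages(parse_pm_listing(listing_text))
    processes = find_suspect_processes(ps_text)
    return {"suspected": bool(packages or processes),
            "packages": packages, "processes": processes}


if __name__ == "__main__":
    # Usage: adb shell pm list packages -f > pm.txt; adb shell ps > ps.txt; python this.py pm.txt ps.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(verdict(f1.read(), f2.read()))
    else:
        print(verdict(SAMPLE_LISTING, SAMPLE_PS))
```

A hit whose `user_removable` is False is the case the report describes: the package can at best be disabled in Settings, and removing it means re-flashing, as the next paragraph explains.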

The simple way to deal with this problem is to disable "SystemScan" or "SystemServer" in Settings; the only thorough method, however, is to re-flash the phone. If you are not familiar with the phone, it is best to take it together with the invoice directly to the local after-sales service outlet. Even if you know how to flash the phone, you still need to back up personal data (such as the address book and text messages), and you must also bear the risk of losing the warranty because of operating errors or because the root or flash counter has been increased. In addition:

1.  MTK MTK IMEI SN wifi mac mac 
2.   root  recovery    ODIN  CUSTOM BINARY DOWNLOAD    1 

Apart from re-flashing, consumers can also actively communicate with and complain to the channel where they bought the phone, and if necessary consider reporting the problem with that purchase channel to the phone manufacturer.

For users who have not yet bought a phone: if you cannot bear the risks of online shopping, buy from a well-known regular local chain store, carefully examine the application lists on the display phones in the store, and ask promptly about any questionable application; when buying, inspect the packaging carefully, check the application list after the first boot, and beware of installation through the store's own channel. Of course, for various reasons a physical store will be more expensive than online shopping, especially for a phone that has been on the market for a while, where the online price is likely to be much lower than the retail store price.

If you trust your online shopping ability, then be sure not to chase small bargains, and read the online reviews carefully, especially the negative ones, where you may find some clues.

0x07 Appendix: Announcement on the theft of user information by implanting a "mobile phone pre-installed trojan" through flashing (2014-2-14) (excerpt)

Through continuous monitoring of the "mobile phone pre-installed trojan", CNCERT found that as of January 2014 the number of infected users nationwide reached 2,167,148. The distribution of infected users by region and by operator is shown in Figure 2 and Figure 3 respectively.

Figure 2: Distribution of users infected with the "mobile phone pre-installed trojan" by region

Figure 3: Distribution of users infected with the "mobile phone pre-installed trojan" by operator

At present, CNCERT has coordinated with the domain name registrar China Wanwang to stop resolution of the three server domain names x.xxxx.com, xxxxxxxxxx.xxxx.com and xxxxxx.xxxx.com used by the "mobile phone pre-installed trojan" to collect user information, and with the telecom value-added enterprise Wangsu Technology to stop access to the IP address used by the server.

Because the "mobile phone pre-installed trojan" has obvious characteristics at run time, Android users can check whether the current process list contains a "SystemScan" process named "com.android.tunkoo.scan". If it does, the "mobile phone pre-installed trojan" has been implanted in the phone, and the user should uninstall the "SystemScan" application promptly.

Figure 4: Information on the malicious program run by the "mobile phone pre-installed trojan"

At the same time, users can report to the China Anti-Network-Virus Alliance ANVA (www.anva.org.cn), whose daily operations are run by CNCERT, through [email protected] and [email protected], so that CNCERT can carry out disposal work.

Detection APK: com.example.forensics.systemapp.zip