Some months ago I bought some cheap MIXC G7108 phones from well known online marketplace Alixpress. At $60 the price is really low, but this is somewhat compensated by the hardware problems on some of the devices.
MIXC is a big store located in China. They sell their own brand of Android devices, but lack access to the firmware for flashing it yourself, and the phones come without any documentation or system updates.
When they arrived…
The first thing that shocked me was the USB cable. The connector looked standard, but it was a bit longer than the generic ones. In fact, I modified a standard cable by cutting some plastic from the connector to make it fit inside the female plug of the device and all I got was just power charging.
The USB connector is composed of four cables, two for charging and two for data. This cable came with the data ones swapped out. So you will be only able to adb shell or access the mass storage with the original cable.
The phone comes in Chinese language by default, so the first thing I tried was to change that to English. After rooting it and trying to install a new language pack, it become a brick with a flipped Android logo on boot.
So I decided to ask for the firmware from the manufacturer. However, they refused that option and suggested I send the device back. I decided against that option and since I was still able to login as root via adb (the device wasnUt fully bricked), and bought two more phones and used them to deduce the differences in the file system and, finally, to bring the bricked device back to life.
After some months..
I noticed some strange behavior:
The device was enabling Wifi and 3G without my direct interaction. I decided to run some netstats on my Androids in order to observe the connections. I was surprised by the number of connections active even while the screen was off. I decided to check the filesystem for the latest written files, which pointed me to /sdcard/Data/data.txt, where I found some interesting logs sending JSON payloads to remote servers which seems to be a WAP communication used for SMS payment services and tracking.
The log clearly showed that the syslock market was sending the IMSI and IMEI, plus other information like the network operator, wifi mac address, and phone number. It also contained references to baidu. The rest of the log was just a bunch of sleep/start/delay/startsdk P basically just noise.
I then checked out the IPs that the device connected to with adb shell netstat: two from US (WhatsApp and Google) and one to China, so I decided to see what was in there connecting at the 83 port, like the spyware was doing. The server was only responding to some HTTP queries, like MP3 files under some specific directories. I was particularly curious about those files.
Suddenly, without interacting with the device I got an APK installation dialog:
By running pm list packages I found that the suspicious application was listed as com.yunlan.syslockmarket, but there was also another suspicious application named exam.fengyan.hunlianceshi-1. The app was a love test game in html, with some really suspicious permissions.
I wrote a small tool called r2dex that runs rabin2 -qzz zip://$1//AndroidManifest.xml | grep permission to get the list of permissions requested by each app, the same tool can be used to retrieve the intents by changing the grep.
Uploading that and other interesting APKs to VirusTotal showed the following, which pointed me to a new target: SystemLockMarket.
Android/SkyMobi was shipped in SystemLockMarket.apk
The description (ripped from the interwebs) of the two applications is the following:
At Android forums smsreg is described in more detail:
Android/smsreg is an Android app that may potentially be adware or may compromise your personal information. These safety risks should be considered before installing an app detected as Android/smsreg.Android/smsreg is currently ranked 693 in the world for mobile, online and PC malware, affecting 10,000 users.
There are two interpretations of the destination of this application. The first and most popular – a malicious program that is specifically integrated into the firmware for the pumping of money the user via SMS messages to premium rate numbers.
The second interpretation SMSreg.apk has a practical application. According to her this application contrary indispensable assistant and guardian. It allows you to send an SMS message when a new SIM card. That is, in the case of lost or stolen phone, you should receive an SMS with the IMEI number devaysa once the new RownerS insert your sim card
It’s riskware!
According to the permissions requested by the Manifest and reading the disassembly of classes.dex, the application can be a threat. It opens the door for attackers to remotely control the device, amass leaked information, track geolocation, send payment sms, remove notifications, and more.
Let’s name it as /Riskware/, a kind of malware that can turn into spyware, adware, ransomware or any other form as long as it’s multi-parted virus, which extends functionalities by installing newly infected applications.
The kind of applications infected by this riskware varies from games to utilities. The applications are downloaded in /sdcard/http/time*.apk, which can be later installed by fake shortcuts created by the SystemLock app. It may ask you to install them, or it may directly install them if it can get root privileges. On one of the devices, I found several time*.apk files with the same contents (verified with sha256), so there were some apks downloaded twice with different filenames.
It added up to a total of 16 different /infected/ apks, some of them by the same malware.
NOTE: A random hint for finding infected applications is to look at the certificate the apk was signed with. In this case, all Google apps seems to be fine Pnote that I have in the past purchased a tablet with the Google apps not signed by Google, in stock firmware. In that case, the Google apps didnUt receive updates because the signature didnUt match with the one in the market.
All the /infected/ applications I found were using proguard P not fully, but partially because the original application code is kept.
Checking out some of the URLs and permissions in the samples points out to code contained in platformanes github repository which are SDKs to perform mobile payment systems for Android.
Solution
I wanted to have a clean device and improve my battery life by allowing the device to stay in sleep mode and honor my airplane settings, therefore I decided to remove those apks.
As long as pm uninstall was not working, even by remounting all the partitions in readwrite with mount -o remount,rw /system reporting PERMISSION DENIED. I had to run as root via adb some rm lines removing all the files (dex, odex, apk, data, ..) referencing the name of the apks clearly suspicious starting by exam.fengyan and com.syslockmarket. And then a reboot.
Doing a factory reset doesn’t remove the threat because the infected app comes in the stock firmware and can only be deleted by rooting the phone.
Final Words
By googling a bit, I found some information regarding the issue I noticed. In short, Skymobi pre-installs applications on low-end devices in order to increase data usage (which benefits mobile operators with the data plans) and also tracks users in order to sell this information and install new applications according to their interests. Those newly installed applications come TinfectedU with the same riskware (or a variant).
You can read more about Skymobi.
