Wiko phones ship a File Manager developed by "Shenzhen UFO Technology Co., Limited". In December 2017 this file manager started to use massive amounts of mobile data:
I disassembled the code and found a trojan.
An update released on 2018-01-28 removed the trojan.
The Google Play store ratings reflect that strange behavior:
It uses 174 mb data in background. What the hell is it doing?
Lately the app uses a huge amount of Cpu, constantly running in the background and draining my battery. Unfortunately the app comes with my phone and it won't let me uninstall... I don't even use the app and now it will always show up on my app update list in the play store.
Recent update has a problem. Without ever opening it, the app was running in the background chewing up the battery, and sending / receiving data even when not connected to WiFi. I had to uninstall updates and go back to factory version.
Doubtful background Data (internet) Usage, also causing background Vibrations without any reason. We don't need any update.
The app preinstalled on Wiko phones sent more than 220 MB of data over WLAN and 100 MB over the mobile network. Why?!? Since the update the WLAN also keeps switching itself off. [...]
Highly recommended! Great! But why does the app suddenly consume mobile data? 119MB in the background in a single day? Please change this immediately ...
The permissions that this application requires from users are strange for a file manager:
Time to look into it, given that my wife was affected: her mobile data limit for January was already reached on the 12th.
After connecting the phone to my computer via USB, I could see the logging output and grepped for "filemanager":
D/ActivityThread( 3234): BDC-Calling onReceive: intent=Intent { act=android.intent.action.USER_PRESENT flg=0x24000010 cmp=com.ape.filemanager/.ad.TriggerReceiver }, receiver=com.ape.filemanager.ad.TriggerReceiver@3bfc8e6e
D/ActivityThread( 3234): BDC-RECEIVER handled : 0 / ReceiverData{intent=Intent { act=android.intent.action.USER_PRESENT flg=0x24000010 cmp=com.ape.filemanager/.ad.TriggerReceiver } packageName=com.ape.filemanager resultCode=0 resultData=null resultExtras=null}
D/ActivityThread( 3234): SVC-Calling onStartCommand: com.ape.filemanager.ad.DaemonService@1b3d070f, flags=0, startId=10
D/ActivityThread( 3234): SVC-SERVICE_ARGS handled : 0 / ServiceArgsData{token=android.os.BinderProxy@cdd346e startId=10 args=Intent { cmp=com.ape.filemanager/.ad.DaemonService }}
D/Posix ( 3234): [Posix_connect Debug]Process com.ape.filemanager :80
W/ActivityManager( 706): Unable to start service Intent { flg=0x104 cmp=com.ape.filemanager/com.virgo.qao.hotfix.upgrade.UpgradeIntentService (has extras) } U=0: not found
D/AlarmManager( 706): wakeup alarm = Alarm{1874ac3e type 2 when 25014622 com.ape.filemanager}; package = com.ape.filemanager
V/ActivityManager( 706): Broadcast: Intent { act=com.virgo.trick.action flg=0x114 cmp=com.ape.filemanager/org.bi.track.ConnectionReceiver (has extras) } ordered=true userid=0 callerApp=null
D/Launcher( 1340): Launcher, bindItems: start = 12, end = 15item = ShortcutInfo(title=Dateimanagerintent=Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.ape.filemanager/.FileManagerMainActivity }id=225 type=0 container=-100 screen=4 cellX=2 cellY=0 spanX=1 spanY=1 dropPos=null unreadNum= 0), this = com.android.launcher2.Launcher@1a9c01f7
D/MTKUnreadLoader( 1340): getUnreadNumberOfComponent = com.ape.filemanager
Suspicious strings here:
com.ape.filemanager/.ad.TriggerReceiver
com.ape.filemanager/.ad.DaemonService
com.ape.filemanager/com.virgo.qao.hotfix.upgrade.UpgradeIntentService
com.ape.filemanager/org.bi.track.ConnectionReceiver
"ad" is probably short for "advertisements". What? In a file manager?
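As an added example (this is my own helper script, not code from the original article or from the file manager), the following Python pulls the cmp= component names of one package out of logcat output like the lines above and then compares them against the classes that are actually present in the decompiled APK. A component that Android tries to start but whose class does not exist in the package is exactly the signal visible above ("UpgradeIntentService ... not found"): the app references code that must come from somewhere other than its own APK. The logcat lines and the class list below are constructed for this example, modelled on the output above.

```python
import re

# Constructed sample logcat lines, modelled on the output quoted above.
SAMPLE_LOGCAT = """\
D/ActivityThread( 3234): BDC-Calling onReceive: intent=Intent { act=android.intent.action.USER_PRESENT flg=0x24000010 cmp=com.ape.filemanager/.ad.TriggerReceiver }, receiver=com.ape.filemanager.ad.TriggerReceiver@3bfc8e6e
D/ActivityThread( 3234): SVC-SERVICE_ARGS handled : 0 / ServiceArgsData{token=android.os.BinderProxy@cdd346e startId=10 args=Intent { cmp=com.ape.filemanager/.ad.DaemonService }}
W/ActivityManager( 706): Unable to start service Intent { flg=0x104 cmp=com.ape.filemanager/com.virgo.qao.hotfix.upgrade.UpgradeIntentService (has extras) } U=0: not found
V/ActivityManager( 706): Broadcast: Intent { act=com.virgo.trick.action flg=0x114 cmp=com.ape.filemanager/org.bi.track.ConnectionReceiver (has extras) } ordered=true userid=0 callerApp=null
D/Launcher( 1340): Launcher, bindItems: start = 12, end = 15item = ShortcutInfo(title=Dateimanagerintent=Intent { act=android.intent.action.MAIN cmp=com.ape.filemanager/.FileManagerMainActivity }id=225
D/SomeOther( 999): Intent { cmp=com.android.settings/.Settings }
"""

# Constructed class list, standing in for what a jadx/dex class dump of base.apk
# would give you (only the classes the article mentions are listed here).
DEX_CLASSES = {
    "com.ape.filemanager.FileManagerMainActivity",
    "com.ape.filemanager.ad.TriggerReceiver",
    "com.ape.filemanager.ad.DaemonService",
    "dark.silent.ModsManager",
}

# "cmp=<package>/<class>" as printed by ActivityManager / ActivityThread.
# The class part may be relative (".ad.TriggerReceiver") or fully qualified.
CMP_RE = re.compile(r"cmp=([\w.]+)/([\w.]+)")


def extract_components(logcat_text, package):
    """Return the sorted, fully qualified component classes logged for `package`."""
    found = set()
    for match in CMP_RE.finditer(logcat_text):
        pkg, cls = match.group(1), match.group(2)
        if pkg != package:
            continue
        if cls.startswith("."):
            # Relative component name: Android resolves it against the package.
            cls = pkg + cls
        found.add(cls)
    return sorted(found)


def find_missing_classes(components, dex_classes):
    """Components the system tried to start that have no class in the APK itself.

    These are candidates for code that is loaded dynamically at runtime.
    """
    return sorted(c for c in components if c not in dex_classes)


if __name__ == "__main__":
    comps = extract_components(SAMPLE_LOGCAT, "com.ape.filemanager")
    print("Components seen for com.ape.filemanager:")
    for c in comps:
        print("  ", c)
    print("Referenced but not present in the APK:")
    for c in find_missing_classes(comps, DEX_CLASSES):
        print("  ", c)
```

Feeding it a real `adb logcat` capture and a real class list (for example the file names under the jadx output directory, joined with dots) gives the same kind of report for any package you suspect.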
I backed up the app com.ape.filemanager (version 7.1.1) with adb backup and used ab2tar to convert that backup file to a usable archive.
I looked into version 7.1.1, but the current version 8.0.30.11 still contains the dark.silent code.
Then I decompiled the android package apps/com.ape.filemanager/a/base.apk with jadx and looked at the source code for the .ad. classes.
com.ape.filemanager.ad.TriggerReceiver has the following statement:
import dark.silent.ModsManager;
...
ModsManager.get(context).processIntent(intent);
There are no classes in the com.virgo.qao and org.bi.track namespace at all.
Let's have a look at dark.silent.ModsManager:
The code is obfuscated, which makes it hard to see what is actually happening. Strings such as the server URL and the class to load are stored Base64-encoded:
this.c = Base64.decode("aHR0cHM6Ly9hcGkuaW5zbW9iaS5jb20vYWEvbmM=", 0);
// = https://api.insmobi.com/aa/nc
this.g = Base64.decode("Y29tLm1vZHMuTWFpbg==", 0);
// = com.mods.Main
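As an added example (my own analysis helper, not part of the article or the decompiled app), this Python script does mechanically what I did by hand above: it finds every Base64.decode("...", flags) call in decompiled Java source, decodes the literal, and labels the result as a URL, a class name or something else, so the interesting constants stand out immediately. The source snippet is constructed here from the two lines above plus one deliberately undecodable literal to show the error path.

```python
import base64
import re

# Constructed snippet, modelled on the decompiled dark.silent.ModsManager lines
# quoted above; "abc" is added as an invalid literal to exercise error handling.
SAMPLE_SOURCE = '''
this.c = Base64.decode("aHR0cHM6Ly9hcGkuaW5zbW9iaS5jb20vYWEvbmM=", 0);
this.g = Base64.decode("Y29tLm1vZHMuTWFpbg==", 0);
this.h = Base64.decode("abc", 0);
'''

# android.util.Base64.decode(String, int flags) as it appears in jadx output.
BASE64_CALL = re.compile(r'Base64\.decode\("([A-Za-z0-9+/=]*)"\s*,\s*\d+\)')


def decode_base64_literals(source):
    """Map every Base64 literal passed to Base64.decode() to its decoded text.

    Literals that are not valid Base64 or not valid UTF-8 map to None.
    """
    result = {}
    for match in BASE64_CALL.finditer(source):
        literal = match.group(1)
        try:
            raw = base64.b64decode(literal, validate=True)
            result[literal] = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # binascii.Error (bad padding / alphabet) is a ValueError subclass.
            result[literal] = None
    return result


def classify(text):
    """Coarse triage label for a decoded string."""
    if text is None:
        return "undecodable"
    if re.match(r"https?://", text):
        return "url"
    # Dotted identifier whose last segment starts with an upper-case letter,
    # e.g. com.mods.Main: looks like a Java class name.
    if re.fullmatch(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)+", text) and text.rsplit(".", 1)[-1][0].isupper():
        return "class name"
    return "other"


def report(source):
    """Return (literal, decoded, label) triples for all Base64.decode() calls."""
    return [(lit, dec, classify(dec)) for lit, dec in decode_base64_literals(source).items()]


if __name__ == "__main__":
    for literal, decoded, label in report(SAMPLE_SOURCE):
        print(f"{label:12} {literal!r:45} -> {decoded!r}")
```

Run it over the whole jadx output directory (for example by concatenating all .java files) to get a list of every hidden string; on the code in github.com/cweiske/dark.silent it is exactly the URL and the class name shown above that come out.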
The obfuscated code can be found on github.com/cweiske/dark.silent.
I loaded the code into Android Studio, inspected the classes and methods and renamed them one by one, until I could see what is being done here.
It is a trojan that downloads additional code from the internet and executes it without asking.
dark.silent's behavior is:
Send an app ID (com.xit.c002), an app key (5a001d8622cb35589dacc7bf) and the phone's brand to a remote server at https://api.insmobi.com/aa/nc.
If a payload has already been downloaded, send its MD5 hash (so that you can get updates!)
Parse the response JSON, download the file given in the url property and verify its hash with the one from the JSON (moast.zip).
Load that downloaded file as java archive and instantiate com.mods.Main from it.
Then call its wakeUp method.
The more-readable code can be found on github.com/cweiske/dark.silent: readable.
Note that this behavior has been built into the file manager on purpose by "Shenzhen UFO Technology" - the trojan is initialized by their file manager code, and they added the permission requests to the manifest file.
Here are the versions of the file manager that I know of:

| Version number | Description | Contains trojan? |
|---|---|---|
| 1.0.17.16_wiko | pre-installed on Rainbow Up | No |
| 7.1.1 | Update from Google Play | Yes |
| 8.0.30.11 | Update from Google Play | Yes |
| 8.0.30.50 | Update from Google Play | No |
According to the Google Play page, the file manager is installed on 5 to 10 million devices.
The changelog on Google Play is always a pointless "Optimizing function" that does not tell you anything about the real changes.
The address of that "Shenzhen UFO Technology Co., Limited" shown on the Google play store is:
4/F, H-3 Building, OCT Eastern Industrial Park, NO.1 XiangShan East Road, Nan Shan District, Shenzhen, P.R.C
The French Wiko Mobile company is owned by the Chinese Tinno Mobile Technology Corp., which has the following address:
4/F, H-3 Building, Qiao Cheng Eastern Industrial Park, Oversea Chinese Town, Nanshan District, Shenzhen, Guangdong Province, PRC
Same address, same company. The Google Play store developer e-mail address is swrd@tinno.com.
Did Tinno only buy Wiko to be able to push their trojans to european people?
In November 2017, a French security researcher found out that Wiko phones contain two apps, ApeSaleTracker and ApeStsMonths, that
[...] send regularly and silently the user infos to a Chinese 3rd party called Tinno by HTTP or SMS without user consent
Two French press articles covered that:
Now we know why all those additional permissions are needed :/ This also explains why my wife's phone suddenly began to switch off WiFi automatically, and drain the battery.
A big problem is that the file manager is a system app on Wiko phones (at least on the Wiko Rainbow Up and Wiko Pulp 4G) and cannot be removed, only deactivated.
It is probably worth looking at the actual payload to find out what it does.
Yesterday Shenzhen UFO Technology Co. released version 8.0.30.50 of their trojan-infested file manager Android app.
The first noticeable change is that the .apk file size dropped from 2.3 MiB to 1.9 MiB.
AndroidManifest.xml does not require permissions ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION anymore. It also does not run in the background anymore.
And finally, I could not find a trace of the dark.silent trojan in their code anymore.
In my previous article I wrote that I used adb backup to get a copy of the file manager for further analysis.
The Tinno/UFO people likely thought that people finding trojans in their code is bad, and removed the manifest's android:allowBackup="true" application attribute.
Apart from that, the app still wants too many permissions:
At first I tried to contact Google Play Store support via the "Flag as inappropriate" link, which led me to a "Report Inappropriate Apps" form. I provided a description, the Google Play store link and my contact data.
The only thing I got back was an e-mail telling me that I probably don't know what I do and I should "Please provide a link to the application on http://play.google.com *". I already gave them this information, so I stopped here.
On 2018-01-13 I sent the then-listed email address "swrd@tinno.com" an email telling them that their file manager uses a massive amount of mobile data. (I did not know about the trojan at that point.)
I got an e-mail back stating
Sorry, we will fix this problem as soon as possible.
I sent them an e-mail on 2018-01-17 explaining that there is a trojan in their code. There was no response at all.
The saddest thing I did was contacting the German Wiko support. Here is the English translation of that "dialogue":
The default file manager of my Wiko Rainbow Up has been using a massive amount of mobile data since mid-December (December: 340 MB, and January (1.-12.): 437 MB).
Why does that happen? A file manager should not open any internet connections.
Me, 2018-01-13
We're sorry bullshit etc.
To find out which application uses those data, open the settings -> data usage -> mobile data usage. [...]
We hope we could help you.
German Wiko Support, 2018-01-15
No, you did not help me. You did not even read my e-mail.
I already wrote that the file manager is the one using mobile data.
The question is why you are shipping a file manager that uses mobile data. So tell me why.
Me, 2018-01-16
The file manager is a program, with which you can list applications and files, that can be moved.
As we already told you, the file manager is not the one using mobile data, but some other application.
The way suggested by my colleague is the correct one to find out which application is that.
German Wiko Support, 2018-01-16
The file manager uses mobile data.
The file manager contains a trojan, which loads malicious code from the internet.I attached screenshots and analyzed that: https://cweiske.de/tagebuch/dark.silent.htm.
You will see that the file manager is responsible for the data usage.
Me, 2018-01-17
As we read from your e-mail, you are worrying that you have a trojana [yes, their writing!] on your device.
We would suggest that you re-flash your device. Here are the steps: [...]
If the update is successful and the error has been fixed, please do not download all applications back onto your device.
Perhaps an application installed by you is causing this problem. Load applications one by one onto your device to find the faulty app.
German Wiko Support, 2018-01-22
(shibboleth) [yes, I was desperate enough to try it]
I have followed the steps that you advised and reset the device to factory settings. I did not install any apps.
The file manager did not use any mobile data.
After getting the latest file manager update via the Google Play Store, it began using mobile data again. Also, after the update sudden WiFi disconnects started to appear.
Me, 2018-01-22
[empty e-mail]
German Wiko Support, 2018-01-23
That's it. Support hell.
After noticing myself that a new com.ape.filemanager version had been released, I saw that "Shenzhen UFO Technology Co.,Limited" had changed their Google Play profile. Their homepage is now ufomobi.com and their e-mail address is admin-googleplay@ufomobi.com.
On that new homepage, they list their clients:
Look at the Wiko logo: "Share your identity".
Given that their malicious trojan payload probably uploaded all the user's data to ad networks, that slogan told the truth - fully.
Earlier this year I wrote about Airtame's broken promise of "open source": in their hugely successful Indiegogo campaign they promised to open source both their streaming protocol and their streaming software, but three years later, neither one is available.
Airtame is apparently ashamed of their own actions and tries to cover them up by transitioning their previous community forums to a "release feedback and feature request" list:
We only need the forum to announce upcoming betas, discuss them and talk about feature requests.
The new forum will have no tolerance for unproductive feedback. Unnecessary comments will be removed and the user posting will receive one warning.
Shortly before that announcement, they removed all categories and posts that do not fit into the new definition. I asked why they removed the open source category:
Such discussion is deemed unproductive now, and so the post is unavailable now:
Sorry, you don't have access to that topic!
Even though Airtame lied about open sourcing their code and protocol, they do see the value of open source: their web developer job offering contains a bonus point, "Contributions to open source projects".
As if the forum lockdown and their broken promise were not enough yet, Airtame decided to host a meetup in their office as part of the Copenhagen Techfestival:
Do you have an idea for an open source project or you are about to jump on an open source project? Want some tips on what steps to take first? Or do you have doubts if it will bring you value?
Join us for a panel about open source projects and get experienced insights from the gurus of the open source community! We’ll discuss why open sourcing is important and address questions like, what value does it bring to your organization? And how do you start the process of open sourcing?
Meetup description of "Meetup hosted by Airtame: Breaking the Barrier of Open Source", 2017-09-07 17:45. Eventbrite entry, Facebook event.
I would have loved to take part in that discussion and ask Airtame about their stance on those questions. Unfortunately Copenhagen is a bit too far away.
Unfortunately I did not find a video recording of that meetup.
At the end of 2014 I bought an AIRTAME dongle, right after their successful Indiegogo campaign. Airtame promised an open source wireless streaming solution for all major desktop operating systems (Linux, OSX and Windows) as well as for iOS and Android devices. They even had an extended desktop feature: using the wirelessly connected TV as a second screen!
A little over half a year later I got my HDMI dongle device and was underwhelmed. Streaming was laggy and kept breaking, audio stuttered or did not work at all. No extended desktop. No Android screen sharing. No open source.
I bought the Airtame HDMI dongle for ~150€ (in 2017 it costs 300€) instead of a 35€ Chromecast or an equally cheap Miracast stick because they said their protocol and their firmware would be open source.
Here:
[...] The dongle runs our open source software which you also install on your computer from our homepage. Everything is built upon our own open protocol.
And here:
Everything is built upon our own open protocol. Users interact with the device through our open source software available through www.airtame.com
And there:
The dongle runs our open source software which you also install on your computer from our homepage. Everything is built upon our own open protocol.
Their Indiegogo campaign "AIRTAME: Wireless HDMI for Everyone" ended in 2014-01, and the first dongles were shipped 2014-11 to the backers and buyers.
Today is 2017-04, three years have passed. Neither the dongle firmware, nor the desktop or mobile phone software are open source. The protocol is not open either.
Airtame failed to keep their promise.
During their campaign they posted new "stretch goals" on 2013-12-05:
They reached the firmware stretch goal 2013-12-13 and wrote:
We'll now release the official firmware to the Raspberry Pi in March'ish together with the 'Hacker Special' perk!
There is no Raspberry Pi firmware anywhere to see today on their page.
The Airtame forum has a thread about open sourcing and they said:
We are still committed to open source once it makes sense, from the maturity of the product, the business and the community around it.
and then, a year later:
Since around the time this comment was posted we have been refactoring the core streaming elements of Airtame.
This means that releasing any source code related to this "outdated" code would be pointless as it would break the projects people create with the open source code.
We are almost done with this refactoring, coming in V2.0 and V2.1, and once it is completed we will begin releasing APIs.
We have three stages of "open source" now:
Airtame got over a million in funding on Indiegogo when they promised "all open source". Over the years they backed off more and more, until now they are only promising to release APIs, which does not mean open source at all. It only means your open source code can interface with the Airtame, e.g. by using a closed binary library provided by them.
Airtame kept rewriting their software because they thought their initial version wasn't good enough. This was used as the reason not to open source the code, which is a wrong reason.
Code is never good enough. You either do open source and keep improving your code, or you do not open source. Airtame is, nearly 4 years later, not open source.
I believe they never will be because of business reasons. Their roadmap does not even mention source code releases.
Another reason they gave was that they want to be able to change fundamental things. It looks like in their eyes open sourcing the code would mean a stable interface and protocol - which is wrong. You can do anything you like even if you are open source. It just happens visibly for others.
Apart from the code being closed despite their promise in the funding campaign, they also did not document their streaming protocol, which would have allowed third parties to build their own streaming applications. This was also because they wanted to be able to change the protocol.
The correct way would have been to document the protocol + open source the code, and put a big "work in progress. will break." sticker on it.
Airtame would have kept their promise, and people would have been happier than they are now.
To receive television via satellite, I bought us a Dreambox 7025+ from Dream Multimedia at the beginning of 2008.
At €529 it was fairly expensive, but that was more than made up for by its functionality:
I built the CurlyTx plugin myself to display calls from the telephone system and temperature data from all over the house. The Dreambox is also the streaming source for all internet radios in the house.
So far, all sunshine.
At the end of November 2013 I noticed heavy stuttering while watching some of the regional public channels such as Arte, EinsPlus and EinsFestival. Rebooting the box did not help; the problem persisted. At the beginning of December the problem was still there, and I set out to find the cause.
There was already a discussion on the topic in the official forum. The Dreambox users had gathered the following:
A few days later a developer employed by Dream Multimedia wrote the following:
The whole thing is the result of the configuration in ARD's new muxers, which they bought for the affected transponders.
The problem on our side is that the bug is located in a part whose sources/source code we do NOT own. So it is a part we cannot influence. We only received this part back then as so-called microcode from ATI (which in itself is not unusual and is also the case with today's SoCs).
However, ATI sold its STB division a few years ago, as far as I know to AMD. We currently have no contacts at ATI/AMD at all. But this too is not unusual after such a long time. Even with contacts it would be questionable whether, after all this time, a department still exists there that has the necessary source code/documentation.
We have now tried to work around or fix the problem in some form. But so far without success.
At every point at which we get access to the transport stream, it is unfortunately already broken. So the error has already struck.
In parallel, we have been in contact with MDR since the beginning of last week and recently also with ARD's playout center, and have given them our detailed analysis as well as several relatively easy to implement possible solutions. We have also provided ARD with a DM7025.
Our latest information from ARD says that they will discuss the problem with the manufacturer of the new muxers fairly soon.
Ghost, Dream Multimedia Developer
Our Dreambox, which runs on 99% open source software, cannot be used to receive certain TV channels. A function that until now worked without problems.
The cause, the changed data stream, is outside our control.
Although developers exist who could solve the problem, it cannot be fixed, because the source code of a single component is not available.
As was already indicated on 13.12., ARD put the old encoders back into operation on 16 December. With that the channels work again, for now.
There are problems again; this time with MDR, RBB, arte and EinsFestival, among others. Someone wrote to MDR and received the following answer:
Subject: MDR Technical Hotline - Error reports on satellite reception with the Dreambox receiver
Dear Mr. .....
thank you for your error description of the Dreambox receiver.
Unfortunately, it has become apparent in the last few days that all receivers of the Dreambox DM7025 and Dreambox DM7025+ series have problems correctly decoding and recording/playing back the two transponders (85, 51) whose multiplexing was changed. Multiplex generation was switched to new encoders in ARD's POC (Play Out Center). The Dreambox DM8000 receiver shows only the recording and playback problems. Since the playout at ARD's multiplex center follows standardized specifications, the manufacturer of the receivers has been contacted for solution-oriented troubleshooting. Please also contact the manufacturer directly:
Dream Property GmbH
Pierbusch 30
44536 Lünen
Germany
End-customer support:
support@dream-multimedia-tv.de
Tel.: 0180-3 44 11 30 990
Fax: 0180-3 44 11 30 991
available by phone:
Mon - Fri 09:00 - 15:00
0.09 Euro/min from German landlines, mobile rates at most 42 ct/min
There is also a thread in the official forum, but with even less information:
No, the public broadcasters changed something in the encoding of their stream that the box can no longer cope with. One could probably change that with suitable microcode for the processor, but the manufacturer ATI no longer exists. It was swallowed by Broadcom and support was discontinued. So no more support, hence consider switching to HD.
The support e-mail shown above hints at where all this will lead: the DVB-S streams comply with the standards, but the closed-source chip in the Dreamboxes does not implement this standard completely. The fault clearly lies with the receivers, and they will probably be ignored in the future. The picture on the receivers will continue to stutter.
For my part, I will switch to the DM7080HD, which was announced yesterday.
I own a Nokia N900 smartphone that I bought because it uses a Debian/Linux-based operating system called Maemo, believing that it is hackable.
Unfortunately, all of the core applications on the phone are closed source. The settings, media player, image viewing, camera, phone and email applications - all proprietary software that was not open sourced by Nokia.
Now, 4 years after the purchase, I'm stuck with a broken note taking application: When loading a notes file with bullet lists, I get an empty item added after each "real" list item:
This bug has been known since 2009 and has 4 duplicates, but since Nokia stopped development on Maemo, the issue will never be fixed.
And again I am severely limited by the unavailability of the source code (look for osso-notes), forcing me to either abandon the phone or to find a replacement application.
After being annoyed about that bug for about two years, I searched the bug tracker, found that there is no fix and looked for an alternative. I found Conboy, a nifty little note taking application that can even be synced with the desktop.
Its file format is Tomboy's XML, which is - while not normal HTML as osso-notes wrote - still open enough to be useful when something really goes wrong.