dark.silent Android trojan on Wiko phones

Wiko phones ship a File Manager developed by "Shenzhen UFO Technology Co., Limited". In December 2017 this file manager started to use massive amounts of mobile data:

[Figures: mobile data usage for 2017-12 and for 2018-01]

I disassembled the code and found a trojan.

An update released on 2018-01-28 removed the trojan.

Play store ratings

The Google Play store ratings reflect that strange behavior:

It uses 174 MB data in background. What the hell is it doing?

Tawfiqur Rahman

Lately the app uses a huge amount of Cpu, constantly running in the background and draining my battery. Unfortunately the app comes with my phone and it won't let me uninstall... I don't even use the app and now it will always show up on my app update list in the play store.

Joseph Caswell

Recent update has a problem. Without ever opening it, the app was running in the background chewing up the battery, and sending / receiving data even when not connected to WiFi. I had to uninstall updates and go back to factory version.

Ethan Jorgensen

Doubtful background data (internet) usage, also causing background vibrations without any reason. We don't need any update.

Sumit G

The app preinstalled on Wiko phones has sent over 220 MB of data over WLAN and 100 MB over the mobile network. Why?!? Since the update the WLAN also keeps switching itself off. [...]

unknown

Highly recommended! Great! But why does the app suddenly use mobile data volume? 119 MB in the background in one day? Please change this immediately ...

Maurice Boeren

The permissions that this application requires from users are strange for a file manager:

Time to look into it, since my wife was affected: her mobile data limit for January was already reached on the 12th.

adb logcat

After connecting the phone to my computer via USB, I could see the logging output and grepped for "filemanager":

D/ActivityThread( 3234): BDC-Calling onReceive: intent=Intent { act=android.intent.action.USER_PRESENT flg=0x24000010 cmp=com.ape.filemanager/.ad.TriggerReceiver }, receiver=com.ape.filemanager.ad.TriggerReceiver@3bfc8e6e
D/ActivityThread( 3234): BDC-RECEIVER handled : 0 / ReceiverData{intent=Intent { act=android.intent.action.USER_PRESENT flg=0x24000010 cmp=com.ape.filemanager/.ad.TriggerReceiver } packageName=com.ape.filemanager resultCode=0 resultData=null resultExtras=null}
D/ActivityThread( 3234): SVC-Calling onStartCommand: com.ape.filemanager.ad.DaemonService@1b3d070f, flags=0, startId=10
D/ActivityThread( 3234): SVC-SERVICE_ARGS handled : 0 / ServiceArgsData{token=android.os.BinderProxy@cdd346e startId=10 args=Intent { cmp=com.ape.filemanager/.ad.DaemonService }}
D/Posix   ( 3234): [Posix_connect Debug]Process com.ape.filemanager :80 
W/ActivityManager(  706): Unable to start service Intent { flg=0x104 cmp=com.ape.filemanager/com.virgo.qao.hotfix.upgrade.UpgradeIntentService (has extras) } U=0: not found
D/AlarmManager(  706): wakeup alarm = Alarm{1874ac3e type 2 when 25014622 com.ape.filemanager}; package = com.ape.filemanager
V/ActivityManager(  706): Broadcast: Intent { act=com.virgo.trick.action flg=0x114 cmp=com.ape.filemanager/org.bi.track.ConnectionReceiver (has extras) } ordered=true userid=0 callerApp=null
D/Launcher( 1340): Launcher, bindItems: start = 12, end = 15item = ShortcutInfo(title=Dateimanagerintent=Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.ape.filemanager/.FileManagerMainActivity }id=225 type=0 container=-100 screen=4 cellX=2 cellY=0 spanX=1 spanY=1 dropPos=null unreadNum= 0), this = com.android.launcher2.Launcher@1a9c01f7
D/MTKUnreadLoader( 1340): getUnreadNumberOfComponent = com.ape.filemanager

Suspicious strings here:

com.ape.filemanager/.ad.TriggerReceiver
com.ape.filemanager/.ad.DaemonService
com.ape.filemanager/com.virgo.qao.hotfix.upgrade.UpgradeIntentService
com.ape.filemanager/org.bi.track.ConnectionReceiver

"ad" is probably short for "advertisements". What? In a file manager?
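Picking such components out of a logcat dump can be scripted. The following is an added example, not code from the original post: it takes the log lines quoted above (the long Launcher line shortened), expands the "pkg/.Class" shorthand that logcat uses, and flags every component of the package whose class lives outside the app's own namespace or whose package path contains a telltale segment. The segment list is my own heuristic, not anything from the app.

```python
import re

PACKAGE = "com.ape.filemanager"

# Package-path segments that deserve a second look in a file manager (my own heuristic).
SUSPICIOUS_SEGMENTS = {"ad", "ads", "track", "hotfix", "upgrade", "trick"}

# Log lines quoted from the adb logcat output above (the Launcher line is shortened).
LOGCAT_SAMPLE = """\
D/ActivityThread( 3234): BDC-Calling onReceive: intent=Intent { act=android.intent.action.USER_PRESENT flg=0x24000010 cmp=com.ape.filemanager/.ad.TriggerReceiver }, receiver=com.ape.filemanager.ad.TriggerReceiver@3bfc8e6e
D/ActivityThread( 3234): SVC-SERVICE_ARGS handled : 0 / ServiceArgsData{token=android.os.BinderProxy@cdd346e startId=10 args=Intent { cmp=com.ape.filemanager/.ad.DaemonService }}
W/ActivityManager(  706): Unable to start service Intent { flg=0x104 cmp=com.ape.filemanager/com.virgo.qao.hotfix.upgrade.UpgradeIntentService (has extras) } U=0: not found
V/ActivityManager(  706): Broadcast: Intent { act=com.virgo.trick.action flg=0x114 cmp=com.ape.filemanager/org.bi.track.ConnectionReceiver (has extras) } ordered=true userid=0 callerApp=null
D/Launcher( 1340): Launcher, bindItems: [...] cmp=com.ape.filemanager/.FileManagerMainActivity }id=225 [...]
"""

COMPONENT_RE = re.compile(r"cmp=([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+)")
ACTION_RE = re.compile(r"act=([A-Za-z0-9_.]+)")


def resolve(package, cls):
    """Expand the logcat shorthand 'pkg/.Class' to a fully qualified class name."""
    return package + cls if cls.startswith(".") else cls


def triage(logcat, package):
    """Map each flagged component of `package` to the reasons it was flagged.

    A component is flagged when its class is not inside the app's own namespace
    (code merged in from somewhere else) or when the package path of the class
    contains one of SUSPICIOUS_SEGMENTS."""
    findings = {}
    for pkg, cls in COMPONENT_RE.findall(logcat):
        if pkg != package:
            continue
        fq = resolve(package, cls)
        reasons = []
        if not fq.startswith(package + "."):
            reasons.append("class outside app namespace")
        path = fq.rsplit(".", 1)[0].lower().split(".")
        hits = sorted(set(path) & SUSPICIOUS_SEGMENTS)
        if hits:
            reasons.append("suspicious package segment: " + ", ".join(hits))
        if reasons:
            findings[fq] = reasons
    return findings


def foreign_actions(logcat, package):
    """Custom intent actions that belong neither to Android nor to the app itself."""
    return sorted({a for a in ACTION_RE.findall(logcat)
                   if not a.startswith(("android.", package + "."))})


if __name__ == "__main__":
    for component, reasons in sorted(triage(LOGCAT_SAMPLE, PACKAGE).items()):
        print(component, "->", "; ".join(reasons))
    print("foreign actions:", foreign_actions(LOGCAT_SAMPLE, PACKAGE))
```

Run against a full `adb logcat -d` dump, the same two functions give you the list of components and custom broadcast actions to start decompiling from; the FileManagerMainActivity passes cleanly while the four components above are flagged.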

I backed up the app com.ape.filemanager (version 7.1.1) with adb backup and used ab2tar to convert that backup file to a usable archive.

I looked into version 7.1.1; version 8.0.30.11, the current one at the time of the analysis, still contains the dark.silent code.

Then I decompiled the Android package apps/com.ape.filemanager/a/base.apk with jadx and looked at the source code of the .ad. classes.

com.ape.filemanager.ad.TriggerReceiver has the following statement:

import dark.silent.ModsManager;
...
ModsManager.get(context).processIntent(intent);

There are no classes in the com.virgo.qao and org.bi.track namespaces at all.

dark.silent

Let's have a look at dark.silent.ModsManager:

[Figure: decompiled ModsManager in jadx-gui]

The code is obfuscated, so it is hard to see what is actually happening:

this.c = Base64.decode("aHR0cHM6Ly9hcGkuaW5zbW9iaS5jb20vYWEvbmM=", 0);
// = https://api.insmobi.com/aa/nc
 
this.g = Base64.decode("Y29tLm1vZHMuTWFpbg==", 0);
// = com.mods.Main

The obfuscated code can be found on github.com/cweiske/dark.silent.

I loaded the code into Android Studio, inspected the classes and methods and renamed them one by one, until I could see what is being done here.

It is a trojan that downloads additional code from the internet and executes it without asking.

dark.silent's behavior is:

  1. Send an app ID (com.xit.c002), an app key (5a001d8622cb35589dacc7bf) and the phone's brand to a remote server at https://api.insmobi.com/aa/nc.

    If a payload has already been downloaded, send its MD5 hash (so that you can get updates!)

  2. Parse the JSON response, download the file named in its url property (moast.zip) and verify the file's hash against the one given in the JSON.

  3. Load that downloaded file as java archive and instantiate com.mods.Main from it.

    Then call its wakeUp method.
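To make the three steps concrete, here is an offline model of that update cycle. It is an added example, not code from the post or from the trojan: the app ID, app key, endpoint and entry class are the values quoted above, while the JSON field names ("appId", "appKey", "brand", "md5"), the use of MD5 for the download check, the placeholder URL and the payload bytes are assumptions and are labelled as such in the code. The last scenario is the point worth taking away: the hash arrives in the same response as the URL, so the check catches a corrupted download but not an archive that the server operator, or anyone who controls the response, has swapped out.

```python
import base64
import hashlib
import json

# Constants recovered from the decompiled ModsManager (quoted above).
ENDPOINT = base64.b64decode("aHR0cHM6Ly9hcGkuaW5zbW9iaS5jb20vYWEvbmM=").decode()  # https://api.insmobi.com/aa/nc
ENTRY_CLASS = base64.b64decode("Y29tLm1vZHMuTWFpbg==").decode()                  # com.mods.Main
APP_ID = "com.xit.c002"
APP_KEY = "5a001d8622cb35589dacc7bf"


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def build_checkin(brand, current_payload=None):
    """Step 1: the check-in request. The values come from the post; the JSON
    field names ("appId", "appKey", "brand", "md5") are assumptions."""
    body = {"appId": APP_ID, "appKey": APP_KEY, "brand": brand}
    if current_payload is not None:
        body["md5"] = md5_hex(current_payload)  # lets the server decide whether to push an update
    return ENDPOINT, body


def parse_response(text):
    """Step 2a: "url" is named in the post; "md5" as the name of the hash field is assumed."""
    data = json.loads(text)
    return data["url"], data["md5"].lower()


def verify_payload(blob, expected_md5):
    """Step 2b: integrity check before the archive is loaded. The post says the
    hash is checked; MD5 is assumed here, matching the hash sent in step 1."""
    return md5_hex(blob) == expected_md5


def update_cycle(brand, response_text, fake_network, current_payload=None):
    """One round of the protocol without a network: `fake_network` maps URL -> bytes.

    Returns (action, payload): "up-to-date" when the server's hash equals that of
    the payload already on the device, "reject" when the download does not match
    the hash, "load" when it does (step 3 on a real device: load the archive with
    a class loader, instantiate ENTRY_CLASS, call wakeUp())."""
    _, request = build_checkin(brand, current_payload)
    url, expected = parse_response(response_text)
    if request.get("md5") == expected:
        return "up-to-date", current_payload
    blob = fake_network[url]
    if not verify_payload(blob, expected):
        return "reject", None
    return "load", blob


def demo():
    """Four constructed scenarios; the payload bytes are a stand-in, not the real moast.zip."""
    url = "https://example.invalid/moast.zip"  # placeholder, not the real download URL
    payload = b"PK\x03\x04 constructed stand-in for moast.zip"
    rogue = b"PK\x03\x04 anything the server operator wants"

    server_ok = json.dumps({"url": url, "md5": md5_hex(payload)})
    server_rogue = json.dumps({"url": url, "md5": md5_hex(rogue)})

    return {
        "fresh": update_cycle("WIKO", server_ok, {url: payload})[0],
        "already_current": update_cycle("WIKO", server_ok, {url: payload}, payload)[0],
        "corrupt_download": update_cycle("WIKO", server_ok, {url: payload + b"\x00"})[0],
        # Hash and URL come from the same response, so whoever controls the
        # server controls both: the check detects corruption, not substitution.
        "substituted": update_cycle("WIKO", server_rogue, {url: rogue})[0],
    }


if __name__ == "__main__":
    print(ENDPOINT, ENTRY_CLASS)
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Nothing in the protocol ties the archive to a key the app holds, so the device will load whatever passes the self-declared hash; that is what makes this a remote code loading backdoor rather than a mere update mechanism.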

The more readable, renamed code can also be found on github.com/cweiske/dark.silent (readable).

Note that this behavior was built into the file manager on purpose by "Shenzhen UFO Technology": the trojan is initialized by their own file manager code, and they added the permission requests to the manifest file.

Affected versions

Here are the versions of the file manager that I know of:

com.ape.filemanager versions

Version number   Description                   Contains trojan?
1.0.17.16_wiko   pre-installed on Rainbow Up   No
7.1.1            Update from Google Play       Yes
8.0.30.11        Update from Google Play       Yes
8.0.30.50        Update from Google Play       No

According to the Google Play page, the file manager is installed on 5 to 10 million devices.

The changelog on Google Play is always a pointless "Optimizing function" that tells you nothing about the real changes.

Shenzhen UFO? Tinno!

The address of that "Shenzhen UFO Technology Co., Limited" shown on the Google Play store is:

4/F, H-3 Building, OCT Eastern Industrial Park, NO.1 XiangShan East Road, Nan Shan District, Shenzhen, P.R.C

The French Wiko Mobile company is owned by the Chinese Tinno Mobile Technology Corp., which has the following address:

4/F, H-3 Building, Qiao Cheng Eastern Industrial Park, Oversea Chinese Town, Nanshan District, Shenzhen, Guangdong Province, PRC

Same address, same company. The Google Play store developer e-mail address is swrd@tinno.com.

Did Tinno only buy Wiko to be able to push their trojans to European people?

In November 2017, a French security researcher found that Wiko phones contain two apps, ApeSaleTracker and ApeStsMonths, that

[...] send regularly and silently the user infos to a Chinese 3rd party called Tinno by HTTP or SMS without user consent

Two French press articles covered that:

Fin

Now we know why all those additional permissions are needed :/ This also explains why my wife's phone suddenly began to switch WiFi off by itself and drain the battery.

A big problem is that the file manager is a system app on Wiko phones (at least on the Wiko Rainbow Up and Wiko Pulp 4G) and cannot be removed, only deactivated.

It would probably be worth looking at the actual payload to find out what it does.


Written by Christian Weiske.

Comments? Please send an e-mail.