Baptiste Robert Profile picture
🇫🇷 Good Faith Hacker. Fight disinformation at @PredictaLabOff. #OSINT for good. For business inquiries my email is below👇

Nov 12, 2017, 25 tweets

<Thread> CM Browser is a very popular application (50M - 100M downloads) published by @CheetahMobile.

In the description it said "#1 antivirus engine (rated by AV-TEST)" which is a lie. The AV-TEST best android security 2016 award had been given to @Bitdefender and @Sophos.

Security Master is in their best antivirus for #Android list but it's not the same app and not #1:…

Virus Total score of the last CM Browser APK is 1/60. Detected as A.L.Rog.RedTubeSex by Alibaba 🤔

Description said "Ad Blocker: Block annoying pop-ups and ads, enjoy clear and clean browsing" but in the service list you can find

In the "Interesting Strings" section we can find a lot of http address, that's interesting. We will check that later

First thing you saw when you open the AndroidManifest, the app is asking 3 permissions which are granted only for system app. Why a web browser need to mount/unmount my file system?

Package name of the app is com.ksmobile.cb but the code is located in com.ijinshan.browser. Ijinshan,, is another company which seems working/related for/to @CheetahMobile.

When you click the product tab in it redirect to the product list of @CheetahMobile, In the list you can see the "Jinshan battery doctor" app. ijinshan seems 2 differents legal company but same people 🤔


They also listen to android.hardware.action.NEW_PICTURE...

Another receiver to PACKAGE_ADDED and PACKAGE_REMOVED 🤦‍♂️

The third receiver to PACKAGE_ADDED

And fourth...

I'll pause my investigation for today. Here the summary for now:
* They lie in the description
* VT detected it as a Rog.RedtubeSex
* This Adblock browser load their own ad
* They used multiple SDKs
* They listen to the apps movement (install,...)

In there is a list a porn websites which is added to a HashMap in the constructor 🤔

Even if you delete your browser history, you can find the last visit url in clear in a shared preferences file

If you visit #YouTube, #Pornhub, #xvideos or #xnxx, CM browser will inject their cmbFloatVideo js script in the webpage

BIG PRIVACY ISSUE: CM Browser is storing your browser history in clear in browser.db EVEN IN INCOGNITO MODE 😡

The AppExistTrackingReceiver is listening to a multiple intent: USER_PRESENT, CONNECTIVITY_CHANGE,...
On the onReceive method it will start the KBrowserService if the device is connected to the network and the last upload is older than 6 hours

On the OnCreate method of KBrowserService, it register a BroadcastReceiver which listen to SCREEN_ON and SCREEN_OFF intents...I saw that in a lot of malware...

When SCREEN_OFF is received the AppLockBroadCastReceiver check if the phone is locked and will update their content provider with is_screen_off to true

I'm done with this app. There is more to find for sure. Feel free to check the decompiled source… and share your findings!

To sumarize: Stay away of this app! It clearly an invasive application which listen for too much things on the user device. They do the opposite of the app description and don't protect your data

I'm ready for my next challenge. If you an app name in mind, feel free to send here or by DMs and I will look into it

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling