Baptiste Robert Profile picture
Nov 12, 2017 25 tweets 12 min read Twitter logo Read on Twitter
<Thread> CM Browser is a very popular application (50M - 100M downloads) published by @CheetahMobile.
In the description it said "#1 antivirus engine (rated by AV-TEST)" which is a lie. The AV-TEST best android security 2016 award had been given to @Bitdefender and @Sophos.
Security Master is in their best antivirus for #Android list but it's not the same app and not #1:…
Virus Total score of the last CM Browser APK is 1/60. Detected as A.L.Rog.RedTubeSex by Alibaba 🤔
Description said "Ad Blocker: Block annoying pop-ups and ads, enjoy clear and clean browsing" but in the service list you can find
In the "Interesting Strings" section we can find a lot of http address, that's interesting. We will check that later
First thing you saw when you open the AndroidManifest, the app is asking 3 permissions which are granted only for system app. Why a web browser need to mount/unmount my file system?
Package name of the app is com.ksmobile.cb but the code is located in com.ijinshan.browser. Ijinshan,, is another company which seems working/related for/to @CheetahMobile.
When you click the product tab in it redirect to the product list of @CheetahMobile, In the list you can see the "Jinshan battery doctor" app. ijinshan seems 2 differents legal company but same people 🤔
They also listen to android.hardware.action.NEW_PICTURE...
Another receiver to PACKAGE_ADDED and PACKAGE_REMOVED 🤦‍♂️
The third receiver to PACKAGE_ADDED
And fourth...
I'll pause my investigation for today. Here the summary for now:
* They lie in the description
* VT detected it as a Rog.RedtubeSex
* This Adblock browser load their own ad
* They used multiple SDKs
* They listen to the apps movement (install,...)
In there is a list a porn websites which is added to a HashMap in the constructor 🤔
Even if you delete your browser history, you can find the last visit url in clear in a shared preferences file
If you visit #YouTube, #Pornhub, #xvideos or #xnxx, CM browser will inject their cmbFloatVideo js script in the webpage
BIG PRIVACY ISSUE: CM Browser is storing your browser history in clear in browser.db EVEN IN INCOGNITO MODE 😡
The AppExistTrackingReceiver is listening to a multiple intent: USER_PRESENT, CONNECTIVITY_CHANGE,...
On the onReceive method it will start the KBrowserService if the device is connected to the network and the last upload is older than 6 hours
On the OnCreate method of KBrowserService, it register a BroadcastReceiver which listen to SCREEN_ON and SCREEN_OFF intents...I saw that in a lot of malware...
When SCREEN_OFF is received the AppLockBroadCastReceiver check if the phone is locked and will update their content provider with is_screen_off to true
I'm done with this app. There is more to find for sure. Feel free to check the decompiled source… and share your findings!
To sumarize: Stay away of this app! It clearly an invasive application which listen for too much things on the user device. They do the opposite of the app description and don't protect your data
I'm ready for my next challenge. If you an app name in mind, feel free to send here or by DMs and I will look into it

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Baptiste Robert

Baptiste Robert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fs0c131y

Aug 30, 2018
Let's see how #WhatsApp is encrypting your attachments 1/n
In a #WhatsApp conversation, I sent a TTF file 2/n
In my phone, this TTF file is stored in the sdcard. To be precise here: /sdcard/WhatsApp/Media/WhatsApp Documents/Action_Man.enc 3/n
Read 10 tweets
Jul 28, 2018
The phone number linked to this #Aadhaar number is 9958587977
According to an official @nicmeity circular, this phone number is the number of your secretary….
Is it really your #Aadhaar number @rssharma3?
Read 13 tweets
Jul 13, 2018
Hi @KamalAditi,

Challenge accepted!

Please find below the first flaw of #Kimbho app 2.0 aka how to get the online status of #Bolo users
First thing first, we are talking about this app "Bolo Messenger - Secure Chat, Voice & Video Calls" which is the new version of the #Kimbho app…
When you send a message with the #Bolo app, it is checking if your contact is online with this request. The endpoint is taking the "contact userId" (the 1st black rectangle in the picture)
Read 10 tweets
May 2, 2018
People are stupid... A Youtube account called "DIGISEVA CENTER" showed how to bypass ECMP software in this video
Of course if you like the video you can donate to the Paytm account 7041704604
Thanks to his Paytm account you can find his Facebook page
Read 6 tweets
Apr 13, 2018
Time for a new thread. The #android #application called @moinsbete is one of the most downloaded applications in France. This app is sending without your consent your personal data to @mopub:
- location
- operator
- mcc
- mnc
- country
- screen size
Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
This is a very good example of data abuse. Every time you open the @moinsbete #android #app with location on, your location is send without your consent to an US based server owned by @mopub
Read 9 tweets
Apr 8, 2018
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
The samples are available on @koodous_project and @virusbay_io
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!