<Thread> CM Browser is a very popular application (50M - 100M downloads) published by @CheetahMobile.
In the description it said "#1 antivirus engine (rated by AV-TEST)" which is a lie. The AV-TEST best android security 2016 award had been given to @Bitdefender and @Sophos.
Virus Total score of the last CM Browser APK is 1/60. Detected as A.L.Rog.RedTubeSex by Alibaba 🤔
Description said "Ad Blocker: Block annoying pop-ups and ads, enjoy clear and clean browsing" but in the service list you can find nativesdk.ad.common.service.AdPreloadService
In the "Interesting Strings" section we can find a lot of http address, that's interesting. We will check that later
First thing you saw when you open the AndroidManifest, the app is asking 3 permissions which are granted only for system app. Why a web browser need to mount/unmount my file system?
Package name of the app is com.ksmobile.cb but the code is located in com.ijinshan.browser. Ijinshan, ijinshan.com, is another company which seems working/related for/to @CheetahMobile.
When you click the product tab in ijinshan.com it redirect to the product list of @CheetahMobile, cn.cmcm.com/products.html. In the list you can see the "Jinshan battery doctor" app. ijinshan seems 2 differents legal company but same people 🤔
Browser is listening to PACKAGE_ADDED, PACKAGE_REMOVED, PACKAGE_CHANGED and PACKAGE_REPLACED intents 😡
Another receiver to PACKAGE_ADDED and PACKAGE_REMOVED 🤦♂️
The third receiver to PACKAGE_ADDED
And fourth...
I'll pause my investigation for today. Here the summary for now:
* They lie in the description
* VT detected it as a Rog.RedtubeSex
* This Adblock browser load their own ad
* They used multiple SDKs
* They listen to the apps movement (install,...)
In Favorites.java there is a list a porn websites which is added to a HashMap in the constructor 🤔
Even if you delete your browser history, you can find the last visit url in clear in a shared preferences file
If you visit #YouTube, #Pornhub, #xvideos or #xnxx, CM browser will inject their cmbFloatVideo js script in the webpage
BIG PRIVACY ISSUE: CM Browser is storing your browser history in clear in browser.db EVEN IN INCOGNITO MODE 😡
The AppExistTrackingReceiver is listening to a multiple intent: USER_PRESENT, CONNECTIVITY_CHANGE,...
On the onReceive method it will start the KBrowserService if the device is connected to the network and the last upload is older than 6 hours
On the OnCreate method of KBrowserService, it register a BroadcastReceiver which listen to SCREEN_ON and SCREEN_OFF intents...I saw that in a lot of malware...
When SCREEN_OFF is received the AppLockBroadCastReceiver check if the phone is locked and will update their content provider with is_screen_off to true
I'm done with this app. There is more to find for sure. Feel free to check the decompiled source github.com/fs0c131y/CMBro… and share your findings!
To sumarize: Stay away of this app! It clearly an invasive application which listen for too much things on the user device. They do the opposite of the app description and don't protect your data
I'm ready for my next challenge. If you an app name in mind, feel free to send here or by DMs and I will look into it
• • •
Missing some Tweet in this thread? You can try to
force a refresh
First thing first, we are talking about this app "Bolo Messenger - Secure Chat, Voice & Video Calls" which is the new version of the #Kimbho app play.google.com/store/apps/det…
When you send a message with the #Bolo app, it is checking if your contact is online with this request. The endpoint is taking the "contact userId" (the 1st black rectangle in the picture)
Time for a new thread. The #android#application called @moinsbete is one of the most downloaded applications in France. This app is sending without your consent your personal data to @mopub:
- location
- operator
- mcc
- mnc
- country
- screen size
Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
This is a very good example of data abuse. Every time you open the @moinsbete#android#app with location on, your location is send without your consent to an US based server owned by @mopub
The samples are available on @koodous_project and @virusbay_io
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209