Baptiste Robert Profile picture
Jan 25, 2018 15 tweets 8 min read Twitter logo Read on Twitter
The @OnePlus #clipboard app contains a strange file called badword.txt 🤔

In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...
This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files:
- badword.txt
- brackets.txt
- end.txt
- follow.txt
- key.txt
- start.txt
All these files are used in a obfuscated package which seems to be an #Android library from teddymobile
TeddyMobile is a Chinese company, they worked with a lot of manufacturers including @oppo.
As far as I understand, teddymobile is making number identification in SMS

The picture below can be translated like this:
- Total number of SMS 20M+
- SMS identification accuracy 100%
- Identification number recognition rate of 70%
- recognition accuracy of 95%
According to the code @OnePlus is sending your IMEI and the phone manufacturer to a Chinese server owned by teddymobile 😡
In the TeddyMobile's package com.ted, they have a class called SysInfoUtil. This class contains the following methods:
- getAndroidID
- getCPUSerial
- getDeviceId
- getHardwareSerialNumber
- getIMEI
- getIPAddress
- getMacAddress
- getPhoneNumbe
- getScreenPixels
Except getIPAddress and getScreenPixels, all the other methods are used.
They also send JSON messages to their servers with a "telephone" and "messageText" fields...😡
This is a good reminder...Please don't copy paste your bank account number...TeddyMobile has a dedicated method to recognize a bank account...😡
I didn't manage to trigger the network communications to the teddymobile servers but I will continue later. Moreover, I have other ideas in mind regarding this app 😉
After deeper investigation only a small part of the tedmobile sdk is used. In the ClipboardManager, in the verifyExpress method they used the method parserOnline.

This parserOnline will send what you have in your clipboard to a teddymobile server in order to parse it. It important to say that this method is used only for Chinese users.
So we can definitively say that clipboard data of @OnePlus Chinese users is send to teddymobile servers without their consent.
The conditions to send your data to teddymobile server are:
- clip data is not numeric
- not an email
- Chinese @OnePlus phone
- clipboard data matched the express pattern.

It good to say that parserOnline method is used 3 times in the code, so this is only 1 of the 3 usecases

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Baptiste Robert

Baptiste Robert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fs0c131y

Aug 30, 2018
Let's see how #WhatsApp is encrypting your attachments 1/n
In a #WhatsApp conversation, I sent a TTF file 2/n
In my phone, this TTF file is stored in the sdcard. To be precise here: /sdcard/WhatsApp/Media/WhatsApp Documents/Action_Man.enc 3/n
Read 10 tweets
Jul 28, 2018
The phone number linked to this #Aadhaar number is 9958587977
According to an official @nicmeity circular, this phone number is the number of your secretary….
Is it really your #Aadhaar number @rssharma3?
Read 13 tweets
Jul 13, 2018
Hi @KamalAditi,

Challenge accepted!

Please find below the first flaw of #Kimbho app 2.0 aka how to get the online status of #Bolo users
First thing first, we are talking about this app "Bolo Messenger - Secure Chat, Voice & Video Calls" which is the new version of the #Kimbho app…
When you send a message with the #Bolo app, it is checking if your contact is online with this request. The endpoint is taking the "contact userId" (the 1st black rectangle in the picture)
Read 10 tweets
May 2, 2018
People are stupid... A Youtube account called "DIGISEVA CENTER" showed how to bypass ECMP software in this video
Of course if you like the video you can donate to the Paytm account 7041704604
Thanks to his Paytm account you can find his Facebook page
Read 6 tweets
Apr 13, 2018
Time for a new thread. The #android #application called @moinsbete is one of the most downloaded applications in France. This app is sending without your consent your personal data to @mopub:
- location
- operator
- mcc
- mnc
- country
- screen size
Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
This is a very good example of data abuse. Every time you open the @moinsbete #android #app with location on, your location is send without your consent to an US based server owned by @mopub
Read 9 tweets
Apr 8, 2018
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
The samples are available on @koodous_project and @virusbay_io
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!