The Chinese smartphone manufacturing market is growing at a fast pace. Popular and trusted companies like Huawei, Oppo and Meizu are steadily entering and conquering the US and European markets. At the same time, many small-scale Chinese smartphone manufacturers are appearing that offer cheap mobile devices. Privacy and security have always been an issue on mobile devices and applications; even the big players sometimes fail to protect their customers effectively. We wanted to know how these small-scale manufacturers handle their users' privacy and security. We will discuss how a small-scale Chinese manufacturer decided to design and implement an Android mobile device that acts, looks and behaves like an iPhone 6S. We bought this device for 150 EUR; it is allegedly designed by Apple in California and assembled in China.
At first sight it is difficult to distinguish the fake iPhone from a real device. The manufacturer and developers went out of their way to replicate the same look, feel and user experience. The figure below shows the home screen of the fake device on the left, next to the original iOS home screen of an iPhone 6S on the right.
On closer inspection, the differences become clear. First, the calendar app in the figure on the left uses a bigger date font than the corresponding app on the original screen on the right. Secondly, the string "App Store" is merged into one word, and the overall font is slightly off. Finally, the user experience is where the manufacturer really drops the ball: when you use the fake iPhone extensively and navigate through its screens, you notice a considerable amount of lag that heavily impacts the user experience and is absent on an original iOS device.
Being security and privacy minded penetration testers at ZIONLABS, we were really interested to see how this device handles its users' privacy. We therefore started intercepting communications between the mobile device and the backend servers its applications connect to. While intercepting the phone's traffic we found that a particular service is constantly broadcasting our location. Location data, and by extension the user it identifies, is privacy-sensitive. Checking the location of a device is not wrong as such, but developers need to put appropriate mechanisms in place to protect the confidentiality of this information. Most importantly, users should have full control over their own privacy-sensitive data. We will show that this fake device violates all privacy laws and turns your smartphone into a Chinese spying machine.
Further investigation shows that besides reporting the coordinates and address, the service also checks which building the device is located in, on which floor, and even whether the device is located in China. The browser application that triggers the location lookup is not only eager to know our location, it also wants to know what we are doing on our screen by taking screenshots. The figure below shows a request between the browser application and its Baidu backend server. The request contains a switch that can be remotely controlled to take screenshots on the device and transfer them to the backend.
Discovering these privacy issues made us even more determined to dig deeper. We found that the browser application and most of the apps, like "Facetime" and "App Store", send all their API requests over plain HTTP, which again is a great risk to your privacy.
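The two findings above (location details leaving the device, and API traffic going out over plain HTTP) are the kind of thing a proxy capture makes visible but that is easy to miss in hundreds of requests. The script below is an added example, not ZIONLABS tooling: it parses raw captured requests, picks out parameters that name or look like location data, and rates each request, with location over cleartext HTTP as the worst case. The captured requests, hostnames, paths and parameter names are constructed stand-ins and are not the fake iPhone's real traffic.

```python
"""Flag intercepted requests that send location data in the clear.

Added example for this post, not ZIONLABS tooling. The captured requests,
hostnames, paths and parameter names below are constructed stand-ins for
what a proxy such as Burp or mitmproxy would show; they are not the fake
iPhone's real traffic.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that typically carry coordinates, addresses or the
# indoor-positioning details (building, floor, country check) the post describes.
LOCATION_KEYS = {
    "lat", "latitude", "lng", "lon", "longitude",
    "addr", "address", "building", "floor", "in_china",
}
# A bare decimal with three or more fractional digits looks like a coordinate,
# even when the parameter name gives nothing away.
COORD = re.compile(r"^-?\d{1,3}\.\d{3,}$")


def parse_request(raw, scheme):
    """Split a raw HTTP/1.1 request into method, host, path and merged query+form parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body))
    return {"scheme": scheme, "method": method,
            "host": headers.get("host", ""), "path": parts.path, "params": params}


def location_fields(req):
    """Parameter names that name a location field or carry a coordinate-shaped value."""
    return sorted(
        k for k, v in req["params"].items()
        if k.lower() in LOCATION_KEYS or COORD.match(v)
    )


def assess(req):
    """Return (severity, reasons). Location over plain HTTP is rated high: anyone
    on the network path (hotspot, ISP) can read it, not only the backend."""
    reasons = []
    fields = location_fields(req)
    if fields:
        reasons.append("location fields: " + ", ".join(fields))
    if req["scheme"] == "http":
        reasons.append("sent over cleartext HTTP")
    if fields and req["scheme"] == "http":
        return "high", reasons
    if fields or req["scheme"] == "http":
        return "medium", reasons
    return "none", reasons


# Constructed captures: the hosts, paths and parameter names are assumptions.
CAPTURES = [
    ("http", "POST /loc/report HTTP/1.1\r\nHost: loc.example-backend.invalid\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "lat=50.85045&lng=4.34878&floor=3&building=Office%20Tower&in_china=0"),
    ("http", "GET /news/feed?page=2 HTTP/1.1\r\nHost: news.example-backend.invalid\r\n\r\n"),
    ("https", "GET /weather?latitude=50.85045&longitude=4.34878 HTTP/1.1\r\n"
              "Host: api.example-weather.invalid\r\n\r\n"),
]


def triage(captures=CAPTURES):
    """Assess every capture; returns [(host, path, severity, reasons), ...]."""
    out = []
    for scheme, raw in captures:
        req = parse_request(raw, scheme)
        severity, reasons = assess(req)
        out.append((req["host"], req["path"], severity, reasons))
    return out


if __name__ == "__main__":
    for host, path, severity, reasons in triage():
        print(f"{severity:6} {host}{path}  {'; '.join(reasons) or '-'}")
```

The scheme is passed in separately because a proxy records it per connection; the request text itself does not say whether it travelled over TLS. Feeding the script an export of all captured requests gives a quick shortlist of which apps and endpoints to look at first.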
Now that we were convinced that this fake iPhone is riddled with privacy-breaching applications, we were interested to see just how many malicious applications were installed on the device. We dumped all system and user-installed applications from the device and pushed them through anti-virus scanners. Ideally, we would have wanted to reverse engineer them manually ourselves, but with time against us we decided to rely on proven anti-virus heuristics. In total, we dumped 118 Android applications from the device. The table below shows our anti-virus scanning results. We only included the actual serious malware and adware applications. It should be noted that more than 60 of the installed applications were flagged by at least one anti-virus engine as spyware. In this paper, we decided to include only the applications flagged as serious adware/malware.
Another key concern is that these applications are installed as system applications. This means the user needs root access to remove them from the device, which is not always available. Removal is not the only problem: these applications also run with system-level permissions, which grant more privileges than any application installed through the Google Play Store would normally receive.
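Dumping the installed applications and telling the system ones from the user-installed ones, as described in the two paragraphs above, starts with the package list the device itself reports. The script below is an added example, not ZIONLABS tooling: it parses the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app), classifies each APK by the partition it lives on, marks which ones cannot be removed without root, generates the `adb pull` commands to copy them off the device, and hashes pulled files for scanner lookups. The sample package list and package names are constructed; they are not the fake iPhone's real package list.

```python
"""Inventory Android packages and tell system apps from user-installed apps.

Added example for this post, not ZIONLABS tooling. Parses the output of
`adb shell pm list packages -f`. The SAMPLE output and package names are
constructed, not the fake iPhone's real package list.
"""
import hashlib
import re

# One entry per line: package:<path to apk>=<package name>
LINE = re.compile(r"^package:(?P<path>.+\.apk)=(?P<pkg>[\w.]+)$")

# Where an APK lives decides who can remove it: anything outside /data/app sits
# on a read-only image, so deleting it needs root (or a reflash).
PARTITIONS = (
    ("/system/priv-app/", "system (privileged)"),
    ("/system/app/", "system"),
    ("/vendor/", "vendor"),
    ("/product/", "product"),
    ("/data/app/", "user"),
)


def classify(path):
    """Map an APK path to the partition label it belongs to."""
    for prefix, label in PARTITIONS:
        if path.startswith(prefix):
            return label
    return "other"


def parse_package_list(text):
    """Return one dict per package: name, path, partition and whether root is needed to remove it."""
    apps = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank lines or anything pm printed that is not a package entry
        label = classify(m["path"])
        apps.append({
            "pkg": m["pkg"],
            "path": m["path"],
            "partition": label,
            "root_to_remove": label != "user",
        })
    return apps


def pull_commands(apps, outdir="apks"):
    """adb commands that copy every APK off the device for offline hashing and scanning."""
    return [f"adb pull {a['path']} {outdir}/{a['pkg']}.apk" for a in apps]


def sha256_bytes(data):
    """SHA-256 hex digest of APK contents: the value to look up or submit to scanners."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a pulled APK from disk in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def summary(apps):
    """Count packages per partition, e.g. to see how much of the install base is system-level."""
    counts = {}
    for a in apps:
        counts[a["partition"]] = counts.get(a["partition"], 0) + 1
    return counts


# Constructed sample of `pm list packages -f` output; names are assumptions.
SAMPLE = """\
package:/system/priv-app/FakeAppStore/FakeAppStore.apk=com.example.fakestore
package:/system/app/Browser/Browser.apk=com.example.browser
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/vendor/app/Radio/Radio.apk=com.example.radio
"""

if __name__ == "__main__":
    apps = parse_package_list(SAMPLE)
    for a in apps:
        flag = "ROOT NEEDED" if a["root_to_remove"] else "removable"
        print(f"{a['partition']:20} {flag:12} {a['pkg']}")
    print(summary(apps))
    print("\n".join(pull_commands(apps)))
```

On a device without root, `adb shell pm uninstall -k --user 0 <package>` only hides a system app for that user; the APK stays on the system partition and comes back with a factory reset, which is why the post treats root access as the requirement for actually removing these applications.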
We believe we have only scratched the surface with our research. There are countless other dubious Chinese manufacturers that possibly use the same tactics. Interesting research opportunities lie in correlating research results across different device manufacturers to detect privacy-breaching trends. For more technical information, please refer to our whitepaper.
If you have a device or a malware sample that needs research, feel free to contact our ZIONLABS team, which specializes in mobile security research.