Pre-installed malware found on an Android Gretel A7 device
This is a follow-up to the previous story, where I analyzed the sample mentioned on Reddit that was infecting a Gretel A7 device. To investigate further, I obtained a Gretel A7 from eBay to confirm whether there is any pre-installed malware on this device.
The /system partition is a good place for pre-installed malware: it is mounted read-only and is not writable without root, so applications installed there cannot be uninstalled through the usual Settings steps (at best they can be disabled). No wonder bloatware added by device manufacturers is normally found here.
There were 117 applications on the Gretel A7 device, and 103 of them were present under /system. The package com.uctsadtxasch.quyry (the adware analyzed in the previous story) was nowhere to be found, indicating that sample might not have been pre-installed after all.
I checked the other apps present in the /system/ folder and, based on basic analysis, found the app below interesting:
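The inventory step above (how many packages are installed, how many of them live under /system, and whether a known-bad package is among them) is easy to automate from `adb shell pm list packages -f`. The following Python script is an added example, not code from the post; it parses a constructed sample of that command's output (the first two lines use the two priv-app paths this post names, the rest are made-up filler), counts packages per partition, matches them against a watchlist of the package names flagged in this post, and emits the `adb pull` commands needed to retrieve the matched APKs for offline analysis.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output (added for this
# example; not the author's capture). The first two lines use the APK paths this
# post names; the remaining entries are made-up filler.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/com.android.service-9002_0711/com.android.service-9002_0711.apk=com.android.service
package:/system/priv-app/Launcher3_G_yisheng_A47_201705191558/Launcher3_G_yisheng_A47_201705191558.apk=com.ibingo.launcher3
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/com.example.user-1/base.apk=com.example.user
package:/vendor/app/VendorSvc/VendorSvc.apk=com.example.vendor
"""

# Watchlist: the two system packages this post flags. Extend it as the list grows.
IOC_PACKAGES = {"com.android.service", "com.ibingo.launcher3"}

# `pm list packages -f` prints one `package:<apk path>=<package name>` per line.
LINE_RE = re.compile(r"^package:(?P<path>/\S+?)=(?P<pkg>\S+)$")


def parse_pm_list(output: str) -> list:
    """Parse pm output into (apk_path, package_name) tuples, skipping junk lines."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def partition_of(apk_path: str) -> str:
    """Top-level mount the APK lives on (/system, /vendor, /data, ...)."""
    return "/" + apk_path.split("/")[1]


def count_by_partition(entries) -> dict:
    """How many installed packages live on each partition."""
    counts = {}
    for path, _ in entries:
        part = partition_of(path)
        counts[part] = counts.get(part, 0) + 1
    return counts


def is_privileged(apk_path: str) -> bool:
    """APKs under priv-app can be granted signature|privileged permissions."""
    return "/priv-app/" in apk_path


def match_iocs(entries, ioc_packages=IOC_PACKAGES) -> list:
    """[(package, apk_path, privileged)] for every installed watchlist package."""
    return [(pkg, path, is_privileged(path)) for path, pkg in entries if pkg in ioc_packages]


def pull_commands(hits) -> list:
    """adb commands that pull each matched APK off the device for offline analysis."""
    return [f"adb pull {path} ./{pkg}.apk" for pkg, path, _ in hits]


if __name__ == "__main__":
    # On a real device: adb shell pm list packages -f > pm.txt, then read that file.
    entries = parse_pm_list(SAMPLE_PM_OUTPUT)
    print("packages per partition:", count_by_partition(entries))
    for pkg, path, priv in match_iocs(entries):
        print(f"HIT {pkg} at {path} (priv-app={priv})")
    for cmd in pull_commands(match_iocs(entries)):
        print(cmd)
```

Matching on package name alone is only a first pass: a watchlist hit under /system/priv-app deserves a pull and a signature check (for example with `apksigner verify --print-certs`) because a package calling itself com.android.service that is not signed with the platform key is exactly the kind of thing this post goes on to describe.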
The system application - com.android.service
This application is stored as /system/priv-app/com.android.service-9002_0711/com.android.service-9002_0711.apk
This app requests the following permissions:
Upon execution the app reports to the domain iwtiger.com with the date and time of execution and the model of the device running it. It then downloads an APK with package name com.iwtiger.plugin.activity17 from static.iwtiger.com and stores it in its app_dex folder:
This app contains code similar to that in a GitHub repository on dynamic APK loading, i.e. loading code from the downloaded APK at runtime rather than shipping it in the installed package:
The downloaded plugin also has suspicious indicators and detections on VirusTotal:
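To triage an APK for this download-then-load pattern without decompiling it, here is an added Python example (not code from the post or from the sample). It unpacks the APK's classes*.dex entries and scans them for the class-loader descriptors Android uses for runtime code loading (dalvik.system.DexClassLoader and friends, which appear literally in the DEX string table), helpers used to obtain a private dex directory such as getDir, and embedded URLs. The APK it scans is constructed in memory: the classes.dex inside is a fake blob carrying only the indicator strings a real one would contain, the host is the one named above and the URL path is made up.

```python
import io
import re
import zipfile

# Strings whose presence in classes.dex point at runtime code loading or at
# fetching code over the network. Class descriptors appear literally in the DEX
# string table, so a strings-style scan finds them without full decompilation.
LOADER_REFS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)
STORAGE_REFS = (b"getDir", b"app_dex", b"getCodeCacheDir")
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./?=&%-]*)?")


def build_sample_apk(dex_bytes: bytes) -> bytes:
    """Constructed stand-in APK: a zip holding a fake classes.dex (not a real DEX)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


def dex_blobs(apk_bytes: bytes) -> list:
    """Bytes of every classes*.dex in the APK (multidex aware)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return [z.read(n) for n in z.namelist() if re.fullmatch(r"classes\d*\.dex", n)]


def scan_apk(apk_bytes: bytes) -> dict:
    """Which loader, storage and URL indicators the APK's dex code carries."""
    data = b"".join(dex_blobs(apk_bytes))
    return {
        "loaders": sorted(r.decode() for r in LOADER_REFS if r in data),
        "storage": sorted(r.decode() for r in STORAGE_REFS if r in data),
        "urls": sorted({u.decode() for u in URL_RE.findall(data)}),
    }


def verdict(findings: dict) -> str:
    """Heuristic: a class loader plus a remote URL is the download-then-load pattern."""
    if findings["loaders"] and findings["urls"]:
        return "downloads-and-loads-code"
    if findings["loaders"]:
        return "dynamic-loading"
    return "clean"


# Constructed fake classes.dex: the DEX magic followed by the indicator strings a
# real one would carry. The host is the one this post names; the path is made up.
FAKE_DEX = (b"dex\n035\0" + b"\0" * 32
            + b"Ldalvik/system/DexClassLoader;\0" + b"getDir\0" + b"dex\0"
            + b"http://static.iwtiger.com/example.apk\0")
SAMPLE_APK = build_sample_apk(FAKE_DEX)

if __name__ == "__main__":
    # On a pulled APK: scan_apk(open("com.android.service.apk", "rb").read())
    result = scan_apk(SAMPLE_APK)
    print(result, "->", verdict(result))
```

A hit here is a reason to look closer, not a conviction: legitimate apps use DexClassLoader for plugins and instant updates too. What made this sample stand out is the combination of a reserved-looking package name in priv-app, a runtime download from a third-party host, and a loaded plugin that itself carries detections.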
Package name: com.iwtiger.plugin.activity17
The VirusTotal relations for the domain static.iwtiger.com are also interesting:
The system application - com.ibingo.launcher3
This application is stored as /system/priv-app/Launcher3_G_yisheng_A47_201705191558/Launcher3_G_yisheng_A47_201705191558.apk
This is the launcher app for the Gretel A7 and for a few other devices as well (BLU, among others). On execution we see the following network packet, in which the device brand and model number are sent along with the package name responsible for the packet:
In one of the network packets to the host alter.sbingo.net.cn the device IMEI is leaked; the IMEI is a permanent hardware identifier and sensitive data. VirusTotal shows that this domain is connected with a number of APKs that have malicious detections:
Additional suspicious network activity
The test device's IMEI was also leaked in a separate network communication, to mota.mediatek.com:
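Spotting the two IMEI leaks above by eye works for a handful of packets; for a full capture it is worth scripting. The Python below is an added example (not the author's tooling or capture): it takes decoded HTTP requests, pulls out every 15-digit run that passes the Luhn check an IMEI must satisfy (so timestamps and other long numbers are not flagged), undoes URL encoding first, and additionally looks for MD5/SHA-1/SHA-256 digests of a known device IMEI, since apps often send a hashed identifier instead of the raw value. The sample requests are constructed: the hosts alter.sbingo.net.cn, mota.mediatek.com and static.iwtiger.com are the ones named in this post, while the URL paths, parameters, the IMEI value and the collector.example host are made up.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Constructed test-device IMEI (a Luhn-valid example number, not a real device).
KNOWN_IMEI = "490154203237518"


def luhn_ok(digits: str) -> bool:
    """IMEIs are 15 digits whose last digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hashed_forms(imei: str) -> dict:
    """Hex digests apps commonly send instead of the raw IMEI."""
    data = imei.encode()
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def host_of(request: str) -> str:
    """Destination host from the HTTP Host header (empty if absent)."""
    m = re.search(r"^Host:\s*(\S+)", request, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else ""


def candidate_imeis(text: str) -> set:
    """15-digit runs that pass Luhn, after undoing URL encoding."""
    decoded = unquote_plus(text)
    return {m for m in re.findall(r"(?<!\d)\d{15}(?!\d)", decoded) if luhn_ok(m)}


def scan_requests(requests, known_imei=None) -> list:
    """Per request: destination host, raw IMEIs found, hashed forms of the known IMEI."""
    hashes = hashed_forms(known_imei) if known_imei else {}
    findings = []
    for req in requests:
        lowered = req.lower()
        findings.append({
            "host": host_of(req),
            "imeis": sorted(candidate_imeis(req)),
            "hashed": sorted(name for name, hx in hashes.items() if hx in lowered),
        })
    return findings


def leaking_hosts(findings) -> list:
    """Hosts that received the IMEI in raw or hashed form."""
    return sorted({f["host"] for f in findings if f["imeis"] or f["hashed"]})


# Constructed decoded HTTP requests (added for this example, not the author's
# capture). The hosts in the first, second and fourth requests are the ones this
# post names; paths, parameters and the collector.example host are made up.
SAMPLE_REQUESTS = [
    "GET /report?brand=Gretel&model=A7&imei=490154203237518&t=170519155800123 HTTP/1.1\r\n"
    "Host: alter.sbingo.net.cn\r\n\r\n",
    "POST /ota/check HTTP/1.1\r\nHost: mota.mediatek.com\r\n\r\n"
    "imei=490154203237518&ver=1.0",
    "POST /collect HTTP/1.1\r\nHost: collector.example\r\n\r\n"
    "did=" + hashlib.md5(KNOWN_IMEI.encode()).hexdigest(),
    "GET /ping?ts=170519155800123 HTTP/1.1\r\nHost: static.iwtiger.com\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS, KNOWN_IMEI):
        print(finding)
    print("hosts receiving the IMEI:", leaking_hosts(scan_requests(SAMPLE_REQUESTS, KNOWN_IMEI)))
```

Run it over requests extracted from a pcap (for example with `tshark -Y http.request -T fields -e http.host -e http.request.uri -e http.file_data`) after reading the real IMEI off the device with `adb shell service call iphonesubinfo 1` or from Settings; the Luhn filter is what keeps the `t=` timestamp in the first request from being reported as a leak.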
Play Protect detections
During my analysis I saw the Play Protect warning for com.android.service, indicating that there is protection for this threat:
Based on my observations, here are the detections for the malicious/suspicious apps I observed on the Gretel; I will update this list as I see more threats on this device:
Similar concerns by users
A number of users have raised concerns about the presence of malicious applications on Gretel devices. Alternative ROMs exist for Gretel devices, which shows that the device has a sizeable user base.
Indicators of Compromise