Pre-installed malware found on an Android Gretel A7 device
This is a follow-up to the previous story where I analyzed the sample mentioned on Reddit which was infecting a Gretel A7 device. To investigate further I obtained a Gretel A7 device from Ebay to confirm if there is any pre-installed malware on this device.

System folders

The /system/ folder is a good place for pre-installed malware as this folder is not accessible to the user, applications present here cannot be deleted by the user using the usual steps. No wonder bloatware added by device manufacturers is normally found here.

There were 117 applications on the Gretel A7 device and 103 of these applications were present in the system folder. The application with package name com.uctsadtxasch.quyry (which was the adware analyzed in the previous story) was nowhere to be found, indicating this might not be a case of pre-installed malware after all.

I checked on other apps present in the /system/ folder and based on basic analysis I found the app below interesting:
  • stored as /system/priv-app/

The system application -

This application is stored as /system/priv-app/

This app requests for the following permissions:
  • Access network state
  • Receive boot completed
  • Wake lock
  • Read external storage
  • Write external storage
  • Internet
  • Read phone state
  • Access wifi state
  • System alert window
  • Package usage stats
  • Install packages
  • Delete packages
  • Access fine location
  • Get tasks
The permission Install and Delete package can be dangerous if misused as this gives an application the ability to install and delete applications in the background without the users knowledge

Upon execution the app reports to the domain with date and time of execution and the device model running the app. It then downloads an apk from with package name com.iwtiger.plugin.activity17 and stores it in the app_dex folder:

This app contains code which is similar to the one present in a Github repo regarding dynamic apk loading:

This app has suspicious indicators and detections on VirusTotal as well:

MD5: f8d4659099100539da581c5bf6bacf26
Package name: com.iwtiger.plugin.activity17

The domain shows interesting details on VirusTotal relations:

The system application - com.ibingo.launcher3

This application is stored as /system/priv-app/Launcher3_G_yisheng_A47_201705191558/Launcher3_G_yisheng_A47_201705191558.apk

This is the launcher app for Gretel A7 devices and a few other devices as well - blu etc here . On execution we see the following network packet in which the device brand and model number were sent along with the package name responsible for this packet:

In one of the network packets to the host the IMEI number is leaked which is sensitive data for a device. VirusTotal shows that this domain is connected with a number of apks with malicious detection on VT:

Additional suspicious network activity

The IMEI for the test device was leaked in an additional network communication to

Play Protect detections

During my analysis I saw the Play Protect warning for indicating that there is protection for this threat:

Based on my observation here is the detection for the malicious/suspicious apps I observed for Gretel, I will update this list as I see more threats on this device:
  • - Detected by Google Play Protect
  • com.ibingo.launcher3 - Undetected by Google Play Protect

Similar concerns by users

A number of users have concerns about presence of malicious applications on Gretel devices. Developers have also come up with alternate ROMs for Gretel devices which shows that this device has a good user base.

Koodous Rulesets
  • Rule 1 - For
  • Rule 2 - For com.ibingo.launcher3

Apk samples
Indicators of Compromise
  • Package
  • MD5: 8a8a2f1c13d0d57186bc343af96abe87

  • Package name: com.ibingo.launcher3
  • Md5: 7dda8481973cec79416c9aa94d2176bc

  • Package name: com.iwtiger.plugin.activity17
  • Md5: f8d4659099100539da581c5bf6bacf26