Infinix Sending Data To China Suspected Backdoor Found in Analysis


There is no doubt that Infinix phones are doing well in the market because of their low prices, but when it comes to security and privacy these Chinese phones fare worse than other handsets. This analysis was performed on a non-rooted Infinix Hot 4 bought from daraz.pk. Multiple reports and allegations against Infinix prompted me to analyse one of its smartphones.

Recently we have seen a number of reports claiming that Infinix smartphones secretly send private information to Chinese servers. Some dismissed this as a rumour, a false-flag campaign to defame the brand; others said it was true. Today we have found out that it is in fact true.

I accept that some apps collect information about the device, but they do so in a secure way, i.e. in encrypted form and under stated terms and conditions. The worst thing I noticed here is that the Infinix phone was sending data unencrypted, over plain HTTP, to a third-party server whose security Infinix has no control over. If that server were compromised, the private information of millions of smartphones could be breached.

A newly bought Infinix smartphone comes with pre-installed apps, also known as bloatware. Infinix lets you uninstall some of them but not others. That is what put Infinix on the radar and prompted this analysis. The suspected apps are listed below.

1- BabelFont
2- Fonts Manager (system application)

Both apps are related to fonts. One is Babel Fonts, which is indeed available on the Play Store; the other is Fonts Manager, a default system application. Babel Font cannot be removed or uninstalled because of the restriction.

What is the purpose of Babel Font?
The app is developed by a Chinese firm, "Shanghai iekie information technology Co,Ltd", and is used to change the fonts on your smartphone.
Why is it pre-installed?
One possible reason is an application-marketing arrangement between the two companies.

How is it vulnerable?
If you are an Android developer you will know that an application that needs to perform certain tasks must declare the corresponding permissions, and the user must grant them before the app can use them. Let's have a look at the permissions of Babel Font.



This app has access to:
Device & app history
Allows the app to view one or more of: information about activity on the device, which apps are running, browsing history and bookmarks
Identity
Uses one or more of: accounts on the device, profile data
Location
Uses the device's location
Photos/Media/Files
Uses one or more of: files on the device such as images, videos, or audio, the device's external storage
Wi-Fi connection information
Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and names of connected Wi-Fi devices
Device ID & call information
Allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call
Other
  • download files without notification
  • close other apps
  • receive data from Internet
So the question arises: why does a simple font-changing app require such permissions? We have seen many other font-changing apps that do not require permissions of this kind. Also, why is the user not given the right to uninstall it? Why is a font app given permission to download files without notification, close other apps and receive data from the Internet?
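A check a practitioner would run before trusting the Play Store summary above: pull the package record from the device with `adb shell dumpsys package com.mephone.fonts` (no root required) and compare what is requested and granted against what a font app plausibly needs. The Python below is an added example, not code from the post or from the apps involved. Its sample dump is constructed and patterned after Android 6 `dumpsys package` output (the codePath, userId and grant states are invented; the permission names are the ones behind the Play Store groups listed above), and the FONT_APP_BASELINE set is this reviewer's assumption about what a font manager needs.

```python
import re

# Constructed sample, patterned after `adb shell dumpsys package <pkg>` on Android 6.
# codePath, userId and grant states are invented for illustration; the permission
# names correspond to the Play Store permission groups quoted in the post.
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.mephone.fonts] (1a2b3c4):
    userId=10073
    codePath=/system/app/BabelFont
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    versionName=10.5.2.2.0
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.GET_TASKS
      android.permission.GET_ACCOUNTS
      android.permission.READ_PHONE_STATE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
      android.permission.KILL_BACKGROUND_PROCESSES
      com.google.android.c2dm.permission.RECEIVE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.GET_TASKS: granted=true
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: granted=true
      android.permission.KILL_BACKGROUND_PROCESSES: granted=true
      com.google.android.c2dm.permission.RECEIVE: granted=true
    User 0:  installed=true hidden=false stopped=false enabled=0
      runtime permissions:
        android.permission.GET_ACCOUNTS: granted=true
        android.permission.READ_PHONE_STATE: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=false
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true
"""

# Reviewer's assumption (not from the post): what a font-changing app plausibly needs.
# Anything held beyond this deserves the question the post asks.
FONT_APP_BASELINE = {
    "android.permission.INTERNET",                # fetch font packs
    "android.permission.WRITE_EXTERNAL_STORAGE",  # store them
}


def parse_package(dump, package):
    """Extract flags, requested permissions and grant states for one package."""
    start = re.search(rf"^\s*Package \[{re.escape(package)}\]", dump, re.M)
    if not start:
        raise ValueError(f"{package} not found in dump")
    rest = dump[start.end():]
    nxt = re.search(r"^\s*Package \[", rest, re.M)   # block ends at the next package
    block = rest[: nxt.start()] if nxt else rest

    flags_match = re.search(r"flags=\[([^\]]*)\]", block)
    flags = set(flags_match.group(1).split()) if flags_match else set()

    requested, granted, section = set(), {}, None
    for line in block.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):      # "requested"/"install"/"runtime permissions:"
            section = stripped
            continue
        m = re.match(r"([\w.]+)(?:: granted=(true|false))?", stripped)
        if not (m and "." in m.group(1) and section):
            section = None                         # a non-permission line ends the list
            continue
        if section == "requested permissions:":
            requested.add(m.group(1))
        elif m.group(2) is not None:
            granted[m.group(1)] = m.group(2) == "true"
    return {"flags": flags, "requested": requested, "granted": granted}


def review(dump, package, baseline=FONT_APP_BASELINE):
    """Summarise removability and the permissions held beyond the baseline."""
    info = parse_package(dump, package)
    # A permission counts as held if granted at install time or at runtime.
    held = {p for p in info["requested"] if info["granted"].get(p)}
    return {
        "user_removable": "SYSTEM" not in info["flags"],
        "held_beyond_baseline": sorted(held - baseline),
        "requested_not_granted": sorted(info["requested"] - held),
    }


if __name__ == "__main__":
    for key, value in review(DUMPSYS_SAMPLE, "com.mephone.fonts").items():
        print(f"{key}: {value}")
```

Against a real phone, save `adb shell dumpsys package com.mephone.fonts` to a file and pass its contents to `review()`; the output format differs slightly between Android versions, so check the three `permissions:` headings are present. A SYSTEM flag is what makes the app non-uninstallable without root; `adb shell pm disable-user com.mephone.fonts` can still disable it.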

Let's have a look at the packet analysis of BabelFonts > Fonts Manager.

I started capturing traffic while keeping the phone idle. Once the phone had gone idle, Fonts Manager began sending suspicious requests to a Chinese server. After five minutes of capturing network packets I was able to figure out the app's behaviour. Let's have a look at the packets sniffed from the device.






Now look at the captured packets shown in the screenshots: while the smartphone is idle, Fonts Manager is sending the phone's information to a suspected Chinese server. The information Fonts Manager was caught sending is given below.

GET /rest/api3.do?t=1480159338&data={"c1":"Infinix HOT 4","c2":"umeng","c0":"Infinix","device_global_id":"utdid_error","app_version":"10.5.2.2.0","c6":"3c10ae4918f05567","c4":"02:00:00:00:00:00","sdk_version":20160215,"new_device":"true","c5":"0177810690204116","package_name":"com.mephone.fonts","c3":"umeng"}&v=4.0&sign=30dd562cfb907706b583dcca5f546971&imei=*****&appKey=umeng:56e28e8be0f*********&api=mtop.push.device.createAndRegister&imsi=umeng&ttid=android@umeng HTTP/1.1
Host: api.m.taobao.com
Connection: Keep-Alive
User-Agent: Agoo-sdk-2.0
Accept-Encoding: gzip

Now look at what is being sent from the Infinix phone: the brand and model, the package name (com.mephone.fonts), several device identifiers (the IMEI is redacted here), the app version and a timestamp, all over plain HTTP. The host, api.m.taobao.com, is the mobile API endpoint of Alibaba's Taobao, and the User-Agent Agoo-sdk-2.0 identifies Alibaba's Agoo push SDK; the api parameter, mtop.push.device.createAndRegister, registers the device for push messages. This information is enough to identify an individual Infinix device, and because it crosses the network unencrypted it can be read by anyone on the path, not only by the server that receives it. Once a specific device can be singled out it becomes a target, and its exposure then depends entirely on the security of a server that Infinix does not control.
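To turn the capture into something a reviewer can act on, here is an added Python example, not code from the post or from the apps involved, that parses the request above and lists which fields look like device identifiers. The REQUEST text is reconstructed from the capture exactly as the post printed it, with its redactions kept (the page had flattened the header lines onto one line). The note that 02:00:00:00:00:00 is the placeholder MAC that Android 6 and later return to apps, and the size-based rules that flag identifier-looking values, are this reviewer's own and not the post's; the c4/c5/c6 keys are opaque SDK field names and are labelled by what their values look like, not by what the SDK means by them.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Reconstructed from the capture quoted in the post; redacted values (*****) are kept
# as printed. The capture tool had already URL-decoded the query (hence raw JSON and
# spaces in the target); on the wire these are percent-encoded, which unquote() handles.
REQUEST = (
    'GET /rest/api3.do?t=1480159338&data={"c1":"Infinix HOT 4","c2":"umeng",'
    '"c0":"Infinix","device_global_id":"utdid_error","app_version":"10.5.2.2.0",'
    '"c6":"3c10ae4918f05567","c4":"02:00:00:00:00:00","sdk_version":20160215,'
    '"new_device":"true","c5":"0177810690204116","package_name":"com.mephone.fonts",'
    '"c3":"umeng"}&v=4.0&sign=30dd562cfb907706b583dcca5f546971&imei=*****'
    '&appKey=umeng:56e28e8be0f*********&api=mtop.push.device.createAndRegister'
    '&imsi=umeng&ttid=android@umeng HTTP/1.1\r\n'
    'Host: api.m.taobao.com\r\n'
    'Connection: Keep-Alive\r\n'
    'User-Agent: Agoo-sdk-2.0\r\n'
    'Accept-Encoding: gzip\r\n'
    '\r\n'
)

# Android 6.0 and later hand this constant to apps that ask for the Wi-Fi MAC address.
MAC_PLACEHOLDER = "02:00:00:00:00:00"


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query parameters and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, rest = request_line.split(" ", 1)
    target, _, version = rest.rpartition(" ")   # a decoded target may itself contain spaces
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")     # split on the first '=' only
        params[key] = unquote(value)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "params": params, "headers": headers}


def classify(value):
    """Label a value that looks like a persistent device identifier; None otherwise."""
    if not isinstance(value, str):
        return None
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", value):
        if value == MAC_PLACEHOLDER:
            return "Wi-Fi MAC (Android placeholder, real MAC withheld)"
        return "Wi-Fi MAC"
    if re.fullmatch(r"[0-9]{14,16}", value):    # before the hex rule: digits are hex too
        return "numeric identifier (IMEI/IMSI/serial-sized)"
    if re.fullmatch(r"[0-9a-f]{16}", value):
        return "16-hex-char identifier (android_id-sized)"
    if "*" in value:
        return "redacted by the post"
    return None


def find_identifiers(req):
    """Return {field: (value, label)} for identifier-like values in the query and in data."""
    params = req["params"]
    data = json.loads(params.get("data", "{}"))
    found = {}
    for source, fields in (("query", params), ("data", data)):
        for key, value in fields.items():
            if key == "data":
                continue                        # the JSON blob is walked separately
            label = classify(value)
            if label:
                found[f"{source}.{key}"] = (value, label)
    return found


def summarize(raw):
    """What an observer on the wire learns: who sent it, to whom, when, and which IDs."""
    req = parse_request(raw)
    data = json.loads(req["params"]["data"])
    sent_at = datetime.fromtimestamp(int(req["params"]["t"]), tz=timezone.utc)
    return {
        "host": req["headers"].get("host"),
        "user_agent": req["headers"].get("user-agent"),
        "api": req["params"].get("api"),
        "package": data.get("package_name"),
        "brand": data.get("c0"),
        "model": data.get("c1"),
        "sent_at_utc": sent_at.isoformat(),
        "identifiers": find_identifiers(req),
    }


if __name__ == "__main__":
    summary = summarize(REQUEST)
    for key, value in summary.items():
        if key != "identifiers":
            print(f"{key}: {value}")
    for field, (value, label) in sorted(summary["identifiers"].items()):
        print(f"  {field} = {value}  [{label}]")
```

The same parser works on any request text exported from a capture (Wireshark "follow TCP stream", a tcpdump -A dump, or a mitmproxy flow), so it can be pointed at the other requests the phone makes while idle. That the request parses at all is the finding: it crossed the network as readable HTTP, so the identifiers were visible to every hop, not only to the receiving server.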

It is not only that information is being sent to a server; the worse part is that it is sent in cleartext to a server Infinix does not control, which leaves millions of Infinix devices exposed. Anyone on the network path can read the identifiers, and if that server were compromised, an attacker could answer the app's requests with content of their choosing, to an app that holds permission to download files without notification.

There are many questions, such as: why is the Babel Font application included as bloatware? Why is the user not given the right to uninstall it? If it was included to market an app, why did Infinix allow such a third-party app without auditing its security?

Indeed, the first step in any cyber attack is to define a victim, and this information is enough to trace out a user. The bloatware also has wide permissions over your Infinix smartphone: it is able to download files without notifying you, and, as the permission list shows, it can also read your accounts, location, files, Wi-Fi details and call information.





Visitors must follow the terms and conditions. The content on this page is the property of Security Fuse and is provided only for peaceful and educational purposes, based on research and publication. Security Fuse is not responsible for any act by viewers after reading content from *.securityfuse.com. Republication or fabrication without our permission or without giving credit is not allowed.

About Ahmed Mehtab

Ahmed Mehtab is a white-hat cyber security researcher, speaker, trainer and blogger at Security Fuse. He loves to research cyber security issues, cyber crime and hacktivism. Quote: "Being a hacker without having knowledge of programming is just like a knife without sharpness" ~ Ahmed Mehtab
