Tuesday, March 10, 2015

XiaoMi phone - Analysis Part 2 - Bluebox Security Labs with Mi 4

Referring to the recent blog post by Bluebox Security Labs (https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk): they report that a Xiaomi device was shipped with pre-installed malware and a suspicious backdoor. They also observed that the MIUI ROM is a modified Android release whose build properties (e.g. the build version and the corresponding API level) conflict with the original Google Android release. Their research and analysis was done on a Mi 4 device.

Well, simply out of curiosity, I took a quick look at a brand new XiaoMi Note 4G LTE (Singapore version) with MIUI KHIMIBH21.0. Let's go through what was discovered by Bluebox Security Labs:

Bluebox # 1 - Pre-Installed Malware
"One particularly nefarious app was Yt Service. Yt Service embeds an adware service called DarthPusher that delivers ads to the device among other things[2]. This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google).

Other risky apps of note included PhoneGuardService (com.egame.tonyCore.feicheng) classified as a Trojan, AppStats classified (org.zxl.appstats) as riskware and SMSreg classified as malware."

Observation:
I wish I could find those packages for further analysis. However, I have not seen any installation of these reported packages on the device, e.g. Yt Service (com.google.hfapservice), PhoneGuardService (com.egame.tonyCore.feicheng) or AppStats (org.zxl.appstats).

gento@local:~$ adb shell 'pm list packages -f'
open: Permission denied
open: Permission denied
package:/system/app/fastdormancy.apk=com.qualcomm.fastdormancy
package:/data/app/partner-Swiftkey.apk=com.touchtype.swiftkey.xiaomi
package:/system/priv-app/MiuiGallery.apk=com.miui.gallery
package:/system/app/TimeService.apk=com.qualcomm.timeservice
package:/system/priv-app/DefaultContainerService.apk=com.android.defcontainer
package:/system/app/PartnerBookmarksProvider.apk=com.android.providers.partnerbookmarks
package:/system/priv-app/Contacts.apk=com.android.contacts
package:/system/priv-app/Phone.apk=com.android.phone
package:/system/app/Calculator.apk=com.android.calculator2
package:/system/priv-app/Music.apk=com.miui.player
package:/system/app/HTMLViewer.apk=com.android.htmlviewer
package:/system/app/MiAssistant.apk=com.xiaomi.mitunes
package:/system/app/GuardProvider.apk=com.miui.guardprovider
package:/system/app/CellBroadcastReceiver.apk=com.android.cellbroadcastreceiver
package:/system/priv-app/GoogleLoginService.apk=com.google.android.gsf.login
package:/system/app/CalendarProvider.apk=com.android.providers.calendar
package:/system/app/Bluetooth.apk=com.android.bluetooth
package:/system/app/TrafficControl.apk=com.trafficctr.miui
package:/system/app/GsmTuneAway.apk=com.qualcomm.gsmtuneaway
package:/data/app/partner-mOffice.apk=cn.wps.moffice_eng
package:/system/priv-app/YellowPage.apk=com.miui.yellowpage
package:/system/priv-app/Calendar.apk=com.android.calendar
package:/data/app/Browser.apk=com.android.browser
package:/system/app/MiLinkService.apk=com.milink.service
package:/system/app/AntHalService.apk=com.dsi.ant.server
package:/system/priv-app/Backup.apk=com.miui.backup
package:/system/app/ims.apk=org.codeaurora.ims
package:/system/app/AntiSpam.apk=com.miui.antispam
package:/system/app/CloudService.apk=com.miui.cloudservice
package:/system/app/Notes.apk=com.miui.notes
package:/system/app/DM.apk=com.xiaomi.dm
package:/system/app/DownloadProviderUi.apk=com.android.providers.downloads.ui
package:/system/app/DocumentsUI.apk=com.android.documentsui
package:/system/framework/framework-miui-res.apk=miui
package:/system/priv-app/SharedStorageBackup.apk=com.android.sharedstoragebackup
package:/system/app/WeatherProvider.apk=com.miui.providers.weather
package:/system/priv-app/VpnDialogs.apk=com.android.vpndialogs
package:/system/priv-app/Mms.apk=com.android.mms
package:/system/app/Provision.apk=com.android.provision
package:/system/priv-app/MediaProvider.apk=com.android.providers.media
package:/system/app/KingSoftCleaner.apk=com.cleanmaster.sdk
package:/system/app/CertInstaller.apk=com.android.certinstaller
package:/system/app/Cit.apk=com.miui.cit
package:/system/app/ThemeManager.apk=com.android.thememanager
package:/system/app/MiuiCompass.apk=com.miui.compass
package:/system/priv-app/GmsCore.apk=com.google.android.gms
package:/system/app/PhotoTable.apk=com.android.dreams.phototable
package:/data/app/SetupWizard.apk=com.google.android.setupwizard
package:/system/app/Updater.apk=com.android.updater
package:/system/priv-app/Settings.apk=com.android.settings
package:/system/app/LBESEC_MIUI.apk=com.lbe.security.miui
package:/system/app/FileExplorer.apk=com.android.fileexplorer
package:/data/app/Street.apk=com.google.android.street
package:/data/app/partner-Facebook.apk=com.facebook.katana
package:/data/app/Velvet.apk=com.google.android.googlequicksearchbox
package:/system/app/UserbookProvider.apk=com.miui.providers.userbook
package:/data/app/Music2.apk=com.google.android.music
package:/system/app/VisualizationWallpapers.apk=com.android.musicvis
package:/system/app/InterfacePermissions.apk=com.qualcomm.interfacepermissions
package:/system/app/NetworkAssistant2.apk=com.miui.networkassistant
package:/system/app/LiveWallpapersPicker.apk=com.android.wallpaper.livepicker
package:/data/app/GoogleBackupTransport.apk=com.google.android.backuptransport
package:/system/app/PackageInstaller.apk=com.android.packageinstaller
package:/system/app/LatinImeGoogle.apk=com.google.android.inputmethod.latin
package:/system/app/TelephonyProvider.apk=com.android.providers.telephony
package:/system/priv-app/MiuiHome.apk=com.miui.home
package:/system/app/PicoTts.apk=com.svox.pico
package:/system/app/NoiseField.apk=com.android.noisefield
package:/system/app/NetworkAssistant.apk=com.wali.miui.networkassistant
package:/system/app/Email.apk=com.android.email
package:/data/app/Maps.apk=com.google.android.apps.maps
package:/system/priv-app/WallpaperCropper.apk=com.android.wallpapercropper
package:/system/priv-app/FusedLocation.apk=com.android.location.fused
package:/system/priv-app/BackupRestoreConfirmation.apk=com.android.backupconfirm
package:/system/app/MagicSmokeWallpapers.apk=com.android.magicsmoke
package:/system/priv-app/SettingsProvider.apk=com.android.providers.settings
package:/system/app/com.qualcomm.services.location.apk=com.qualcomm.services.location
package:/data/app/Drive.apk=com.google.android.apps.docs
package:/system/app/qcrilmsgtunnel.apk=com.qualcomm.qcrilmsgtunnel
package:/system/priv-app/DownloadProvider.apk=com.android.providers.downloads
package:/data/app/BrowserProviderProxy.apk=com.android.browser.provider
package:/system/app/FM.apk=com.miui.fmradio
package:/system/priv-app/MusicFX.apk=com.android.musicfx
package:/data/app/Books.apk=com.google.android.apps.books
package:/system/app/PhaseBeam.apk=com.android.phasebeam
package:/system/app/SoundRecorder.apk=com.android.soundrecorder
package:/data/app/Videos.apk=com.google.android.videos
package:/data/app/ota-partner-GooglePinyin.apk=com.google.android.inputmethod.pinyin
package:/data/app/GoogleOneTimeInitializer.apk=com.google.android.onetimeinitializer
package:/data/app/GooglePartnerSetup.apk=com.google.android.partnersetup
package:/system/priv-app/ProxyHandler.apk=com.android.proxyhandler
package:/system/app/SVIService.apk=com.qualcomm.svi
package:/system/priv-app/BarcodeScanner.apk=com.miui.barcodescanner
package:/system/priv-app/InputDevices.apk=com.android.inputdevices
package:/system/app/HoloSpiralWallpaper.apk=com.android.wallpaper.holospiral
package:/system/app/BugReport.apk=com.miui.bugreport
package:/data/app/GoogleFeedback.apk=com.google.android.feedback
package:/data/app/Hangouts.apk=com.google.android.talk
package:/system/app/MiWallpaper.apk=com.miui.miwallpaper
package:/system/app/Stk.apk=com.android.stk
package:/system/app/shutdownlistener.apk=com.qualcomm.shutdownlistner
package:/system/app/MiuiVideoPlayer.apk=com.miui.videoplayer
package:/system/app/UserDictionaryProvider.apk=com.android.providers.userdictionary
package:/data/app/ConfigUpdater.apk=com.google.android.configupdater
package:/system/app/PacProcessor.apk=com.android.pacprocessor
package:/system/app/Galaxy4.apk=com.android.galaxy4
package:/system/app/Weather.apk=com.miui.weather2
package:/system/app/PrintSpooler.apk=com.android.printspooler
package:/data/app/GoogleCalendarSyncAdapter.apk=com.google.android.syncadapters.calendar
package:/system/framework/framework-res.apk=android
package:/system/app/ContactsProvider.apk=com.android.providers.contacts
package:/system/app/com.qualcomm.location.apk=com.qualcomm.location
package:/system/app/Protips.apk=com.android.protips
package:/system/priv-app/ExternalStorageProvider.apk=com.android.externalstorage
package:/system/app/WfdService.apk=com.qualcomm.wfd.service
package:/system/app/ApplicationsProvider.apk=com.android.providers.applications
package:/system/app/BasicDreams.apk=com.android.dreams.basic
package:/data/app/PlusOne.apk=com.google.android.apps.plus
package:/data/app/Phonesky.apk=com.android.vending
package:/data/app/PlayGames.apk=com.google.android.play.games
package:/system/app/DataHubProvider.apk=com.miui.providers.datahub
package:/system/priv-app/MiuiSystemUI.apk=com.android.systemui
package:/system/app/NetworkSetting.apk=com.qualcomm.networksetting
package:/system/app/KeyChain.apk=com.android.keychain
package:/data/app/Gmail2.apk=com.google.android.gm
package:/system/app/WAPPushManager.apk=com.android.smspush
package:/system/app/QComQMIPermissions.apk=com.qualcomm.qcom_qmi
package:/system/app/Userbook.apk=com.miui.userbook
package:/system/app/LiveWallpapers.apk=com.android.wallpaper
package:/system/priv-app/Camera.apk=com.android.camera
package:/data/app/YouTube.apk=com.google.android.youtube
package:/data/app/Magazines.apk=com.google.android.apps.magazines
package:/system/app/CABLService.apk=com.qualcomm.cabl
package:/system/app/DeskClock.apk=com.android.deskclock
package:/system/priv-app/GoogleServicesFramework.apk=com.google.android.gsf
package:/system/priv-app/MiuiKeyguard.apk=com.android.keyguard
package:/data/app/Chrome.apk=com.android.chrome
package:/system/app/matcli.apk=com.qcom.matcli
package:/system/app/xtra_t_app.apk=com.qualcomm.location.XT
package:/system/priv-app/Shell.apk=com.android.shell
package:/system/app/XiaomiServiceFramework.apk=com.xiaomi.xmsf
package:/system/app/GoogleContactsSyncAdapter.apk=com.google.android.syncadapters.contacts
gento@local:~$ adb shell 'pm list packages -f' | grep hfap
gento@local:~$ adb shell 'pm list packages -f' | grep hfapservice
gento@local:~$
gento@local:~$ adb shell 'pm list packages -f' | grep egame
gento@local:~$ adb shell 'pm list packages -f' | grep cheng
gento@local:~$ adb shell 'pm list packages -f' | grep appstats
gento@local:~$ adb shell 'pm list packages -f' | grep zx
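The greps above search the package listing by substring, one indicator at a time. The script below is an added example (not part of the original post and not a Bluebox tool) that parses a saved `pm list packages -f` dump, matches it against the package names quoted from the Bluebox post, keeps a grep-style substring search for renamed variants, and counts packages per install directory. The sample listing is constructed: a few lines copied from the dump above plus one invented entry (`/data/app/YtService.apk`, `com.google.hfapservice`) so the matcher has something to report; lines that are not `package:<path>=<name>` (such as the `open: Permission denied` messages) are ignored.

```python
"""Check an `adb shell pm list packages -f` dump against the package names Bluebox reported."""
import re
import sys
from collections import Counter
from typing import Dict, List, Tuple

# Package names quoted from the Bluebox post. com.lbe.security.miui.su is the su security
# provider Bluebox mentioned; it is listed so its presence is reported as well.
BLUEBOX_PACKAGES = {
    "com.google.hfapservice": "Yt Service (DarthPusher adware; not a Google package)",
    "com.egame.tonyCore.feicheng": "PhoneGuardService (classified as Trojan)",
    "org.zxl.appstats": "AppStats (classified as riskware)",
    "com.lbe.security.miui.su": "su security provider named in the Bluebox post",
}

# Constructed sample input: a handful of lines from the listing on the page, plus one made-up
# entry (YtService.apk / com.google.hfapservice) so the matcher has a hit to report.
SAMPLE_LISTING = """\
open: Permission denied
package:/system/app/fastdormancy.apk=com.qualcomm.fastdormancy
package:/data/app/partner-Swiftkey.apk=com.touchtype.swiftkey.xiaomi
package:/system/priv-app/MiuiGallery.apk=com.miui.gallery
package:/system/app/LBESEC_MIUI.apk=com.lbe.security.miui
package:/data/app/YtService.apk=com.google.hfapservice
package:/system/app/GuardProvider.apk=com.miui.guardprovider
"""

LINE_RE = re.compile(r"^package:(?P<path>/.+?\.apk)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map package name -> APK path. Lines that are not `package:<path>=<name>` (e.g. the
    'open: Permission denied' messages printed for the shell user) are ignored."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def find_reported(packages: Dict[str, str],
                  indicators: Dict[str, str] = BLUEBOX_PACKAGES) -> List[Tuple[str, str, str]]:
    """Exact package-name matches against the indicator list: (package, apk path, description)."""
    return [(pkg, path, indicators[pkg]) for pkg, path in packages.items() if pkg in indicators]


def grep_like(packages: Dict[str, str], needle: str) -> List[str]:
    """Case-insensitive substring search over package names, the same thing the
    `pm list packages -f | grep ...` commands do; catches renamed variants."""
    needle = needle.lower()
    return sorted(pkg for pkg in packages if needle in pkg.lower())


def by_location(packages: Dict[str, str]) -> Counter:
    """Count packages per install directory. /system/priv-app entries are the ones eligible
    for privileged (signatureOrSystem) permissions, so a reported package there matters most."""
    return Counter(path.rsplit("/", 1)[0] for path in packages.values())


if __name__ == "__main__":
    # Usage: adb shell 'pm list packages -f' > packages.txt; python check_packages.py packages.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    pkgs = parse_listing(text)
    print(f"{len(pkgs)} packages parsed; by location: {dict(by_location(pkgs))}")
    for pkg, path, why in find_reported(pkgs):
        print(f"REPORTED  {pkg:40} {path}  ({why})")
    for needle in ("hfap", "egame", "feicheng", "appstats", "zxl"):
        for pkg in grep_like(pkgs, needle):
            print(f"substring {needle!r} -> {pkg}")
```

An exact-name miss is not proof of absence: a repackaged variant can carry any package name, so the substring search and the per-directory counts are there to show where to look next (for example, anything unexpected under /system/priv-app, which no user-installed app ends up in).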


Bluebox # 2 - Device comes 'root'
"Additionally, we noticed that the device comes rooted. The “su” application does require a security provider to be used on the device (com.lbe.security.miui.su), so the usage of “su” is restricted in some sense, however it shouldn't exist in a production released build of Android, as it’s a gateway for apps that can access it to do potentially bad things."

Observation:
No luck for me. I guess I need to root it by myself later.

gento@local:~$ adb shell
shell@dior:/ $ su -
/system/bin/sh: su: not found
127|shell@dior:/ $ su
/system/bin/sh: su: not found

Bluebox # 3 - Conflicting build properties
"we found several conflicts with the API level corresponding to Android 4.2 and whether or not the device is signed with test-keys or release-keys. This means it’s unclear if this build of the software was meant for testing or release to consumers."

Observation:
shell@dior:/ $ cat /system/build.prop
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=KVT49L
ro.build.display.id=KVT49L
ro.build.version.incremental=KHIMIBH21.0
ro.build.version.sdk=19
ro.build.version.codename=REL
ro.build.version.release=4.4.2
ro.build.date=Tue Nov  4 11:26:53 CST 2014
ro.build.date.utc=1415071613
ro.build.type=user
ro.build.user=builder
ro.build.host=zc-miui-ota-bd34
ro.build.tags=release-keys
ro.product.model=HM NOTE 1LTE
ro.product.brand=Xiaomi
ro.product.name=dior
ro.product.device=dior
ro.product.mod_device=dior_global
ro.product.board=MSM8226
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product.manufacturer=Xiaomi
ro.product.locale.language=zh
ro.product.locale.region=CN
ro.wifi.channels=
ro.board.platform=msm8226
# ro.build.product is obsolete; use ro.product.device
ro.build.product=dior
# Do not try to parse ro.build.description or .fingerprint
ro.build.description=dior-user 4.4.2 KVT49L KHIMIBH21.0 release-keys
ro.build.fingerprint=Xiaomi/dior/dior:4.4.2/KVT49L/KHIMIBH21.0:user/release-keys
ro.build.characteristics=default
# end build properties
#
# from device/xiaomi/dior/system.prop
#
#
# system.prop for dior
#

# Use reference RIL for initial bringup
#rild.libpath=/system/lib/libreference-ril.so
rild.libpath=/vendor/lib/libril-qc-qmi-1.so
rild.libargs=-d /dev/smd0
persist.rild.nitz_plmn=
persist.rild.nitz_long_ons_0=
persist.rild.nitz_long_ons_1=
persist.rild.nitz_long_ons_2=
persist.rild.nitz_long_ons_3=
persist.rild.nitz_short_ons_0=
persist.rild.nitz_short_ons_1=
persist.rild.nitz_short_ons_2=
persist.rild.nitz_short_ons_3=
persist.sys.ssr.restart_level=3
persist.radio.ramdump_sdcard=1
ril.subscription.types=RUIM
DEVICE_PROVISIONED=1
persist.radio.msgtunnel.start=false
# Start in LTE/GSM/WCDMA/TDSCDMA mode
# ro.telephony.default_network=20

#
# system props for the cne module
#
persist.cne.feature=1


# Skip /sys/power/wait_for_fb_* nodes and
# force FB to be always on
debug.sf.fb_always_on=1

debug.sf.hw=1
debug.egl.hw=1
debug.composition.type=c2d
persist.hwc.mdpcomp.enable=true
debug.mdpcomp.logs=0
dalvik.vm.heapsize=36m
dev.pm.dyn_samplingrate=1

persist.demo.hdmirotationlock=false
ro.hdmi.enable=true
qcom.hw.aac.encoder=true

#system props for the MM modules

media.stagefright.enable-player=true
media.stagefright.enable-http=true
media.stagefright.enable-aac=true
media.stagefright.enable-qcp=true
media.stagefright.enable-fma2dp=true
media.stagefright.enable-scan=true
mmp.enable.3g2=true
mm.enable.smoothstreaming=true
#9273 is decimal sum of supported codecs in AAL
#codecs:(PARSER_)AVI AC3 ASF AAC QCP DTS 3G2 MP2TS
mm.enable.qcom_parser=37491

# VIDC: debug_levels
# 1:ERROR 2:HIGH 4:LOW 0:NOlogs 7:AllLogs
vidc.debug.level=1
#
# system props for the data modules
#
ro.use_data_netmgrd=true
persist.data.netmgrd.qos.enable=true

#system props for time-services
persist.timed.enable=true

#
# system prop for opengles version
#
# 196608 is decimal for 0x30000 to report version 3
ro.opengles.version=196608

#
# System props for telephony
# System prop to turn on CdmaLTEPhone always
# telephony.lteOnCdmaDevice=1

#System property to turn on hfp client
bluetooth.hfp.client=1

# simulate sdcard on /data/media
#
persist.fuse_sdcard=true

#
#snapdragon value add features
#
ro.qc.sdk.audio.ssr=false
##fluencetype can be "fluence" or "fluencepro" or "none"
ro.qc.sdk.audio.fluencetype=fluence
persist.audio.fluence.voicecall=true
persist.audio.fluence.voicerec=true
persist.audio.fluence.speaker=false

# System props for charger
persist.usb.hvdcp.detect=true

# Enable/disable cabl
ro.qualcomm.cabl=1

# system prop for NFC DT
ro.nfc.port=I2C

#property to enable user to access Google WFD settings
persist.debug.wfd.enable=1
##property to choose between virtual/external wfd display
persist.sys.wfd.virtual=0
tunnel.audio.encode = false

#use VERY_HIGH_QUALITY for audio resampler
af.resampler.quality=4

#Buffer size in kbytes for compress offload playback
audio.offload.buffer.size.kb=32

#Enable offload audio video playback by default
av.offload.enable=true

#enable voice path for PCM VoIP by default
use.voice.path.for.pcm.voip=true

#enable dsp gapless mode by default
audio.offload.gapless.enabled=true

#disable audio offload mode
audio.offload.disable=1
audio.offload.pcm.enable=false

# disable strictmode
persist.sys.strictmode.disable=true

# button jack mode & switch
persist.sys.button_jack_profile=volume
persist.sys.button_jack_switch=0

# media button for headset hook
persist.sys.button_headset_hook=media

# enable auto-brightness adjustment
persist.power.useautobrightadj=true

#property to set minimum frequency as 787Mhz by default
ro.min_freq=787000

#
# ADDITIONAL_BUILD_PROPERTIES
#
ro.product.locale.language=en
ro.product.locale.region=GB
ro.miui.ui.version.code=3
ro.miui.ui.version.name=V5
keyguard.no_require_sim=true
ro.com.android.dataroaming=false
ro.com.android.dateformat=MM-dd-yyyy
ro.config.elder-ringtone=Angel.mp3
ro.carrier=unknown
ro.vendor.extension_library=/vendor/lib/libqc-opt.so
persist.radio.apm_sim_not_pwdn=0
dalvik.vm.heapstartsize=8m
dalvik.vm.heapgrowthlimit=96m
dalvik.vm.heapsize=256m
dalvik.vm.heaptargetutilization=0.75
dalvik.vm.heapminfree=2m
dalvik.vm.heapmaxfree=8m
qcom.bt.dev_power_class=1
ro.btconfig.if=smd
ro.btconfig.dev=/dev/smd3
ro.btconfig.vendor=qcom
ro.btconfig.chip=WCN3680
ro.setupwizard.mode=OPTIONAL
ro.com.google.gmsversion=4.4_r4
drm.service.enabled=true
persist.sys.dalvik.vm.lib=libdvm.so
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
ro.qc.sdk.izat.premium_enabled=1
ro.qc.sdk.izat.service_mask=0x5
persist.gps.qc_nlp_in_use=1
persist.loc.nlp_name=com.qualcomm.services.location
ro.gps.agps_provider=1
ro.config.ringtone=MI.ogg
ro.config.notification_sound=FadeIn.ogg
ro.config.alarm_alert=GoodMorning.ogg
ro.config.sms_received_sound=FadeIn.ogg
ro.config.sms_delivered_sound=MessageComplete.ogg
ro.com.android.mobiledata=false
persist.sys.mitalk.enable=true

shell@dior:/ $ 
shell@dior:/ $ cat /system/build.prop | grep version                           
ro.build.version.incremental=KHIMIBH21.0
ro.build.version.sdk=19
ro.build.version.codename=REL
ro.build.version.release=4.4.2
# system prop for opengles version
# 196608 is decimal for 0x30000 to report version 3
ro.opengles.version=196608
ro.miui.ui.version.code=3
ro.miui.ui.version.name=V5
ro.com.google.gmsversion=4.4_r4

shell@dior:/ $ cat /system/build.prop | grep tags                              
ro.build.tags=release-keys

shell@dior:/ $ cat /system/build.prop | grep fingerprint                       
# Do not try to parse ro.build.description or .fingerprint
ro.build.fingerprint=Xiaomi/dior/dior:4.4.2/KVT49L/KHIMIBH21.0:user/release-keys
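The greps above pull out the version, tags and fingerprint lines by eye. The following script is an added example (not part of the original post) that automates the consistency checks behind Bluebox's third point: that the API level belongs to the stated release, that `ro.build.type` and `ro.build.tags` agree with what the fingerprint says, that a build is not tagged `test-keys`, and that no `ro.*` property is assigned twice (the dump above sets `ro.product.locale.language` to `zh` and later to `en`; init refuses to overwrite an existing `ro.*` property, so the first value is the effective one). `DIOR_BUILD_PROP` is an excerpt of the build.prop shown on this page; `SUSPECT_BUILD_PROP` is constructed, with placeholder names, to resemble the kind of conflict Bluebox described on the Mi 4, and is not taken from any real device.

```python
"""Consistency checks over /system/build.prop, covering the conflicts Bluebox described."""
import re
import sys
from typing import Dict, List, Tuple

# Platform release -> API level(s); Android 4.0 used both 14 and 15.
RELEASE_TO_SDK = {
    "4.0": (14, 15), "4.1": (16,), "4.2": (17,), "4.3": (18,),
    "4.4": (19,), "5.0": (21,), "5.1": (22,), "6.0": (23,),
}

# ro.build.fingerprint layout: brand/product/device:release/id/incremental:type/tags
FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^/:]+):"
    r"(?P<release>[^/]+)/(?P<id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<type>[^/]+)/(?P<tags>[^/]+)$"
)

# Excerpt of the build.prop dumped on this page (only the keys the checks read).
DIOR_BUILD_PROP = """\
ro.build.id=KVT49L
ro.build.version.incremental=KHIMIBH21.0
ro.build.version.sdk=19
ro.build.version.codename=REL
ro.build.version.release=4.4.2
ro.build.type=user
ro.build.tags=release-keys
ro.product.locale.language=zh
ro.product.locale.region=CN
# Do not try to parse ro.build.description or .fingerprint
ro.build.fingerprint=Xiaomi/dior/dior:4.4.2/KVT49L/KHIMIBH21.0:user/release-keys
ro.product.locale.language=en
ro.product.locale.region=GB
"""

# Constructed, placeholder-named build.prop with the kind of conflicts Bluebox reported:
# an API level that is not the 4.2 one, and test-keys in ro.build.tags vs release-keys in the fingerprint.
SUSPECT_BUILD_PROP = """\
ro.build.version.sdk=19
ro.build.version.release=4.2.1
ro.build.type=user
ro.build.tags=test-keys
ro.build.fingerprint=Example/example/example:4.2.1/EXAMPLE1/1.0:user/release-keys
"""


def parse_build_prop(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (props, duplicates). props keeps the first value per key, which is what init
    ends up with for ro.* keys; duplicates lists every key assigned more than once."""
    props: Dict[str, str] = {}
    seen: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        seen.setdefault(key, []).append(value)
        props.setdefault(key, value)
    return props, {k: v for k, v in seen.items() if len(v) > 1}


def check_build_prop(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the properties are self-consistent."""
    findings: List[Tuple[str, str]] = []
    props, duplicates = parse_build_prop(text)

    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(".".join(release.split(".")[:2]))
    if expected is None:
        findings.append(("unknown-release", f"no API level known for release {release!r}"))
    elif not sdk.isdigit() or int(sdk) not in expected:
        findings.append(("sdk-mismatch", f"release {release} implies API {expected}, build.prop says {sdk!r}"))

    fp = props.get("ro.build.fingerprint", "")
    m = FINGERPRINT_RE.match(fp)
    if not m:
        findings.append(("bad-fingerprint", f"fingerprint {fp!r} is not brand/product/device:release/id/incremental:type/tags"))
    else:
        for slot, key in (("release", "ro.build.version.release"), ("type", "ro.build.type"), ("tags", "ro.build.tags")):
            if m.group(slot) != props.get(key, ""):
                findings.append(("fingerprint-mismatch", f"fingerprint {slot}={m.group(slot)!r} but {key}={props.get(key, '')!r}"))

    if "test-keys" in (props.get("ro.build.tags", ""), m.group("tags") if m else ""):
        findings.append(("test-keys", "build is tagged test-keys (public AOSP test certificates), not a consumer release signature"))

    for key, values in duplicates.items():
        if key.startswith("ro."):
            findings.append(("duplicate-ro", f"{key} assigned {len(values)} times ({', '.join(values)}); init keeps the first, {values[0]!r}"))
    return findings


if __name__ == "__main__":
    # Usage: adb pull /system/build.prop; python check_build_prop.py build.prop
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DIOR_BUILD_PROP
    for code, message in check_build_prop(text) or [("ok", "no inconsistencies found")]:
        print(f"{code:20} {message}")
```

On the dump above this reports only the duplicated `ro.product.locale.*` keys; `adb shell getprop ro.product.locale.language` shows which of the two values the running system actually took. The file is only one side of the picture: the tags and type it declares can be checked against the certificate that really signed the system packages, but that needs the APKs themselves, not build.prop.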

Bluebox # 4 - Hidden directory on external storage which store tampered app
"As Bluebox Labs mentioned in the original findings there is a hidden directory on the sdcard called .apk. It is within this hidden directory that some APKs are sitting like CPU-Z and also a version of the AntiFake app. If a user tries to install an app on their phone that corresponds to one of these packages then the app on the sdcard replaces the real app the user attempts to install. This is one method the ROM is using to bypass the verification app."

Observation:
Again, no luck for me. No hidden directory.

shell@dior:/sdcard $ ls -al
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Alarms
drwxrwx--x root     sdcard_r          1970-01-02 07:40 Android
drwxrwx--- root     sdcard_r          1970-01-02 07:35 DCIM
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Download
drwxrwx--- root     sdcard_r          1970-01-02 07:40 MIUI
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Movies
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Music
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Notifications
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Pictures
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Podcasts
drwxrwx--- root     sdcard_r          1970-01-02 07:39 Ringtones
drwxrwx--- root     sdcard_r          1970-01-02 07:36 ramdump
shell@dior:/sdcard $ 

In response to the Bluebox Labs discovery, Xiaomi claimed that the tested device was counterfeit. No matter what, credit to Bluebox Labs for the findings. Cheers.

