Virus

Riskware/Blued!Android

Analysis

Riskware/Blued!Android is an Android application for the Chinese gay flirting social network, Blued. Unfortunately, at least some versions of this application are very poorly secured and publicly discloses user's name, GPS coordinates, height, weight, birthdate and city. User's login and password are also found, unsecured, on the device.
The samples we inspected are not malicious, but the information they leak may pose risks to end-users, thus classified a Riskware.


Technical Details


This riskware targets chinese male end-users and exposes their privacy.
The malware comes packaged as com.soft.blued. The main activity is .activity.WelcomeActivity.
Application updates:
Initially, the application checks for updates, and sends a HTTP request to Blued's servers with the current application version and device OS. As an example:
http://[CENSORED].cn/blued?platform=Android&platform_version=4.4.2&version=3.0.1&version_code=12

If the end-user accepts, an update is downloaded from:
http://[CENSORED]niudn.com/apk/blued_[LATEST VERSION].apk
The update is then silently installed on the device using DexClassLoader/openDexFile technique. This is risky because it bypasses Android's installation permission checks.
Account creation:
Then, to log in, the end-user must create an account if he hasn't got any. Login name is unique, so the application checks that the desired login name is available:
http://[CENSORED].cn/users/inspector?name=DESIREDLOGIN&email=EMAIL&task=check_exists
The end-user is also asked to enter personal information for the social network. Unfortunately, this information is sent in cleartext on the network, and hence readable by whoever may sniff on the network (see Figure 1).

Figure 1. Birthday, weight, height, email and login of user are sent in cleartext during account creation
The password (see Figure 1) is not sent in cleartext, but hashed by SHA1.
The end-user's account information are stored in a file named blued_sf.xml. Note the password (incorrect spelling psaaword) is stored in clear text:
    <string name="user_name">USER's EMAIL</string>
    <string name="login_time">1405692509</string>
    <int name="screen_wide" value="768" />
    <string name="psaaword">mypassword</string>

Logging in. The end-user then logs in the social network. At this step, the application sends a HTTP request which contains in clear text user's email and GPS coordinates (see Figure 2):
Figure 2. User logging into social network discloses his GPS coordinates in cleartext.
Note other information like application version or hashed password (SHA1) are also sent.
The malware installs the following files on the device:
  • ./angel/lxq/helper/HttpUploadHelper.html
  • ./angel/lxq/helper/HttpUploadHelper.txt
  • ./classes.dex
  • ./AndroidManifest.xml
  • ./assets/cfg/a/street.sty
  • ./assets/cfg/a/trafficstyle.sty
  • ./assets/cfg/a/mapstyle.sty
  • ./assets/cfg/a/ResPack_Street.cfg
  • ./assets/cfg/a/ResPack.cfg
  • ./assets/cfg/a/satellitestyle.sty
  • ./assets/cfg/l/DVStreet.cfg
  • ./assets/cfg/l/DVDirectory.cfg
  • ./assets/cfg/l/DVHotcity.cfg
  • ./assets/cfg/l/DVVersion.cfg
  • ./assets/cfg/h/DVStreet.cfg
  • ./assets/cfg/h/DVHotcity.cfg
  • ./assets/cfg/h/DVVersion.cfg
  • ./assets/cfg/h/DVDirectory.cfg
  • ./assets/logo_l.png
  • ./assets/frontia_plugin/plugin-deploy.key
  • ./assets/frontia_plugin/plugin-deploy.jar
  • ./assets/icon_scale.9.png
  • ./assets/place/iconphone.png
  • ./assets/place/star_gray.png
  • ./assets/place/arrow.png
  • ./assets/place/star_light.png
  • ./assets/VerDatset.dat
  • ./assets/CMRequire.dat
  • ./assets/newBluedArea.txt
  • ./assets/logo_h.png
  • ./assets/real.m4a
  • ./resources.arsc
  • ./lib/armeabi/liblocSDK4b.so
  • ./lib/armeabi/libbdpush_V1_0.so
  • ./lib/armeabi/libBaiduMapSDK_v2_4_1.so
  • numerous resources
  • ./META-INF/CERT.SF
  • ./META-INF/MANIFEST.MF
  • ./META-INF/CERT.RSA

It uses external SDKs, such as:
  • Google GSON Library
  • Android Support v4
  • Umeng
Those SDKs are not malicious, but may be undesirable for various reasons such as privacy leaks, network traffic etc.
The riskware asks for the following permissions:
  • GET_ACCOUNTS
  • Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi.
  • Allows to send SMS messages
  • Allows to call or process outgoing calls
  • READ_CONTACTS
  • CHANGE_WIFI_STATE
  • ACCESS_WIFI_STATE
  • INTERNET
  • VIBRATE

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.