Riskware/Blued!Android is an Android application for the Chinese gay flirting social network, Blued.
Unfortunately, at least some versions of this application are very poorly secured and publicly disclose the user's name, GPS coordinates, height, weight, birthdate and city. The user's login and password are also stored unprotected on the device.
The samples we inspected are not malicious, but the information they leak may pose risks to end-users, so they are classified as Riskware.
This riskware targets Chinese male end-users and exposes their privacy.
The riskware comes packaged as com.soft.blued. The main activity is .activity.WelcomeActivity.
Initially, the application checks for updates by sending an HTTP request to Blued's servers with the current application version and device OS. As an example:
If the end-user accepts, an update is downloaded from:
http://[CENSORED]niudn.com/apk/blued_[LATEST VERSION].apk
The update is then loaded silently using the DexClassLoader/openDexFile technique instead of going through the package installer. This is risky because the new code runs without the installation prompt and permission review that a normal update would trigger, so the end-user never gets to see or refuse what the update does.
Then, to log in, the end-user must create an account if they do not already have one. Login names are unique, so the application first checks that the desired login name is available:
Figure 1. Birthday, weight, height, email and login of user are sent in cleartext during account creation
The password (see Figure 1) is not sent in cleartext but as a SHA-1 hash. This offers little protection: the request travels over plain HTTP, so the hash is itself the credential an eavesdropper needs to log in as the user, and the SHA-1 of a typical password is cheap to recover offline with a wordlist (the analysis does not mention any salt).
The end-user's account information is stored in a file named blued_sf.xml. Note that the password is stored in cleartext, under the misspelled key psaaword:
    <string name="user_name">USER's EMAIL</string>
    <string name="login_time">1405692509</string>
    <int name="screen_wide" value="768" />
    <string name="psaaword">mypassword</string>
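The following script is an added example, not code from the original analysis or from the Blued application. It parses a SharedPreferences file of the kind quoted above (a constructed copy is embedded, with a placeholder e-mail) and flags keys that look like credentials, including misspelled ones such as psaaword, which a plain substring search for "password" would miss. The usual on-device location, /data/data/<package>/shared_prefs/, is an assumption, not stated in the analysis.

```python
"""Triage an Android SharedPreferences XML file for cleartext credentials.

Added example; not part of the original analysis or the Blued app. The
file is read from a string here; on a rooted device it would be pulled from
/data/data/<package>/shared_prefs/ (assumed location).
"""
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the entries quoted in the analysis.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_name">alice@example.com</string>
    <string name="login_time">1405692509</string>
    <int name="screen_wide" value="768" />
    <string name="psaaword">mypassword</string>
</map>
"""

# Key names that commonly hold secrets; misspellings are caught by fuzzy match.
SECRET_WORDS = ("password", "passwd", "pwd", "token", "secret", "session", "cookie")


def _looks_secret(key: str, cutoff: float = 0.7) -> bool:
    """True if key contains a secret word or is a close misspelling of one."""
    k = re.sub(r"[^a-z]", "", key.lower())
    if any(w in k for w in SECRET_WORDS):
        return True
    # difflib's ratio for "psaaword" vs "password" is 0.75, so a cutoff of
    # 0.7 catches the transposition while unrelated keys stay well below it.
    return bool(difflib.get_close_matches(k, SECRET_WORDS, n=1, cutoff=cutoff))


def find_cleartext_secrets(xml_text: str) -> list:
    """Return (key, value) pairs whose key looks like a credential.

    SharedPreferences files are a flat <map> of typed elements: <string>
    carries its value as element text, other types in a value= attribute.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for el in root:
        key = el.get("name", "")
        value = el.text if el.tag == "string" else el.get("value", "")
        if value and _looks_secret(key):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    for key, value in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"cleartext credential under key {key!r}: {value!r}")
```

Run it against any shared_prefs XML pulled from a device; the fuzzy match is what makes it useful for triage, since developers' typos in key names are exactly the cases a fixed keyword grep overlooks.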
Logging in. The end-user then logs in to the social network. At this step the application sends an HTTP request which contains the user's email and GPS coordinates in cleartext (see Figure 2):
Figure 2. User logging into social network discloses his GPS coordinates in cleartext.
Note that other information, such as the application version and the SHA-1 hashed password, is also sent in the same request.
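The script below is an added example and not code from the original analysis or from the Blued application. It shows, for the login request described above (and for the hashed password discussed under Figure 1), what a passive observer on the network gets: the e-mail and GPS fix are readable as-is, and the SHA-1 hashed password falls to a small wordlist. The HTTP request is a constructed stand-in for Figure 2; its parameter names (email, lat, lon, app_version, password) and the absence of a salt are assumptions, since the figure is not reproduced here.

```python
"""What an eavesdropper learns from the Blued-style login request.

Added example, not from the original analysis or the app. The captured
request, its field names and the unsalted SHA-1 are all assumptions made
for illustration.
"""
import hashlib
from typing import Optional
from urllib.parse import parse_qs

# Constructed capture: e-mail and GPS fix in the clear, password as hex
# SHA-1 (here sha1("mypassword")), all over plain HTTP.
CAPTURED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=alice%40example.com&lat=39.9042&lon=116.4074"
    "&app_version=2.0.0&password=" + hashlib.sha1(b"mypassword").hexdigest()
)

# Constructed wordlist; a real attack uses a leak-derived list plus rules.
WORDLIST = ["123456", "qwerty", "letmein", "mypassword", "blued2014"]


def parse_login(raw: str) -> dict:
    """Split a raw HTTP request into its (single-valued) form fields."""
    _, _, body = raw.partition("\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body).items()}


def exposed_pii(fields: dict) -> dict:
    """Fields a passive observer reads without cracking anything."""
    return {k: fields[k] for k in ("email", "lat", "lon") if k in fields}


def crack_sha1(hex_digest: str, candidates) -> Optional[str]:
    """Return the candidate whose unsalted SHA-1 equals hex_digest, if any.

    With no salt and no work factor each guess costs one hash; and because
    the server accepts the hash in place of the password, the captured
    value can also simply be replayed without cracking it at all.
    """
    target = hex_digest.lower()
    for word in candidates:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    fields = parse_login(CAPTURED_REQUEST)
    print("cleartext on the wire:", exposed_pii(fields))
    print("recovered password:", crack_sha1(fields["password"], WORDLIST))
```

The point of the cracking routine is not its speed but that nothing in the protocol makes it harder than one SHA-1 per guess; TLS on the transport and a salted, slow password hash on the server are the fixes, and neither is something the client can add on its own.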
The riskware installs the following files on the device:
- numerous resources
It uses external SDKs, such as:
- Google GSON Library
- Android Support v4
The riskware requests the following permissions:
- Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi.
- Allows the app to send SMS messages.
- Allows the app to place calls or process outgoing calls.
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.