Malicious 10/64

Threat

com.xinmoke.repairimage

手机恢复精灵

Analyzed on 2021-10-12T06:32:03.568347

10 permissions
16 activities
2 services
1 receiver
0 domains

File sums

MD5 04653b92edd4ef9cec3b1483d3044790
SHA1 5812b8644facab92f3973e47b23b4c21fa8c3b0c
SHA256 2f4ed9fe43efdbf7acbba893d5b69bdf400805e13d6a1e50e14e194ec41778c4
Size 6.67MB

APKiD

Information computed with APKiD.

/tmp/tmpix9wmcye
packer
  • Jiagu
/tmp/tmpix9wmcye!assets/gdt_plugin/gdtadv2.jar!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • possible Build.SERIAL check
  • subscriber ID check
compiler
  • dexlib 2.x
/tmp/tmpix9wmcye!classes.dex
obfuscator
  • unreadable field names
  • unreadable method names
compiler
  • dexlib 2.x

SSdeep

Information computed with ssdeep.

APK file 98304:IwdvdbCKRmmWXxSCz+hjusak+gb/2Ovf1XymRJjqDzpfKKxz4Nsu2:IwaKZWmhSk8mRJ2DzpfKKaq
Manifest 192:cvq1Sf+Ng9ywOWg5E9CcllvF9QrjWmIUVeDvMsRbB/TCAwa4T39XaJpoIdHW:x1Sy…
classes.dex 49152:6mfqmP0Bk9ekHXkFK3Vh5D6jF95AQqlwzKEd3:6mfnGk9tHXkIXaFVGG3

Dexofuzzy

Information computed with Dexofuzzy.

APK file 6:iLxh5PJ7KnK56PikiEE8GtVm0fFUUlzYfdQV/AprGzOovyqXEATmJtxMmeL5xtCl:gv…
classes.dex 6:iLxh5PJ7KnK56PikiEE8GtVm0fFUUlzYfdQV/AprGzOovyqXEATmJtxMmeL5xtCl:gv…

APK details

Information computed with AndroGuard and Pithus.

Package com.xinmoke.repairimage
App name 手机恢复精灵
Version name 1.0.0
Version code 100
SDK 19 - 27
UAID 51bb2427eea0fb1d3e7bb76760909b0b4aeda478
Signature Signature V1, Signature V2
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0x42726577: Verity padding

Certificate details

Information computed with AndroGuard.

MD5 12336120be87c5279fcb0accd1c4c4cc
SHA1 6405ffe9bb7f703abd1c3c5629f68ca66f56ba08
SHA256 87fe30eb601ea849e061b5df2dc8aab09461c741c6792df6ac0d2a336c42c2fe
Issuer Common Name: zhujiang, Locality: wuhan, State/Province: hubei
Not before 2020-05-12T06:05:51+00:00
Not after 2045-05-06T06:05:51+00:00

File Analysis

Information computed with MobSF.

Finding: Certificate/Key files hardcoded inside the app.
Files: assets/.appkey

Manifest analysis

Information computed with MobSF.

Low App has a Network Security Configuration[android:networkSecurityConfig=@xml/network_security_config]
The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.
Medium Application Data can be Backed up [android:allowBackup=true]
This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
High Broadcast Receiver (com.network.base.NetworkReceiver) is not Protected. An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.

Main Activity

Information computed with AndroGuard.

com.xinmoke.repairimage.ui.SplashActivity

Activities

Information computed with AndroGuard.

com.xinmoke.repairimage.ui.MainActivity
com.xinmoke.repairimage.ui.AboutActivity
com.xinmoke.repairimage.ui.VipActivity
com.xinmoke.repairimage.ui.PayRecodeActivity
com.xinmoke.repairimage.ui.SplashActivity
com.xinmoke.repairimage.ui.ShowImgActivity
com.xinmoke.repairimage.ui.MiddleActivity
com.xinmoke.repairimage.ui.BigImgActivity
com.xinmoke.repairimage.ui.ScanActivity
com.xinmoke.repairimage.ui.RecoveredActivity
com.xinmoke.repairimage.ui.H5Activity
com.xinmoke.repairimage.ui.VideoActivity
com.qq.e.ads.ADActivity
com.qq.e.ads.PortraitADActivity
com.qq.e.ads.LandscapeADActivity
com.android.billingclient.api.ProxyBillingActivity

Receivers

Information computed with AndroGuard.

com.network.base.NetworkReceiver

Services

Information computed with AndroGuard.

com.xinmoke.repairimage.upgrade.UpgradeService
com.qq.e.comm.DownloadService

Sample timeline

Certificate valid not before May 12, 2020, 6:05 a.m.
Latest file found in APK May 26, 2020, 9:32 a.m.
First submission on VT June 10, 2020, 8:17 p.m.
Last submission on VT Oct. 26, 2020, 1:07 p.m.
Upload on Pithus Oct. 12, 2021, 6:32 a.m.
Certificate valid not after May 6, 2045, 6:05 a.m.

VirusTotal

Score 10/64
Report https://www.virustotal.com/gui/file/2f4ed9fe43efdbf7acbba893d5b69bdf400805e13d6a1e50e14e194ec41778c4/detection

Most Popular AV Detections

Provided by VirusTotal

Threat name: jiagu Identified 3 times

NIAP analysis

Information computed with MobSF.

FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generates no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application does not encrypt files in non-volatile memory.
Encryption Of Sensitive Application Data
FTP_DIT_EXT.1.1 The application does not encrypt any data in traffic or does not transmit any data between itself and another trusted IT product.
Protection of Data in Transit

Network analysis

Information computed with MobSF.

High Base config is insecurely configured to permit clear text traffic to all domains.
Scope: ['*']

Permissions analysis

Information computed with MobSF.

High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.REQUEST_INSTALL_PACKAGES Allows an application to request installing packages.
Malicious applications can use this to try and trick users into installing additional malicious packages.
High android.permission.READ_PHONE_STATE read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
High android.permission.GET_TASKS retrieve running applications
Allows application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.VIBRATE control vibrator
Allows the application to control the vibrator.
com.android.vending.BILLING Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Read file from assets directory (confidence: 100%)
Method reflection (confidence: 100%)
Read data and put it into a buffer stream (confidence: 80%)
Read file and put it into a stream (confidence: 80%)
Open a file from given absolute path of the file (confidence: 80%)
Get absolute path of the file and store in string (confidence: 80%)

Behavior analysis

Information computed with MobSF.

Java reflection
  • com/qihoo/util/DtcLoader.java
  • com/stub/StubApp.java
  • com/qihoo/util/C0002.java
Load and manipulate dex files
  • com/stub/StubApp.java
Loading native code (shared library)
  • com/qihoo/util/DtcLoader.java
  • com/stub/StubApp.java

Control flow graphs analysis

Information computed by Pithus.

The application probably dynamically loads code