0/64

Threat

mark.via.gp

Via

Analyzed on 2021-05-25T08:56:39.262456

12 permissions
1 activity
0 services
0 receivers
28 domains

File sums

MD5 adc834ffd4c2ddf7dd7d261dfd6d1c40
SHA1 9641d4b9fa1a42a0ff1c688a080d6e63a5d89610
SHA256 371dec8290ee107d808112575c1bbc1e5c30e052a18a1208b8c65da82b96fa7f
Size 1.48MB

APKiD

Information computed with APKiD.

/tmp/tmpw3j5eqmx!classes.dex
anti_vm
  • Build.MANUFACTURER check
  • Build.BOARD check
compiler
  • unknown (please file detection issue!)

SSdeep

Information computed with ssdeep.

APK file 24576:E9S4aic+EgLAGByNhihS6sHnn3Ib5BTxOD1mS+MokR71r8Q0aDZQ:wS4ai0DnkS6In3m5qh7Q
Manifest 192:eS9w5gA/Sx5PMNS9QtuO9OItyiUgwgPKKtsTDqFS0XypsYfUpbzE6X:eSq5n/Sx5P…
classes.dex 24576:cADueBALdMasxDnq4Ax7rNDB4Ws1ijsWW:VC575s11

Dexofuzzy

Information computed with Dexofuzzy.

APK file 3072:PQ8PuwMYH9onWe+rHtLiWs2e4QlXVUpvsi2p5Cc0Tvidb/a4M9:vWYdqWeALiWu+…
classes.dex 3072:PQ8PuwMYH9onWe+rHtLiWs2e4QlXVUpvsi2p5Cc0Tvidb/a4M9:vWYdqWeALiWu+…

APK details

Information computed with AndroGuard and Pithus.

Package mark.via.gp
App name Via
Version name 4.2.8
Version code 20210509
SDK 14 - 30
UAID 7cf88f0f3f04caba8ceb8e9dc46697424eb679aa
Signature schemes V1, V2, V3
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0xf05368c0: Unknown
  • 0x42726577: Verity padding

Certificate details

Information computed with AndroGuard.

MD5 9830874658327c15600f6e4ea939c324
SHA1 af5d11b1703127167e23b45fa706f0dd9865499b
SHA256 3df7f89d3b8d1315f05710c914fccbcf3a4e24980afddccb8dcebde90836a390
Issuer Common Name: Various Tu, Locality: 广西, State/Province: 广西, Country: CN
Not before 2014-08-27T05:03:28+00:00
Not after 2114-08-03T05:03:28+00:00

Manifest analysis

Information computed with MobSF.

High: Clear text traffic is enabled for the app [android:usesCleartextTraffic=true]
The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true"; apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protection against tampering: a network attacker can eavesdrop on transmitted data and also modify it without being detected.
Medium: Application data can be backed up [android:allowBackup=true]
This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
High: Launch mode of activity (mark.via.Shell) is not standard.
An Activity should not have its launch mode attribute set to "singleTask/singleInstance", as it then becomes the root Activity and other applications may be able to read the contents of the calling Intent. Use the "standard" launch mode when sensitive information is included in an Intent.
High: Content Provider (mark.via.provider.BookmarksProvider) is not protected [android:exported=true]
The Content Provider is shared with other apps on the device, leaving it accessible to any other application on the device.

Browsable activities

Information computed with MobSF.

mark.via.Shell

Schemes: http:// https:// about:// javascript:// inline:// file:// content://

Mime types: text/html text/plain application/xhtml+xml application/vnd.wap.xhtml+xml

Main Activity

Information computed with AndroGuard.

mark.via.Shell

Activities

Information computed with AndroGuard.

mark.via.Shell

Sample timeline

Certificate valid not before Aug. 27, 2014, 5:03 a.m.
Oldest file found in APK May 11, 2021, 3:58 p.m.
Latest file found in APK May 11, 2021, 3:58 p.m.
First submission on VT May 11, 2021, 4:49 p.m.
Upload on Pithus May 25, 2021, 8:56 a.m.
Last submission on VT June 9, 2021, 1:11 p.m.
Certificate valid not after Aug. 3, 2114, 5:03 a.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 (Random Bit Generation Services): The application invokes platform-provided DRBG functionality for its cryptographic operations.
FCS_STO_EXT.1.1 (Storage of Credentials): The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 (Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 (Access to Platform Resources): The application has access to location and network connectivity.
FDP_DEC_EXT.1.2 (Access to Platform Resources): The application has access to no sensitive information repositories.
FDP_NET_EXT.1.1 (Network Communications): The application has user/application-initiated network communications.
FDP_DAR_EXT.1.1 (Encryption Of Sensitive Application Data): The application implements functionality to encrypt sensitive data in non-volatile memory.
FMT_MEC_EXT.1.1 (Supported Configuration Mechanism): The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
FTP_DIT_EXT.1.1 (Protection of Data in Transit): The application encrypts some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
FCS_RBG_EXT.2.1 / FCS_RBG_EXT.2.2 (Random Bit Generation from Application): The application performs all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy, at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
FCS_CKM.1.1(3) / FCS_CKM.1.2(3) (Password Conditioning): A password/passphrase shall perform [Password-based Key Derivation Functions] in accordance with a specified cryptographic algorithm.
FCS_COP.1.1(2) (Cryptographic Operation - Hashing): The application performs cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
FCS_COP.1.1(3) (Cryptographic Operation - Signing): The application performs cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm: ECDSA schemes using "NIST curves" P-256 and P-384.
FCS_HTTPS_EXT.1.1 (HTTPS Protocol): The application implements the HTTPS protocol in compliance with RFC 2818.
FCS_HTTPS_EXT.1.2 (HTTPS Protocol): The application implements HTTPS using TLS.
FCS_HTTPS_EXT.1.3 (HTTPS Protocol): The application notifies the user and does not establish the connection, or requests application authorization to establish the connection, if the peer certificate is deemed invalid.
FIA_X509_EXT.2.1 (X.509 Certificate Authentication): The application uses X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS and TLS.

Code analysis

Information computed with MobSF.

Low (CVSS:7.5): The app logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
  • d/c/b/g.java
  • d/c/c/a.java
  • com/tuyafeng/support/widget/FlowLayoutManager.java
  • e/c/b/b.java
  • com/tuyafeng/support/dialog/d.java
  • e/b/a/b/a.java
  • d/c/e/m.java
  • d/d/a/a.java
  • e/c/a/d/b.java
  • e/c/a/c/e/a.java
  • e/c/a/c/e/f/a.java
  • d/f/a/b.java
  • e/c/a/a.java
  • e/c/c/r/d.java
  • d/c/e/r/c.java
  • d/c/e/o.java
  • e/b/a/a/d.java
  • d/c/e/l.java
  • e/c/c/m/b.java
  • d/h/a.java
  • d/c/e/d.java
Medium (CVSS:4.3): IP address disclosure.
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
  • e/c/a/c/d.java
High (CVSS:5.9): SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
  • com/flurry/sdk/b1.java
High (CVSS:5.5): The app can read/write external storage. Any app can read data written to external storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
  • e/c/c/r/d.java
  • com/flurry/sdk/o0.java
  • mark/via/g/f/z.java
  • mark/via/g/f/r.java
  • mark/via/f/z2.java
High (CVSS:5.9): The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL injection. Sensitive information should also be encrypted before being written to the database.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
M7: Client Code Quality
Files:
  • mark/via/i/h/e/b.java
  • mark/via/i/b/c.java
High (CVSS:7.4): MD5 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
  • mark/via/g/f/y.java
  • mark/via/g/f/t.java
High (CVSS:7.5): The app uses an insecure random number generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
  • mark/via/i/f/c.java
High (CVSS:7.4): Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate, so this application is vulnerable to MITM attacks.
MASVS: MSTG-NETWORK-3
CWE-295 Improper Certificate Validation
M3: Insecure Communication
Files:
  • mark/via/f/h3/x.java
Low (CVSS:0): This app copies data to the clipboard. Sensitive data should not be copied to the clipboard, as other applications can access it.
MASVS: MSTG-STORAGE-10
Files:
  • e/c/c/r/h.java
Info (CVSS:0): This app uses SSL certificate pinning to detect or prevent MITM attacks on a secure communication channel.
MASVS: MSTG-NETWORK-4
Files:
  • com/flurry/sdk/v3.java
[Map: domains by country, computed by Pithus. Chart data: China 600, Germany 200, United Kingdom 100, Ireland 200, Netherlands 200, Russian Federation 100, United States 1400]

Domains analysis

Information computed with MobSF.

Country Domain IP address
IE search.yahoo.com 212.82.100.137
US proton.flurry.com 74.6.138.80
CN viayoo.com 47.100.249.27
CN weibo.com 36.51.254.228
DE pic.sogou.com 49.51.130.237
US cdn.jsdelivr.net 151.101.14.109
NL startpage.com 37.0.87.35
US us.app.viayoo.com 67.209.185.243
CN wap.sogou.com 118.191.216.57
US twitter.com 104.244.42.65
CN yz.m.sm.cn 140.205.13.17
NL duckduckgo.com 40.114.177.156
US www.bing.com 131.253.33.200
RU www.yandex.ru 77.88.55.60
US www.google.com 142.250.185.100
CN app.viayoo.com 47.100.249.27
US images.google.com 142.250.185.238
US easylist.to 172.67.202.47
US github.com 140.82.121.3
US greasyfork.org 104.200.26.234
CN coolapk.com 42.236.126.191
US play.google.com 142.250.186.46
DE help.eyeo.com 88.99.84.224
US m.baidu.com 104.193.88.77
US m.so.com 104.192.110.225
IE data.flurry.com 87.248.118.22
US cfg.flurry.com 74.6.138.80
GB t.me 149.154.167.99

URL analysis

Information computed with MobSF.

https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in g/a/a/b/j.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in g/a/a/b/o.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in g/a/a/b/f.java
https://github.com/ReactiveX/RxJava/wiki/Plugins
Defined in g/a/a/b/a.java
https://github.com/ReactiveX/RxJava/wiki/What's-different-in-2.0#error-handling
Defined in io/reactivex/rxjava3/exceptions/UndeliverableException.java
https://github.com/ReactiveX/RxJava/wiki/Error-Handling
Defined in io/reactivex/rxjava3/exceptions/OnErrorNotImplementedException.java
data:image/
Defined in e/c/b/b.java
https://cdn.jsdelivr.net/gh/o0HalfLife0o/list/ad3.txt
https://easylist.to/easylist/easylist.txt
Defined in e/c/a/c/e/g/a.java
https://cfg.flurry.com/sdk/v1/config
Defined in com/flurry/sdk/d.java
https://cfg.flurry.com/sdk/v1/config
Defined in com/flurry/sdk/q3.java
https://proton.flurry.com/sdk/v1/config
Defined in com/flurry/sdk/w.java
https://data.flurry.com/aap.do
http://data.flurry.com/aap.do
Defined in com/flurry/sdk/l0.java
https://data.flurry.com/pcr.do
Defined in com/flurry/sdk/d0.java
https://m.baidu.com/s?from=%s&word=
https://wap.sogou.com/web/sl?bid=sogou-mobb-%s&keyword=
Defined in mark/via/g/c/c.java
http://coolapk.com/apk/
https://play.google.com/store/apps/details?id=
Defined in mark/via/g/f/r.java
data:image/
Defined in mark/via/g/f/j0.java
file:///android_asset/logo.png
file:///android_asset/opensug.js
Defined in mark/via/g/e/d.java
javascript:function
javascript:var
https://%s/translate_a/element.js?cb='+encodeURIComponent(o)+'&client=tee',document.getElementsByTagName('head')
javascript:url=unescape('
Defined in mark/via/g/b/c.java
https://m.baidu.com/?tn=&from=1022560v
https://www.google.com/
Defined in mark/via/g/b/a.java
https://us.app.viayoo.com/addons/
https://us.app.viayoo.com/api/user?
https://us.app.viayoo.com/api/update
https://us.app.viayoo.com/api/sync?
https://viayoo.com/en/docs/terms-of-use.html
https://viayoo.com/en/docs/privacy-policy.html
Defined in mark/via/i/g/b.java
https://app.viayoo.com/addons/
https://app.viayoo.com/api/user?
https://app.viayoo.com/api/update
https://app.viayoo.com/api/sync?
https://viayoo.com/zh-cn/docs/terms-of-use.html
https://viayoo.com/zh-cn/docs/privacy-policy.html
Defined in mark/via/i/g/a.java
https://www.google.com/search?q=
https://www.bing.com/search?q=
https://duckduckgo.com/?q=
https://m.so.com/s?q=
https://startpage.com/do/search?query=
https://yz.m.sm.cn/s?from=wm291047&q=
https://www.yandex.ru/search/touch/?text=
https://search.yahoo.com/search?p=
Defined in mark/via/i/f/c.java
http://viayoo.com/
http://viayoo.com/contact/qqgroup/
https://t.me/viatg
https://github.com/tuyafeng/Via
file:///android_asset/s3.js
Defined in mark/via/i/e/c.java
https://help.eyeo.com/en/adblockplus/how-to-write-filters
Defined in mark/via/d/g0.java
https://www.google.com/images/cleardot.gif
javascript:;
http://viayoo.com/
javascript:s=document.documentElement.outerHTML;a=window.open('');a.document.write(
Defined in mark/via/f/b3.java
https://pic.sogou.com/ris?flag=1&drag=0&query=
https://images.google.com/searchbyimage?image_url=
javascript:function
javascript:;
https://greasyfork.org/scripts/
Defined in mark/via/f/z2.java
file:///android_asset/logo.png
file:///
Defined in mark/via/h/k/u.java
www.google.com
Defined in mark/via/p/v2.java
https://github.com/tuyafeng/Via
https://t.me/viatg
http://viayoo.com/contact/qqgroup/
https://twitter.com/Yafeng78600505
https://weibo.com/u/7558014976
Defined in mark/via/p/h2.java
https://github.com/shwenzhang/AndResGuard
https://github.com/uber/AutoDispose
https://github.com/google/dagger
https://github.com/square/leakcanary/
https://github.com/ReactiveX/RxAndroid
https://github.com/ReactiveX/RxJava
https://github.com/SortableJS/Sortable
https://github.com/JakeWharton/timber
https://github.com/promeG/TinyPinyin
https://github.com/Tencent/VasDolly
Defined in mark/via/p/n2.java
www.google.com
Defined in mark/via/p/t2.java

Permissions analysis

Information computed with MobSF.

High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.ACCESS_FINE_LOCATION fine (GPS) location
Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
High android.permission.REQUEST_INSTALL_PACKAGES Allows an application to request installing packages.
Malicious applications can use this to try and trick users into installing additional malicious packages.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.FOREGROUND_SERVICE Allows a regular application to use Service.startForeground
Low android.permission.QUERY_ALL_PACKAGES Allows query of any normal app on the device, regardless of manifest declarations.
mark.via.permission.BROADCAST Unknown permission
Unknown permission from android reference
com.samsung.android.providers.context.permission.WRITE_USE_APP_FEATURE_SURVEY Unknown permission
Unknown permission from android reference
com.android.launcher.permission.INSTALL_SHORTCUT Unknown permission
Unknown permission from android reference

Tracking analysis

Information computed with Exodus-core.

Flurry https://reports.exodus-privacy.eu.org/fr/trackers/25

Threat analysis

Information computed with Quark-Engine.

Confidence 100%: Write HTTP input stream into a file
Confidence 100%: Implicit intent (view a web page, make a phone call, etc.)
Confidence 100%: Find a method from given class name, usually for reflection
Confidence 100%: Connect to a URL and receive input stream from the server
Confidence 100%: Method reflection
Confidence 100%: Connect to a URL and read data from it
Confidence 100%: Read sensitive data (SMS, CALLLOG, etc.)
Confidence 100%: Put data in cursor to JSON object
Confidence 100%: Implicit intent (view a web page, make a phone call, etc.) via setData
Confidence 100%: Connect to a URL and get the response code
Confidence 100%: Monitor the broadcast action events (BOOT_COMPLETED)
Confidence 100%: Get location of the device and append this info to a string
Confidence 100%: Get last known location of the device
Confidence 100%: Method reflection
Confidence 100%: Connect to the remote server through the given URL
Confidence 100%: Initialize class object dynamically
Confidence 100%: Read the input stream from given URL
Confidence 100%: Connect to a URL and set request method
Confidence 100%: Initialize bitmap object and compress data (e.g. JPEG) into bitmap object
Confidence 80%: Get the network operator name
Confidence 80%: Read file and put it into a stream
Confidence 80%: Get declared method from given method name
Confidence 80%: Get absolute path of the file and store in string
Confidence 80%: Execute the specified string as a Linux command

Behavior analysis

Information computed with MobSF.

Base64 decode
  • mark/via/g/f/y.java
  • e/c/b/b.java
  • com/flurry/sdk/v3.java
  • mark/via/g/f/b0.java
Base64 encode
  • mark/via/g/f/y.java
  • com/flurry/sdk/v3.java
  • com/flurry/sdk/s3.java
  • mark/via/g/f/b0.java
Content provider
  • mark/via/provider/BookmarksProvider.java
Crypto
  • com/flurry/sdk/cs.java
  • com/flurry/sdk/c1.java
  • com/flurry/sdk/b1.java
Execute OS command
  • e/c/c/r/i.java
  • com/flurry/sdk/o0.java
GPS location
  • com/flurry/sdk/v0.java
  • com/flurry/sdk/w.java
  • com/flurry/sdk/m0.java
  • com/flurry/sdk/v.java
Get Android advertising ID
  • com/flurry/sdk/bs.java
Get system service
  • com/flurry/sdk/x2.java
  • com/flurry/sdk/o0.java
  • mark/via/g/f/r.java
  • com/flurry/sdk/by.java
  • com/tuyafeng/support/widget/i.java
  • com/tuyafeng/support/widget/f.java
  • e/c/b/a.java
  • com/flurry/sdk/x0.java
  • mark/via/g/f/t.java
  • e/c/c/r/h.java
  • mark/via/m/d.java
  • com/flurry/sdk/v0.java
  • d/c/e/l.java
  • mark/via/p/l2.java
  • com/tuyafeng/support/widget/j.java
HTTP connection
  • mark/via/g/f/x.java
  • mark/via/g/f/i0.java
  • e/c/a/d/b.java
  • mark/via/g/f/h0.java
  • mark/via/f/z2.java
  • com/flurry/sdk/dk.java
HTTPS connection
  • com/flurry/sdk/q3.java
  • com/flurry/sdk/v3.java
Inter-process communication
  • mark/via/g/f/l.java
  • mark/via/k/y.java
  • com/flurry/sdk/o0.java
  • e/c/c/j/d.java
  • e/c/b/b.java
  • mark/via/g/f/r.java
  • mark/via/f/l1.java
  • com/flurry/sdk/by.java
  • mark/via/f/z2.java
  • e/c/b/a.java
  • mark/via/g/f/t.java
  • mark/via/f/b3.java
  • e/c/c/j/c.java
  • mark/via/Shell.java
  • mark/via/g/f/e.java
  • mark/via/g/f/c0.java
  • mark/via/m/d.java
  • mark/via/g/f/e0.java
  • e/c/c/j/e.java
  • mark/via/n/a.java
  • e/c/b/c.java
  • mark/via/f/v1.java
  • mark/via/p/l2.java
  • mark/via/g/f/c.java
Java reflection
  • com/flurry/sdk/k3.java
  • com/flurry/sdk/x2.java
  • com/flurry/sdk/z3.java
  • d/c/e/c.java
  • d/c/c/a.java
  • e/c/c/r/k.java
  • com/flurry/sdk/s3.java
  • d/c/e/m.java
  • mark/via/g/f/k0.java
  • d/c/e/l.java
  • d/h/a.java
  • d/c/e/d.java
Local file I/O operations
  • com/flurry/sdk/o2.java
  • mark/via/g/f/t.java
  • com/flurry/sdk/o0.java
  • com/flurry/sdk/w.java
  • com/flurry/sdk/bs.java
  • com/flurry/sdk/a0.java
  • mark/via/g/f/k0.java
  • mark/via/i/f/c.java
Message digest
  • com/flurry/sdk/j1.java
  • mark/via/g/f/y.java
  • mark/via/g/f/t.java
  • com/flurry/sdk/v3.java
Sending broadcast
  • e/c/b/b.java
Set or read clipboard data
  • e/c/c/r/h.java
Starting activity
  • mark/via/g/f/t.java
  • mark/via/k/y.java
  • mark/via/g/f/e.java
  • mark/via/g/f/c0.java
  • mark/via/g/f/e0.java
  • mark/via/g/f/r.java
  • e/c/b/c.java
  • mark/via/g/f/c.java
TCP socket
  • com/flurry/sdk/x.java
WebView JavaScript interface
  • mark/via/f/h3/x.java

Control flow graphs analysis

Information computed by Pithus.

The application probably gets different information regarding the telephony capabilities

The application probably gets the advertising ID for tracking purposes

The application probably gets the network connections information

The application probably executes OS commands

The application probably gets memory and CPU information

The application probably creates an accessibility service