0/64

Threat

com.sec.android.preloadinstaller

Application installer

Analyzed on 2022-05-19T02:48:28.770550

7 permissions, 1 activity, 0 services, 0 receivers, 0 domains

File sums

MD5 234266930124ac37428787a5eef2afea
SHA1 d813afe79852637d88e0cd396b33aa4f60d5e65f
SHA256 75554c6229a9c8ed07265fba3eb086ba206ba618917dee06cceb4bef033470c1
Size 0.04MB

APKiD

Information computed with APKiD.

/tmp/tmphmdnkxl2!classes.dex
yara_issue
  • yara issue - dex file recognized by apkid but not yara module
compiler
  • unknown (please file detection issue!)

SSdeep

Information computed with ssdeep.

APK file 768:+AM9M8WHikCa6HMWorRTlviFF62lPQqyKaLHUJ7su5KNrIK3zpOFz8doH:E9vuiThsWGTlviFU2l4oaL0Rn5KNrIKU
Manifest 96:m/iNpmV3gScZPXDN3gOXtO6RaWHEr9jcE2Ef4x4lukbSOioxRg:qdgSAPzNgOXtO6R…
classes.dex 768:tH2gWTIU7gU6LIDxrRzj6Q5sDOlK0POj9UU/CUNKjv7BUwG6HnA3AMzYQs1qHp6I:…

Dexofuzzy

Information computed with Dexofuzzy.

classes.dex None

APK details

Information computed with AndroGuard and Pithus.

Package com.sec.android.preloadinstaller
App name Application installer
Version name 9
Version code 28
SDK 28 - 28
UAID 7056ba096c480a998b92543c97b51641fad5f845
Signature V1, V2
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown (Pithus label; 0x7109871a is the standard APK Signature Scheme v2 block ID, consistent with the V2 signature listed above, so "Unknown" here only means Pithus does not name it, not that the block is foreign)
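To see where a block ID like 0x7109871a comes from, the script below walks the APK Signing Block the way a verifier does: locate the zip End Of Central Directory record, read the central-directory offset, check for the "APK Sig Block 42" magic just before it, then iterate the uint64-length-prefixed ID-value pairs. It is an added example, not Pithus code and not code from this app. The sample APK is a constructed two-entry zip with a placeholder block value (not a real signature) spliced in before the central directory, which is exactly the position apksigner uses; the ID table is the one defined by Android's apksig, and labels anything else "Unknown" just as this report does.

```python
import io
import struct
import zipfile

# Block IDs defined by Android's apksig; any other ID is reported as Unknown.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x2146444E: "Google Play metadata (frosting)",
}
SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def _find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record (searched from the end,
    because an archive comment may follow it)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip: no EOCD record")
    return eocd


def build_sample_apk(pairs):
    """Constructed sample: a two-entry zip with an APK Signing Block spliced in
    before the central directory, as apksigner does. `pairs` is a list of
    (block_id, value_bytes); the values are placeholders, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")          # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)  # placeholder content
    data = bytearray(buf.getvalue())
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]

    # Each pair: uint64 length (covering id + value), uint32 id, value bytes.
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic (excludes leading size)
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC

    # Splice the block in and fix the central-directory offset stored in the EOCD.
    # Local file headers sit before the block, so their offsets stay valid.
    out = data[:cd_offset] + block + data[cd_offset:]
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


def parse_signing_block(apk: bytes):
    """Return [(block_id, label, value_length)], or None when the APK has no
    signing block at all (a JAR/v1-only signature)."""
    eocd = _find_eocd(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end = start + 8, cd_offset - 24
    blocks = []
    while pos < end:
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        blocks.append((block_id, KNOWN_BLOCK_IDS.get(block_id, "Unknown"), length - 4))
        pos += 8 + length
    return blocks


def zip_still_valid(apk: bytes) -> bool:
    """The splice must leave a readable zip: every entry's CRC still checks out."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.testzip() is None


if __name__ == "__main__":
    sample = build_sample_apk([(0x7109871A, b"\x00" * 16), (0x42726577, b"\x00" * 8)])
    for bid, label, n in parse_signing_block(sample):
        print(f"0x{bid:08x}: {label} ({n} bytes)")
    print("zip valid:", zip_still_valid(sample))
```

Run against a real APK by reading its bytes and calling `parse_signing_block`; an ID you do not recognise is worth a closer look, since the signing block is the one place an unsigned-by-design payload can ride inside an otherwise validly signed APK.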

Certificate details

Information computed with AndroGuard.

MD5 d087e72912fba064cafa78dc34aea839
SHA1 9ca5170f381919dfe0446fcdab18b19a143b3163
SHA256 34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42
Issuer Email Address: android.os@samsung.com, Common Name: Samsung Cert, Organizational Unit: DMC, Organization: Samsung Corporation, Locality: Suwon City, State/Province: South Korea, Country: KR
Not before 2011-06-22T12:25:12+00:00
Not after 2038-11-07T12:25:12+00:00

File Analysis

Information computed with MobSF.

Findings Files
Certificate/Key files hardcoded inside the app. SEC-INF/buildConfirm.crt (a certificate, i.e. public material, not a private key; MobSF flags any bundled .crt/.pem/.key path, so confirm the file type before treating this as a key leak)

Manifest analysis

Information computed with MobSF.

Low App is direct-boot aware [android:directBootAware=true]
This app can run before the user unlocks the device. If you use a custom Application subclass and any component inside the app is direct-boot aware, the entire custom Application is treated as direct-boot aware. During Direct Boot the app can only access data stored in device protected storage.
Medium Application data can be backed up: the [android:allowBackup] flag is missing.
The [android:allowBackup] flag should be set to false. By default it is true, which lets anyone with USB debugging enabled copy the app's data off the device with adb backup. This app targets SDK 28, so the default still applies to it; on Android 12 and later, adb backup excludes app data for apps targeting API 31 or higher regardless of this flag.

Activities

Information computed with AndroGuard.

com.sec.android.preloadinstaller.SN2007302047.PreloadInstallerActivity

Sample timeline

Oldest file found in APK Jan. 1, 2009, midnight
Latest file found in APK Jan. 1, 2009, midnight (every entry carries 2009-01-01 00:00:00, the fixed timestamp AOSP's signapk writes into zip entries when it signs, so these dates say nothing about when the APK was built)
Certificate valid not before June 22, 2011, 12:25 p.m.
First submission on VT Jan. 9, 2021, 11 a.m.
Last submission on VT Jan. 9, 2021, 11 a.m.
Upload on Pithus May 19, 2022, 2:48 a.m.
Certificate valid not after Nov. 7, 2038, 12:25 p.m.
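The manifest findings (allowBackup, directBootAware), the SEC-INF certificate finding and the 2009-01-01 timestamps above are all cheap to re-check without MobSF. The script below is an added example, not Pithus or MobSF code and not code from this app. It assumes a decoded, plain-XML AndroidManifest.xml (the one inside a real APK is binary AXML and needs apktool or androguard first); the sample manifest and bundled .crt are constructed here from the facts in this report, with allowBackup left out on purpose to reproduce the Medium finding.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Fixed entry mtime that AOSP's signapk writes into every zip entry it signs.
SIGNAPK_DATE_TIME = (2009, 1, 1, 0, 0, 0)
COMPONENT_TAGS = {"activity", "service", "receiver", "provider"}
KEY_MATERIAL_SUFFIXES = (".crt", ".cer", ".pem", ".key", ".pk8", ".jks", ".p12", ".bks")

# Constructed manifest: package, component and directBootAware come from this
# report; allowBackup is deliberately absent so the Medium finding fires.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.sec.android.preloadinstaller">
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application android:label="Application installer">
    <activity android:name=".SN2007302047.PreloadInstallerActivity"
              android:directBootAware="true"/>
  </application>
</manifest>
"""


def build_sample_apk(manifest_xml, extra=(), date_time=SIGNAPK_DATE_TIME):
    """Constructed APK-like zip (no signature) whose entries all carry `date_time`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("AndroidManifest.xml", manifest_xml), *extra):
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def audit_apk(apk_bytes):
    """Return a list of (severity, message) mirroring the MobSF findings above."""
    findings = []

    def attr(el, name):
        return el.get(f"{{{ANDROID_NS}}}{name}")

    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        app = ET.fromstring(zf.read("AndroidManifest.xml")).find("application")
        if app is None:
            raise ValueError("manifest has no <application> element")

        backup = attr(app, "allowBackup")
        if backup is None:
            findings.append(("Medium", "android:allowBackup missing; default is true"))
        elif backup.lower() == "true":
            findings.append(("Medium", "android:allowBackup=true"))

        for comp in app:
            if comp.tag in COMPONENT_TAGS and attr(comp, "directBootAware") == "true":
                findings.append(("Low", f"{comp.tag} {attr(comp, 'name')} is direct-boot aware"))

        for name in zf.namelist():
            if name.lower().endswith(KEY_MATERIAL_SUFFIXES):
                findings.append(("Info", f"certificate/key file bundled: {name}"))

        infos = zf.infolist()
        if infos and all(i.date_time == SIGNAPK_DATE_TIME for i in infos):
            findings.append(("Info", "all entries dated 2009-01-01: signapk's fixed timestamp, not a build date"))
    return findings


if __name__ == "__main__":
    cert = b"-----BEGIN CERTIFICATE-----\n...placeholder...\n-----END CERTIFICATE-----\n"
    apk = build_sample_apk(SAMPLE_MANIFEST, extra=(("SEC-INF/buildConfirm.crt", cert),))
    for severity, message in audit_apk(apk):
        print(f"{severity:6} {message}")
```

Setting `android:allowBackup="false"` on the `<application>` element clears the Medium finding; the timestamp check is informational only, because it tells you the APK went through signapk, not when it was built.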

NIAP analysis

Information computed with MobSF.

FCS_STO_EXT.1.1 (Storage of Credentials): The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 (Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 (Access to Platform Resources): The application has access to no hardware resources.
FDP_DEC_EXT.1.2 (Access to Platform Resources): The application has access to no sensitive information repositories.
FDP_NET_EXT.1.1 (Network Communications): The application has no network communications.
FDP_DAR_EXT.1.1 (Encryption of Sensitive Application Data): The application does not encrypt files in non-volatile memory.
FMT_MEC_EXT.1.1 (Supported Configuration Mechanism): The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
FTP_DIT_EXT.1.1 (Protection of Data in Transit): The application does not encrypt any data in traffic, or does not transmit any data between itself and another trusted IT product.

Code analysis

Information computed with MobSF.

Low CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
  • com/sec/android/preloadinstaller/LogMsg.java
  • com/sec/android/preloadinstaller/ApkInstaller.java

Permissions analysis

Information computed with MobSF.

High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
Medium android.permission.android.permission.SET_PREFERRED_APPLICATIONS set preferred applications
Allows an application to modify your preferred applications. This can allow malicious applications to silently change the applications that are run, spoofing your existing applications to collect private data from you.
Medium android.permission.INSTALL_PACKAGES directly install applications
Allows an application to install new or updated Android packages. Malicious applications can use this to add new applications with arbitrarily powerful permissions.
Medium android.permission.DELETE_PACKAGES delete applications
Allows an application to delete Android packages. Malicious applications can use this to delete important applications.
Medium android.permission.STATUS_BAR disable or modify status bar
Allows application to disable the status bar or add and remove system icons.
android.permission.GRANT_RUNTIME_PERMISSIONS Unknown permission
Not in MobSF's Android permission reference, but a real platform permission (protection level signature|installer|verifier): it lets the holder grant runtime permissions to other packages, which is what a preload installer needs alongside INSTALL_PACKAGES. Like INSTALL_PACKAGES, DELETE_PACKAGES, STATUS_BAR and SET_PREFERRED_APPLICATIONS it is signature-protected, so it is only available to packages signed with the platform key (or to privileged system apps), which is consistent with the Samsung signing certificate shown above; a third-party app cannot request it.

Threat analysis

Information computed with Quark-Engine.

  • Confidence 100%: Get absolute path of the file and store in string
  • Confidence 80%: Read file and put it into a stream
  • Confidence 80%: Hide the current app's icon

Behavior analysis

Information computed with MobSF.

Get system service
  • com/sec/android/preloadinstaller/SN2007302047/PreloadInstallerActivity.java
Inter process communication
  • com/sec/android/preloadinstaller/SN2007302047/PreloadInstallerActivity.java
  • com/sec/android/preloadinstaller/ApkInstaller.java
Local file i/o operations
  • com/sec/android/preloadinstaller/SN2007302047/PreloadInstallerActivity.java
  • com/sec/android/preloadinstaller/ApkInstaller.java
Sending broadcast
  • com/sec/android/preloadinstaller/SN2007302047/PreloadInstallerActivity.java
Starting activity
  • com/sec/android/preloadinstaller/SN2007302047/PreloadInstallerActivity.java
  • com/sec/android/preloadinstaller/ApkInstaller.java

Control flow graphs analysis

Information computed by Pithus.