0/61

Threat

com.att.iqi

Mobile Network Diagnostics

Analyzed on 2022-06-18T23:38:23.399641

17

permissions

4

activities

1

services

0

receivers

2

domains

File sums

MD5 db4b2b8edcc9773c2699107504284e12
SHA1 65fd7624e97a22db757864df3fe77ff86abb3a7c
SHA256 a3872d7f202b7e9aea55adf77a42ea137923422f30e8de09b69853f072599733
Size 21.46MB

APKiD

Information computed with APKiD.

/tmp/tmp9du0tasb!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MANUFACTURER check
compiler
  • dx

SSdeep

Information computed with ssdeep.

APK file 196608:xpvvHissOvs8hNWr2DOENjV2uwELixXNMhvD20w9NVNz:fvHidys86rqV2uwE120wNZ
Manifest 192:+wl1fehUzto9O63ryb1eApabyC6+/by9T+3T+CSnat2qkXaJuTT/Vg:+wvfehUzto…
classes.dex 49152:lpmYyYcQE5qu2cSzzEidpvBGiKL2geiYtlrcwZYrmP:lpwMvHP

Dexofuzzy

Information computed with Dexofuzzy.

APK file 3072:dfY7tBG+hCyLXU2q/8ytdLRpdE9F7ACDX03NkGNcxR6VCmp2737:pQ/U2qrtdreZ…
classes.dex 3072:dfY7tBG+hCyLXU2q/8ytdLRpdE9F7ACDX03NkGNcxR6VCmp2737:pQ/U2qrtdreZ…

APK details

Information computed with AndroGuard and Pithus.

Package com.att.iqi
App name Mobile Network Diagnostics
Version name 21.3-66-gf4bb800952
Version code 10347
SDK 26 - 31
UAID 3f649945897d791aa257171e3155d5e5f9f20b7c
Signature Signature V1 Signature V2
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0x504b4453: Dependency metadata
  • 0x42726577: Verity padding

Certificate details

Information computed with AndroGuard.

MD5 a428d4bebff1384be08cb788fc262584
SHA1 a9130e8728d2dd2c6a4f3d90113cba58f86ac9a1
SHA256 2e7f54980de978f4ab05514b6ca4c5ed053e4f48e75b0f212d9b6e1d4364d22a
Issuer Common Name: iQ Insights, Organizational Unit: Big Data, Organization: AT&T, Locality: Sunnyvale, State/Province: CA, Country: US
Not before 2017-08-17T22:31:36+00:00
Not after 2042-08-11T22:31:36+00:00

Manifest analysis

Information computed with MobSF.

High Service (com.att.iqi.service.IQService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: com.att.iqi.permission.BIND_IQI_MANAGER [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High TaskAffinity is set for Activity
(com.att.iqi.suw.SuwIqiActivity)
If taskAffinity is set, then other application could read the Intents sent to Activities belonging to another task. Always use the default setting keeping the affinity as the package name in order to prevent sensitive information inside sent or received Intents from being read by another application.

Activities

Information computed with AndroGuard. 

com.att.iqi.service.ui.ShowMessage
com.att.iqi.service.ui.SettingsActivity
com.att.iqi.suw.SuwIqiActivity
com.google.android.gms.common.api.GoogleApiActivity

Services

Information computed with AndroGuard. 

com.att.iqi.service.IQService

Sample timeline

Oldest file found in APK Jan. 1, 1981, 1:01 a.m.
Latest file found in APK Jan. 1, 1981, 1:01 a.m.
Certificate valid not before Aug. 17, 2017, 10:31 p.m.
First submission on VT May 29, 2022, 10:04 a.m.
Last submission on VT May 31, 2022, 5:25 a.m.
Upload on Pithus June 18, 2022, 11:38 p.m.
Certificate valid not after Aug. 11, 2042, 10:31 p.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application use no DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generate no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['location', 'network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application does not encrypt files in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files: 
 h0/c.java
 y2/c.java
 z/f.java
 q2/g.java
 com/att/iqi/client/b.java
 o/d.java
 w/l.java
 d3/g.java
 y1/a.java
 n2/d.java
 u0/y.java
 d3/a.java
 y/a.java
 o1/a.java
 u0/i0.java
 c3/a.java
 b3/a.java
 z/k.java
 u1/q.java
 j1/g.java
 d0/h.java
 e/a.java
 w/h.java
 y/b.java
 w/b.java
 b2/h.java
 f0/b.java
 j1/d.java
 z/e.java
 v2/h.java
 l1/j.java
 y2/b.java
 z/g.java
 p1/f.java
 i/g.java
 z/j.java
 r/f.java
 z2/b.java
 j/c.java
 e3/b.java
 o2/b.java
 y/f.java
 l0/c.java
 t0/a.java
 d3/b.java
 z/c.java
Medium
CVSS:7.4
Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files: 
 w2/a.java
Pygal United States: 100

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

schemas.android.com
US plus.google.com 172.217.23.110

URL analysis

Information computed with MobSF.

http://schemas.android.com/apk/res/android
Defined in y/g.java
https://plus.google.com/
Defined in l1/r.java

Permissions analysis

Information computed with MobSF.

High android.permission.ACCESS_FINE_LOCATION fine (GPS) location
Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
High android.permission.ACCESS_COARSE_LOCATION coarse (network-based) location
Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
High android.permission.ACCESS_BACKGROUND_LOCATION access location in background
Allows an app to access location in the background.
High android.permission.WRITE_APN_SETTINGS write Access Point Name settings
Allows an application to modify the APN settings, such as Proxy and Port of any APN.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.CHANGE_NETWORK_STATE change network connectivity
Allows applications to change network connectivity state.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
android.permission.LOCAL_MAC_ADDRESS Unknown permission
Unknown permission from android reference
android.permission.READ_PRIVILEGED_PHONE_STATE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.ACCESS_BRIDGE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.CHANGE_IQI_STATE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.RECEIVE_CHANGE_UNLOCK_KEYCODE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.TOGGLE_DEBUG_STATE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.RECEIVE_UPLOAD_NOTIFICATIONS Unknown permission
Unknown permission from android reference
com.att.iqi.permission.MODIFY_MNC_MCC_VALIDATION_STATE Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Load external class
Confidence:
100%
Find a method from given class name, usually for reflection
Confidence:
100%
Method reflection
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.) via setData
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Get absolute path of the file and store in string
Confidence:
100%
Read file from assets directory
Confidence:
100%
Get the current WIFI information
Confidence:
100%
Get location of the device
Confidence:
100%
Method reflection
Confidence:
100%
Query data from URI (SMS, CALLLOGS)
Confidence:
100%
Get the time of current location
Confidence:
100%
Initialize class object dynamically
Confidence:
100%
Connect to a URL and set request method
Confidence:
80%
Read file and put it into a stream
Confidence:
80%
Get declared method from given method name
Confidence:
80%
Get last known location of the device
Confidence:
80%
Executes the specified string Linux command
Confidence:
80%
Get resource file from res/raw directory

Behavior analysis

Information computed with MobSF.

Android notifications 
       j1/d.java
Base64 decode 
       y/c.java
Base64 encode 
       e0/d.java
Execute os command 
       d1/t.java
Gps location 
       e1/f.java
       com/att/iqi/client/metrics/lc/LC36.java
Get cell information 
       e1/n.java
Get network interface information 
       e1/q.java
Get phone number 
       com/att/iqi/service/IdentityHelper.java
Get software version, imei/sv etc 
       com/att/iqi/service/IdentityHelper.java
Get subscriber id 
       com/att/iqi/service/IdentityHelper.java
Get system service 
       com/att/iqi/service/IdentityHelper.java
       com/att/iqi/service/network/PortingNetwork.java
       j1/g.java
       e1/r.java
       l0/a.java
       com/att/iqi/service/network/c.java
       j1/d.java
       e1/n.java
       z0/e.java
       d1/i.java
       e1/q.java
       j0/c.java
       e1/f.java
       i/d.java
       e1/i.java
       com/att/iqi/service/IQService.java
       com/att/iqi/client/i.java
       e1/p.java
       d1/d.java
       com/att/iqi/service/network/f.java
       w/c.java
Get wifi details 
       e1/r.java
       com/att/iqi/service/network/f.java
       e1/i.java
Http connection 
       com/att/iqi/service/network/PortingHttp.java
Inter process communication 
       t1/a.java
       e1/r.java
       u1/u.java
       u1/b0.java
       w/l.java
       u1/f0.java
       w/g.java
       u0/k0.java
       com/att/iqi/service/IQService.java
       com/att/iqi/service/network/PortingHttp.java
       t1/b.java
       j/a.java
       y1/d.java
       b/b.java
       x/a.java
       u1/v.java
       n1/a.java
       com/att/iqi/IProfileChangedCallback.java
       w/h.java
       w/b.java
       u1/e.java
       v2/h.java
       u1/h.java
       s1/b.java
       com/att/iqi/IMetricQueryCallback.java
       j/c.java
       com/att/iqi/IMetricSourcingCallback.java
       b/c.java
       l1/k.java
       u2/a.java
       u1/a.java
       e1/i.java
       n1/e.java
       m1/b.java
       y1/a.java
       com/att/iqi/service/ui/ShowMessage.java
       y1/g.java
       j1/e.java
       e1/p.java
       u1/r.java
       o1/a.java
       l1/r.java
       z2/d.java
       u2/b.java
       e1/b.java
       j1/a.java
       b/a.java
       j1/d.java
       com/att/iqi/IIQIService.java
       l1/j.java
       u1/e0.java
       com/att/iqi/lib/IQIManager.java
       j/d.java
       y1/b.java
       com/att/iqi/suw/SuwIqiActivity.java
       r1/b.java
       m1/c.java
       w/f.java
       v2/g.java
       s1/a.java
       j1/j.java
       com/att/iqi/IIQIBroker.java
       com/att/iqi/IServiceStateChangeCallback.java
       e3/e.java
Java reflection 
       com/att/iqi/service/IdentityHelper.java
       e1/r.java
       w/h.java
       z/f.java
       w/b.java
       f0/b.java
       z/e.java
       com/att/iqi/lib/Metric.java
       e1/n.java
       com/att/iqi/lib/IQIManager.java
       z/g.java
       r1/b.java
       i/g.java
       u0/y.java
       z/j.java
       u0/i0.java
       j/c.java
       z/h.java
       y/f.java
       t0/a.java
Kill process 
       com/att/iqi/IQIApplication.java
       com/att/iqi/service/IQService.java
Loading native code (shared library) 
       com/att/iqi/service/IQService.java
Local file i/o operations 
       h1/a.java
       z/k.java
       com/att/iqi/service/IQService.java
Sending broadcast 
       com/att/iqi/service/network/PortingHttp.java
       com/att/iqi/service/IQService.java
Starting activity 
       l1/k.java
       w/l.java
       com/att/iqi/service/IQService.java
Starting service 
       o1/a.java
Tcp socket 
       e1/q.java
Url connection to file/http/https/ftp/jar 
       com/att/iqi/service/network/PortingHttp.java

Control flow graphs analysis

Information computed by Pithus.

The application probably dynamically loads code

The application probably gets different information regarding the telephony capabilities

The application probably gets the IMEI of the phone

The application probably gets the subscriber ID associated to the SIM card/ Should never be collected

The application probably gets the phone number associated to the SIM card

The application probably gets the location based on GPS and/or Wi-Fi

The application probably scans the Wi-Fi network

The application probably gets the Wi-Fi connection information

The application probably gets network interfaces addresses (IP and/or MAC)

The application probably uses the phone sensors

The application probably plays sound

The application probably makes OS calls

The application probably reads the Android serial number

The application probably sends data over HTTP/S

The application probably executes OS commands

The application probably creates an accessibility service

The application probably listens accessibility events