Threat 0/61

com.att.iqi
Mobile Network Diagnostics

Analyzed on 2022-06-18T23:38:23.399641

17 permissions
4 activities
1 service
0 receivers
2 domains

File sums

MD5 db4b2b8edcc9773c2699107504284e12
SHA1 65fd7624e97a22db757864df3fe77ff86abb3a7c
SHA256 a3872d7f202b7e9aea55adf77a42ea137923422f30e8de09b69853f072599733
Size 21.46MB

APKiD

Information computed with APKiD.

/tmp/tmp9du0tasb!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MANUFACTURER check
compiler
  • dx

SSdeep

Information computed with ssdeep.

APK file 196608:xpvvHissOvs8hNWr2DOENjV2uwELixXNMhvD20w9NVNz:fvHidys86rqV2uwE120wNZ
Manifest 192:+wl1fehUzto9O63ryb1eApabyC6+/by9T+3T+CSnat2qkXaJuTT/Vg:+wvfehUzto…
classes.dex 49152:lpmYyYcQE5qu2cSzzEidpvBGiKL2geiYtlrcwZYrmP:lpwMvHP

Dexofuzzy

Information computed with Dexofuzzy.

APK file 3072:dfY7tBG+hCyLXU2q/8ytdLRpdE9F7ACDX03NkGNcxR6VCmp2737:pQ/U2qrtdreZ…
classes.dex 3072:dfY7tBG+hCyLXU2q/8ytdLRpdE9F7ACDX03NkGNcxR6VCmp2737:pQ/U2qrtdreZ…

APK details

Information computed with AndroGuard and Pithus.

Package com.att.iqi
App name Mobile Network Diagnostics
Version name 21.3-66-gf4bb800952
Version code 10347
SDK 26 - 31
UAID 3f649945897d791aa257171e3155d5e5f9f20b7c
Signature Signature V1 Signature V2
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown
  • 0x504b4453: Dependency metadata
  • 0x42726577: Verity padding

Certificate details

Information computed with AndroGuard.

MD5 a428d4bebff1384be08cb788fc262584
SHA1 a9130e8728d2dd2c6a4f3d90113cba58f86ac9a1
SHA256 2e7f54980de978f4ab05514b6ca4c5ed053e4f48e75b0f212d9b6e1d4364d22a
Issuer Common Name: iQ Insights, Organizational Unit: Big Data, Organization: AT&T, Locality: Sunnyvale, State/Province: CA, Country: US
Not before 2017-08-17T22:31:36+00:00
Not after 2042-08-11T22:31:36+00:00

Manifest analysis

Information computed with MobSF.

High Service (com.att.iqi.service.IQService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.att.iqi.permission.BIND_IQI_MANAGER [android:exported=true]
A Service is found to be shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High taskAffinity is set for Activity (com.att.iqi.suw.SuwIqiActivity)
If taskAffinity is set, other applications could read the Intents sent to Activities belonging to another task. Always use the default setting, keeping the affinity as the package name, to prevent sensitive information inside sent or received Intents from being read by another application.

Activities

Information computed with AndroGuard.

com.att.iqi.service.ui.ShowMessage
com.att.iqi.service.ui.SettingsActivity
com.att.iqi.suw.SuwIqiActivity
com.google.android.gms.common.api.GoogleApiActivity

Services

Information computed with AndroGuard.

com.att.iqi.service.IQService

Sample timeline

Oldest file found in APK Jan. 1, 1981, 1:01 a.m.
Latest file found in APK Jan. 1, 1981, 1:01 a.m.
Certificate valid not before Aug. 17, 2017, 10:31 p.m.
First submission on VT May 29, 2022, 10:04 a.m.
Last submission on VT May 31, 2022, 5:25 a.m.
Upload on Pithus June 18, 2022, 11:38 p.m.
Certificate valid not after Aug. 11, 2042, 10:31 p.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 (Random Bit Generation Services): The application uses no DRBG functionality for its cryptographic operations.
FCS_STO_EXT.1.1 (Storage of Credentials): The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 (Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 (Access to Platform Resources): The application has access to ['location', 'network connectivity'].
FDP_DEC_EXT.1.2 (Access to Platform Resources): The application has access to no sensitive information repositories.
FDP_NET_EXT.1.1 (Network Communications): The application has user/application initiated network communications.
FDP_DAR_EXT.1.1 (Encryption Of Sensitive Application Data): The application does not encrypt files in non-volatile memory.
FMT_MEC_EXT.1.1 (Supported Configuration Mechanism): The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
FTP_DIT_EXT.1.1 (Protection of Data in Transit): The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
  • h0/c.java
  • y2/c.java
  • z/f.java
  • q2/g.java
  • com/att/iqi/client/b.java
  • o/d.java
  • w/l.java
  • d3/g.java
  • y1/a.java
  • n2/d.java
  • u0/y.java
  • d3/a.java
  • y/a.java
  • o1/a.java
  • u0/i0.java
  • c3/a.java
  • b3/a.java
  • z/k.java
  • u1/q.java
  • j1/g.java
  • d0/h.java
  • e/a.java
  • w/h.java
  • y/b.java
  • w/b.java
  • b2/h.java
  • f0/b.java
  • j1/d.java
  • z/e.java
  • v2/h.java
  • l1/j.java
  • y2/b.java
  • z/g.java
  • p1/f.java
  • i/g.java
  • z/j.java
  • r/f.java
  • z2/b.java
  • j/c.java
  • e3/b.java
  • o2/b.java
  • y/f.java
  • l0/c.java
  • t0/a.java
  • d3/b.java
  • z/c.java
Medium
CVSS:7.4
Files may contain hardcoded sensitive information like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files:
  • w2/a.java

Map computed by Pithus (domain geolocation): United States: 100

Domains analysis

Information computed with MobSF.

schemas.android.com
US plus.google.com 172.217.23.110

URL analysis

Information computed with MobSF.

http://schemas.android.com/apk/res/android
Defined in y/g.java
https://plus.google.com/
Defined in l1/r.java

Permissions analysis

Information computed with MobSF.

High android.permission.ACCESS_FINE_LOCATION fine (GPS) location
Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
High android.permission.ACCESS_COARSE_LOCATION coarse (network-based) location
Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
High android.permission.ACCESS_BACKGROUND_LOCATION access location in background
Allows an app to access location in the background.
High android.permission.WRITE_APN_SETTINGS write Access Point Name settings
Allows an application to modify the APN settings, such as Proxy and Port of any APN.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.CHANGE_NETWORK_STATE change network connectivity
Allows applications to change network connectivity state.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
android.permission.LOCAL_MAC_ADDRESS Unknown permission
Unknown permission from android reference
android.permission.READ_PRIVILEGED_PHONE_STATE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.ACCESS_BRIDGE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.CHANGE_IQI_STATE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.RECEIVE_CHANGE_UNLOCK_KEYCODE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.TOGGLE_DEBUG_STATE Unknown permission
Unknown permission from android reference
com.att.iqi.permission.RECEIVE_UPLOAD_NOTIFICATIONS Unknown permission
Unknown permission from android reference
com.att.iqi.permission.MODIFY_MNC_MCC_VALIDATION_STATE Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Confidence 100%: Load external class
Confidence 100%: Find a method from given class name, usually for reflection
Confidence 100%: Method reflection
Confidence 100%: Read sensitive data (SMS, CALLLOG, etc)
Confidence 100%: Implicit intent (view a web page, make a phone call, etc.) via setData
Confidence 100%: Monitor the broadcast action events (BOOT_COMPLETED)
Confidence 100%: Get absolute path of the file and store in string
Confidence 100%: Read file from assets directory
Confidence 100%: Get the current WIFI information
Confidence 100%: Get location of the device
Confidence 100%: Method reflection
Confidence 100%: Query data from URI (SMS, CALLLOGS)
Confidence 100%: Get the time of current location
Confidence 100%: Initialize class object dynamically
Confidence 100%: Connect to a URL and set request method
Confidence 80%: Read file and put it into a stream
Confidence 80%: Get declared method from given method name
Confidence 80%: Get last known location of the device
Confidence 80%: Executes the specified string Linux command
Confidence 80%: Get resource file from res/raw directory

Behavior analysis

Information computed with MobSF.

Android notifications
  • j1/d.java
Base64 decode
  • y/c.java
Base64 encode
  • e0/d.java
Execute os command
  • d1/t.java
Gps location
  • e1/f.java
  • com/att/iqi/client/metrics/lc/LC36.java
Get cell information
  • e1/n.java
Get network interface information
  • e1/q.java
Get phone number
  • com/att/iqi/service/IdentityHelper.java
Get software version, imei/sv etc
  • com/att/iqi/service/IdentityHelper.java
Get subscriber id
  • com/att/iqi/service/IdentityHelper.java
Get system service
  • com/att/iqi/service/IdentityHelper.java
  • com/att/iqi/service/network/PortingNetwork.java
  • j1/g.java
  • e1/r.java
  • l0/a.java
  • com/att/iqi/service/network/c.java
  • j1/d.java
  • e1/n.java
  • z0/e.java
  • d1/i.java
  • e1/q.java
  • j0/c.java
  • e1/f.java
  • i/d.java
  • e1/i.java
  • com/att/iqi/service/IQService.java
  • com/att/iqi/client/i.java
  • e1/p.java
  • d1/d.java
  • com/att/iqi/service/network/f.java
  • w/c.java
Get wifi details
  • e1/r.java
  • com/att/iqi/service/network/f.java
  • e1/i.java
Http connection
  • com/att/iqi/service/network/PortingHttp.java
Inter process communication
  • t1/a.java
  • e1/r.java
  • u1/u.java
  • u1/b0.java
  • w/l.java
  • u1/f0.java
  • w/g.java
  • u0/k0.java
  • com/att/iqi/service/IQService.java
  • com/att/iqi/service/network/PortingHttp.java
  • t1/b.java
  • j/a.java
  • y1/d.java
  • b/b.java
  • x/a.java
  • u1/v.java
  • n1/a.java
  • com/att/iqi/IProfileChangedCallback.java
  • w/h.java
  • w/b.java
  • u1/e.java
  • v2/h.java
  • u1/h.java
  • s1/b.java
  • com/att/iqi/IMetricQueryCallback.java
  • j/c.java
  • com/att/iqi/IMetricSourcingCallback.java
  • b/c.java
  • l1/k.java
  • u2/a.java
  • u1/a.java
  • e1/i.java
  • n1/e.java
  • m1/b.java
  • y1/a.java
  • com/att/iqi/service/ui/ShowMessage.java
  • y1/g.java
  • j1/e.java
  • e1/p.java
  • u1/r.java
  • o1/a.java
  • l1/r.java
  • z2/d.java
  • u2/b.java
  • e1/b.java
  • j1/a.java
  • b/a.java
  • j1/d.java
  • com/att/iqi/IIQIService.java
  • l1/j.java
  • u1/e0.java
  • com/att/iqi/lib/IQIManager.java
  • j/d.java
  • y1/b.java
  • com/att/iqi/suw/SuwIqiActivity.java
  • r1/b.java
  • m1/c.java
  • w/f.java
  • v2/g.java
  • s1/a.java
  • j1/j.java
  • com/att/iqi/IIQIBroker.java
  • com/att/iqi/IServiceStateChangeCallback.java
  • e3/e.java
Java reflection
  • com/att/iqi/service/IdentityHelper.java
  • e1/r.java
  • w/h.java
  • z/f.java
  • w/b.java
  • f0/b.java
  • z/e.java
  • com/att/iqi/lib/Metric.java
  • e1/n.java
  • com/att/iqi/lib/IQIManager.java
  • z/g.java
  • r1/b.java
  • i/g.java
  • u0/y.java
  • z/j.java
  • u0/i0.java
  • j/c.java
  • z/h.java
  • y/f.java
  • t0/a.java
Kill process
  • com/att/iqi/IQIApplication.java
  • com/att/iqi/service/IQService.java
Loading native code (shared library)
  • com/att/iqi/service/IQService.java
Local file i/o operations
  • h1/a.java
  • z/k.java
  • com/att/iqi/service/IQService.java
Sending broadcast
  • com/att/iqi/service/network/PortingHttp.java
  • com/att/iqi/service/IQService.java
Starting activity
  • l1/k.java
  • w/l.java
  • com/att/iqi/service/IQService.java
Starting service
  • o1/a.java
Tcp socket
  • e1/q.java
Url connection to file/http/https/ftp/jar
  • com/att/iqi/service/network/PortingHttp.java

Control flow graphs analysis

Information computed by Pithus.

The application probably dynamically loads code

The application probably gets various information about the telephony capabilities

The application probably gets the IMEI of the phone

The application probably gets the subscriber ID associated with the SIM card (this should never be collected)

The application probably gets the phone number associated with the SIM card

The application probably scans the Wi-Fi network

The application probably gets the Wi-Fi connection information

The application probably gets network interfaces addresses (IP and/or MAC)

The application probably uses the phone sensors

The application probably plays sound

The application probably makes OS calls

The application probably reads the Android serial number

The application probably executes OS commands

The application probably listens for accessibility events