Verdict | Malicious (Threat)
Score | 8/62
Analyzed on | 2021-09-07T13:45:08.700290
MD5 | b86fde2540f2032f55c9071ee7db131d
SHA1 | 53a1673b49874ab524faed5cf4efe07f9860c415
SHA256 | b3132e4cd475c381f2ec384b9055ee11ae80b529dcc78f03629106e2d12a50f6
Size | 14.52MB
Information computed with APKiD.
File | /tmp/tmp3d7e26v2!classes.dex
anti_vm | (match details not captured in this extract)
compiler | (match details not captured in this extract)
Information computed with ssdeep.
APK file | 393216:vFRs7LjtYbcud/Bcu976k94ulTbG2qD9S45Y/WCCwkhL7Y6joH7N:9RIjIdpcuFJTbGjS4aQwCsp
Manifest | 768:0rKqRxcKE6XSc7ctmIxSbqUQtoT8hobQOI771gLJv9/i3gAeCTynYa4DbGAMitOa:…
classes.dex | 49152:7hRehMD2/QjHvKQyFHd5OoD/DtP8G2jvAK62Trtlfe2+4ZV3mDWwIagSQju:98h…
Information computed with Dexofuzzy.
APK file | 6144:0vA22rurE3pOuDFY56vVP6NrdnZG0SHiIpaI2fqO:SAPb5O6VyRApO
classes.dex | 6144:0vA22rurE3pOuDFY56vVP6NrdnZG0SHiIpaI2fqO:SAPb5O6VyRApO
Information computed with MobSF.
Severity | Finding
Low | App has a Network Security Configuration [android:networkSecurityConfig=@xml/network_security_config]. The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app.
High | Debug enabled for app [android:debuggable=true]. Debugging was enabled on the app, which makes it easier for reverse engineers to attach a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.
Medium | Application data can be backed up [android:allowBackup=true]. This flag allows anyone to back up the application data via adb; users who have enabled USB debugging can copy application data off the device.
High | Activity-Alias (com.wlset.info.alias) is not protected. An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
High | Activity (com.wlset.info.SmsActivity) is not protected. An intent-filter exists. The Activity is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
High | Broadcast Receiver (com.wlset.info.receivers.SmsReceiver) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BROADCAST_SMS [android:exported=true]. The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application, so the protection level should be checked where the permission is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High | Broadcast Receiver (com.wlset.info.receivers.MmsReceiver) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BROADCAST_WAP_PUSH [android:exported=true]. The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application, so the protection level should be checked where the permission is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High | Service (com.wlset.info.services.HeadlessSmsSendService) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.SEND_RESPOND_VIA_MESSAGE [android:exported=true]. The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application, so the protection level should be checked where the permission is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High | Service (com.wlset.info.services.PhoneCallService) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BIND_INCALL_SERVICE [android:exported=true]. The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application, so the protection level should be checked where the permission is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High | Activity (com.wlset.info.CallActivity) is not protected. An intent-filter exists. The Activity is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
High | Broadcast Receiver (com.wlset.info.receivers.a) is not protected. An intent-filter exists. The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.
High | Service (com.gyf.cactus.service.LocalService) is not protected [android:exported=true]. The Service is shared with other apps on the device, leaving it accessible to any other application on the device.
High | Service (com.gyf.cactus.service.RemoteService) is not protected [android:exported=true]. The Service is shared with other apps on the device, leaving it accessible to any other application on the device.
High | Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]. The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application, so the protection level should be checked where the permission is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High | Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked. Permission: android.permission.DUMP [android:exported=true]. The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application, so the protection level should be checked where the permission is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium | High intent priority (2147483647) [android:priority]. By setting an intent priority higher than another intent, the app effectively overrides other requests.
Medium | High intent priority (2147483647) [android:priority]. By setting an intent priority higher than another intent, the app effectively overrides other requests.
Information computed with MobSF.
Activity | Schemes
com.wlset.info.SmsActivity | sms:// smsto:// mms:// mmsto://
com.wlset.info.CallActivity | tel://
Oldest file found in APK | Jan. 1, 1981, 1:01 a.m.
Latest file found in APK | Jan. 1, 1981, 1:01 a.m.
Certificate valid not before | Aug. 9, 2021, 10:23 a.m.
First submission on VT | Sept. 7, 2021, 1:15 p.m.
Last submission on VT | Sept. 7, 2021, 1:15 p.m.
Upload on Pithus | Sept. 7, 2021, 1:45 p.m.
Certificate valid not after | Aug. 3, 2046, 10:23 a.m.
Score | 8/62
Report | https://www.virustotal.com/gui/file/b3132e4cd475c381f2ec384b9055ee11ae80b529dcc78f03629106e2d12a50f6/detection
Provided by VirusTotal.
Threat name | phonespy | Identified 2 times
Information computed with MobSF.
Requirement | Area | Finding
FCS_RBG_EXT.1.1 | Random Bit Generation Services | The application invokes platform-provided DRBG functionality for its cryptographic operations.
FCS_STO_EXT.1.1 | Storage of Credentials | The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 | Cryptographic Key Generation Services | The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 | Access to Platform Resources | The application has access to ['network connectivity', 'camera', 'location', 'bluetooth', 'microphone'].
FDP_DEC_EXT.1.2 | Access to Platform Resources | The application has access to ['call lists', 'address book'].
FDP_NET_EXT.1.1 | Network Communications | The application has user/application initiated network communications.
FDP_DAR_EXT.1.1 | Encryption Of Sensitive Application Data | The application implements functionality to encrypt sensitive data in non-volatile memory.
FMT_MEC_EXT.1.1 | Supported Configuration Mechanism | The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
FTP_DIT_EXT.1.1 | Protection of Data in Transit | The application encrypts some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
FCS_RBG_EXT.2.1, FCS_RBG_EXT.2.2 | Random Bit Generation from Application | The application performs all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy, at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
FCS_COP.1.1(1) | Cryptographic Operation - Encryption/Decryption | The application performs encryption/decryption in accordance with a specified cryptographic algorithm, AES-CBC (as defined in NIST SP 800-38A) mode or AES-GCM (as defined in NIST SP 800-38D), and cryptographic key sizes 256-bit/128-bit.
FCS_COP.1.1(2) | Cryptographic Operation - Hashing | The application performs cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
FCS_HTTPS_EXT.1.1 | HTTPS Protocol | The application implements the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 | HTTPS Protocol | The application implements HTTPS using TLS.
FCS_HTTPS_EXT.1.3 | HTTPS Protocol | The application notifies the user and does not establish the connection, or requests application authorization to establish the connection, if the peer certificate is deemed invalid.
FIA_X509_EXT.2.1 | X.509 Certificate Authentication | The application uses X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS and TLS.
Information computed with MobSF.
High | Base config is insecurely configured to permit cleartext traffic to all domains. Scope: ['*']
Information computed with MobSF.
URL(s) | Defined in
http://lbs.amap.com/api/android-location-sdk/guide/utilities/errorcode/查看错误码说明 | com/amap/api/location/AMapLocation.java
https://restapi.amap.com/v3/iasdkauth, http://restapi.amap.com/v3/iasdkauth | com/loc/y3.java
http://restapi.amap.com | com/loc/f4.java
http://abroad.apilocate.amap.com/mobile/binary | com/loc/c3.java
http://apilocate.amap.com/mobile/binary, http://dualstack.apilocate.amap.com/mobile/binary, http://abroad.apilocate.amap.com/mobile/binary | com/loc/j3.java
http://abroad.apilocate.amap.com/mobile/binary | com/loc/n3.java
http://restapi.amap.com/v3/place/text?, http://restapi.amap.com/v3/place/around?, http://restapi.amap.com/v3/config/district? | com/loc/a.java
http://dualstack-restapi.amap.com/v3/geocode/regeo, http://restapi.amap.com/v3/geocode/regeo | com/loc/e3.java
http://aps.testing.amap.com/collection/collectData?src=baseCol&ver=v74& | com/loc/c1.java
http://lame.sf.net | lib/arm64-v8a/libmp3lame.so
http://argus.agoralab.co/vosdk/public/report?speaker=%u&listener=%u&venderID=%s&channelName=%s, http://argus.agoralab.co/vosdk/public/report?listener=%u&venderID=%s&channelName=%s, www.google.com, www.baidu.com, http://s/opt/jenkins_home/workspace/Kbuild/Android_Bitbucket2/media_sdk3/../agora_universal_transport/aut/impl/sdk/../../../aut/base/lru_cache.h | lib/arm64-v8a/libagora-rtc-sdk.so
Information computed with Exodus-core.
Tracker | Reference
AutoNavi / Amap | https://reports.exodus-privacy.eu.org/fr/trackers/361
Information computed with Quark-Engine (per-rule confidence values are not present in this extract).
Detected behaviours:
Check if the network is connected
Append the sender's address to the string
Load external class
Query the current data network type
Append the sender's address to the string
Implicit intent (view a web page, make a phone call, etc.)
Query the list of the installed packages
Find a method from given class name, usually for reflection
Check the active network type
Connect to a URL and receive input stream from the server
Modify voice volume
Method reflection
Install other APKs from file
Get the network operator name
Check if the sender address of SMS contains the given string
Retrieve data from broadcast
Read sensitive data (SMS, CALLLOG, etc.)
Check the current network type
Implicit intent (view a web page, make a phone call, etc.) via setData
Connect to a URL and get the response code
Monitor the broadcast action events (BOOT_COMPLETED)
Get location of the device and append this info to a string
Check the current active network type
Query the IMSI number
Check the network capabilities
Read file from assets directory
Get last known location of the device
Check if the content of SMS contains given string
Get calendar information
Query the network operator name
Get the current WiFi information
Get the current WiFi information and put it into JSON
Delete media specified by a content URI (SMS, CALL_LOG, File, etc.)
Get location of the device
Method reflection
Hide the current app's icon
Query WiFi information and WiFi MAC address
Query data from URI (SMS, CALLLOGS)
Check if the device is in data roaming mode
Get the time of current location
Initialize class object dynamically
Calculate WiFi signal strength
Get the current WiFi MAC address
Check the list of currently running applications
Connect to a URL and set request method
Read data and put it into a buffer stream
Get location info of the device and put it into a JSON object
Connect to a URL and read data from it
Read file and put it into a stream
Get declared method from given method name
Open a file from given absolute path of the file
Put data in cursor into a JSON object
Return dynamic information about the current Wi-Fi connection
Get absolute path of the file and store it in a string
Check if the given file path exists
Get the country code of the SIM card provider
Connect to the remote server through the given URL
Execute the specified Linux command string
Query the phone number
Create a directory
Read the input stream from given URL
Set the phone speaker on
Get resource file from res/raw directory
Initialize bitmap object and compress data (e.g. JPEG) into bitmap object