0/62

Threat

org.itxtech.daedalus

Daedalus

Analyzed on 2022-06-15T10:02:31.460361

6

permissions

3

activities

2

services

2

receivers

6

domains

File sums

MD5 2b0c363d3b9b5053758fb5c2e4c75c58
SHA1 23938bbcdd7f1f7030b0f48d975e934b4dfc3333
SHA256 eaf589127e4bea81372596c24f9b539dd2c3714beb52a3e3b5f1f4b9ba156b75
Size 6.2MB

APKiD

Information computed with APKiD.

/tmp/tmpgi0n05u_!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MANUFACTURER check
compiler
  • r8 without marker (suspicious)
/tmp/tmpgi0n05u_!classes2.dex
compiler
  • r8 without marker (suspicious)

SSdeep

Information computed with ssdeep.

APK file 196608:8JJVppgBHFQosFELn+cSmISsFR54oqAhY:orpslQo9D+D93R55qAhY
Manifest 192:0cZ5gA6mDKBp+X3XyO2CC9jdsGt4FAFOSZEDoqzqsiIyL7LAMTRqesyzeSqGKW2:0…
classes.dex 98304:ZFa5b6zk70mEa7FjE2IbcwNMz0KK62Ezz7b3wdDp0/vPM/IGQH:ZI5b6w0fAycO…
classes2.dex 12288:uT4chhvOBrZb1g6tLFiTX8vaIpfikK8g3qoT/7qcDmhHZIX4rTURfDTnYH+hl2x…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 6144:R7ApLFCYPJ3sujptNa7Z2yzkWN+7sgFMAFoeIFq34P91hU9+f3PbATFn85vf5sD3…
classes.dex 6144:R7ApLFCYPJ3sujptNa7Z2yzkWN+7sgFMAFoeIFq34P91hU9+f3PbATFn85vf5sDa…
classes2.dex 768:EXUOHZJNJ3DxQLzltikKS8yZfJgyD1OXntgGYj/7vPZe6hgPriMhi3PNDCM4:mBDw…

APK details

Information computed with AndroGuard and Pithus.

Package org.itxtech.daedalus
App name Daedalus
Version name 1.15.0
Version code 21
SDK 21 - 31
UAID d76961d796d93284158fd9956e9afc7b690b3c22
Signature Signature V1 Signature V2
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown

Certificate details

Information computed with AndroGuard.

MD5 424e930a2362873ce8b76ab4bb1f18cd
SHA1 9e98a8805186774907f664b78554e739e4558d67
SHA256 70eda2234af3e6ae1102e1ee2cbce8839718fd224cb524a6cc7794d0eb33cb84
Issuer Common Name: buildserver_licaon, Organizational Unit: F-Droid
Not before 2022-06-15T09:55:36+00:00
Not after 2049-10-31T09:55:36+00:00

File Analysis

Information computed with MobSF.

Findings Files
Certificate/Key files hardcoded inside the app. META-INF/services/org.pcap4j.packet.factory.PacketFactoryBinderProvider

Manifest analysis

Information computed with MobSF.

Medium Application Data can be Backed up[android:allowBackup=true]
This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.

Main Activity

Information computed with AndroGuard. 

org.itxtech.daedalus.activity.MainActivity

Activities

Information computed with AndroGuard. 

org.itxtech.daedalus.activity.MainActivity
org.itxtech.daedalus.activity.ConfigActivity
org.itxtech.daedalus.activity.AppFilterActivity

Receivers

Information computed with AndroGuard. 

org.itxtech.daedalus.receiver.BootBroadcastReceiver
org.itxtech.daedalus.receiver.StatusBarBroadcastReceiver

Services

Information computed with AndroGuard. 

org.itxtech.daedalus.service.DaedalusVpnService
org.itxtech.daedalus.service.DaedalusTileService

Sample timeline

Oldest file found in APK Jan. 1, 1981, 1:01 a.m.
Latest file found in APK Jan. 1, 1981, 1:01 a.m.
Certificate valid not before June 15, 2022, 9:55 a.m.
First submission on VT June 15, 2022, 9:58 a.m.
Last submission on VT June 15, 2022, 9:58 a.m.
Upload on Pithus June 15, 2022, 10:02 a.m.
Certificate valid not after Oct. 31, 2049, 9:55 a.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application invoke platform-provided DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generate no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_RBG_EXT.2.1
FCS_RBG_EXT.2.2		 The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
Random Bit Generation from Application
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files: 
 org/itxtech/daedalus/service/DaedalusVpnService.java
 org/itxtech/daedalus/provider/UdpProvider.java
 org/itxtech/daedalus/activity/MainActivity.java
 org/itxtech/daedalus/provider/TcpProvider.java
 org/pcap4j/util/NifSelector.java
 org/slf4j/helpers/Util.java
 org/itxtech/daedalus/provider/HttpsProvider.java
 com/sun/jna/Native.java
 org/itxtech/daedalus/util/Logger.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files: 
 org/pcap4j/core/PcapHandle.java
 org/minidns/DnsClient.java
 org/itxtech/daedalus/util/RuleResolver.java
 org/itxtech/daedalus/Daedalus.java
Medium
CVSS:8.8
Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.
MASVS: MSTG-PLATFORM-7
CWE-749 Exposed Dangerous Method or Function
M1: Improper Platform Usage
Files: 
 org/itxtech/daedalus/fragment/AboutFragment.java
Medium
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files: 
 org/minidns/util/CollectionsUtil.java
 org/itxtech/daedalus/fragment/DnsTestFragment.java
 org/minidns/constants/DnsRootServer.java
 org/minidns/AbstractDnsClient.java
Medium
CVSS:5.9
SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files: 
 org/minidns/AbstractDnsClient.java
Medium
CVSS:5.5
App creates temp file. Sensitive information should never be written into a temp file.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files: 
 com/sun/jna/Native.java
Pygal Switzerland: 100 China: 100 United States: 400

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

US adaway.org 185.199.111.153
US github.com 140.82.121.3
US raw.githubusercontent.com 185.199.108.133
CH www.slf4j.org 83.173.251.158
CN qr.alipay.com 110.76.30.76
US anti-ad.net 104.21.45.235

URL analysis

Information computed with MobSF.

http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#StaticLoggerBinder
http://www.slf4j.org/codes.html#substituteLogger
http://www.slf4j.org/codes.html#replay
http://www.slf4j.org/codes.html#version_mismatch
http://www.slf4j.org/codes.html#multiple_bindings
http://www.slf4j.org/codes.html#loggerNameMismatch
Defined in org/slf4j/LoggerFactory.java
http://www.slf4j.org/codes.html#no_static_mdc_binder
http://www.slf4j.org/codes.html#null_MDCA
Defined in org/slf4j/MDC.java
http://www.slf4j.org/codes.html#no_static_mdc_binder
http://www.slf4j.org/codes.html#null_MDCA
Defined in org/slf4j/MDC.java
https://raw.githubusercontent.com/googlehosts/hosts/master/hosts-files/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts.txt
https://adaway.org/hosts.txt
https://anti-ad.net/anti-ad-for-dnsmasq.conf
https://raw.githubusercontent.com/vokins/yhosts/master/dnsmasq/union.conf
https://qr.alipay.com/FKX04751EZDP0SQ0BOT137
Defined in org/itxtech/daedalus/Daedalus.java
https://raw.githubusercontent.com/googlehosts/hosts/master/hosts-files/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts.txt
https://adaway.org/hosts.txt
https://anti-ad.net/anti-ad-for-dnsmasq.conf
https://raw.githubusercontent.com/vokins/yhosts/master/dnsmasq/union.conf
https://qr.alipay.com/FKX04751EZDP0SQ0BOT137
Defined in org/itxtech/daedalus/Daedalus.java
https://raw.githubusercontent.com/googlehosts/hosts/master/hosts-files/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts.txt
https://adaway.org/hosts.txt
https://anti-ad.net/anti-ad-for-dnsmasq.conf
https://raw.githubusercontent.com/vokins/yhosts/master/dnsmasq/union.conf
https://qr.alipay.com/FKX04751EZDP0SQ0BOT137
Defined in org/itxtech/daedalus/Daedalus.java
https://raw.githubusercontent.com/googlehosts/hosts/master/hosts-files/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts.txt
https://adaway.org/hosts.txt
https://anti-ad.net/anti-ad-for-dnsmasq.conf
https://raw.githubusercontent.com/vokins/yhosts/master/dnsmasq/union.conf
https://qr.alipay.com/FKX04751EZDP0SQ0BOT137
Defined in org/itxtech/daedalus/Daedalus.java
https://raw.githubusercontent.com/googlehosts/hosts/master/hosts-files/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts.txt
https://adaway.org/hosts.txt
https://anti-ad.net/anti-ad-for-dnsmasq.conf
https://raw.githubusercontent.com/vokins/yhosts/master/dnsmasq/union.conf
https://qr.alipay.com/FKX04751EZDP0SQ0BOT137
Defined in org/itxtech/daedalus/Daedalus.java
https://raw.githubusercontent.com/googlehosts/hosts/master/hosts-files/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts.txt
https://adaway.org/hosts.txt
https://anti-ad.net/anti-ad-for-dnsmasq.conf
https://raw.githubusercontent.com/vokins/yhosts/master/dnsmasq/union.conf
https://qr.alipay.com/FKX04751EZDP0SQ0BOT137
Defined in org/itxtech/daedalus/Daedalus.java
https://github.com/iTXTech/Daedalus
Defined in org/itxtech/daedalus/activity/MainActivity.java
https://github.com/iTXTech/Daedalus/issues
Defined in org/itxtech/daedalus/fragment/GlobalConfigFragment$$ExternalSyntheticLambda10.java
https://github.com/iTXTech/Daedalus/wiki
Defined in org/itxtech/daedalus/fragment/GlobalConfigFragment$$ExternalSyntheticLambda1.java
https://github.com/iTXTech/Daedalus/releases
Defined in org/itxtech/daedalus/fragment/GlobalConfigFragment$$ExternalSyntheticLambda9.java
https://github.com/iTXTech/Daedalus/wiki/Privacy-Policy
Defined in org/itxtech/daedalus/fragment/GlobalConfigFragment$$ExternalSyntheticLambda8.java

Permissions analysis

Information computed with MobSF.

High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.RECEIVE_BOOT_COMPLETED automatically start at boot
Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.EXPAND_STATUS_BAR expand/collapse status bar
Allows application to expand or collapse the status bar.
org.itxtech.daedalus.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Load external class
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.)
Confidence:
100%
Query the list of the installed packages
Confidence:
100%
Find a method from given class name, usually for reflection
Confidence:
100%
Method reflection
Confidence:
100%
Retrieve data from broadcast
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Get absolute path of the file and store in string
Confidence:
100%
Read file from assets directory
Confidence:
100%
Get last known location of the device
Confidence:
100%
Get calendar information
Confidence:
100%
Get location of the device
Confidence:
100%
Method reflection
Confidence:
100%
Hide the current app's icon
Confidence:
100%
Get the time of current location
Confidence:
100%
Initialize class object dynamically
Confidence:
100%
Get specific method from other Dex files
Confidence:
80%
Read file and put it into a stream
Confidence:
80%
Open a file from given absolute path of the file
Confidence:
80%
Implicit intent(view a web page, make a phone call, etc.) via setData
Confidence:
80%
Executes the specified string Linux command
Confidence:
80%
Get resource file from res/raw directory

Behavior analysis

Information computed with MobSF.

Android notifications 
       org/itxtech/daedalus/service/DaedalusVpnService.java
Base64 encode 
       org/itxtech/daedalus/provider/HttpsIetfProvider.java
Crypto 
       okio/HashingSink.java
       okio/ByteString.java
       okio/HashingSource.java
       okio/Buffer.java
       okio/SegmentedByteString.java
Dynamic class and dexloading 
       com/sun/jna/Native.java
Execute os command 
       com/sun/jna/NativeLibrary.java
       org/minidns/dnsserverlookup/AndroidUsingExec.java
       org/itxtech/daedalus/util/DnsServersDetector.java
Get installed applications 
       org/itxtech/daedalus/activity/AppFilterActivity.java
Get system service 
       org/itxtech/daedalus/service/DaedalusVpnService.java
       org/itxtech/daedalus/activity/MainActivity.java
       org/itxtech/daedalus/receiver/StatusBarBroadcastReceiver.java
       org/itxtech/daedalus/fragment/DnsTestFragment.java
       org/itxtech/daedalus/util/DnsServersDetector.java
       org/itxtech/daedalus/Daedalus.java
Inter process communication 
       org/itxtech/daedalus/service/DaedalusVpnService.java
       org/itxtech/daedalus/fragment/GlobalConfigFragment.java
       org/itxtech/daedalus/fragment/HomeFragment.java
       org/itxtech/daedalus/fragment/ConfigFragment.java
       org/itxtech/daedalus/fragment/DnsServersFragment.java
       org/itxtech/daedalus/fragment/RulesFragment.java
       org/itxtech/daedalus/receiver/BootBroadcastReceiver.java
       org/itxtech/daedalus/activity/MainActivity.java
       org/itxtech/daedalus/fragment/RuleConfigFragment.java
       org/itxtech/daedalus/receiver/StatusBarBroadcastReceiver.java
       org/itxtech/daedalus/activity/ConfigActivity.java
       org/itxtech/daedalus/fragment/AboutFragment.java
       org/itxtech/daedalus/Daedalus.java
Java reflection 
       com/sun/jna/FunctionMapper.java
       com/sun/jna/StructureWriteContext.java
       org/slf4j/helpers/SubstituteLogger.java
       org/pcap4j/util/PropertiesLoader.java
       org/pcap4j/packet/namednumber/HttpStatusCode.java
       com/sun/jna/CallbackParameterContext.java
       com/sun/jna/win32/W32APIFunctionMapper.java
       org/pcap4j/core/NativeMappings.java
       org/itxtech/daedalus/util/DnsServersDetector.java
       com/sun/jna/Native.java
       com/sun/jna/Platform.java
       com/sun/jna/StructureReadContext.java
       com/sun/jna/NativeLibrary.java
       com/sun/jna/Union.java
       com/sun/jna/Structure.java
       com/sun/jna/VarArgsChecker.java
       com/sun/jna/win32/StdCallFunctionMapper.java
       com/sun/jna/CallbackReference.java
       com/sun/jna/CallbackResultContext.java
       com/sun/jna/MethodParameterContext.java
       okio/ByteString.java
       com/sun/jna/internal/ReflectionUtils.java
       com/sun/jna/InvocationMapper.java
       com/sun/jna/Function.java
       com/sun/jna/MethodResultContext.java
       org/minidns/dnsserverlookup/AndroidUsingReflection.java
       org/minidns/util/PlatformDetection.java
       com/sun/jna/Library.java
Loading native code (shared library) 
       com/sun/jna/NativeLibrary.java
       com/sun/jna/Native.java
Message digest 
       okio/HashingSink.java
       okio/ByteString.java
       okio/HashingSource.java
       okio/Buffer.java
       okio/SegmentedByteString.java
Starting activity 
       org/itxtech/daedalus/fragment/RulesFragment.java
       org/itxtech/daedalus/service/DaedalusVpnService.java
       org/itxtech/daedalus/activity/MainActivity.java
       org/itxtech/daedalus/fragment/GlobalConfigFragment.java
       org/itxtech/daedalus/receiver/StatusBarBroadcastReceiver.java
       org/itxtech/daedalus/fragment/HomeFragment.java
       org/itxtech/daedalus/fragment/AboutFragment.java
       org/itxtech/daedalus/Daedalus.java
       org/itxtech/daedalus/fragment/DnsServersFragment.java
Starting service 
       org/itxtech/daedalus/Daedalus.java
Tcp socket 
       okio/SocketAsyncTimeout.java
       okio/Okio__JvmOkioKt.java
       org/itxtech/daedalus/provider/TcpProvider.java
       org/itxtech/daedalus/provider/TlsProvider.java
       org/minidns/source/NetworkDataSource.java
       org/itxtech/daedalus/fragment/DnsTestFragment.java
       okio/DeprecatedOkio.java
       okio/Okio.java
Udp datagram packet 
       org/itxtech/daedalus/provider/UdpProvider.java
       org/itxtech/daedalus/provider/TcpProvider.java
       org/itxtech/daedalus/provider/TlsProvider.java
       org/minidns/source/NetworkDataSource.java
       org/minidns/dnsmessage/DnsMessage.java
Udp datagram socket 
       org/itxtech/daedalus/provider/UdpProvider.java
       org/minidns/source/NetworkDataSource.java
Webview javascript interface 
       org/itxtech/daedalus/fragment/AboutFragment.java

Control flow graphs analysis

Information computed by Pithus.

The application probably loads JS-capable web views

The application probably dynamically loads code

The application probably gets the IMEI of the phone

The application probably gets the location based on GPS and/or Wi-Fi

The application probably gets the network connections information

The application probably gets network interfaces addresses (IP and/or MAC)

The application probably uses reflection

The application probably plays sound

The application probably makes OS calls

The application probably sends data over UDP protocol

The application probably receives data over UDP protocol

The application probably lists all installed applications

The application probably executes OS commands

The application probably gets memory and CPU information

The application probably creates an accessibility service

The application probably listens accessibility events