Threat 0/62

com.google.android.setupwizard

Android Setup

Analyzed on 2022-05-10T11:13:55.022103

61 permissions, 56 activities, 11 services, 7 receivers, 3 domains

File sums

MD5 6e71285133bbfceaf5729bf225e4fbd7
SHA1 3e4a02195094c119e21f8a0c2e6f03dd540f064e
SHA256 f06d5b9880edd510ebb440f4f5a8da8297b575e33d70d485d6e851af3c6a7763
Size 8.55MB

APKiD

Information computed with APKiD.

/tmp/tmpnk6tz1r8!classes.dex
yara_issue
  • yara issue - dex file recognized by apkid but not yara module
anti_vm
  • Build.FINGERPRINT check
  • Build.PRODUCT check
compiler
  • unknown (please file detection issue!)

SSdeep

Information computed with ssdeep.

APK file 49152:9NyCP0FJBnXEGfUFw/YGgGpr+poIAoCDn7abzKyQ7xfHCtwaz4920mkYZRRXEJkP:BsGkHCtzUSkYZokilw8nNTZpU
Manifest 768:peXCVBb1+PCBl5k7aDKTT6lhOBRpMpMNgQBV/DL6oOd2dihS/v3s3R3c3f5Owtyk:…
classes.dex 49152:bzhOu84iuYOFWUfMfQFJ/QpAcd6XB5qxp7IoCDIZ2JlubKkQ6XQ0zsUhxa+FX9y…

Dexofuzzy

Information computed with Dexofuzzy.

classes.dex None

APK details

Information computed with AndroGuard and Pithus.

Package com.google.android.setupwizard
App name Android Setup
Version name 228.5921675
Version code 228
SDK 26 - 28
UAID 06b8b2ec137c3be061a3111de115161c9449df83
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 cde9f6208d672b54b1dacc0b7029f5eb
SHA1 38918a453d07199354f8b19af05ec6562ced5788
SHA256 f0fd6c5b410f25cb25c3b53346c8972fae30f8ee7411df910480ad6b2d60db83
Issuer Common Name: Android, Organizational Unit: Android, Organization: Google Inc., Locality: Mountain View, State/Province: California, Country: US
Not before 2008-08-21T23:13:34+00:00
Not after 2036-01-07T23:13:34+00:00

Manifest analysis

Information computed with MobSF.

High Clear text traffic is enabled for the app [android:usesCleartextTraffic=true]
The app declares that it intends to use cleartext network traffic (plain HTTP, FTP stacks, DownloadManager, MediaPlayer). The platform default is "true" for apps targeting API level 27 or lower and "false" from API level 28; this app targets SDK 28, so the flag is set deliberately rather than inherited. Cleartext traffic has no confidentiality, authenticity or integrity protection: a network attacker can read it and modify it without detection. Whether any of the URLs listed under URL analysis are actually fetched over http:// has to be confirmed in the code.
High Broadcast Receiver (.util.SetupWizardUserInitReceiver) is not protected. An intent-filter exists.
A receiver that declares an intent-filter but no android:exported attribute is exported by default (the attribute only became mandatory for such components with targetSdk 31; this app targets 28), so any app on the device can send it broadcasts, unless the filtered action is a protected broadcast that only the system may send, or the receiver validates the sender itself.
High Broadcast Receiver (.restore.UsbAttachedReceiver) is not protected. An intent-filter exists.
Same situation: implicitly exported through its intent-filter, reachable by any app unless the action is a protected broadcast or the receiver checks the sender.
High Service (.predeferred.NotificationConsolidatorService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_NOTIFICATION_LISTENER_SERVICE [android:exported=true]
The service is exported and guarded by a permission this app does not define, so its protection level has to be read where it is declared. If it is normal or dangerous, any app can request it and bind to the service; if it is signature (or signature|privileged), only apps signed with the platform key or placed in the privileged partition can. On a device the level is visible in the output of `adb shell pm list permissions -f`. In AOSP's framework manifest BIND_NOTIFICATION_LISTENER_SERVICE is declared with protectionLevel signature, i.e. only the system can bind to this service.
High Activity (.WizardManagerActivity) is not protected. [android:exported=true]
The activity is explicitly exported with no permission, so any app can start it with an explicit intent. What matters is whether it trusts intent extras or performs privileged setup actions on the caller's behalf, which has to be checked in the decompiled code.
High TaskAffinity is set for Activity (.deferred.DeferredSetupWizardActivity)
An explicit taskAffinity lets an activity be placed in a task other than the app's own. Another app that declares the same affinity can have its activities join that task and sit on top of this one (task hijacking), and intents delivered to that task become visible to it. Keep the default affinity (the package name) unless a separate task is genuinely required.
High Activity (.deferred.DeferredSetupWizardActivity) is not protected. [android:exported=true]
Explicitly exported with no permission; any app can start it.
High Activity (.deferred.DeferredTrampolineActivity) is not protected. [android:exported=true]
Explicitly exported with no permission; any app can start it.
High Activity-Alias (.deferred.DeferredSettingsSuggestionActivity) is not protected. [android:exported=true]
An exported alias is reachable by any app exactly like the activity it targets; the alias does not appear in the Activities list below because it is not a class of its own.
High Activity (.util.WebDialogActivity) is not protected. [android:exported=true]
Explicitly exported with no permission; any app can start it. It is also BROWSABLE for http:// and https:// (see Browsable activities), so it can be launched from a web link as well.
High Activity (.util.SecureInterceptActivity) is not protected. [android:exported=true]
Explicitly exported with no permission; any app can start it.
High Activity (.user.DeviceOwnerUserSetupCompleteActivity) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_DEVICE_ADMIN [android:exported=true]
Exported and guarded by a platform permission not defined in this app; check its level where it is declared (normal or dangerous: any app can obtain it; signature: only same-key or privileged callers). In AOSP's framework manifest BIND_DEVICE_ADMIN is declared with protectionLevel signature, so only the system can start this activity.
High Activity (.user.GoogleServicesWrapper) is not protected. [android:exported=true]
Explicitly exported with no permission; any app can start it.
High TaskAffinity is set for Activity (.predeferred.PreDeferredSetupWizardActivity)
Same concern as for DeferredSetupWizardActivity: a non-default affinity lets another app that declares the same affinity share, and hijack, the task.
High Activity (.predeferred.PreDeferredSetupWizardActivity) is not protected. [android:exported=true]
Explicitly exported with no permission; any app can start it.
High Broadcast Receiver (.predeferred.SetUseMobileDataReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.WRITE_SECURE_SETTINGS [android:exported=true]
Exported and guarded by a platform permission not defined in this app; check its level where it is declared. In AOSP's framework manifest WRITE_SECURE_SETTINGS is declared with protectionLevel signature|privileged|development, so a third-party app cannot hold it (the development flag means it can be granted over adb on a development build, which is worth remembering when testing).
High Content Provider (com.google.android.setupwizard.deviceorigin.provider.DeviceOriginProvider) is not protected. [android:exported=true]
The provider is exported with no android:permission, readPermission or writePermission in the manifest, so any app can query it through its authority. The permission list below includes com.google.android.setupwizard.READ_DEVICE_ORIGIN_FIRST_PARTY; whether the provider enforces a permission in code rather than through the manifest has to be confirmed by reading it.
High Content Provider (com.google.android.setupwizard.deferred.DeferredSuggestionSummaryProvider) is not protected. [android:exported=true]
Exported with no manifest permission; any app can query it unless the provider checks the caller itself.
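The findings above follow a small set of manifest rules: an explicit android:exported, the implicit export that an intent-filter causes below targetSdk 31, the cleartext default that flips at targetSdk 28, and the protection level of whatever permission guards an exported component, which for platform permissions has to be read from the device rather than from the APK. The script below re-derives that table. It is an added example, not Pithus or MobSF code. The manifest excerpt and the `pm list permissions -f` dump are constructed: the real component names carry only the attributes this page reports for them, the `.example.*` components are hypothetical, and the protection levels in the dump are what AOSP's framework manifest declares but must be taken from the actual device under test.

```python
"""Re-derive MobSF-style exported-component and cleartext findings from a manifest.

Added example, not part of the Pithus report or MobSF. MANIFEST and PM_DUMP are
CONSTRUCTED inputs: `.example.*` components are hypothetical, and the protection
levels in PM_DUMP are an input to the script, not something it knows.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.setupwizard">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="28"/>
  <permission android:name="com.google.android.setupwizard.SETUP"
      android:protectionLevel="signature"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".util.SetupWizardUserInitReceiver">
      <intent-filter><action android:name="example.ACTION"/></intent-filter>
    </receiver>
    <receiver android:name=".predeferred.SetUseMobileDataReceiver" android:exported="true"
        android:permission="android.permission.WRITE_SECURE_SETTINGS"/>
    <service android:name=".predeferred.NotificationConsolidatorService" android:exported="true"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <activity android:name=".WizardManagerActivity" android:exported="true"/>
    <provider android:name=".deviceorigin.provider.DeviceOriginProvider"
        android:authorities="example.authority" android:exported="true"/>
    <activity android:name=".example.InternalActivity"/>
    <activity android:name=".example.SetupOnlyActivity" android:exported="true"
        android:permission="com.google.android.setupwizard.SETUP"/>
    <activity android:name=".example.SeparateTaskActivity" android:exported="true"
        android:taskAffinity="example.task"/>
  </application>
</manifest>"""

# Constructed excerpt in the shape of `adb shell pm list permissions -f` output.
PM_DUMP = """All Permissions:

+ permission:android.permission.WRITE_SECURE_SETTINGS
  package:android
  label:null
  protectionLevel:signature|privileged|development
+ permission:android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
  package:android
  label:null
  protectionLevel:signature
"""


def parse_pm_permissions(dump):
    """Map permission name -> protectionLevel string from a `pm list permissions -f` dump."""
    levels, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("+ permission:"):
            current = line[len("+ permission:"):]
        elif line.startswith("protectionLevel:") and current:
            levels[current] = line[len("protectionLevel:"):]
    return levels


def component_findings(manifest_xml, platform_levels):
    """Return (severity, component, message) triples like the MobSF table above."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    # Permissions the app defines itself carry their level in this manifest;
    # platform permissions must come from the device dump.
    levels = dict(platform_levels)
    for p in root.findall("permission"):
        levels[p.get(A + "name")] = p.get(A + "protectionLevel", "normal")
    findings = []

    cleartext = app.get(A + "usesCleartextTraffic")
    if cleartext is None:  # platform default: true up to targetSdk 27, false from 28
        cleartext = "true" if target <= 27 else "false"
    if cleartext == "true":
        findings.append(("high", "application", "cleartext traffic permitted"))

    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name, exported = comp.get(A + "name"), comp.get(A + "exported")
        if exported is None:
            # No explicit attribute: providers are exported only below targetSdk 17,
            # other components are exported when they declare an intent-filter.
            if comp.tag == "provider":
                is_exported = target < 17
            else:
                is_exported = comp.find("intent-filter") is not None
            why = "implicitly exported by intent-filter"
        else:
            is_exported, why = exported == "true", "android:exported=" + exported
        if not is_exported:
            continue
        affinity = comp.get(A + "taskAffinity")
        if affinity is not None and affinity != root.get("package"):
            findings.append(("high", name, "taskAffinity set to " + affinity))
        perm = comp.get(A + "permission")
        if perm is None:
            findings.append(("high", name, "exported without permission (" + why + ")"))
            continue
        level = levels.get(perm)
        if level is None:
            findings.append(("check", name, perm + ": level unknown, read it from the device"))
        elif "signature" in level.split("|"):
            findings.append(("info", name, perm + " (" + level + "): third-party apps cannot hold it"))
        else:
            findings.append(("high", name, perm + " is " + level + ": any app can request it"))
    return findings


if __name__ == "__main__":
    for sev, comp, msg in component_findings(MANIFEST, parse_pm_permissions(PM_DUMP)):
        print(sev.ljust(5), comp, "-", msg)
```

On a real target, feed the script the decoded AndroidManifest.xml (apktool or androguard output) and the dump from the device the APK actually runs on, since OEM builds can declare platform permissions differently from AOSP; a component whose permission is missing from the dump is reported as "check" rather than silently assumed safe.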

Browsable activities

Information computed with MobSF.

.util.WebDialogActivity

Schemes: http:// https://

The activity is exported (see Manifest analysis) and declares BROWSABLE intent-filters for http:// and https://, so it can be launched with a VIEW intent carrying a URL by any app and, through a link, by a web page. What it does with that URL has to be confirmed in the decompiled code.

Activities

Information computed with AndroGuard.

com.google.android.setupwizard.SetupWizardActivity
com.google.android.setupwizard.WizardManagerActivity
com.google.android.setupwizard.SetupWizardTestActivity
com.google.android.setupwizard.deferred.DeferredSetupWizardActivity
com.google.android.setupwizard.deferred.DeferredTrampolineActivity
com.google.android.setupwizard.SetupWizardExitActivity
com.google.android.setupwizard.util.WebDialogActivity
com.google.android.setupwizard.util.SecureInterceptActivity
com.google.android.setupwizard.user.WelcomeActivity
com.google.android.setupwizard.deferred.DeferredSetupWelcomeActivity
com.google.android.setupwizard.user.ClosingActivity
com.google.android.setupwizard.user.UserWarningActivity
com.google.android.setupwizard.user.DeviceOwnerUserSetupCompleteActivity
com.google.android.setupwizard.user.FlowChoiceActivity
com.google.android.setupwizard.user.RestoreChoiceActivity
com.google.android.setupwizard.carrier.MobileDataActivity
com.google.android.setupwizard.carrier.CarrierSetupWrapper
com.google.android.setupwizard.account.PaiWrapper
com.google.android.setupwizard.carrier.EsimSetupWrapper
com.google.android.setupwizard.network.WifiActivity
com.google.android.setupwizard.network.NetworkActivity
com.google.android.setupwizard.account.AccountSetupWrapper
com.google.android.setupwizard.account.AccountExistsActivity
com.google.android.setupwizard.user.LockScreenWrapper
com.google.android.setupwizard.user.FingerprintWrapper
com.google.android.setupwizard.restore.IosSetupActivity
com.google.android.setupwizard.user.AssistGestureWrapper
com.google.android.setupwizard.restore.ChooseRestoreTokenWrapper
com.google.android.setupwizard.restore.RestoreProgressActivity
com.google.android.setupwizard.restore.UsbMigrationWrapper
com.google.android.setupwizard.restore.UsbMigrationAfterAccountWrapper
com.google.android.setupwizard.restore.UsbMigrationFinalHoldWrapper
com.google.android.setupwizard.restore.DemoModeWrapper
com.google.android.setupwizard.account.CheckFrpActivity
com.google.android.setupwizard.user.GoogleServicesWrapper
com.google.android.setupwizard.time.DateTimeActivity
com.google.android.setupwizard.carrier.SimMissingActivity
com.google.android.setupwizard.carrier.EsimIntroActivity
com.google.android.setupwizard.carrier.SimSetupActivity
com.google.android.setupwizard.update.OtaUpdateActivity
com.google.android.setupwizard.ProgressActivity
com.google.android.setupwizard.qrprovision.QrScanActivity
com.google.android.setupwizard.user.DeviceOwnerWarningActivity
com.google.android.setupwizard.user.WorkSetupInterruptedActivity
com.google.android.setupwizard.user.FactoryResetActivity
com.google.android.setupwizard.user.SuggestedActionsActivity
com.google.android.setupwizard.user.ZeroTouchWrapper
com.google.android.setupwizard.account.OpaWrapper
com.google.android.setupwizard.account.PaymentsWrapper
com.google.android.setupwizard.restore.ChooseWhatToRestoreWrapper
com.google.android.setupwizard.account.KidPostSetupWrapper
com.google.android.setupwizard.user.DecisionPointActivity
com.google.android.setupwizard.account.AuthEarlyUpdateRollbackActivity
com.google.android.setupwizard.predeferred.PreDeferredSetupWizardActivity
com.google.android.setupwizard.predeferred.ConnectToWifiActivity
com.google.android.setupwizard.predeferred.PreDeferredProgressActivity

Receivers

Information computed with AndroGuard.

com.google.android.setupwizard.util.SetupWizardUserInitReceiver
com.google.android.setupwizard.restore.UsbAttachedReceiver
com.google.android.setupwizard.util.AddContactsReceiver
com.google.android.setupwizard.deferred.ComponentStateMitigationReceiver
com.google.android.setupwizard.deferred.PostSetupLifecycleBootReceiver
com.google.android.setupwizard.deferred.DeferredNotificationDismissedReceiver
com.google.android.setupwizard.predeferred.SetUseMobileDataReceiver

Services

Information computed with AndroGuard.

com.google.android.setupwizard.restore.RestoreService
com.google.android.setupwizard.logging.ScreenOnClock
com.google.android.setupwizard.deferred.DeferredSetupScheduler
com.google.android.setupwizard.deferred.DeferredSetupNotificationSchedulerService
com.google.android.setupwizard.deferred.DeferredCleanUpJobService
com.google.android.setupwizard.deviceorigin.provider.DeviceOriginWipeOutJobService
com.google.android.setupwizard.deferred.DeferredOngoingService
com.google.android.setupwizard.predeferred.NotificationConsolidatorService
com.google.android.setupwizard.predeferred.PreDeferredLifecycleScheduler
com.google.android.setupwizard.predeferred.PreDeferredServiceScheduler
com.google.android.setupwizard.predeferred.PreDeferredUpdateService

Sample timeline

Certificate valid not before Aug. 21, 2008, 11:13 p.m.
Oldest file found in APK Jan. 1, 2009, midnight
Latest file found in APK Jan. 1, 2009, midnight
First submission on VT Jan. 9, 2020, 10:42 a.m.
Last submission on VT April 16, 2020, 4:46 a.m.
Upload on Pithus May 10, 2022, 11:13 a.m.
Certificate valid not after Jan. 7, 2036, 11:13 p.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application uses no DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generates no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['USB', 'location', 'camera', 'network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to ['address book'].
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application does not encrypt files in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application encrypts some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
Domain geolocation map computed by Pithus: United States: 300

Domains analysis

Information computed with MobSF.

US www.google.com 142.250.186.36
US www.example.com 93.184.216.34
US www.google.com.br 172.217.16.131

URL analysis

Information computed with MobSF.

https://www.google.com/policies
www.google.com/policies
https://www.example.com/proxy.pac
https://www.google.com.br/policies
www.google.com.br/policies
https://https://www.google.com/intl/fr-CA/policies/
https://www.google.com/intl/fr-CA/policies/
Defined in Android String Resource

Permissions analysis

Information computed with MobSF.

High android.permission.ACCESS_COARSE_LOCATION coarse (network-based) location
Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
High android.permission.AUTHENTICATE_ACCOUNTS act as an account authenticator
Allows an application to use the account authenticator capabilities of the Account Manager, including creating accounts as well as obtaining and setting their passwords.
High android.permission.CAMERA take pictures and videos
Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
High android.permission.MANAGE_ACCOUNTS manage the accounts list
Allows an application to perform operations like adding and removing accounts and deleting their password.
High android.permission.READ_CONTACTS read contact data
Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
High android.permission.READ_PROFILE read the user's personal profile data
Allows an application to read the user's personal profile data.
High android.permission.USE_CREDENTIALS use the authentication credentials of an account
Allows an application to request authentication tokens.
High android.permission.WRITE_APN_SETTINGS write Access Point Name settings
Allows an application to modify the APN settings, such as Proxy and Port of any APN.
High android.permission.WRITE_CONTACTS write contact data
Allows an application to modify the contact (address) data stored on your phone. Malicious applications can use this to erase or modify your contact data.
High android.permission.WRITE_PROFILE write the user's personal profile data
Allows an application to write (but not read) the user's personal profile data.
High android.permission.WRITE_SETTINGS modify global system settings
Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration.
High android.permission.CALL_PHONE directly call phone numbers
Allows the application to call phone numbers without your intervention. Malicious applications may cause unexpected calls on your phone bill. Note that this does not allow the application to call emergency numbers.
High android.permission.PROCESS_OUTGOING_CALLS intercept outgoing calls
Allows application to process outgoing calls and change the number to be dialled. Malicious applications may monitor, redirect or prevent outgoing calls.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.CHANGE_WIFI_STATE change Wi-Fi status
Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.
Low android.permission.CHANGE_NETWORK_STATE change network connectivity
Allows applications to change network connectivity state.
Low android.permission.DISABLE_KEYGUARD Allows applications to disable the keyguard if it is not secure.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.RECEIVE_BOOT_COMPLETED automatically start at boot
Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
Low android.permission.USE_FINGERPRINT allow use of fingerprint
This constant was deprecated in API level 28. Applications should request USE_BIOMETRIC instead.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.WRITE_SYNC_SETTINGS write sync settings
Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.
Low android.permission.FOREGROUND_SERVICE Allows a regular application to use Service.startForeground.
Medium android.permission.SHUTDOWN partial shutdown
Puts the activity manager into a shut-down state. Does not perform a complete shut down.
Medium android.permission.BACKUP control system back up and restore
Allows the application to control the system's back-up and restore mechanism. Not for use by common applications.
Medium android.permission.CHANGE_COMPONENT_ENABLED_STATE enable or disable application components
Allows an application to change whether or not a component of another application is enabled. Malicious applications can use this to disable important phone capabilities. It is important to be careful with permission, as it is possible to bring application components into an unusable, inconsistent or unstable state.
Medium android.permission.CHANGE_CONFIGURATION change your UI settings
Allows an application to change the current configuration, such as the locale or overall font size.
Medium android.permission.MASTER_CLEAR reset system to factory defaults
Allows an application to completely reset the system to its factory settings, erasing all data, configuration and installed applications.
Medium android.permission.MODIFY_PHONE_STATE modify phone status
Allows the application to control the phone features of the device. An application with this permission can switch networks, turn the phone radio on and off and the like, without ever notifying you.
Medium android.permission.PERFORM_CDMA_PROVISIONING directly start CDMA phone setup
Allows the application to start CDMA provisioning. Malicious applications may start CDMA provisioning unnecessarily.
Medium android.permission.REBOOT force phone reboot
Allows the application to force the phone to reboot.
Medium android.permission.SET_TIME set time
Allows an application to change the phone's clock time.
Medium android.permission.SET_TIME_ZONE set time zone
Allows an application to change the phone's time zone.
Medium android.permission.STATUS_BAR disable or modify status bar
Allows application to disable the status bar or add and remove system icons.
Medium android.permission.WRITE_SECURE_SETTINGS modify secure system settings
Allows an application to modify the system's secure settings data. Not for use by common applications.
android.permission.CONNECTIVITY_INTERNAL Unknown permission
Unknown permission from android reference
android.permission.DISPATCH_PROVISIONING_MESSAGE Unknown permission
Unknown permission from android reference
android.permission.LOCAL_MAC_ADDRESS Unknown permission
Unknown permission from android reference
android.permission.MANAGE_DEVICE_ADMINS Unknown permission
Unknown permission from android reference
android.permission.MANAGE_FINGERPRINT Unknown permission
Unknown permission from android reference
android.permission.MANAGE_USB Unknown permission
Unknown permission from android reference
android.permission.MANAGE_USERS Unknown permission
Unknown permission from android reference
android.permission.NETWORK_SETUP_WIZARD Unknown permission
Unknown permission from android reference
android.permission.NOTIFICATION_DURING_SETUP Unknown permission
Unknown permission from android reference
android.permission.OVERRIDE_WIFI_CONFIG Unknown permission
Unknown permission from android reference
android.permission.PEERS_MAC_ADDRESS Unknown permission
Unknown permission from android reference
android.permission.READ_PRIVILEGED_PHONE_STATE Unknown permission
Unknown permission from android reference
android.permission.REQUEST_NETWORK_SCORES Unknown permission
Unknown permission from android reference
android.permission.UPDATE_LOCK_TASK_PACKAGES Unknown permission
Unknown permission from android reference
android.permission.USE_COLORIZED_NOTIFICATIONS Unknown permission
Unknown permission from android reference
com.android.vending.TOS_ACKED Unknown permission
Unknown permission from android reference
com.google.android.apps.now.OPT_IN_WIZARD Unknown permission
Unknown permission from android reference
com.google.android.googleapps.permission.GOOGLE_AUTH Unknown permission
Unknown permission from android reference
com.google.android.providers.gsf.permission.READ_GSERVICES Unknown permission
Unknown permission from android reference
com.google.android.providers.settings.permission.READ_GSETTINGS Unknown permission
Unknown permission from android reference
com.google.android.providers.settings.permission.WRITE_GSETTINGS Unknown permission
Unknown permission from android reference
com.google.android.setupwizard.READ_DEVICE_ORIGIN_FIRST_PARTY Unknown permission
Unknown permission from android reference
com.google.android.setupwizard.SETUP Unknown permission
Unknown permission from android reference
android.permission.INVOKE_CARRIER_SETUP Unknown permission
Unknown permission from android reference
com.android.vending.setup.PLAY_SETUP_SERVICE Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Confidence 100%: Find a method from given class name, usually for reflection
Confidence 100%: Method reflection
Confidence 100%: Load class from given class name
Confidence 100%: Retrieve data from broadcast
Confidence 100%: Read sensitive data (SMS, CALLLOG, etc.)
Confidence 100%: Implicit intent (view a web page, make a phone call, etc.) via setData
Confidence 100%: Send notification
Confidence 100%: Monitor the broadcast action events (BOOT_COMPLETED)
Confidence 100%: Get last known location of the device
Confidence 100%: Get location of the device
Confidence 100%: Method reflection
Confidence 100%: Hide the current app's icon
Confidence 100%: Query WiFi information and WiFi MAC address
Confidence 100%: Query data from URI (SMS, CALLLOGS)
Confidence 100%: Get the time of current location
Confidence 100%: Initialize class object dynamically
Confidence 100%: Get resource file from res/raw directory
Confidence 80%: Load external class
Confidence 80%: Get declared method from given method name
Confidence 80%: Query the ISO country code
Confidence 80%: Calculate WiFi signal strength

Control flow graphs analysis

Information computed by Pithus.

The application probably gets network interface addresses (IP and/or MAC)

The application probably plays sound

The application probably listens for accessibility events