Clipboard data of OnePlus Chinese users is sending data to teddymobile servers - OnePlus 5T Guides, News, & Discussion

The Teddymobile app comes preinstalled by OnePlus and had been added in OxygenOS Open Beta 2. This app is sending data to Teddymobile servers in China without users' consent.
The OnePlus clipboard app contains a strange file called badword.txt. In these words, you can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...
Details here: Pastebin Link
This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files:
- badword.txt
- brackets.txt
- end.txt
- follow.txt
- key.txt
- start.txt
All these files are used in an obfuscated package which seems to be an Android library from teddymobile. TeddyMobile is a Chinese company; they have worked with a lot of manufacturers, including Oppo. Their website is http://teddymobile.cn/
As far as can be understood, teddymobile is doing number identification in SMS. The picture below can be translated like this:
- Total number of SMS 20M+
- SMS identification accuracy 100%
- Identification number recognition rate of 70%
- recognition accuracy of 95%
According to the code OnePlus is sending your IMEI and the phone manufacturer to a Chinese server owned by teddymobile
In TeddyMobile's package com.ted, they have a class called SysInfoUtil. This class contains the following methods:
- getAndroidID
- getCPUSerial
- getDeviceId
- getHardwareSerialNumber
- getIMEI
- getIPAddress
- getMacAddress
- getPhoneNumber
- getScreenPixels
Except for getIPAddress and getScreenPixels, all the other methods are used. They also send JSON messages to their servers with "telephone" and "messageText" fields...
This is a good reminder... Please don't copy and paste your bank account number... TeddyMobile has a dedicated method to recognize a bank account...
Verify it yourself from the OnePlus clipboard apk available at the koodous project. Link is here
After deeper investigation, only a small part of the teddymobile SDK is used. In the ClipboardManager, in the verifyExpress method, they used the method parserOnline.
This parserOnline will send what you have in your clipboard data to a teddymobile server in order to parse it. It is important to say that this method is used only for Chinese users.
The conditions to send your data to the teddymobile server are:
- clip data is not numeric
- not an email
- Chinese OnePlus phone
- clipboard data matched the express pattern
It is good to say that the parserOnline method is used 3 times in the code, so this is only 1 of the 3 use cases!
So finally, a word of caution: whoever has installed OxygenOS Open Beta 2, there is a good chance your data is with Teddymobile right now.
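A static triage along the lines of the "verify it yourself" step above, as an added example that is not part of the original post and not OnePlus or TeddyMobile code: it opens an APK as a zip, reports any nested archive holding the file names listed for `pattern`, and lists which of the method and field names quoted in the post appear as whole entries in a dex string table. The sample APK is constructed in memory; the entry paths `assets/pattern`, `assets/badword.txt` and the dex contents are assumptions.

```python
import io
import zipfile

# File names the post lists inside the "pattern" archive.
PATTERN_FILES = {"badword.txt", "brackets.txt", "end.txt",
                 "follow.txt", "key.txt", "start.txt"}

# Method names the post lists for SysInfoUtil, plus the other method and
# JSON field names it quotes.
MARKERS = ["getAndroidID", "getCPUSerial", "getDeviceId",
           "getHardwareSerialNumber", "getIMEI", "getIPAddress",
           "getMacAddress", "getPhoneNumber", "getScreenPixels",
           "parserOnline", "verifyExpress", "telephone", "messageText"]


def dex_string(text):
    """Encode a short ASCII string the way a dex string_data_item stores it:
    a ULEB128 length (one byte below 128), the bytes, then a NUL."""
    raw = text.encode("ascii")
    if len(raw) >= 128:
        raise ValueError("single-byte ULEB128 length only")
    return bytes([len(raw)]) + raw + b"\x00"


def scan_dex(data):
    """Return the markers present as whole string-table entries.
    Presence shows the name exists in the code, not that it is ever called."""
    return [m for m in MARKERS if dex_string(m) in data]


def triage(apk_bytes):
    """Summarise pattern files and marker strings found in an APK."""
    report = {"pattern_archives": {}, "loose_pattern_files": [],
              "dex_strings": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = apk.read(info)
            if name.rsplit("/", 1)[-1] in PATTERN_FILES:
                report["loose_pattern_files"].append(name)
            if name.endswith(".dex"):
                found = scan_dex(data)
                if found:
                    report["dex_strings"][name] = found
            elif zipfile.is_zipfile(io.BytesIO(data)):
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        inner_names = {n.rsplit("/", 1)[-1]
                                       for n in inner.namelist()}
                except zipfile.BadZipFile:
                    continue  # looked like a zip but is not readable as one
                matched = sorted(inner_names & PATTERN_FILES)
                if matched:
                    report["pattern_archives"][name] = matched
    return report


def build_sample_apk():
    """Constructed sample for the demo; not a real OnePlus APK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        for fname in sorted(PATTERN_FILES):
            z.writestr(fname, "constructed\n")
    # "getMacAddressLabel" is a decoy: a longer string must not count
    # as a hit for "getMacAddress".
    strings = ["getDeviceId", "getIMEI", "getMacAddressLabel",
               "parserOnline", "telephone", "messageText"]
    dex = b"dex\n035\x00" + b"".join(dex_string(s) for s in strings)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/pattern", inner.getvalue())   # assumed path
        z.writestr("assets/badword.txt", "constructed\n")  # assumed path
        z.writestr("classes.dex", dex)
    return outer.getvalue()


if __name__ == "__main__":
    for section, value in triage(build_sample_apk()).items():
        print(section, value)
```

A hit only shows that the files and names ship in the package; whether the code path runs on a given device is a separate question that needs dynamic analysis or traffic capture.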

Uh oh the hysteria! A tech company may be collecting information???? Never heard of that happening before...
Wasn't this already debunked over on Reddit?

this is very alarming.

http://www.androidpolice.com/2018/01/26/no-oneplus-still-not-sending-clipboard-data-china/

Please read and inform yourself before spreading false information.
And god what is it with the massive font and broken OP ?

i did some digging. paradoxx is right. but what about this app ?

False Information!! This looks like false information to you? Did you even bother to read all the technical explanation being mentioned here? Company will obviously deny the allegations saying it as baseless.
I have mentioned everything step by step which are revealed by a renowned hacker Elliot Alderson. Check his Twitter bio - https://twitter.com/fs0c131y
Apologies for the large fonts, corrected them. By the way, I am a OnePlus 5T user since OnePlus One.
Paradoxxx said:
Please read and inform yourself before spreading false information.
And god what is it with the massive font and broken OP ?

https://www.gsmarena.com/oneplus_re...ther_clipboard_data_accusation-news-29344.php

arka.b said:
False Information!! This looks like false information to you? Did you even bother to read all the technical explanation being mentioned here? Company will obviously deny the allegations saying it as baseless.
I have mentioned everything step by step which are revealed by a renowned hacker Elliot Alderson. Check his Twitter bio - https://twitter.com/fs0c131y
Apologies for the large fonts, corrected them. By the way, I am a OnePlus 5T user since OnePlus One.
https://www.reddit.com/r/android/comments/7t6joy
https://www.reddit.com/r/android/comments/7t6joy/_/dtaggn3

I am eager too. But did someone, including mods, look at the screenshot I sent? Is it a safe apk to have in the phone?
---------- Post added at 02:17 PM ---------- Previous post was at 02:16 PM ----------
It seems like the clipboard app was controversial. It has been removed in beta 3.

arka.b said:
False Information!! This looks like false information to you? Did you even bother to read all the technical explanation being mentioned here? Company will obviously deny the allegations saying it as baseless.
I have mentioned everything step by step which are revealed by a renowned hacker Elliot Alderson. Check his Twitter bio - https://twitter.com/fs0c131y
Apologies for the large fonts, corrected them. By the way, I am a OnePlus 5T user since OnePlus One.
I know who he is, I saw this a couple of days before you even posted here, and unlike you, I actually did some research on other websites to find more info regarding this.
Please read AndroidPolice's article on this.

Hmm interesting
Sent from my ONEPLUS A5010 using Tapatalk

The web is full of misinformation. The code is/was there. The fact that it was 'inactive' on US handsets means - exactly- doodily squat. If you know anything about linux code then you know that it wouldn't take very much for the proprietors of said code to 'activate'. Especially with the code being in ROM at a place where it is given any permissions they deem fit w/out the typical end-user's knowledge.
It was wise on op's part to remove it. They already have the credit card fiasco to deal w/.
Excerpts from the aforementioned AndroidPolice article:
- but the company says
-the company is wasting no time issuing a clear explanation of the situation
-According to OnePlus,
-So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS
Hardly a hard hitting piece that rises to the bar of journalistic integrity.

Clipboard code removed from Oneplus 5T Open Beta 3
And maybe because of this controversy, OnePlus removed the clipboard from Open Beta 3.
http://www.firstpost.com/tech/news-...lity-and-adds-cpu-security-patch-4327815.html
https://www.gsmarena.com/oxygenos_o...ols_removes_clipboard_function-news-29392.php
Lossyx said:
https://www.reddit.com/r/android/comments/7t6joy
https://www.reddit.com/r/android/comments/7t6joy/_/dtaggn3

yeah, right. Appreciate your concern!
Paradoxxx said:
I know who he is, I saw this a couple of days before you even posted here, and unlike you, I actually did some research on other websites to find more info regarding this.
Please read AndroidPolice's article on this.

arka.b said:
And maybe because of this controversy, OnePlus removed the clipboard from Open Beta 3.
http://www.firstpost.com/tech/news-...lity-and-adds-cpu-security-patch-4327815.html
https://www.gsmarena.com/oxygenos_o...ols_removes_clipboard_function-news-29392.php
Damage has already been done because of circle jerks...

chas123 said:
The web is full of misinformation. The code is/was there. The fact that it was 'inactive' on US handsets means - exactly- doodily squat. If you know anything about linux code then you know that it wouldn't take very much for the proprietors of said code to 'activate'. Especially with the code being in ROM at a place where it is given any permissions they deem fit w/out the typical end-user's knowledge.
It was wise on op's part to remove it. They already have the credit card fiasco to deal w/.
Excerpts from the aforementioned AndroidPolice article:
- but the company says
-the company is wasting no time issuing a clear explanation of the situation
-According to OnePlus,
-So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS
Hardly a hard hitting piece that rises to the bar of journalistic integrity.
arka.b said:
yeah, right. Appreciate your concern!
To add on top of that, some people actually tried to trigger the application activities, and no contact to any server could be made.

Related

Free 100gb of Google Drive Storage on your Oneplus One or ANY other device

So as many of you guys know if you don't live under a rock, Today HTC has a special offer going on for free 100gb of Google Drive storage if you sign in from a selected HTC phones..
So me being all that I am, I thought of something very quick.
Unethical or whatever you may call it, I went and made a visit to my nearest Tmobile store and I approached the closest HTC M8.
I promptly went into settings and did a factory reset and then proceeded to logging into my Google account. Right after that all you
have to do is open the Google drive app (it should already be pre-installed for you so no need to go download it) once you are there
you will be prompted a screen that shows the actual offer. Like I said it depends on which phone you are on and how much free storage you will
be given. Use the chart below to see what you will get.
Tap Redeem and that's it. You may have to close out of Google drive again and reopen it for it to show up but it works perfectly. Best part is that it is free 100GB if you sign in from an HTC M8 for 2 years!
Also you can as very well use it on your other devices like me on my oneplus one Good luck to you guys and enjoy :good:
Important FAQ's for Offer
Which HTC Android devices are eligible for additional storage on Google Drive?
New HTC One (M8) (+100GB for two years)
HTC Desire 816, HTC Desire 610 (+100GB for two years)
HTC One max (+100GB for two years)
When upgrade to HTC Sense 5+ and Sense 6 becomes available on certain 2013 HTC models,
including HTC One, HTC Butterfly S, HTC One Mini and HTC Desire 601. (+25GB for two years)
How long is this Drive storage offer valid?
The offer must be redeemed before January 1, 2016. For most devices, you'll have your storage for 2 years, starting on the date you redeem the offer.
Can I apply the storage to another Google Account?
No. The free storage is not transferable and will only apply to the Google account you are using when you redeem the offer.
if I purchased a used/refurbished HTC device or unlocked the bootloader on my device, can I redeem the offer?
No. The offer is only available to original buyer of a device over its lifetime. Users who unlock the bootloader on their device are not eligible to receive this offer. so YOU MUST HAVE A LOCKED BOOTLOADER!!
Read more about the FAQ here: https://support.google.com/drive/answer/3333549?p=drive_offers_htc&rd=1
Official HTC Offer page: http://www.htc.com/us/support/htc-one-m8/howto/465031.html
Haha nice trick
lopman said:
Haha nice trick
Thanks man, Gotta enjoy free things when life throws them at you. :highfive:
SystemErrorOne said:
So me being all that I am, I thought of something very quick.
Unethical or whatever you may call it...
You have a conscience and choose to ignore it. That's nothing to be proud of.
SystemErrorOne said:
Thanks man, Gotta enjoy free things when life throws them at you. :highfive:
Is that a quote from the looters at Ferguson last month? I'm sure you wouldn't be giving yourself high fives if you were on HTC or Google's end of the deal.
CafeKampuchia said:
You have a conscience and choose to ignore it. That's nothing to be proud of.
Is that a quote from the looters at Ferguson last month? I'm sure you wouldn't be giving yourself high fives if you were on HTC or Google's end of the deal.
There's nothing wrong with what I did. Others could say the same about users continuously finding exploits to root and void warranties but you don't see anyone *****ing about that. I did this because it's simple and it's not as if I stole any physical money, hardware, etc.
It's your choice how you look at it.
SystemErrorOne said:
it's not as if I stole any physical money, hardware, etc.
It's your choice how you look at it.
Wrong. You took something with a fixed monetary value without paying. The fact that it's non-physical is a non-argument.
While it is clever, I agree with CafeKampuchia, and it also probably violates these forum rules:
6. Do not post warez.
If a piece of software requires you to pay to use it, then pay for it. We do not accept warez and nor do we permit any member to request, promote or describe ways in which warez, cracks, serial codes or other means of avoiding payment, can be obtained. This is a site of developers, i.e. the sort of people who create such software. When you cheat a software developer, you cheat us as a community.
9. Don't get us into trouble.
Don't post copyrighted materials or do other things which will obviously lead to legal trouble. If you wouldn't do it on your own homepage, you probably shouldn't do it here either. This does not mean that we agree with everything that the software piracy lobby try to impose on us. It simply means that you cannot break any laws here, since we'll end up dealing with the legal hassle caused by you. Please use common sense: respect the forum, its users and those that write great code.
So after 2 years, does the account become deactivated or do you lose all the data that's on Google Drive?

One Month With Ogury

Hi, I am Paul, an indie Android developer in Uganda.
Last month I received an email from a one, Adrian Williams, VP of publishing with Ogury Ltd. (ogury.co)
It's not your conventional Ad network, it shows an impression called a "recommendation". These are interstitials that are shown at the start of the app life cycle.
Since their implementation wasn't going to interfere with my already existing monetization schemes such as AdMob, I took the plunge. This was mid August, most of my traffic is from the US, India, Korea, Indonesia, combined EU in that order. I average 20,000 impressions on AdMob daily. And have 40,000 people currently with one of my apps on their devices.
Their dashboard isn't the best and takes time to update itself.
So far they don't have a section where you can feed in your payment details. However within the first week of the next month, you're sent an email with a verified amount and you're asked to send them an invoice asking for the money and include your payment details.
And today (19th Sept) I received the August Earnings.
They have a minimum payment threshold of $50 and can pay via PayPal as well as bank transfer.
I frankly didn't believe it all and didn't want to share anything here until I had actually received the money.
So if you want to add a monetization avenue that won't affect your existing banners and interstitials, I believe this is worth a plunge.
Good luck bros (and sisters, all 3 of you)
compatible with google policy ???
Hi Paul,
My big concern is that .. is ogury compatible with new google policies .
Sorry, I made an error, ads aren't shown outside the app itself.
They are shown at the start.
paulasiimwe said:
Sorry, I made an error, ads aren't shown outside the app itself.
They are shown at the start.
How nice that you created an account just to praise them.
Does anyone have reliable info?
I know it looks bad but I'm a legit developer with apps on Play Store,
email me or go on hangouts for more info : [email protected]
Search for an app on Google Play called Image Converter made by dev called "Paul Asiimwe", check the info and you'll see that same email.
You can ask me all you want there.
After plenty of time, I can settle with my final opinion about Ogury, based on my personal experience.
Pros:
High CPM.
Easy to implement.
Nice staff.
Clean dashboard.
Low payment threshold.
Ads can be disabled by the user. A pro for user compliance (although the button to do so is quite hidden).
Cons:
Usually low fill rate, although there has been a short period with 100% fill rate.
Poor SDK. There's no pre-load. It may be updated in future though, I guess.
Requires heavy authorizations. Personally, about 20-25% of my users never accepted those new permissions and never updated.
Requires a background service. I wasn't running any service before and received some complaints by users who noticed the change.
Ads can be disabled by the user. Also a con, because fill rate is 0% now. Luckily, they can't do it easily - LoL.
Intricate procedure to ask for a payment (it's not automatic).
Hefty fee (14€ for me) on the bank transfer (you probably want to be paid via Paypal).
No one told me about the above mentioned things related to payments.
Payment was late and was received after a solicitation.
Based on this, if you chose Ogury I suggest to implement it before the launch, because doing it on the way may upset the user base.
After all, the revenue was very good and it's worth as long as you can find a way to keep users happy.
Hi Paul,
My concern is do they have fast supporting? And what about the time for approval?
Thanks alot!
TramPham said:
Hi Paul,
My concern is do they have fast supporting? And what about the time for approval?
Thanks alot!
I can tell that support is super rapid and there's no time of approval. I needed 1 minute to register, and 15 minutes to implement the code. Ads are instantly live.
My concern is, what about the privacy policy we provide with our app?
I think it had to be written somewhere that the ad network is collecting user data.
What about other networks that specialize in the African continent like AdVine, Mobiclicks Direct, TwinPine, or Thumbtribe?

Honor 5x $1 bonanza is a SCAM

This is a scam. They are not giving any $1 Honor 5x. I already had my address in my profile and the item in my cart. I clicked on "proceed to checkout", after less than 1 second that the button appeared, yet it got stuck on order summary, how could they have clicked the shipping option, payment method, click the "I have read the term and conditions" and then click the pay button, be redirected to 3rd party website and have paid for item, in less than second of what it took me to access the payment website where it hung? It happened 2 times already.
Even if you already have item In your cart and shipping address stored in your profile, you still have to go through this process. You cannot automate these steps, they have to be done manually.
- click on proceed to checkout
- click on shipping option
- click the dot on "payment method"
- select the square on the right that says "I accept the terms and conditions"
- click the "pay" button
- be redirected to their party website
- enter your payment information and pay
I had the $1 item already in my cart. I have been refreshing like crazy. I clicked on "proceed to checkout", my timing was flawless and as soon as I got to the checkout page, it was gone, out of stock in less than a second. It is IMPOSSIBLE, let me repeat, impossible, that they could have gone through those 7 steps in less time than what it took me to simply click on "proceed to checkout". This is a scam to bring huge traffic to their site, where they will make more revenue from visits, and also people will buy their legit deals, 30% off and the bundle. Also, how convenient that the winner happens to be a guy who constantly posts pictures of different phones, wallpapers, selling, comparing and reviewing phones, and he is part of the google+ honor usa community.
//plus.google.com/+GaryBell/posts/3bYAFd9NCQR
How convenient that right after I say on the honor blog that there is no proof that anyone could have won, and this could be a scam, suddenly that link/winner pops up.
Sour grapes much?
Sent from my SGP621 using XDA-Developers mobile app
A scam? Really??
So because you didn't magically win, when going up against who knows how many other people, the offer must be a scam? One would have to have an understanding of how the hosted services on the internet work to be able to ascertain whether or not this is a "Scam" or not. And I can assure you that the results you encountered were the same as many others. Ever been through a Woot-Off when a BoC gets posted? Same idea....
CMed67 said:
So because you didn't magically win, when going up against who knows how many other people, the offer must be a scam? One would have to have an understanding of how the hosted services on the internet work to be able to ascertain whether or not this is a "Scam" or not. And I can assure you that the results you encountered were the same as many others. Ever been through a Woot-Off when a BoC gets posted? Same idea....
How would you know is not just a plot to get more traffic to their store?
This is a big business we are talking about, do you think they give a crap about you? All they care about is money. Do you really think they are gonna give away free phones? lmao How convenient that after I ask on the honor blog that there is no way for us to know if is legit or not, and that they could easily create fake profiles/buy reviewers, suddenly, right after a guy pops up on the honor google plus page claiming to have won the phone lol
Whatever, i already have the phone, but i feel bad for those people who cannot afford one, had their hopes up, wasted their whole day on this, only for some other guy who obviously is well off and changes phones every month, supposedly won another new phone
Fowleri said:
How would you know is not just a plot to get more traffic to their store?
This is a big business we are talking about, do you think they give a crap about you? All they care about is money. Do you really think they are gonna give away free phones? lmao How convenient that after I ask on the honor blog that there is no way for us to know if is legit or not, and that they could easily create fake profiles/buy reviewers, suddenly, right after a guy pops up on the honor google plus page claiming to have won the phone lol
Whatever, i already have the phone, but i feel bad for those people who cannot afford one, had their hopes up, wasted their whole day on this, only for some other guy who obviously is well off and changes phones every month, supposedly won another new phone
And the butthurt continues.
Sent from my SGP621 using XDA-Developers mobile app
Some people's children...

IS the dashboard hijacking our texts?

I downloaded the app "Servicely" and it can disable services and apps to prolong your battery and what not, well i opened it up to take a look and i was going through each apps running services.. Not all mind you as there are a ton but i was scrolling down through OnePlus 6T dashboard app and one of the services was ".mms.SmsHijackerService" .
This of course grabbed my attention. Does anybody know what this is, and is it a lot more innocent than what it looks like? I also read something earlier tonight about how OnePlus does steal info behind users' backs... not sure if it was a BS article or if it had some truth to it (sure everything has truth to it). So after reading that then seeing this I was like WTF. Are my texts being hijacked and sent to them? There were a few other ones with names that, at least if they are what I think they are, they hid the name better. I have a screenshot here, not sure if I uploaded it right as it's my first time. Any help to put my mind at ease? I am headed to bed and I will look more into it in a few hours. Thanks!
That's interesting -.- I have no words hopefully oneplus ain't hijacking our text messages.
I think they need to hijack sms and mms just to display it in the Dashboard. At least I hope so.
Nevermind, I am using a custom ROM.
Ryan Mixed said:
That's interesting -.- I have no words hopefully oneplus ain't hijacking our text messages.
I have found nothing online about it. Very strange, i figured if anybody knew it would be someone on here. I am going to keep digging into it.
@Funk Wizard
My good man, got any inside on this?
fogame said:
@Funk Wizard
You won't hear from him till there's an stable OOS update.
indian84 said:
You won't hear from him till there's an stable OOS update.
Lol true. He might respond though. He answers my messages.
Hope for the best, expect the worst.
Has anybody else seen this or have it on their device?
Jrod333 said:
Has anybody else seen this or have it on their device?
I have the same on OOS 9.012
gogoffm said:
I have the same on OOS 9.012
I am on 9.0.11 , so it doesn't go away in an update ha ha not that i thought it would. Seems shady but also why on earth would they name it something that seems shady....... I am going to try to install this sms reader module i read about, it logs all data & sms that leave your phone. Find out if any leave that A) i didn't write & B) go somewhere i didn't send...hopefully the app can tell me that..... if it turns out not , Do you or anybody know of an app that can do that ? I think that would solve all my paranoia that every app i have is sending out my information.
Jrod333 said:
I am on 9.0.11 , so it doesn't go away in an update ha ha not that i thought it would. Seems shady but also why on earth would they name it something that seems shady....... I am going to try to install this sms reader module i read about, it logs all data & sms that leave your phone. Find out if any leave that A) i didn't write & B) go somewhere i didn't send...hopefully the app can tell me that..... if it turns out not , Do you or anybody know of an app that can do that ? I think that would solve all my paranoia that every app i have is sending out my information.
Agree, the name is really strange we should wait the reply from the OP guy....
I put an aluminum foil cover on my phone, and it went away...
the paranoia here is impressive...
MarcoLK said:
I think they need to hijack sms and mms just to display it in the Dashboard. At least I hope so.
Nevermind, I am using a custom ROM.
Does the Dashboard display sms? Maybe I don't understand what the Dashboard is?
wase4711 said:
I put an aluminum foil cover on my phone, and it went away...
the paranoia here is impressive...
Hmmm... don't want to start drama as I'm sure you didn't intend to, but I'm one of those "paranoid" or conscious as I prefer.
I'm huge on keeping up with geopolitics and some of us should really research the history of China, and I don't mean reading modern, watered-down history literature. China's CCP is the biggest and most vast "Big Brother" in the world except for intelligence in the US/Europe. Not only that, but they are VERY open about the intrusion of privacy amongst its own people along with the current controversy on China's LONG history of Intellectual Property theft. Read anything re: China's (state owned and funded) Huawei these days (also, notice Huawei's focus on high quality cameras.. eyes everywhere), I will never own anything they produce and I'm sad to say I may be skeptical of this phone now, sadly. And here's a fun-fact.... I'm a Chinese-American, no joke lol
This is very concerning and I think these questions should continue to be asked higher up. I will definitely research this and watch this thread closely.
Please post any finding on its nature and update us on if we can remove/block the apk. I will do some testing after work.
- Former GE Engineer and Chinese Businessman Charged with Economic Espionage and Theft of GE’s Trade Secrets - An indictment unsealed today charges Xiaoqing Zheng, 56, of Niskayuna, New York, and Zhaoxi Zhang, 47, of Liaoning Province, China, with economic espionage and conspiring to steal General Electric’s (GE’s) trade secrets surrounding turbine technologies, knowing
- The future of the smartphone camera is here, it’s not Apple and it’s disturbing - "Mashable’s Stan Schroeder snapped this picture that, while grainy, gives a sense of the potential spy-power of the phone’s camera."
- Chinese Infiltration in US Reaches ‘Extreme’ Levels - "There are a minimum of 50,000 Chinese Communist Party (CCP) spies at U.S. companies, government agencies, and U.S. military."
- China Infiltration Into U.S. Education System - "Chinese government has infiltrated nearly every sector of the U.S. education system via a package of programs and monetary schemes that seek to indoctrinate American children and bring the Communist government’s propaganda into the classroom, according to a new report by a Senate investigatory body."
- Why Chinese Steel is Unsafe For Your Next Steel Building Project - Weak steel flooded into the market by the Chinese creates weak infrastructure and military components in rival countries... along with destroying the steel market itself.
Edit: After some initial research, OnePlus is a little more distant than Huawei when it comes to state relations.. but keep in mind that China announced last year a new law that "requires cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China". Why do you think that is....? NEVER EVER EVER trust ANYONE/ANYTHING that says they're from/with the government and that they are there to help you. REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE!
This is a tech/dev forum, so I'll stop here to stay on that topic. But please... understand that there's always a threat to your freedom, it's up to the masses to protect it from the >1% of those working tirelessly to take it.
WWG1WGA!!!
that's fine, and being "conscious" is always appropriate in dealing with all things internet..
however, it always makes me chuckle how so many folks are super paranoid of their privacy being invaded, yet they spend half their lives on faceschnook, tweeter, Snapchat, "the gram" and on and on, plus, as I am sure you already know that once you have an email account, an internet plan, a cell phone, a credit card, a car payment, what ever, you can pretty much kiss any semblance of personal privacy goodbye..
wase4711 said:
I put an aluminum foil cover on my phone, and it went away...
the paranoia here is impressive...
Every time I do that it really messes my Wi-Fi signal up...
If you use Chinese aluminum foil, it some how works...
wase4711 said:
that's fine, and being "conscious" is always appropriate in dealing with all things internet..
however, it always makes me chuckle how so many folks are super paranoid of their privacy being invaded, yet they spend half their lives on faceschnook, tweeter, Snapchat, "the gram" and on and on, plus, as I am sure you already know that once you have an email account, an internet plan, a cell phone, a credit card, a car payment, what ever, you can pretty much kiss any semblance of personal privacy goodbye..
You are giving a lot of assumptions (?) about me when you don't even know me. I don't have half those things you listed and if I did or if anybody did that automatically takes their right to privacy away? I will always be concerned with that and as I do agree you can't stop it all as everything you have is tied to you in some digital public way, it does not mean we should just give up... That's your choice not mine. But let's get back to the original topic... As this is what this site is for. If you want to argue the topic's hypocrisy and all that good stuff (because I gladly will) we can do that elsewhere.
I never made ONE SINGLE assumption about you, so no pity party for you..
and, you said I "gave up"..where EXACTLY did I say that?
you can't make stuff up to fit your narrative dude, so don't try..
even XDA hides tracking cookies on your devices, so deal with it..
and, please show me where it says we have a "right" to privacy...
..Cory.. said:
Hmmm... don't want to start drama as I'm sure you didn't intend to, but I'm one of those "paranoid" or conscious as I prefer.
I'm huge on keeping up with geopolitics and some of us should really research the history of China, and I don't mean reading modern, watered-down history literature. China's CCP is the biggest and most vast "Big Brother" in the world except for intelligence in the US/Europe. Not only that, but they are VERY open about the intrusion of privacy amongst its own people along with the current controversy on China's LONG history of Intellectual Property theft. Read anything re: China's (state owned and funded) Huawei these days (also, notice Huawei's focus on high quality cameras.. eyes everywhere), I will never own anything they produce and I'm sad to say I may be skeptical of this phone now, sadly. And here's a fun-fact.... I'm a Chinese-American, no joke lol
This is very concerning and I think these questions should continue to be asked higher up. I will definitely research this and watch this thread closely.
Please post any finding on its nature and update us on if we can remove/block the apk. I will do some testing after work.
- Chinese Infiltration in US Reaches ‘Extreme’ Levels - "There are a minimum of 50,000 Chinese Communist Party (CCP) spies at U.S. companies, government agencies, and U.S. military."
- China Infiltration Into U.S. Education System - "Chinese government has infiltrated nearly every sector of the U.S. education system via a package of programs and monetary schemes that seek to indoctrinate American children and bring the Communist government’s propaganda into the classroom, according to a new report by a Senate investigatory body."
- Why Chinese Steel is Unsafe For Your Next Steel Building Project - Weak steel flooded into the market by the Chinese creates weak infrastructure and military components in rival countries... along with destroying the steel market itself.
Edit: After some initial research, OnePlus is a little more distant than Huawei when it comes to state relations.. but keep in mind that China announced last year a new law that "requires cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China". Why do you think that is....? NEVER EVER EVER trust ANYONE/ANYTHING that says they're from/with the government and that they are there to help you. REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE!
This is a tech/dev forum, so I'll stop here to stay on that topic. But please... understand that there's always a threat to your freedom, it's up to the masses to protect it from the >1% of those working tirelessly to take it.
WWG1WGA!!!
I will keep researching as it has piqued my curiosity. By the way I agree with you. As I can't take it as far as not owning anything made in China as I find that impossible I do limit it wherever I can. And Mr. Tinfoil hat isn't entirely wrong in stating if you have email, etc. then your privacy has been invaded, if everybody read and understood the fine print in every app alone they download, I bet they would think twice. Google freaking owns us and everything we create... You give it to them the min you agree and download this or that... It's sad really.

Owner of an Android TV box? May want to check if it's an active botnet member...

I installed Pi-hole on my Android device and pointed DNS at 127.0.0.1
Saw a bunch of funky domains in the query log and blocked them.
But what was causing it?
Code:
[email protected]:~# tcpflow -p -c -i wlan0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
reportfilename: ./report.xml
tcpflow: listening on wlan0
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /logs/log.active?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /?timestamp=1668566687503&version=1&biz=10016&os=2&id=3e2dfd4c426e38721ac0bcc09612aa96&sign=d59dab2813001575f0a9dfb2ce850353 HTTP/1.1
Host: www.forfor123.com
GET /get_endpoint?timestamp=1668566687493&version=1&biz=10016&os=2&id=3e2dfd4c426e38721ac0bcc09612aa96&sign=135d9c2723c76587e86a540fced231ec HTTP/1.1
Host: qweqwe135.top
POST /u.php?id=30018&m=cTUJPWA&s=d1,u3&p=cY29tLnN3ZS5kZ2JsdWFuY2hlcg&aid=df53b410ca1fd8a6&am=2 HTTP/1.0
Host: v.sustat.com
GET /stg?channel=hzsdk_05&sdk=js_club HTTP/1.1
Host: sdk2.appclicking.com
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /d/bcc/v2/o/ffeca781ecfd6067e5e56b04d67edc7e HTTP/1.1
Host: dct.g1ee.com
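One way to account for a capture like the one above, as an added example (not code from the thread): it pairs each request line with its Host header, lists which hosts receive device and app identifiers, and goes a step further by decoding parameter values that turn out to be base64. The `ID_PARAMS` list and the "optional one-character prefix, then base64" heuristic are assumptions drawn from these sample lines.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Three request/Host pairs copied from the tcpflow output in the post above.
CAPTURE = """\
GET /logs/log.active?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /get_endpoint?timestamp=1668566687493&version=1&biz=10016&os=2&id=3e2dfd4c426e38721ac0bcc09612aa96&sign=135d9c2723c76587e86a540fced231ec HTTP/1.1
Host: qweqwe135.top
POST /u.php?id=30018&m=cTUJPWA&s=d1,u3&p=cY29tLnN3ZS5kZ2JsdWFuY2hlcg&aid=df53b410ca1fd8a6&am=2 HTTP/1.0
Host: v.sustat.com
"""

REQ = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
# Assumption: parameter names treated as device/app identity in this capture.
ID_PARAMS = {"gaid", "aid", "package", "model", "make"}

def try_decode(value):
    """Decode base64, as-is or minus one prefix character (heuristic); else None."""
    for candidate in (value, value[1:]):
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:  # bad alphabet/padding, or non-ASCII bytes
            continue
        if len(text) >= 4 and text.isprintable():
            return text
    return None

def analyse(capture):
    """Map each Host to the (param, value, encoding) identifiers it received."""
    findings, pending = defaultdict(set), None
    for line in capture.splitlines():
        line = line.strip()
        match = REQ.match(line)
        if match:
            pending = match.group(2)
        elif line.startswith("Host: ") and pending is not None:
            host = line[len("Host: "):]
            for pair in urlsplit(pending).query.split("&"):
                name, _, value = pair.partition("=")
                if name in ID_PARAMS:
                    findings[host].add((name, value, "plain"))
                elif (decoded := try_decode(value)):
                    findings[host].add((name, decoded, "base64"))
            pending = None
    return dict(findings)

def shared_values(findings):
    """Identifier values that reached more than one host, plain or encoded."""
    seen = defaultdict(set)
    for host, items in findings.items():
        for _name, value, _enc in items:
            seen[value].add(host)
    return {v: hosts for v, hosts in seen.items() if len(hosts) > 1}

print(shared_values(analyse(CAPTURE)))
```

On these lines the `m` and `p` values sent to v.sustat.com decode to the same model and package name that 128.199.97.77 receives in the clear, so both hosts can be tied to the same launcher.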
This is exactly why I debloated my android tv using adb app control and removed everything that wasn't necessary. And got a new launcher to get rid of the crappy one.
That's all good and fine but you don't really know if your device is cleaned-up until you've snooped its wire and can account for the traffic going out.
Is your device roughly the same as this?
Code:
https://www.amazon.com/gp/product/B08CRV62C4
I have that one. It still has the shipped build. I haven't had it hooked up much because it is kind of a piece of crap. I'll check and see what it has.
This might be kind of a good argument to use certified builds on certified devices. But the amount of data collection done by those would make your head spin. And it is all outsourced to the factory. Servers to sdmc, sei, skyworth, and the like. Sdmc even advertises these features as "big data" features.
goapy said:
Is your device roughly the same as this?
Code:
https://www.amazon.com/gp/product/B08CRV62C4
I have that one. It still has the shipped build. I haven't had it hooked up much because it is kind of a piece of crap. I'll check and see what it has.
This might be kind of a good argument to use certified builds on certified devices. But the amount of data collection done by those would make your head spin. And it is all outsourced to the factory. Servers to sdmc, sei, skyworth, and the like. Sdmc even advertises these features as "big data" features.
That’s the one! I’m about to pull the trigger on a second one to see how deep the rot goes. If this is how they come from Amazon it’d be a pretty big deal.
can confirm it is there out of the box.
forexamplejohn said:
can confirm it is there out of the box.
That's... horrifying.
Just to confirm, you're using a stock device, unflashed box?
Did you see the да folder in:
Code:
/data/data/com.swe.dgbluancher/files
How did you discover your device was infected? If possible, can you name where you bought the device, like an Amazon link or similar?
yes, stock. I bought four of these:
https://www.amazon.com/dp/B08X11HGR4
They were being blown out for ~ $14 each. Wonder why.....
I can't claim credit, found your threads here. I was looking for options to flash linux to them in order to run klipper or kodi. Had taken a look around the stock android, and being paranoid that included preinstalled apps. I was actually thinking it was fairly clean compared to say an ATT motorola prepaid android phone or something. But that "luancher" was there, for sure. Without uninstall or disable options
I speak Russian, what do you want me to do?
Arealhooman said:
I speak Russian, what do you want me to do?
It seems to be a popular Android box over there. Here is the link to a megathread dedicated to that device:
{Mod edit: Link removed. Oswald Boelcke}
It might be helpful to ask in that forum if anyone with one of these devices sees the folder:
Code:
/data/data/com.swe.dgbluancher/files/да
...and if so, let them know their device is compromised.
The firmware links being shared here and elsewhere have the malware built-in. Actually, I have yet to see a 'clean' downloadable firmware for this box, anywhere on the Internet.
forexamplejohn said:
yes, stock. I bought four of these:
https://www.amazon.com/dp/B08X11HGR4
They were being blown out for ~ $14 each. Wonder why.....
I can't claim credit, found your threads here. I was looking for options to flash linux to them in order to run klipper or kodi. Had taken a look around the stock android, and being paranoid that included preinstalled apps. I was actually thinking it was fairly clean compared to say an ATT motorola prepaid android phone or something. But that "luancher" was there, for sure. Without uninstall or disable options
Thanks for the info. Really hard to believe these devices can be built for $14 with the reseller making a dollar or two per unit.
Does the folder /data/data/com.swe.dgbluancher/files/да exist on your device?
forexamplejohn said:
"luancher" was there, for sure. Without uninstall or disable options
To be clear, com.swe.dgbluancher appears to be a simple open-source launcher that was rebuilt with the malware and packaged in the ROM. The presence of the launcher is not an indication of malware, but the "/да" folder definitely is.
The Universal Android Debloater will get rid of this easily, but I'm not sure that is enough to clean the device. There may be more nasty stuff in the ROM I haven't yet found. For a safe replacement, I'm using Microsoft Launcher because it includes an entry point to the device's settings menu.
One last bit of traffic I can't account for:
Code:
ycxrl.com / li1470-135.members.linode.com (139.162.57.135)
Every few minutes the T95 wants to send "something" to ycxrl.com
Code:
|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1
|ycxrl.com|POST /terminal/client/apiInfo HTTP/1.1
How many of these things sold on Amazon and AliExpress?!
Update -- The malware injects the system_server process. Looks to be deeply baked-into the ROM.
If I can't remove this malware, find a clean ROM, or get 'regular' Linux running, this T95 box is worse than useless.
Pretty sophisticated malware, resembling CopyCat in how it works.
This was actually an interesting topic. Part of me isn't surprised because I've heard of a lot of these types of boxes and mobile devices used for stuff like botnets. I have a Xiaomi Mi box and am curious if they are also similar.
It makes me curious what a good modern android box is these days.
Xiaomi maybe not so much, but these vendors on Amazon operating with names like BLAÜMTRON could be up to anything apparently.
If other T95 owners can check their devices for DNS traffic to ycxrl.com it'd be a huge help to determine the extent of this problem.
Would this open source malware checker find it on the android tv boxes?
Can someone check?
Hypatia | F-Droid - Free and Open Source Android App Repository
A real-time malware scanner
www.f-droid.org
DesktopECHO said:
It seems to be a popular Android box over there. Here is the link to a megathread dedicated to that device:
{Mod edit: Link removed. Oswald Boelcke}
It might be helpful to ask in that forum if anyone with one of these devices sees the folder:
Code:
/data/data/com.swe.dgbluancher/files/да
...and if so, let them know their device is compromised.
The firmware links being shared here and elsewhere have the malware built-in. Actually, I have yet to see a 'clean' downloadable firmware for this box, anywhere on the Internet.
@DesktopECHO
I've removed the link to 4pda from your above post! 4pda is not only another phone related website (and not at all affiliated with xda-developers) but also well known for the distribution of malware and warez. Links or references to 4pda are not accepted on XDA.
XDA Forum Rules (excerpt):
...
6. Do not post or request warez.
If a piece of software requires you to pay to use it, then pay for it. We do not accept warez nor do we permit members to request, post, promote or describe ways in which warez, cracks, serial codes or other means of avoiding payment, can be obtained or used. This is a site of developers, i.e. the sort of people who create such software. When you cheat a software developer, you cheat us as a community.
(...)
11. Don’t post with the intention of selling something.
Don’t use XDA to advertise your product or service. Proprietors of for-pay products or services, may use XDA to get feedback, provide beta access, or a free version of their product for XDA users and to offer support, but not to post with the intention of selling. This includes promoting sites similar / substantially similar to XDA-Developers.com.
Do not post press releases, announcements, links to trial software or commercial services, unless you’re posting an exclusive release for XDA-Developers.com.
Encouraging members to participate in forum activities on other phone related sites is prohibited.
Off-site downloads are permitted if the site is non-commercial and does not require registration.
Off-site downloads from sites requiring registration are NOT encouraged but may be permitted if both of the following conditions are met:
A) The site belongs to a member of XDA-Developers with at least 1500 posts and 2 years membership, who actively maintains an XDA-Developers support thread(s) / posts, related to the download.
B) The site is a relatively small, personal website without commercial advertising / links (i.e. not a competitor forum-based site with purposes and aims similar to those of XDA-Developers.com.)
...
Please refrain from sharing of such links in future! Thanks for your cooperation.
Regards
Oswald Boelcke
Senior Moderator
Thorough write-up here: T95 H616 Malware
Reported online by BleepingComputer, PCMag and others.
Thanks for the investigation of this device.
