Re: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP
- To: seclists@xxxxxxxx
- Subject: Re: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP
- From: Daniel Wood <daniel.wood@xxxxxxxxx>
- Date: Sun, 30 Apr 2017 09:26:42 -0400
Can't you just run the app in an Android emulator and shark it?
Sent from my iPhone
> On Apr 30, 2017, at 06:02, seclists@xxxxxxxx wrote:
>
> I have a further update on the issue. After uninstalling the 360 security
> android app, I found after repeated checks of Network Info on my phone via
> the Ping & DNS app that even then the HTTP connection to IP address
> 123.125.114.8 still frequently showed up. So, I monitored the network
> connections on my phone via the Network Connections app
> (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor)
> and found that this time the HTTP connection to IP address 123.125.114.8 was
> being established by the ES File Explorer app
> (https://play.google.com/store/apps/details?id=com.estrongs.android.pop).
> So, it is possible that the insecure HTTP connection to the above IP address
> that I observed when both the 360 security and ES File Explorer app were
> installed on my phone was in fact because of the ES File Explorer app or the
> other possibility is that both the apps have the same problem. I haven't had
> a chance to re-install the 360 security app without the ES File Explorer to check
> that and I don't intend to re-install the 360 security app on my phone, since
> it anyways used to raise the temperature on my phone suspiciously. So, I will
> report this as an issue for the ES File Explorer app in a separate email.
>
> Thanks.
>
> Hi,
>
> I found the following review posted about the 360 security android app:
>
> https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
>
> "Snoops data to China Unicom via insecure HTTP link! Found while checking
> Network info on my device with this app installed that it had established an
> insecure HTTP connection to an IP address(123.125.114.8) on Chinese state
> owned China Unicom network (China Unicom owns a stake in app developer via
> Qihoo 360). Also, when installed, found my phone temperature rising
> frequently indicating covert data transfer from my phone. I've now
> uninstalled this Chinese spying app & advice the same to anyone using the
> app. Resp to comment: updated above info with IP addr.
> 360 Mobile Security Limited April 26, 2017 Hi, sorry for the inconvenience.
> It will be helpful for us to solve the problem, if you can give us more
> information and details. Attaching some screenshots would be helpful. Please
> contact us by email: jenny@xxxxxxxxxxxxx. Many
> thanks."
>
> I observed the same behavior when I had this app installed on my smartphone.
> I checked the Network Info on my phone when this app was installed, using the
> Ping & DNS
> app (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping)
> and found the insecure HTTP connection to the above IP address. After I
> uninstalled the app, the HTTP connection to the above IP address was gone, as
> well. On checking the WHOIS info (https://www.whois.com/whois/123.125.114.8)
> for this IP address it can be
> seen that it is indeed on the Chinese state-owned China Unicom network. I had
> App usage tracking permission on Android enabled for this app, to facilitate
> phone temperature reduction, when I observed the above.
>
> Can other security researchers please check and comment on this security hole?
>
> Thanks.
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
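
The attribution question raised in this thread (which installed app owns the cleartext HTTP connection to 123.125.114.8) can be checked from the kernel's connection table, as in this added example, which is not part of the original posts. The table text, the UIDs and the package `com.example.other` are constructed for illustration, and the address decoding assumes a little-endian device.

```python
import socket
import struct

# Constructed sample in the layout of Linux's /proc/net/tcp (not a device capture).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:A1B2 08727D7B:0050 01 00000000:00000000 00:00000000 00000000 10123        0 41001 1 0000000000000000 20 4 30 10 -1
   1: 0F02000A:C3D4 0A0B0C0D:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 41002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41003 1 0000000000000000 100 0 0 10 0
"""

# Constructed UID-to-package map (assumption: on a real device this comes
# from the package manager; these UID values are made up).
UID_TO_PACKAGE = {10123: "com.estrongs.android.pop", 10087: "com.example.other"}

ESTABLISHED = "01"  # TCP state code for an established connection


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    The IPv4 address is stored as a host-order 32-bit value, so on a
    little-endian CPU the bytes appear reversed in the hex string.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def cleartext_http_connections(proc_net_tcp, uid_map, port=80):
    """List established connections to `port` with the owning UID and package."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != ESTABLISHED:
            continue
        remote_ip, remote_port = decode_endpoint(cols[2])
        if remote_port != port:
            continue
        uid = int(cols[7])  # eighth column is the socket owner's UID
        findings.append((remote_ip, remote_port, uid, uid_map.get(uid, "unknown")))
    return findings


if __name__ == "__main__":
    for ip, prt, uid, pkg in cleartext_http_connections(SAMPLE_PROC_NET_TCP, UID_TO_PACKAGE):
        print(f"{pkg} (uid {uid}) -> {ip}:{prt} over cleartext HTTP")
```

Because each app runs under its own UID on Android, the UID column separates traffic from two installed apps, which a per-device connection list cannot do.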