Pakistani Hacker Details How Backdoors in Infinix Phones Send Data Back to China

Last week we covered the news of Infinix phones sending data back to China, and now more has been revealed in this case.

This discovery was made just recently by Ahmed Mehtab, a security researcher who works with #infosec researchers to educate people on information security.

The Culprit App

This analysis was performed by Ahmed on a non-rooted Infinix Hot 4 bought from an online store in Pakistan. He was urged to do so after all the reports and complaints coming from Infinix users about their personal data being exposed.

Newly bought Infinix smartphones come with pre-installed apps, also known as bloatware. While most of these apps can be uninstalled by the user, a few cannot be removed from the phone. This brought suspicion on one of those apps, BabelFont (Fonts Manager).


Upon further investigation, it was found that this app was developed by a Chinese firm called “Shanghai Iekie Information Technology Co., Ltd”. The app is used to change the fonts of your smartphone, and it asks for the following permissions to be granted.

  • Device and app history
  • Identity
  • Location
  • Photos/Media/Files
  • Wi-Fi connection information
  • Device ID and call information
  • Other (download files without permission, close other apps, receive data from the internet)

A lot of questions arise after seeing these permissions. Why would a font changer need all of them? Downloading files without notification? Closing other apps and receiving data from the internet? Plenty of other font-changing apps are available that do not need these permissions to do their job.

Why is such an app as part of bloatware in the first place?

What Goes On Behind The Scenes

Ahmed captured the traffic that BabelFont sends and receives, and what he found was shocking. Once the phone goes idle, Font Manager starts sending suspicious requests and information to what appear to be Chinese servers.

Below is the information that Font Manager was caught sending.

GET /rest/api3.do?t=1480159338&data={"c1":"Infinix HOT 4","c2":"umeng","c0":"Infinix","device_global_id":"utdid_error","app_version":"10.5.2.2.0","c6":"3c10ae4918f05567","c4":"02:00:00:00:00:00","sdk_version":20160215,"new_device":"true","c5":"0177810690204116","package_name":"com.mephone.fonts","c3":"umeng"}&v=4.0&sign=30dd562cfb907706b583dcca5f546971&imei=*****&appKey=umeng:56e28e8be0f*********&api=mtop.push.device.createAndRegister&imsi=umeng&[email protected] HTTP/1.1
Host: api.m.taobao.com
Connection: Keep-Alive
User-Agent: Agoo-sdk-2.0
Accept-Encoding: gzip

Looks like technical gibberish? Here is what the request actually carries: the device brand and model (the c0 and c1 fields), the app's package name (com.mephone.fonts), an imei and an imsi parameter, a MAC-address-shaped field (c4) and a 16-character hex value (c6), all registered against a push API (api=mtop.push.device.createAndRegister) on the host api.m.taobao.com.

Taken together, this information could be used to identify any Infinix user anywhere in the world. Not only does it reveal personal data, it also leaves the device exposed to a malware infection or other kinds of attack.

If the server is compromised, the attacker can gain access to your smartphones too by manipulating the requests.
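The captured request above can be triaged mechanically. The following is an added example, not part of the original article and not code from Securityfuse or the researcher: it parses a request line modelled on the one captured from Font Manager, unpacks the JSON carried in the `data` parameter, and reports which fields are named identifiers (imei, imsi) or have the shape of one (MAC address, 16-hex-digit Android-ID-like value, 14-16 digit IMEI-like number). The sample request and headers are constructed from the article's capture, with the redacted values kept as placeholders; the field-shape heuristics are assumptions of this example, not something the app or the article documents.

```python
"""Triage a captured HTTP request from a pre-installed app for device identifiers.

Added example: flags query/JSON fields that name or resemble hardware and
subscriber identifiers so a reviewer can see at a glance what a
'font manager' is registering with a remote push API.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the request captured in the article.
# Redacted values (imei, appKey) are left as the placeholders shown there.
SAMPLE_REQUEST_LINE = (
    'GET /rest/api3.do?t=1480159338&data={"c1":"Infinix HOT 4","c2":"umeng",'
    '"c0":"Infinix","device_global_id":"utdid_error","app_version":"10.5.2.2.0",'
    '"c6":"3c10ae4918f05567","c4":"02:00:00:00:00:00","sdk_version":20160215,'
    '"new_device":"true","c5":"0177810690204116","package_name":"com.mephone.fonts",'
    '"c3":"umeng"}&v=4.0&sign=30dd562cfb907706b583dcca5f546971&imei=*****'
    '&appKey=umeng:56e28e8be0f*********&api=mtop.push.device.createAndRegister'
    '&imsi=umeng HTTP/1.1'
)
SAMPLE_HEADERS = {"Host": "api.m.taobao.com", "User-Agent": "Agoo-sdk-2.0"}

# Shape heuristics (assumptions of this example). Order matters: an all-digit
# 16-character value is also 16 hex characters, so the IMEI shape is tested
# before the Android-ID shape.
IDENTIFIER_PATTERNS = {
    # 02:00:00:00:00:00 is the placeholder Android hands out when the real
    # Wi-Fi MAC is withheld; any MAC-shaped value is still worth flagging.
    "mac_address": re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$"),
    # 14-16 decimal digits is the shape of an IMEI / IMEISV.
    "imei_shaped": re.compile(r"^\d{14,16}$"),
    # 16 lower-case hex digits is the shape of the Android ID.
    "android_id_shaped": re.compile(r"^[0-9a-f]{16}$"),
}
# Parameter names that are identifiers outright, even when the value is redacted.
IDENTIFIER_PARAMS = {"imei", "imsi", "mac", "android_id", "device_id", "utdid"}


def parse_request_line(request_line):
    """Split 'GET /path?query HTTP/1.1' into (method, path, {param: value}).

    The capture shows an unencoded space inside the query, so the HTTP
    version is peeled off from the right rather than splitting on every space.
    """
    head, _version = request_line.rsplit(" ", 1)
    method, target = head.split(" ", 1)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return method, parts.path, params


def extract_identifiers(params):
    """Return [(field, kind, value)] for every field that names or resembles an identifier."""
    fields = dict(params)
    # The `data` parameter carries a JSON object; flatten it into the field set.
    raw = fields.get("data")
    if raw is not None:
        try:
            nested = json.loads(raw)
        except json.JSONDecodeError:
            nested = None  # keep the raw string if it is not valid JSON
        if isinstance(nested, dict):
            del fields["data"]
            fields.update({f"data.{k}": v for k, v in nested.items()})

    found = []
    for name, value in fields.items():
        value = str(value)
        if name.split(".")[-1].lower() in IDENTIFIER_PARAMS:
            found.append((name, "named_identifier", value))
            continue
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.match(value):
                found.append((name, kind, value))
                break
    return found


def triage_request(request_line, headers):
    """Summarise where the request goes and which identifiers it carries."""
    _method, path, params = parse_request_line(request_line)
    identifiers = extract_identifiers(params)
    nested = json.loads(params["data"]) if "data" in params else {}
    return {
        "host": headers.get("Host", ""),
        "user_agent": headers.get("User-Agent", ""),
        "path": path,
        "api": params.get("api", ""),
        "package": nested.get("package_name", ""),
        "identifiers": identifiers,
        "verdict": "device-identifying" if identifiers else "no identifiers seen",
    }


def triage_sample():
    """Run the triage over the constructed sample capture."""
    return triage_request(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS)


if __name__ == "__main__":
    report = triage_sample()
    print(f"{report['package']} -> {report['host']}{report['path']} ({report['api']})")
    for field, kind, value in report["identifiers"]:
        print(f"  {field:<25} {kind:<18} {value}")
    print("verdict:", report["verdict"])
```

Run against the sample, the report names the package, the host and the push-registration API, and lists the imei and imsi parameters plus the MAC-shaped c4, the Android-ID-shaped c6 and the 16-digit c5 as identifiers; a request that carried only app statistics would come back with "no identifiers seen", which is exactly the distinction several commenters below ask for.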

Ahmed mentions that there could be more such apps on Infinix phones that send data to third-party servers, but it's clear that at least one app is doing so.

People who care about their privacy and personal data should reconsider buying phones that transmit information to third parties.

Via Securityfuse


    • Exactly. People don't buy Sony, LG or the other brands thinking they have no market value, but they're still better than junk, aren't they?

    • In any brand you need to install a font app like iFont, HiFont or anything else to do the job, and every single such app requires the same things, whatever the brand is.

  • “Looks like technical gibberish? Let us break down what this information really means.”

    Where is that breakdown? Did you forget mate?

    • Script kiddies can't do that. Even the so-called ‘researcher’ does not know what it means. He came across something which overwhelmed him and made him lose his bowels in extreme excitement simply because he does not understand a thing about it. I did not know installing Wireshark made you a researcher these days. What a gibberish article on a squat-grade ‘research’.

  • Who cares? Google knows a lot more about all of us anyway. And tbh, I’m more comfortable with China having this info than any American company. If this means quality hardware at competitive prices, I’m all for it.

    • Yes. Same question: why only Infinix? FB and other social media messengers have been doing the same for quite a long time.

  • Google, FB, LinkedIn, WhatsApp, Hotmail, Yahoo …… all report to the NSA …. The instant you connect your phone to Wi-Fi/2G/3G/4G, or even insert a SIM (data), your security is *ucked.

  • Be it a popular or a Chinese brand, everybody does this. If there were no open end for a manufacturer to access their phones, we wouldn't be getting phone software updates in the first place. Why single out Infinix only?

  • Google Analytics and Facebook pixel code have been doing this for a long time. These all exist to monitor application usage behaviour. Nothing odd in it.

  • I am OK with it if my personal info is on Chinese servers. I am not doing anything wrong or inappropriate that I should be scared of. Why are you guys making it bombastic / shocking news? Many users know what their privacy is and what they are doing on FB by clicking on others' FB accounts.

  • This isn’t HACKING! He used a packet sniffer to see the calls going through his phone. You can’t tell if the app is sending your private information or just analytics, which EVERY app does to improve its user experience. Unless you can decrypt the data being sent over these network connections, you can’t CLASSIFY it as PERSONAL INFO.

    Let me break it down for you: every single phone, regardless of the platform (OS), collects your info. Do you know that GOOGLE KEYBOARD, and SwiftKey for that matter, read EVERYTHING you type on those keyboards? Do you know EVERY SINGLE OEM that sideloads its bloatware onto your phone is stealing your info one way or another? APPLE, GOOGLE, Microsoft and every single company thrives on your data.

    So yeah, THIS GUY IS NOT A HACKER! He is a glorified packet-sniffing app user who just published this NETWORK callback without having solid proof of whether this API call contains your pictures/contacts/videos/files or anything in any format or base64 (which converts data into a long string). Decrypt the info being sent over to the servers, then we can call him a HACKER!

  • Well, Xiaomi is coming; they need to create hype about that. Don't you see the coincidence that as soon as Xiaomi got type approval they started bashing QMobile and Infinix? A month ago they were praising these companies.

  • Wow! What a lame piece of research!

    @Aftab, I know you're reading this. Tell me in the comments, what data is being stolen here? What privacy disaster is there in this?

    Don't make cheap hype out of nothing, brother. You call this hacking? Shame on you!

  • Installing Wireshark and finding a GET request can't make you a security researcher. Find something genuine and decrypt the data which is being sent to their server to confirm it is sending personal details and not just the app's statistics.

  • Babel is an Android font manager app which sometimes comes preinstalled on your device. If your phone has the ability to change fonts, then you might have this or a similar kind of app built in.
    But if you are not able to change the fonts of your phone, then what you do is (1) root the phone and install HiFont, iFont, FontInstaller, etc. apps on it.
    Now go to the Play Store and look for any font installer/manager app present there, which you all use daily, and see their permissions. According to the group family this is a font installer app, and a font installer app needs access to all those permissions to work. So, kiddo, grow up, and before sharing such crap get a background check.
