Last week we covered the news of Infinix phones sending data back to China, and now more has been revealed in this case.
This discovery was made just recently by Ahmed Mehtab, a security researcher who works with #infosec researchers to educate people on information security.
This analysis was performed by Ahmed on a non-rooted Infinix Hot 4 bought from an online store in Pakistan. He was urged to do so after all the reports and complaints coming from Infinix users about their personal data being exposed.
Newly bought Infinix smartphones come with pre-installed apps, which are also known as bloatware. While most of these apps can be uninstalled by the user, a few of those apps cannot be removed from the phone. This brought suspicion on one of the apps called BabelFont (Fonts Manager).
Upon further investigation, it was found that this app was developed by a Chinese firm called “Shanghai Iekie Information Technology Co,Ltd”. This app is used to change the fonts of your smartphone. The app asks for the following list of permissions to be granted.
Now a lot of questions arise after seeing all these permissions. Why would a font changer app need all these permissions? Download files without notification? Close other apps and receive data from the internet? There are a lot of other font changing apps available which do not need all these permissions to do their task.
Why is such an app part of the bloatware in the first place?
Ahmed listened in on the data that Babel Fonts sends and receives, and what he found was shocking. Once the phone goes idle, Font Manager starts sending suspicious requests and information to suspected Chinese servers.
Below is the information that Font Manager was caught sending.
GET /rest/api3.do?t=1480159338&data={"c1":"Infinix HOT 4","c2":"umeng","c0":"Infinix","device_global_id":"utdid_error","app_version":"10.5.2.2.0","c6":"3c10ae4918f05567","c4":"02:00:00:00:00:00","sdk_version":20160215,"new_device":"true","c5":"0177810690204116","package_name":"com.mephone.fonts","c3":"umeng"}&v=4.0&sign=30dd562cfb907706b583dcca5f546971&imei=*****&appKey=umeng:56e28e8be0f*********&api=mtop.push.device.createAndRegister&imsi=umeng&ttid=android@umeng HTTP/1.1
Host: api.m.taobao.com
Connection: Keep-Alive
User-Agent: Agoo-sdk-2.0
Accept-Encoding: gzip
Looks like technical gibberish? Let us break down what this information really means.
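One way to take the captured request apart, as an added example that is not from the original article or the researcher's own tooling. The shape labels (mac-like, 16-hex-id-like and so on) are heuristics assumed here, because the request itself does not document what fields such as c4, c5 and c6 mean.

```python
import json
import re
from urllib.parse import parse_qs

# Request as quoted in the article; masked values (*) are kept exactly as published.
CAPTURED = (
    'GET /rest/api3.do?t=1480159338&data={"c1":"Infinix HOT 4","c2":"umeng",'
    '"c0":"Infinix","device_global_id":"utdid_error","app_version":"10.5.2.2.0",'
    '"c6":"3c10ae4918f05567","c4":"02:00:00:00:00:00","sdk_version":20160215,'
    '"new_device":"true","c5":"0177810690204116","package_name":"com.mephone.fonts",'
    '"c3":"umeng"}&v=4.0&sign=30dd562cfb907706b583dcca5f546971&imei=*****'
    '&appKey=umeng:56e28e8be0f*********&api=mtop.push.device.createAndRegister'
    '&imsi=umeng&ttid=android@umeng HTTP/1.1\r\n'
    'Host: api.m.taobao.com\r\nConnection: Keep-Alive\r\n'
    'User-Agent: Agoo-sdk-2.0\r\nAccept-Encoding: gzip\r\n\r\n'
)

# Shape heuristics are assumptions of this example, not documented field meanings.
SHAPES = [
    ("masked", re.compile(r"\*{3,}")),
    ("mac-like", re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)),
    ("16-hex-id-like", re.compile(r"^[0-9a-f]{16}$", re.I)),
    ("32-hex-digest-like", re.compile(r"^[0-9a-f]{32}$", re.I)),
]

def classify(value):
    """Return the first shape label matching the value, or 'plain'."""
    text = str(value)
    return next((label for label, rx in SHAPES if rx.search(text)), "plain")

def analyse(raw):
    """Split a raw HTTP request into destination, app identity and ID-shaped fields."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    # The quoted URL contains an unencoded space ("Infinix HOT 4"), so take the
    # method from the left and the HTTP version from the right.
    method, rest = request_line.split(" ", 1)
    target, version = rest.rsplit(" ", 1)
    headers = dict(line.split(": ", 1) for line in header_lines)
    path, _, query = target.partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    data = json.loads(params.pop("data"))  # the JSON blob carried in the URL
    fields = {**params, **data}
    flagged = {k: classify(v) for k, v in fields.items() if classify(v) != "plain"}
    return {"method": method, "host": headers.get("Host"), "path": path,
            "api": params.get("api"), "package": data.get("package_name"),
            "flagged": flagged}

if __name__ == "__main__":
    print(json.dumps(analyse(CAPTURED), indent=2))
```

The same function can be pointed at requests exported from an intercepting proxy to list which query and JSON fields carry identifier-shaped values and which host receives them.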
This information could be used for identifying any Infinix user anywhere around the world. Not only does it reveal your personal data, but it also leaves your device vulnerable to a malware infection or an attack of many different kinds.
If the server is compromised, the attacker can gain access to your smartphone too by manipulating the requests.
Ahmed mentions that there could be more such apps on Infinix that send data to third-party servers, but it's clear that there's at least one app doing so.
People who care about their privacy and personal data should reconsider their decision to buy phones that transmit information to third parties.
Via Securityfuse