Open wkrp opened 7 months ago
@wkrp
Edited my post to make it simpler, with additional information, and less human so it is less useful for training "AI".
The "anti-fraud" spyware app is officially named National Anti-Fraud Center.
https://en.wikipedia.org/wiki/National_Anti-Fraud_Center
"Are they pre-installed by phone providers?"
Xiaomi phones pre-install it at the system level.
https://www.gizmochina.com/2022/01/03/miui-13-anti-fraud-scam/
https://chinadigitaltimes.net/chinese/675320.html
Besides Xiaomi, National Anti-Fraud Center is pre-installed on almost all new phones made in China. It is de facto mandated by the Chinese government.
or are there any realistic countermeasures?
Wipe your phone and install a clean OS yourself, which is, ironically, unrealistic for most people.
Has anyone acquired a sample of an "anti-fraud" app, in APK format or similar?
Tencent provides binaries for Windows desktop and Android phones:
sj.qq.com/appdetail/com.hicorenational.antifraud
The Xiaomi app store also provides a download:
r.app.xiaomi.com/details?id=com.hicorenational.antifraud
the user's own device is not trustworthy?
National Anti-Fraud Center is not limited to Android phones. There are other binaries for Apple devices and Windows desktop.
National Anti-Fraud Center-based plugins have also been reported in a residential FTTR modem, under the name antifraudv3:
https://chinadigitaltimes.net/chinese/701596.html
The auditors faced several limitations, including regional blocks pertaining to not having access to a China-based phone number
China-based phone numbers are linked to individual persons. To obtain a China-based phone number, real identification and possibly facial recognition are required. I don't think anyone in China can safely provide a phone number for research.
but I don't know what "pt" is.
"pt" probably stands for Platform (PingTai).
I was tethering my laptop using my China Mobile cellular service on an iPhone (WITHOUT installing any related app)
gaukas's post has important info I missed. I have heard of similar cases too.
Thanks. That is really helpful information. The Chinese term is 国家反诈中心 (guójiā fǎnzhà zhōngxīn) and here are the Wikipedia pages:
https://en.wikipedia.org/wiki/National_Anti-Fraud_Center https://zh.wikipedia.org/wiki/国家反诈中心
Clicking on wiki links, I get to this article (archive) and then the app's page in the Apple App Store:
https://apps.apple.com/cn/app/国家反诈中心/id1552823102 (archive)
(WTH, Apple? You delete VPN apps from the App Store at the request of the Chinese government, you delete communication apps from the App Store at the request of the Chinese government, at the same time you host spyware that violates the privacy of your customers? I guess we all know "what happens on your iPhone stays on your iPhone" is a lie.)
Here's the page at AppleCensorship:
https://applecensorship.com/app-store-monitor/app/1552823102 (archive)
The location test (archive) shows that the app only appears in the App Store for China and not for other countries:
I don't see the app in the Google Play store, at least when searching in Tor Browser:
The OTF Red Team has reverse-engineered and analyzed the 国家反诈中心 National Anti-Fraud Center app in 2022. (Though they say: "Further investigation into the National Anti-Fraud Center app is necessary. The auditors faced several limitations, including regional blocks pertaining to not having access to a China-based phone number.")
China's National Anti-Fraud Center – Security Assessment National_AntiFraud_Center.pdf
The information discussed in this report is specifically in regard to the iOS application; the Android application was not examined.
The application utilizes many additional sensitive permissions as well; including but not limited to accessing location, using the camera and recording audio.
The application is only available for Apple accounts with China based locations and cannot be downloaded from accounts in other countries.
In the native application functions (the ones not related to third-party code) an obfuscation system based on the insertion of "dead code" was used together with the creation of loops that make the logical application flow difficult to follow. … the authors of the application have taken steps to make the binary more difficult to analyze and understand.
Nonetheless, no obfuscation of the names of the functions or of the text contained within the functions was found, which make it possible to identify the application functions of interest.
All communications to the main backends (see the list below) are protected via certificate pinning. In iOS the application main backends are:
- fzapp.gjfzpt.cn
- fzapph5v1.gjfzpt.cn ( sometimes used but appears to not always work correctly)
["gjfz" is obviously 国家反诈 guójiā fǎnzhà "national anti-fraud" but I don't know what "pt" is.]
The application has a functionality wall such that the majority of functionality can not be accessed without a China based phone number. As such, Dynamic analysis has been severely limited by not having access to the application's authenticated area, therefore the requests that could have been analyzed for dynamic analysis are very small.
The presence of a large number of different SDKs, including several that offer OCR, Face Recognition, Voice recognition and similar features is an important point of attention, these technologies can be used correctly for the application purpose, but they could also be used for malicious purposes without the user being notified.
The privacy policy can be consulted at: https://fzapph5.gjfzpt.cn/Agreements/policy.html (archive)
The most controversial part of the privacy policy is the following sentence:
This Privacy Policy applies only to any information we collect, and does not apply to the services provided by any third party or the rules for the use of information by third parties, and we are not responsible for any third party's use of the information provided by you. For the privacy policy of third-party services, please refer to Antiy Mobile Security AVL SDK Privacy Policy and Youmeng+ Privacy Policy.
In the iOS application the main backends are:
- fzapp.gjfzpt.cn
- fzapph5v1.gjfzpt.cn (used as backup but doesn't work correctly)
The application communicates also with the following hosts:
- aaid.amap.com
- dualstack-arestapi.amap.com
- ios.bugly.qq.com
- api.openinstall.io
- msg.umengcloud.com
- ulogs.umeng.com
- api.weibo.com
- log.umsns.com
- ulogs.umengcloud.com
Further in this report please find "Appendix III. List of hostname and IP address" a list of all hostname identifiable from the binaries.
I am primarily interested in the "anti-fraud" app from the perspective of anti-circumvention. If the app can detect the presence of circumvention apps, then it is likely that there is a list of names of circumvention tools either included in the app itself, or queryable through one of the API endpoints, perhaps one of these:
the app only appears in the App Store for China and not for other countries:
It existed in other countries before, at least in May 2021 as I remember.
The screenshot was from Japan App Store:
The CCP fears people's protests or bad comments, so it asked Apple to close comments in the Chinese App Store, but it has no such power in other countries. You can see that in Japan all four comments give the lowest star rating.
One Japanese comment:
Human rights violation This app collects more personal information than necessary, is designed to monitor citizens and suppress freedom of speech. Contrary to the fact that it collects information arbitrarily, the developers have blatantly stated the outright lie that "no information is collected." This is in violation of the App Store guidelines, so we ask Apple to reject the app and permanently suspend the developer account.
I'd share my personal experience with this "Anti-Fraud" thing when I visited China quite a while ago. (Not directly involving the app)
I was tethering my laptop using my China Mobile cellular service on an iPhone (WITHOUT installing any related app) when, all of a sudden, I got a text message from 96110 telling me I was visiting a scam website and asking me to stop (in Chinese). About a minute later I received a phone call from 96110, which was a prerecorded warning message in Chinese telling me I was visiting a scam website, to stop immediately, to press a number to connect to a live agent, etc.
A few minutes later I repeated everything and received another text message, but no phone call this time.
I suspect they are using DNS- or TLS-SNI-based filtering, but I did not dig into it, since it is too easy to trace back through the cellular service, and intense testing and triggering of the system would definitely alert someone in charge.
// Thanks for sharing. I used Newstr AI to create a quick summary of all the conversations above. Hopefully it helps some external readers:
In recent years, the Chinese government has intensified its surveillance measures, notably through the mandatory installation of the "National Anti-Fraud Center" app. This initiative reflects a broader strategy to control and monitor the digital activities of its citizens. This article delves into the multifaceted aspects of the app and its integration into the broader surveillance infrastructure, examining its impact on privacy, freedom, and corporate compliance.
The "National Anti-Fraud Center" app, developed under the auspices of the Chinese government, is designed ostensibly to combat fraud but is equipped with capabilities that extend far into surveillance. It monitors and controls the use of circumvention tools that allow users to bypass internet censorship, essentially serving as a gatekeeper against unauthorized information access.
Unlike typical applications, the "National Anti-Fraud Center" is part of a larger surveillance ecosystem embedded within China's state-controlled telecommunications network. This system facilitates real-time monitoring and automated interventions, such as sending warnings to users visiting unapproved websites or using unauthorized apps.
Initially available internationally, such as in the Japan App Store, the app received significant backlash due to its intrusive nature. However, within China, corporate entities like Apple have complied with government directives to disable user feedback, highlighting the complex dynamics between global business practices and national surveillance laws.
Personal anecdotes and user reports reveal the extensive reach of China's surveillance apparatus. For instance, users have reported receiving immediate warnings via SMS and phone calls when engaging in activities deemed suspicious by the state, regardless of having the app installed. This suggests a pervasive monitoring system that taps directly into cellular services.
The collaboration between Chinese authorities and international corporations in enforcing these surveillance measures raises significant ethical questions. The potential future integration of surveillance technologies into hardware and broader network infrastructure could lead to even more profound implications for global privacy and freedom.
China's "National Anti-Fraud Center" serves as a poignant example of how modern digital surveillance can transcend traditional boundaries between state control and personal freedom. The involvement of international corporations in these practices further complicates the landscape, challenging the global community to reconsider the balance between security and privacy.
I used Newstr AI to create a quick summary
If you had written a summary yourself, I would have appreciated it. Instead you fed my post to proprietary machine learning software without my consent. It is creepy and can't be undone. I don't approve of my post being used in this way. And I don't want any of my content to be used to train any 'AI'.
Your 'summary' is also misleading.
the "National Anti-Fraud Center" is part of a larger surveillance ecosystem embedded within China's state-controlled telecommunications network.
I assume this is based on my post: "I think the "National Anti-Fraud Center" is a set of systems rather than a single app."
That is my opinion and assumption, not necessarily a fact.
China's Internet Emergency Response Center (CNCERT) publishes semiannual lists of "network security emergency service support units" (网络安全应急服务支撑单位名单):
The 8th and 9th editions have special categories of "anti-cyberfraud" (反网络诈骗领域) support units:
8th edition:
| # | Serial number | Chinese name | English name |
|---|---|---|---|
| 1 | CNCERT-2019-20210701FWLZP004 | 北京奇虎科技有限公司 | Qihoo 360 |
| 2 | CNCERT-2019-20210701FWLZP005 | 四川无声信息技术有限公司 | Silence Information Technology |
| 3 | CNCERT-2019-20210701FWLZP001 | 网神信息技术(北京)股份有限公司 | Legendsec |
| 4 | CNCERT-2019-20210701FWLZP002 | 恒安嘉新(北京)科技股份公司 | Eversec |
| 5 | CNCERT-2019-20210701FWLZP003 | 神州网云(北京)信息技术有限公司 | Shenzhou Wang Yun |
9th edition:
| # | Serial number | Chinese name | English name |
|---|---|---|---|
| 1 | CNCERT-2021-20230831FWLZP001 | 北京鸿腾智能科技有限公司 | Hongteng Intelligent Technology |
| 2 | CNCERT-2021-20230831FWLZP002 | 上海黑瞳信息技术有限公司 | Hicore Tech |
| 3 | CNCERT-2021-20230831FWLZP003 | 北京中晟信达科技有限公司 | Xindatek |
| 4 | CNCERT-2021-20230831FWLZP004 | 网神信息技术(北京)股份有限公司 | Legendsec |
| 5 | CNCERT-2021-20230831FWLZP005 | 杭州云深科技有限公司 | Hangzhou Yunshen Technology |
The company 北京安天网络安全技术有限公司 (Antiy) that is mentioned in the anti-fraud app's privacy policy is not listed among the anti-cyberfraud units, but in both the 8th and 9th edition Antiy is one of the "national-level" (国家级) units.
The National Anti-Fraud Center app also seems to have access to the phone owner's contact list. Someone mentioned that they didn't pick up the phone from the anti-fraud hotline, so the police called their relatives in their contact list to ask them to pick up the phone.
Also, since this issue seems to be focused on the National Anti-Fraud Center app on phones, I opened a new issue and added some additional info regarding the anti-fraud plugins in the FTTR modem, because I think that incident itself is quite concerning.
https://github.com/net4people/bbs/issues/355
the sniproxyv3
and antifraudv3
in that FTTR modem seem to be responsible for redirecting users to the anti-fraud webpage too. So I think that if you connect your phone to the internet via one of those compromised FTTR modems, you might get your website redirected to the anti-fraud webpage and be called by the anti-fraud hotline too, even if the National Anti-Fraud Center app is not installed on your phone.
All Chinese smartphone manufacturers have integrated anti-fraud features at the system level (not the national anti-fraud app), and Xiaomi is no exception.
Since 2023, smartphone manufacturers have once again tightened the unlocking permissions for Android bootloaders, making it difficult for new models to bypass the anti-fraud system monitoring by flashing third-party ROMs.
In fact, what we are facing is an expansion of public power under the guise of anti-fraud, which is far more extensive and deeper than before. A similar past instance was the Ministry of Industry and Information Technology's Green Dam software, which was eventually halted.
The nominal reason for implementing anti-fraud measures is the recent surge in telecommunication fraud, especially in the Southeast Asia region, notably northern Myanmar. The push under the guise of anti-fraud is not just about promoting the national anti-fraud app; it also includes actions by telecom operators, the GFW, banks, etc.
- ISPs by default redirect to anti-fraud pages.
I'll just link to measurements from 2022 about ISPs sending users to anti-fraud websites. It worked by either DNS injection or HTTP injection. It was considered significant because webpages in China are usually blocked by RST injection.
China "Anti-Fraud" Webpage Redirection Censorship
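The three network-side behaviours mentioned in this thread (RST injection, DNS injection, and HTTP injection that bounces the browser to an anti-fraud page, whether from the ISP or from the sniproxyv3/antifraudv3 modules in the FTTR modem discussed above) are distinguishable from a single client-side vantage point. The script below is an added example, not code from any post here or from the linked measurement report. It classifies constructed observation records; the `Observation` fields, the sample addresses and the redirect hostname are all assumptions made for the example. The HTTP-injection check uses the standard middlebox tell: the injected redirect's IP TTL differs from the TTL of the real server's SYN-ACK because it travelled a different number of hops.

```python
"""Classify what a client saw for one web request into the censorship
behaviours discussed in the thread: TCP RST injection, DNS injection, and
HTTP injection that redirects to an "anti-fraud" page.

Added illustration, not code from the linked measurement report. Field
names, sample records and the redirect hostname are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Observation:
    host: str                           # hostname the client requested
    dns_answers: List[str]              # A records seen on the path under test
    reference_answers: List[str]        # A records from a trusted out-of-band resolver
    rst_before_response: bool = False   # a TCP RST arrived before any server bytes
    http_status: Optional[int] = None
    http_location: Optional[str] = None
    response_ttl: Optional[int] = None  # IP TTL on the first HTTP response packet
    expected_ttl: Optional[int] = None  # IP TTL on the real server's SYN-ACK


def _offsite(host: str, location: str) -> bool:
    """True if a Location header sends the client to a different site."""
    target = (urlsplit(location).hostname or "").lower()
    host = host.lower()
    return target != host and not target.endswith("." + host)


def classify(obs: Observation) -> str:
    # DNS injection: the on-path answer shares no address with the reference.
    if obs.dns_answers and obs.reference_answers and not (
        set(obs.dns_answers) & set(obs.reference_answers)
    ):
        return "dns_injection"
    # RST injection: the connection was torn down before the server spoke.
    if obs.rst_before_response:
        return "rst_injection"
    # HTTP injection: an off-site redirect whose packets carry a different
    # hop count (TTL) than the server's own SYN-ACK, i.e. from a middlebox.
    if obs.http_status in REDIRECT_CODES and obs.http_location:
        if not _offsite(obs.host, obs.http_location):
            return "clean"
        ttl_known = obs.response_ttl is not None and obs.expected_ttl is not None
        if ttl_known and obs.response_ttl != obs.expected_ttl:
            return "http_injection"
        return "offsite_redirect"  # may be legitimate; needs TTL/IP-ID corroboration
    return "clean"


# Constructed sample records (RFC 5737 documentation addresses, .example hosts).
SAMPLES: Dict[str, Observation] = {
    "rst": Observation("blocked.example", ["203.0.113.10"], ["203.0.113.10"],
                       rst_before_response=True),
    "dns": Observation("poisoned.example", ["198.51.100.7"], ["203.0.113.20"]),
    "http": Observation("warned.example", ["203.0.113.30"], ["203.0.113.30"],
                        http_status=302,
                        http_location="http://antifraud-warning.example/?u=warned.example",
                        response_ttl=250, expected_ttl=52),
    "onsite_redirect": Observation("site.example", ["203.0.113.40"], ["203.0.113.40"],
                                   http_status=301,
                                   http_location="https://www.site.example/",
                                   response_ttl=52, expected_ttl=52),
    "offsite_redirect": Observation("site.example", ["203.0.113.40"], ["203.0.113.40"],
                                    http_status=302,
                                    http_location="https://cdn-other.example/",
                                    response_ttl=52, expected_ttl=52),
    "clean": Observation("ok.example", ["203.0.113.50"], ["203.0.113.50"],
                         http_status=200),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify(obs) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} {verdict}")
```

The order of the checks matters: a poisoned DNS answer already explains any redirect that follows (the client never reached the real server), so it is tested first, and a bare off-site redirect is only called injection when the TTL disagrees, because plenty of sites legitimately redirect to another hostname.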
The 8th and 9th editions have special categories of "anti-cyberfraud" (反网络诈骗领域) support units:
9th edition:
| # | Serial number | Chinese name | English name |
|---|---|---|---|
| 1 | CNCERT-2021-20230831FWLZP001 | 北京鸿腾智能科技有限公司 | Hongteng Intelligent Technology |
| 2 | CNCERT-2021-20230831FWLZP002 | 上海黑瞳信息技术有限公司 | Hicore Tech |
| 3 | CNCERT-2021-20230831FWLZP003 | 北京中晟信达科技有限公司 | Xindatek |
| 4 | CNCERT-2021-20230831FWLZP004 | 网神信息技术(北京)股份有限公司 | Legendsec |
| 5 | CNCERT-2021-20230831FWLZP005 | 杭州云深科技有限公司 | Hangzhou Yunshen Technology |
The Android APK package name for the National Anti-Fraud Center app appears to be "com.hicorenational.antifraud" (see e.g. https://apkcombo.com/guo-jia-fan-zha-zhong-xin/com.hicorenational.antifraud), which I suppose is the same 上海黑瞳信息技术有限公司 / Hicore Tech listed in the CNCERT list of emergency support units.
https://github.com/starco1100/starco1100.github.io has an APK file, though it is quite small (5.7 MB).
Jeffrey Knockel (@jknockel) looked at iOS and Android versions of the anti-fraud app in 2022. He has made available code and other artifacts, including original .apk and .ipa files. Jeff reports being able to decrypt some of the included databases, which contained what looked like antivirus signatures. The Android file "avlsdk" is a zip file containing encrypted signature files.
https://jeffreyknockel.com/fraud/fraud.tar.xz (265 MB)
0 fraud/ 9 fraud/README.md 0 fraud/android-bestmind/ 0 fraud/android-bestmind/avlsdk_FILES/ 0 fraud/android-bestmind/avlsdk_FILES/av/ 0 fraud/android-bestmind/avlsdk_FILES/av/avl/ 0 fraud/android-bestmind/avlsdk_FILES/av/avl/android/ 282955 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_ads.avl 69845 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_amc.avl 117207 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_apn.avl 1924792 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_basic.avl 9934 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_behav.avl 9797 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_dhc.avl 30314 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_emb.avl 415 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_grayflag.avl 2539361 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_herui.avl 42349 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_kw.avl 414536 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opc.avl 445062 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opc_scdf.avl 18359 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opd.avl 22732 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opg.avl 9701 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_pack.avl 76223 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_payware.avl 469905 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_pornware.avl 45193 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_sfmf.avl 7638 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_sgnl.avl 4063904 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_sign.avl 1787761 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_white.avl 0 fraud/android-bestmind/avlsdk_FILES/av/avl/conf/ 11 fraud/android-bestmind/avlsdk_FILES/av/avl/conf/avllib.conf 372 fraud/android-bestmind/avlsdk_FILES/av/avl/conf/liscense.conf 0 fraud/android-bestmind/avlsdk_FILES/av/kw/ 0 
fraud/android-bestmind/avlsdk_FILES/av/kw/common/ 0 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/ 477 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/behavior.des 689 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/common.des 259 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/recommend.des 0 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/ 711 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/behavior.des 1212 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/common.des 274 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/recommend.des 0 fraud/android-bestmind/avlsdk_FILES/sdk_conf/ 2027 fraud/android-bestmind/avlsdk_FILES/sdk_conf/sdk.conf 106 fraud/android-bestmind/avlsdk_FILES/sdk_conf/version.conf 0 fraud/android-bestmind/avlsdk_FILES/url/ 0 fraud/android-bestmind/avlsdk_FILES/url/url/ 0 fraud/android-bestmind/avlsdk_FILES/url/url/conf/ 11 fraud/android-bestmind/avlsdk_FILES/url/url/conf/avllib.conf 388 fraud/android-bestmind/avlsdk_FILES/url/url/conf/liscense.conf 604 fraud/android-bestmind/avlsdk_FILES/url/url/fish_re_tag.avl 311392 fraud/android-bestmind/avlsdk_FILES/url/url/fish_tag.avl 1632972 fraud/android-bestmind/avlsdk_FILES/url/url/fish_url_tag.avl 20832 fraud/android-bestmind/avlsdk_FILES/url/url/tag.avl 108 fraud/android-bestmind/avlsdk_FILES/url/url/white_re_tag.avl 255472 fraud/android-bestmind/avlsdk_FILES/url/url/white_tag.avl 0 fraud/android-bestmind/blowfish.py -> ../android/blowfish.py 0 fraud/android-bestmind/blowfishalt.py -> ../android/blowfishalt.py 50167255 fraud/android-bestmind/com.bestmind.antifraud_1.8.13_105.apk 0 fraud/android-bestmind/decrypted/ 0 fraud/android-bestmind/decrypted/av/ 0 fraud/android-bestmind/decrypted/av/avl/ 0 fraud/android-bestmind/decrypted/av/avl/android/ 0 fraud/android-bestmind/decrypted/av/avl/android/avlpk_ads.avl 0 fraud/android-bestmind/decrypted/av/avl/conf/ 363 fraud/android-bestmind/decrypted/av/avl/conf/liscense.conf 0 fraud/android-bestmind/decrypted/url/ 0 
fraud/android-bestmind/decrypted/url/url/ 0 fraud/android-bestmind/decrypted/url/url/conf/ 371 fraud/android-bestmind/decrypted/url/url/conf/liscense.conf 0 fraud/android-bestmind/decrypt-avl.py -> ../android/decrypt-avl.py 0 fraud/android-bestmind/decrypt-license.py -> ../android/decrypt-license.py 0 fraud/android-bestmind/decrypt-url.py -> ../android/decrypt-url.py 0 fraud/android-bestmind/dumpall.sh -> ../android/dumpall.sh 0 fraud/android-bestmind/dump-url.py -> ../android/dump-url.py 0 fraud/android-bestmind/inflate.py -> ../android/inflate.py 0 fraud/android-bestmind/match-avl.py -> ../android/match-avl.py 0 fraud/android-bestmind/parse-avl.py -> ../android/parse-avl.py 0 fraud/android-bestmind/parse-url.py -> ../android/parse-url.py 0 fraud/android-bestmind/search.py -> ../android/search.py 0 fraud/android-bestmind/search-domain.py -> ../android/search-domain.py 0 fraud/android-bestmind/search-url.py -> ../android/search-url.py 0 fraud/android-bestmind/xxtea.py -> ../android/xxtea.py 0 fraud/android/ 41075 fraud/android/av.csv 2886313 fraud/android/avlsdk 0 fraud/android/avlsdk_FILES/ 0 fraud/android/avlsdk_FILES-old/ 0 fraud/android/avlsdk_FILES-old/av/ 0 fraud/android/avlsdk_FILES-old/av/avl/ 0 fraud/android/avlsdk_FILES-old/av/avl/android/ 4212 fraud/android/avlsdk_FILES-old/av/avl/android/avlpk_dec.avl 4118 fraud/android/avlsdk_FILES-old/av/avl/android/avlpk_kw.avl 0 fraud/android/avlsdk_FILES-old/av/avl/android/rckl/ 1150 fraud/android/avlsdk_FILES-old/av/avl/android/rckl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES-old/av/avl/android/rugl/ 354 fraud/android/avlsdk_FILES-old/av/avl/android/rugl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES-old/av/avl/android/smcl/ 451 fraud/android/avlsdk_FILES-old/av/avl/android/smcl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES-old/av/avl/android/spdl/ 300 fraud/android/avlsdk_FILES-old/av/avl/android/spdl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES-old/av/avl/conf/ 11 
fraud/android/avlsdk_FILES-old/av/avl/conf/avllib.conf 372 fraud/android/avlsdk_FILES-old/av/avl/conf/liscense.conf 0 fraud/android/avlsdk_FILES-old/av/kw/ 0 fraud/android/avlsdk_FILES-old/av/kw/common/ 0 fraud/android/avlsdk_FILES-old/av/kw/common/en/ 477 fraud/android/avlsdk_FILES-old/av/kw/common/en/behavior.des 689 fraud/android/avlsdk_FILES-old/av/kw/common/en/common.des 259 fraud/android/avlsdk_FILES-old/av/kw/common/en/recommend.des 0 fraud/android/avlsdk_FILES-old/av/kw/common/zh/ 711 fraud/android/avlsdk_FILES-old/av/kw/common/zh/behavior.des 1212 fraud/android/avlsdk_FILES-old/av/kw/common/zh/common.des 274 fraud/android/avlsdk_FILES-old/av/kw/common/zh/recommend.des 0 fraud/android/avlsdk_FILES-old/sdk_conf/ 2043 fraud/android/avlsdk_FILES-old/sdk_conf/sdk.conf 106 fraud/android/avlsdk_FILES-old/sdk_conf/version.conf 0 fraud/android/avlsdk_FILES-old/url/ 0 fraud/android/avlsdk_FILES-old/url/url/ 0 fraud/android/avlsdk_FILES-old/url/url/conf/ 11 fraud/android/avlsdk_FILES-old/url/url/conf/avllib.conf 372 fraud/android/avlsdk_FILES-old/url/url/conf/liscense.conf 604 fraud/android/avlsdk_FILES-old/url/url/fish_re_tag.avl 802300 fraud/android/avlsdk_FILES-old/url/url/fish_tag.avl 1991568 fraud/android/avlsdk_FILES-old/url/url/fish_url_tag.avl 21072 fraud/android/avlsdk_FILES-old/url/url/tag.avl 124 fraud/android/avlsdk_FILES-old/url/url/white_re_tag.avl 244792 fraud/android/avlsdk_FILES-old/url/url/white_tag.avl 0 fraud/android/avlsdk_FILES/av/ 0 fraud/android/avlsdk_FILES/av/avl/ 0 fraud/android/avlsdk_FILES/av/avl/android/ 3563 fraud/android/avlsdk_FILES/av/avl/android/avlpk_dec.avl 4126 fraud/android/avlsdk_FILES/av/avl/android/avlpk_kw.avl 0 fraud/android/avlsdk_FILES/av/avl/android/rckl/ 1150 fraud/android/avlsdk_FILES/av/avl/android/rckl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES/av/avl/android/rugl/ 354 fraud/android/avlsdk_FILES/av/avl/android/rugl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES/av/avl/android/smcl/ 451 
fraud/android/avlsdk_FILES/av/avl/android/smcl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES/av/avl/android/spdl/ 300 fraud/android/avlsdk_FILES/av/avl/android/spdl/avlpk_grayflag.avl 0 fraud/android/avlsdk_FILES/av/avl/conf/ 11 fraud/android/avlsdk_FILES/av/avl/conf/avllib.conf 372 fraud/android/avlsdk_FILES/av/avl/conf/liscense.conf 0 fraud/android/avlsdk_FILES/av/kw/ 0 fraud/android/avlsdk_FILES/av/kw/common/ 0 fraud/android/avlsdk_FILES/av/kw/common/en/ 477 fraud/android/avlsdk_FILES/av/kw/common/en/behavior.des 689 fraud/android/avlsdk_FILES/av/kw/common/en/common.des 259 fraud/android/avlsdk_FILES/av/kw/common/en/recommend.des 0 fraud/android/avlsdk_FILES/av/kw/common/zh/ 711 fraud/android/avlsdk_FILES/av/kw/common/zh/behavior.des 1212 fraud/android/avlsdk_FILES/av/kw/common/zh/common.des 274 fraud/android/avlsdk_FILES/av/kw/common/zh/recommend.des 0 fraud/android/avlsdk_FILES/sdk_conf/ 2779 fraud/android/avlsdk_FILES/sdk_conf/sdk.conf 107 fraud/android/avlsdk_FILES/sdk_conf/version.conf 0 fraud/android/avlsdk_FILES/url/ 0 fraud/android/avlsdk_FILES/url/url/ 0 fraud/android/avlsdk_FILES/url/url/conf/ 11 fraud/android/avlsdk_FILES/url/url/conf/avllib.conf 372 fraud/android/avlsdk_FILES/url/url/conf/liscense.conf 572 fraud/android/avlsdk_FILES/url/url/fish_re_tag.avl 462884 fraud/android/avlsdk_FILES/url/url/fish_tag.avl 2134432 fraud/android/avlsdk_FILES/url/url/fish_url_tag.avl 21072 fraud/android/avlsdk_FILES/url/url/tag.avl 124 fraud/android/avlsdk_FILES/url/url/white_re_tag.avl 246660 fraud/android/avlsdk_FILES/url/url/white_tag.avl 15683 fraud/android/blowfish.py 15896 fraud/android/blowfishalt.py 59595782 fraud/android/com.hicorenational.antifraud_1.1.28_108.apk 0 fraud/android/decrypted/ 0 fraud/android/decrypted-old/ 0 fraud/android/decrypted-old/av/ 0 fraud/android/decrypted-old/av/avl/ 0 fraud/android/decrypted-old/av/avl/android/ 4507 fraud/android/decrypted-old/av/avl/android/avlpk_dec.avl 28730 
fraud/android/decrypted-old/av/avl/android/avlpk_kw.avl 0 fraud/android/decrypted-old/av/avl/android/rckl/ 3976 fraud/android/decrypted-old/av/avl/android/rckl/avlpk_grayflag.avl 0 fraud/android/decrypted-old/av/avl/android/rugl/ 2224 fraud/android/decrypted-old/av/avl/android/rugl/avlpk_grayflag.avl 0 fraud/android/decrypted-old/av/avl/android/smcl/ 1140 fraud/android/decrypted-old/av/avl/android/smcl/avlpk_grayflag.avl 0 fraud/android/decrypted-old/av/avl/android/spdl/ 498 fraud/android/decrypted-old/av/avl/android/spdl/avlpk_grayflag.avl 0 fraud/android/decrypted-old/av/avl/conf/ 357 fraud/android/decrypted-old/av/avl/conf/liscense.conf 0 fraud/android/decrypted-old/url/ 0 fraud/android/decrypted-old/url/url/ 0 fraud/android/decrypted-old/url/url/conf/ 365 fraud/android/decrypted-old/url/url/conf/liscense.conf 571 fraud/android/decrypted-old/url/url/fish_re_tag.avl 1310126 fraud/android/decrypted-old/url/url/fish_tag.avl 3252982 fraud/android/decrypted-old/url/url/fish_url_tag.avl 39321 fraud/android/decrypted-old/url/url/tag.avl 73 fraud/android/decrypted-old/url/url/white_re_tag.avl 399786 fraud/android/decrypted-old/url/url/white_tag.avl 0 fraud/android/decrypted/av/ 0 fraud/android/decrypted/av/avl/ 0 fraud/android/decrypted/av/avl/android/ 3761 fraud/android/decrypted/av/avl/android/avlpk_dec.avl 28800 fraud/android/decrypted/av/avl/android/avlpk_kw.avl 0 fraud/android/decrypted/av/avl/android/rckl/ 3976 fraud/android/decrypted/av/avl/android/rckl/avlpk_grayflag.avl 0 fraud/android/decrypted/av/avl/android/rugl/ 2224 fraud/android/decrypted/av/avl/android/rugl/avlpk_grayflag.avl 0 fraud/android/decrypted/av/avl/android/smcl/ 1140 fraud/android/decrypted/av/avl/android/smcl/avlpk_grayflag.avl 0 fraud/android/decrypted/av/avl/android/spdl/ 498 fraud/android/decrypted/av/avl/android/spdl/avlpk_grayflag.avl 0 fraud/android/decrypted/av/avl/conf/ 357 fraud/android/decrypted/av/avl/conf/liscense.conf 0 fraud/android/decrypted/url/ 0 
fraud/android/decrypted/url/url/ 0 fraud/android/decrypted/url/url/conf/ 365 fraud/android/decrypted/url/url/conf/liscense.conf 534 fraud/android/decrypted/url/url/fish_re_tag.avl 756424 fraud/android/decrypted/url/url/fish_tag.avl 3487996 fraud/android/decrypted/url/url/fish_url_tag.avl 39321 fraud/android/decrypted/url/url/tag.avl 73 fraud/android/decrypted/url/url/white_re_tag.avl 402730 fraud/android/decrypted/url/url/white_tag.avl 510 fraud/android/decrypt-avl.py 550 fraud/android/decrypt-license.py 1835 fraud/android/decrypt-url.py 0 fraud/android/dexdump_FILES/ 112068 fraud/android/dexdump_FILES/112068.dex 5349828 fraud/android/dexdump_FILES/5349828.dex 6599908 fraud/android/dexdump_FILES/6599908.dex 7807708 fraud/android/dexdump_FILES/7807708.dex 10670736 fraud/android/dexdump_FILES/10670736.dex 1178 fraud/android/dumpall.sh 1235 fraud/android/dump-url.py 58091090 fraud/android/fraud_1.1.12_apkcombo.com.apk 5002859 fraud/android/hashes.csv 26576 fraud/android/hashmap-all.csv 19044 fraud/android/hashmap-gfw-domains.csv 3565 fraud/android/hashmap-phishing-domains.csv 6702 fraud/android/hashmap-phishing-links.csv 0 fraud/android/idb/ 198357 fraud/android/idb/libavlasys.idb 4290937 fraud/android/idb/libavlm.idb 934479 fraud/android/idb/libavlurl.idb 80314 fraud/android/idb/liburldetectorsys.idb 775 fraud/android/inflate.py 32168 fraud/android/matched.csv 1587 fraud/android/match-avl.py 3900 fraud/android/parse-avl.py 1369 fraud/android/parse-url.py 0 fraud/android/search/ 939 fraud/android/search.py 1290 fraud/android/search-domain.py 2321 fraud/android/search-url.py 9969395 fraud/android/search/ALL-phishing-domains.txt 61660162 fraud/android/search/ALL-phishing-links.txt 2103242 fraud/android/search/gfw-domains.txt 1048 fraud/android/search/selected.txt 2029 fraud/android/xxtea.py 0 fraud/ios/ 1205 fraud/ios/decrypt-localall.py 4863 fraud/ios/labels-uniq.txt 3440158 fraud/ios/localall.csv 4387356 fraud/ios/localall.txt 61677688 fraud/ios/国家反诈中心.i64 47679704 
fraud/ios/国家反诈中心.ipa
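The file names in the archive (hashes.csv, search-domain.py, search/gfw-domains.txt, hashmap-gfw-domains.csv, matched.csv) indicate the usual way a hashed blocklist is read: you cannot invert the digests, so you hash every domain from candidate lists you already have and look the results up in the extracted signature set. The block below is an added example of that approach, not code from Jeffrey Knockel's archive or from Antiy's SDK. It assumes the decrypted signature files reduce to a set of hex digests of hostnames and uses MD5 purely as a stand-in; the real digest algorithm, any salt, and the exact entry layout have to be read out of the SDK's native libraries (the .idb files above), and the sample hashes and domains are constructed.

```python
"""Dictionary-match hashed hostname entries against candidate domain lists.

Added example, not from the archive above. Assumes (stand-in) MD5 digests
of lowercase hostnames; real SDK details must be taken from the binaries.
"""
import hashlib
from typing import Dict, Iterable, List, Set

HASH_ALGO = "md5"  # assumption for this example, not the SDK's real choice


def domain_variants(domain: str) -> List[str]:
    """All suffixes a blocklist could list the name under, excluding the bare TLD.

    'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com']
    """
    labels = domain.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def hash_hostname(name: str, algo: str = HASH_ALGO) -> str:
    return hashlib.new(algo, name.encode("idna")).hexdigest()


def build_index(candidates: Iterable[str], algo: str = HASH_ALGO) -> Dict[str, Set[str]]:
    """digest -> set of candidate domains that produce it (directly or via a parent)."""
    index: Dict[str, Set[str]] = {}
    for cand in candidates:
        for variant in domain_variants(cand):
            index.setdefault(hash_hostname(variant, algo), set()).add(cand)
    return index


def match_signatures(signature_hashes: Iterable[str], candidates: Iterable[str],
                     algo: str = HASH_ALGO) -> Dict[str, List[str]]:
    """Return {digest: sorted candidate domains} for every digest we can explain."""
    index = build_index(candidates, algo)
    return {h: sorted(index[h]) for h in signature_hashes if h in index}


def unmatched(signature_hashes: Iterable[str], hits: Dict[str, List[str]]) -> Set[str]:
    """Digests no candidate list explains; these stay opaque until a better list is found."""
    return set(signature_hashes) - set(hits)


# Constructed inputs: a candidate list and a fake signature set containing the
# digest of a parent domain, the digest of a plain domain, and one unknown digest.
CANDIDATE_DOMAINS = [
    "www.circumvention-tool.test",
    "mirror.circumvention-tool.test",
    "news.example.test",
    "unrelated.test",
]
SIGNATURE_HASHES = {
    hash_hostname("circumvention-tool.test"),
    hash_hostname("unrelated.test"),
    "0" * 32,
}

if __name__ == "__main__":
    hits = match_signatures(SIGNATURE_HASHES, CANDIDATE_DOMAINS)
    for digest, domains in hits.items():
        print(digest, "->", ", ".join(domains))
    print(len(unmatched(SIGNATURE_HASHES, hits)), "digest(s) unexplained")
```

Two practical notes. First, this only ever recovers names already present in a candidate list, so a low match count says as much about the list as about the signature set; the archive's separate GFW-domain and phishing lists are exactly such candidate lists. Second, walking parent domains matters because a single entry for the registered domain covers every subdomain a user might visit, and hashing only the full hostname would miss it.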
An article from Radio Free Asia (archive), via Human Rights in China's 2024-04-02 weekly brief (archive), says that police in China are inspecting people's phones to check for circumvention apps, and that people have been forced to install an "anti-fraud" (反诈骗) app that (at least) checks for installed circumvention software.
It's not clear to me the circumstances under which someone might have such an "anti-fraud" app installed. Are they pre-installed by phone providers? Automatically installed by phone repair shops? Installed by the police after any police encounter?
Has anyone acquired a sample of an "anti-fraud" app, in APK format or similar?
#254 is a previous thread that mentions "anti-fraud" apps.
Is there anything that can be done, in terms of circumvention, when the user's own device is not trustworthy? We almost always model the user's own computer as being uncontrolled by the censor. Is it an impossible situation, or are there any realistic countermeasures?
The Radio Free Asia article has a photograph of an SMS from the Hubei provincial police department notifying the owner that circumvention software was detected and telling them to uninstall it. Presumably the detection was the result of an "anti-fraud" app.
In 2018, a spyware app called 净网卫士 (Jingwang Weishi) was reverse-engineered by the OTF Red Team. They found many security flaws and partially mapped the backend infrastructure. That app was targeted at the Uyghur ethnic minority—a reminder that surveillance systems are usually first tested on more vulnerable and marginalized people before moving on to the rest of society.
https://www.opentech.fund/news/app-targeting-uyghur-population-censors-content-lacks-basic-security/ https://public.opentech.fund/documents/OTF_JingWang_Report_v2.pdf