net4people / bbs

Forum for discussing Internet censorship circumvention
3.47k stars 82 forks source link

"Anti-fraud" (反诈) spyware apps, phone inspections in China #354

Open wkrp opened 7 months ago

wkrp commented 7 months ago

An article from Radio Free Asia (archive), via Human Rights in China's 2024-04-02 weekly brief (archive), says that police in China are inspecting people's phones to check for circumvention apps, and that people have been forced to install an "anti-fraud" (反诈骗) app that (at least) checks for installed circumvention software.

A resident of the southwestern province of Sichuan who gave only the surname Huang for fear of reprisals said he had recently been stopped on the subway in the provincial capital, Chengdu. “This happened to me in Chengdu,” Huang said. “A police officer stopped me on the subway and wanted to check my phone, but I didn't allow him to. I told him he had no law enforcement powers and he let it go,” he said. Huang said he has also seen police checking people’s phones on the streets of Shanghai and Beijing.

Chinese authorities have stepped up spot checking operations on the streets and on public transport in the years since the “white paper” protest movement of 2022, which the government blamed on infiltration by “foreign forces,” and have been forcing people to download an “anti-fraud” app that monitors their phone usage, according to recent interviews.

A mobile phone repair specialist in the southern province of Guangdong who declined to be named for fear of reprisals said the police-approved “anti-fraud” app can also detect the presence of circumvention tools on any phone where it has been installed. “As long as your phone has the anti-fraud app installed, they will know what you are doing,” she said.

It's not clear to me the circumstances under which someone might have such an "anti-fraud" app installed. Are they pre-installed by phone providers? Automatically installed by phone repair shops? Installed by the police after any police encounter?

Has anyone acquired a sample of an "anti-fraud" app, in APK format or similar?

254 is a previous thread that mentions "anti-fraud" apps.

Is there anything that can be done, in terms of circumvention, when the user's own device is not trustworthy? We almost always model the user's own computer as being uncontrolled by the censor. Is it an impossible situation, or are there any realistic countermeasures?

The Radio Free Asia article has a photograph of an SMS from the Hubei provincial police department notifying the owner that circumvention software was detected and telling them to uninstall it. Presumably the detection was the result of an "anti-fraud" app.

Photograph of a phone screen with the transcript below.

短信报警 12110

您好,我们检测到您正在使用“翻墙”软件,您的行为已经违反了《中华人民共和国网络安全法》,请您立刻停止使用,或前往就近的公安机关进行合法性登记。【湖北省公安厅】

???

您好,请您立即停止使用“翻墙”软件,并卸载相关软件!你的使用记录已经上传到国家信息技术安全研究中心!如无视劝告,我们将对您采取强制措施!联系电话:027-67122288【湖北省公安厅】

SMS Alert 12110

Hello, we have detected that you are using "wall-jumping" software, your behavior has violated the "Network Security Law of the People's Republic of China", please stop using it immediately, or go to the nearest public security organs to register the legality. [Hubei Public Security Bureau]

???

Hello, please stop using the "wall-jumping" software immediately and uninstall the related software! Your usage record has been uploaded to the National Information Technology Security Research Center! If you ignore the advice, we will take enforcement measures against you! Tel: 027-67122288 [Hubei Public Security Bureau]

In 2018, a spyware app called 净网卫士 (Jingwang Weishi) was reverse-engineered by the OTF Red Team. They found many security flaws and partially mapped the backend infrastructure. That app was targeted at the Uyghur ethnic minority—a reminder that surveillance systems are usually first tested on more vulnerable and marginalized people before moving on to the rest of society.

https://www.opentech.fund/news/app-targeting-uyghur-population-censors-content-lacks-basic-security/ https://public.opentech.fund/documents/OTF_JingWang_Report_v2.pdf

IrradiatedKiwi commented 7 months ago

@wkrp

Edited my post to make it simpler with additional information. And less human to be used to train "AI"

The "'Anti-fraud" spyware app is officially named as National Anti-Fraud Center.

https://en.wikipedia.org/wiki/National_Anti-Fraud_Center

"Are they pre-installed by phone providers?"

Xiaomi phones pre-install it on system level.

https://www.gizmochina.com/2022/01/03/miui-13-anti-fraud-scam/

https://chinadigitaltimes.net/chinese/675320.html

Besides Xiaomi, National Anti-Fraud Center is pre-installed on almost all new phones made in China. it is de facto mandatory by Chinese government.

or are there any realistic countermeasures?

Flush your phone and install a clean OS yourself which is, ironically, unrealistic for most people.

Has anyone acquired a sample of an "anti-fraud" app, in APK format or similar?

tencent provide binary for windows desktop and android phone.

sj.qq.com/appdetail/com.hicorenational.antifraud

Xiaomi app store also provide download

r.app.xiaomi.com/details?id=com.hicorenational.antifraud

the user's own device is not trustworthy?

National Anti-Fraud Center is not limited to android phones. there are other binaries for apple devices and windows desktop. National Anti-Fraud Center based plugins also reported found in residential FTTR modem named antifraudv3

https://chinadigitaltimes.net/chinese/701596.html

The auditors faced several limitations, including regional blocks pertaining to not having access to a China-based phone number

China-based phone numbers are linked to individual persons. To obtain a China-based phone number, real identification and possibly Facial recognition are required. I don't think anyone in China can safely provide a phone number for research.

but I don't know what "pt" is.

"pt" probably stands for Platform (PingTai).

I was tethering my laptop using my China Mobile cellular service on an iPhone (WITHOUT installing any related app)

gaukas post has important info I missed. I heard similiar cases too.

wkrp commented 7 months ago

Thanks. That is really helpful information. The Chinese term is 国家反诈中心 (guójiā fǎnzhà zhōngxīn) and here are the Wikipedia pages:

https://en.wikipedia.org/wiki/National_Anti-Fraud_Center https://zh.wikipedia.org/wiki/国家反诈中心

Clicking on wiki links, I get to this article (archive) and then the app's page in the Apple App Store:

https://apps.apple.com/cn/app/国家反诈中心/id1552823102 (archive)

(WTH, Apple? You delete VPN apps from the App Store at the request of the Chinese government, you delete communication apps from the App Store at the request of the Chinese government, at the same time you host spyware that violates the privacy of your customers? I guess we all know "what happens on your iPhone stays on your iPhone" is a lie.)

Here's the page at AppleCensorship:

https://applecensorship.com/app-store-monitor/app/1552823102 (archive)

The location test (archive) shows that the app only appears in the App Store for China and not for other countries:

Search result for “1552823102”: 国家反诈中心 shows a crossed-out eye for United States, and a checkmark for China.

I don't see the app in the Google Play store, at least when searching in Tor Browser:

https://play.google.com/store/search?q=国家反诈中心

wkrp commented 7 months ago

The OTF Red Team has reverse-engineered and analyzed the 国家反诈中心 National Anti-Fraud Center app in 2022. (Though they say: "Further investigation into the National Anti-Fraud Center app is necessary. The auditors faced several limitations, including regional blocks pertaining to not having access to a China-based phone number.")

China's National Anti-Fraud Center – Security Assessment National_AntiFraud_Center.pdf

Executive summary

The information discussed in this report is specifically in regard to the iOS application; the Android application was not examined.

The application utilizes many additional sensitive permissions as well; including but not limited to accessing location, using the camera and recording audio.

The application is only available for Apple accounts with China based locations and cannot be downloaded from accounts in other countries.

§1 Code obfuscation

In the native application functions (the ones not related to third-party code) an obfuscation system based on the insertion of "dead code" was used together with the creation of loops that make the logical application flow difficult to follow. … the authors of the application have taken steps to make the binary more difficult to analyze and understand.

Nonetheless, no obfuscation of the names of the functions or of the text contained within the functions was found, which make it possible to identify the application functions of interest.

§3 Protection of communications

All communications to the main backends (see the list below) are protected via certificate pinning. In iOS the application main backends are:

  • fzapp.gjfzpt.cn
  • fzapph5v1.gjfzpt.cn ( sometimes used but appears to not always work correctly)

["gjfz" is obviously 国家反诈 guójiā fǎnzhà "national anti-fraud" but I don't know what "pt" is.]

§4 Usage of free China based phone number

The application has a functionality wall such that the majority of functionality can not be accessed without a China based phone number. As such, Dynamic analysis has been severely limited by not having access to the application's authenticated area, therefore the requests that could have been analyzed for dynamic analysis are very small.

§6 Frameworks included in the IPA

The presence of a large number of different SDKs, including several that offer OCR, Face Recognition, Voice recognition and similar features is an important point of attention, these technologies can be used correctly for the application purpose, but they could also be used for malicious purposes without the user being notified.

§7 Privacy Policy

The privacy policy can be consulted at: https://fzapph5.gjfzpt.cn/Agreements/policy.html (archive)

The most controversial part of the privacy policy is the following sentence:

This Privacy Policy applies only to any information we collect, and does not apply to the services provided by any third party or the rules for the use of information by third parties, and we are not responsible for any third party's use of the information provided by you. For the privacy policy of third-party services, please refer to Antiy Mobile Security AVL SDK Privacy Policy and Youmeng+ Privacy Policy.

§11 Endpoint and information collected

In the iOS application the main backends are:

  • fzapp.gjfzpt.cn
  • fzapph5v1.gjfzpt.cn (used as backup but doesn't work correctly)

The application communicates also with the following hosts:

  • aaid.amap.com
  • dualstack-arestapi.amap.com
  • ios.bugly.qq.com
  • api.openinstall.io
  • msg.umengcloud.com
  • ulogs.umeng.com
  • api.weibo.com
  • log.umsns.com
  • ulogs.umengcloud.com

Further in this report please find "Appendix III. List of hostname and IP address" a list of all hostname identifiable from the binaries.

Appendix IV. API endpoint

api/Feedback/GetDetails… click for list
  • api/Feedback/GetDetails
  • api/Verification/create
  • api/area/getareajson?areaVersion=%@
  • api/Account/bindaccount
  • api/Account/changemobile
  • api/Account/checkisverify
  • api/Account/checksmscode
  • api/Account/haspwd
  • api/Account/login
  • api/Account/logout
  • api/Account/modifyregionv2
  • api/Account/regist
  • api/Account/userinfo
  • api/Account/verify
  • api/Account/verifyv2_1
  • api/AppConfig/checkrenew?warningVersion=%&version=%&date=%@
  • api/AppConfig/getalldictionary?dictionarykeys=%@
  • api/AppConfig/getalldictionary?dictionarykeys=ProtorolVersion,SecretVersion
  • api/AppConfig/getdictionary?dictionarykey=%@
  • api/AppConfig/getdictionary?dictionarykey=ExamShare
  • api/AppConfig/verifyversion
  • api/AppVersion/ioscheck
  • api/Area/checkareaversion?areaVersion=%@
  • api/Area/treejson
  • api/Banner
  • api/CaseReport/CaseReportNumCurrentDay?submitterID=%@
  • api/CaseReport/withoutreserve?recordid=%@
  • api/ChannelStatistics/addchannel
  • api/Concerns/getconcernslist
  • api/DK/getcasecategorys
  • api/EvidenceGather/withoutreserve?recordid=%@
  • api/EvidenceType
  • api/EvidenceType/getpaymenttypes
  • api/Feedback
  • api/Feedback/AddFeedBackv2
  • api/Feedback/GetDetails
  • api/File/cancelupdate?fileid=%@
  • api/File/checkfilestatus
  • api/File/endupload
  • api/File/listenapp
  • api/FraudGroup/addv2
  • api/FraudGroup/removeleaguerv2
  • api/HotInformation/gethotinformations?Page=1&Rows=30
  • api/HotInformation/gethotinformationtoshare?id=%@
  • api/Information/getinformationtoshare?informationID=%@
  • api/Information/querylatestcases?Page=%ld&Rows=%ld
  • api/Message/GetUnReadCount
  • api/Message/SetRead?messageId=%@
  • api/Notice/getlastestnoticeforuser
  • api/PoliceUser/policelogin
  • api/Popup/getpopup
  • api/QA/getqalist
  • api/QA/solve
  • api/RealNameAudit/getauditinfo?number=%@
  • api/RegionAccount/AppGetToken
  • api/RegionApp/GetCityByPcode?pcode=%@
  • api/RegionApp/GetOneRegionMain
  • api/System/check?str=%&type=%
  • api/Verification/verify
  • api/XC/GetBackCaseCount
  • api/XC/confirmwrite
  • api/XC/getaccounttype
  • api/XC/getdetails?id=%@
  • api/XC/getpaymenttype
  • api/XC/removepaymentdetail?id=%@
  • api/XC/removesuspectfile?id=%@
  • api/XC/removesuspectprintscreen?id=%@
  • api/XC/removeurldetail?id=%@
  • api/XC/removevictim?id=%@
  • api/XC/sacanqrcode
  • api/XC/savepayment
  • api/XC/savesuspectrequet
  • api/XC/saveurl
  • api/XC/updateurldetailv3
  • api/XC/uploadpaymentdetailv3
  • api/XC/uploadsuspectfilev3
  • api/XC/uploadsuspectprintscreenv3
  • api/XK/addsmsinfo
  • api/XK/deleteappinfo?id=%@
  • api/XK/deleteconversation
  • api/XK/deleteconversationdetail
  • api/XK/deletepaymentinfo?id=%@
  • api/XK/deletepersionnel?id=%@
  • api/XK/deletetelrecord
  • api/XK/deletetransferrecorddetail
  • api/XK/deleteurlinfo?id=%@
  • api/XK/getxkcasecategorys
  • api/XK/savecaseinfo
  • api/XK/savemobileinfo
  • api/XK/savetransferrecord
  • api/XK/sendsms
  • api/XK/smsverify
  • api/XK/uploadconversationdetail
  • api/XK/uploadtransferrecorddetail
  • api/account/sendidentitycode
  • api/currentcount/statistic
  • api/home/getreadpoint
  • api/policeuser/sendsms
  • api/file/upload
  • api/CaseReport/getdetail
  • api/CaseReport/getlist
  • api/CaseReport/initialuploading
  • api/CaseReport/iosreportapp
  • api/CaseReport/removeapprecord
  • api/CaseReport/submit
  • api/EvidenceGather/getdetail
  • api/EvidenceGather/getlist
  • api/EvidenceGather/initialuploading
  • api/EvidenceGather/iosreportapp
  • api/EvidenceGather/removeapprecord
  • api/EvidenceGather/submit
  • api/EvidenceType
  • api/EvidenceType/getsocialaccounttypes
  • api/Feedback/AddFeedBack
  • api/File/GetOssToken
  • api/XC/deleteapp
  • api/XC/getdocumenttypes
  • api/XC/getedubg
  • api/XC/getnations
  • api/XC/getsocialaccounttypes
  • api/XC/pagelist
  • api/XC/removepayment
  • api/XC/removesuspect
  • api/XC/removeurl
  • api/XC/saveappv3
  • api/XC/savevictim
  • api/XK/GetPersionnalNations
  • api/XK/addappinfo
  • api/XK/addpersionnel
  • api/XK/addtepaymentinfo
  • api/XK/addurlinfo
  • api/XK/getpersionnaldocumenttypes
  • api/XK/getpersionnaledubg
  • api/XK/saveconversation
  • api/XK/savetelnumber
  • api/XK/searchdivisions
  • api/XK/searchdivisions?codes=%@
  • api/XK/updateappinfo
  • api/XK/updatepaymentinfo
  • api/XK/updatepersionnel
  • api/XK/updateurlinfo
  • api/file/upload
  • api/xc/getxccasecategorys
wkrp commented 7 months ago

I am primarily interested in the "anti-fraud" app from the perspective of anti-circumvention. If the app can detect the presence of circumvention apps, then it is likely that there is a list of names of circumvention tools either included in the app itself, or queryable through one of the API endpoints, perhaps one of these:

UjuiUjuMandan commented 7 months ago

the app only appears in the App Store for China and not for other countries:

It existed in other countries before, at least in May 2021 as I remember.

The screenshot was from Japan App Store:

IMG_1570

The CCP fears people’s protest or gave it bad comments, so it asked Apple to close comment in Chinse App Store, but it has no such power in other countries. You can see in Japan all of the four comments are lowest star.

IMG_1569

The Japanese one comment:

Human rights violation This app collects more personal information than necessary, is designed to monitor citizens and suppress freedom of speech. Contrary to the fact that it collects information arbitrarily, the developers have blatantly stated the outright lie that "no information is collected." This is in violation of the App Store guidelines, so we ask Apple to reject the app and permanently suspend the developer account.

gaukas commented 7 months ago

I'd share my personal experience with this "Anti-Fraud" thing when I visited China quite a while ago. (Not directly involving the app)

I was tethering my laptop using my China Mobile cellular service on an iPhone (WITHOUT installing any related app), all of a sudden I got a text message from 96110 telling me I am visiting a scam website and ask me to stop (in Chinese). About a minute later I received a phone call from 96110, in which it is a prerecorded warning message in Chinese telling me I am visiting a scam website, stop immediately, press a number to connect to live agent, etc.

About a few minutes later I repeated everything and received another text message, but not phone call this time.

I am suspecting they are using DNS or TLS-SNI based filtering but I did not dig into it since it is too easy to backtrack from the cellular service and intense testing and triggering of the system will definitely alert someone in charge.

immartian commented 7 months ago

// Thanks for sharing. I used Newstr AI to create a quick summary of all the conversations above. Hopefully,it helps some external readers:

Comprehensive Analysis of China's National Anti-Fraud Center and Digital Surveillance Practices

Introduction

In recent years, the Chinese government has intensified its surveillance measures, notably through the mandatory installation of the "National Anti-Fraud Center" app. This initiative reflects a broader strategy to control and monitor the digital activities of its citizens. This article delves into the multifaceted aspects of the app and its integration into the broader surveillance infrastructure, examining its impact on privacy, freedom, and corporate compliance.

The National Anti-Fraud Center App: Overview and Functionality

The "National Anti-Fraud Center" app, developed under the auspices of the Chinese government, is designed ostensibly to combat fraud but is equipped with capabilities that extend far into surveillance. It monitors and controls the use of circumvention tools that allow users to bypass internet censorship, essentially serving as a gatekeeper against unauthorized information access.

Key Features and Technical Insights

Systemic Integration and International Reach

Unlike typical applications, the "National Anti-Fraud Center" is part of a larger surveillance ecosystem embedded within China's state-controlled telecommunications network. This system facilitates real-time monitoring and automated interventions, such as sending warnings to users visiting unapproved websites or using unauthorized apps.

International Availability and Corporate Compliance

Initially available internationally, such as in the Japan App Store, the app received significant backlash due to its intrusive nature. However, within China, corporate entities like Apple have complied with government directives to disable user feedback, highlighting the complex dynamics between global business practices and national surveillance laws.

User Experiences and Enforcement Mechanisms

Personal anecdotes and user reports reveal the extensive reach of China's surveillance apparatus. For instance, users have reported receiving immediate warnings via SMS and phone calls when engaging in activities deemed suspicious by the state, regardless of having the app installed. This suggests a pervasive monitoring system that taps directly into cellular services.

Ethical Considerations and Future Implications

The collaboration between Chinese authorities and international corporations in enforcing these surveillance measures raises significant ethical questions. The potential future integration of surveillance technologies into hardware and broader network infrastructure could lead to even more profound implications for global privacy and freedom.

China's "National Anti-Fraud Center" serves as a poignant example of how modern digital surveillance can transcend traditional boundaries between state control and personal freedom. The involvement of international corporations in these practices further complicates the landscape, challenging the global community to reconsider the balance between security and privacy.

References

IrradiatedKiwi commented 7 months ago

I used Newstr AI to create a quick summary

If you had written a summary yourself, I would have appreciated it. Instead you feed my post to proprietary machine learning software without my consent. It is creepy and can't be undone. I don't approve my post to be used in this way. And i don't want any of my contents to be used to train any 'AI'.

Your 'summary' is also misleading.

the "National Anti-Fraud Center" is part of a larger surveillance ecosystem embedded within China's state-controlled telecommunications network.

I assume this is base on my post "I think the "National Anti-Fraud Center" is a set of systems rather than a single app. "

That is my opinion and assumption, not necessarily a fact.

wkrp commented 7 months ago

China's Internet Emergency Response Center (CNCERT) publishes semiannual lists of "network security emergency service support units" (网络安全应急服务支撑单位名单):

The 8th and 9th editions have special categories of "anti-cyberfraud" (反网络诈骗领域) support units:

8th edition:

# Serial number Chinese name English name
1 CNCERT-2019-20210701FWLZP004 北京奇虎科技有限公司 Qihoo 360
2 CNCERT-2019-20210701FWLZP005 四川无声信息技术有限公司 Silence Information Technology
3 CNCERT-2019-20210701FWLZP001 网神信息技术(北京)股份有限公司 Legendsec
4 CNCERT-2019-20210701FWLZP002 恒安嘉新(北京)科技股份公司 Eversec
5 CNCERT-2019-20210701FWLZP003 神州网云(北京)信息技术有限公司 Shenzhou Wang Yun

9th edition:

# Serial number Chinese name English name
1 CNCERT-2021-20230831FWLZP001 北京鸿腾智能科技有限公司 Hongteng Intelligent Technology
2 CNCERT-2021-20230831FWLZP002 上海黑瞳信息技术有限公司 Hicore Tech
3 CNCERT-2021-20230831FWLZP003 北京中晟信达科技有限公司 Xindatek
4 CNCERT-2021-20230831FWLZP004 网神信息技术(北京)股份有限公司 Legendsec
5 CNCERT-2021-20230831FWLZP005 杭州云深科技有限公司 Hangzhou Yunshen Technology

The company 北京安天网络安全技术有限公司 (Antiy) that is mentioned in the anti-fraud app's privacy policy is not listed among the anti-cyberfraud units, but in both the 8th and 9th edition Antiy is one of the "national-level" (国家级) units.

IrradiatedKiwi commented 7 months ago

The National Anti-Fraud Center app also seem to has access to phone owner's contact list. Someone mentioned that they didn't pick up the phone from anti-fraud hotline so the police called their relatives in their contact list to ask them to pick up the phone.

Also since this issue seems to be focused on National Anti-Fraud Center app in phone. I opened a new issue and updated some additional info regarding the anti-fraud plugins in FTTR modem. And because I think that incident itself is quite concerning.

https://github.com/net4people/bbs/issues/355

the sniproxyv3 and antifraudv3 in that FTTR modem seems to be responsible of redirecting users to the anti-fraud webpage too. So I think that if you connect your phone to the internet via those compromised FTTR modem, you might get your website redirected to the anti-fraud webpage and called by the anti-fraud hotline too. even if the National Anti-Fraud Center app is not installed in your phone.

E8x6UDEm commented 6 months ago

All Chinese smartphone manufacturers have integrated anti-fraud features at the system level (not the national anti-fraud app), and Xiaomi is no exception.

Since 2023, smartphone manufacturers have once again tightened the unlocking permissions for Android bootloaders, making it difficult for new models to bypass the anti-fraud system monitoring by flashing third-party ROMs.

In fact, what we are facing is an expansion of public power under the guise of anti-fraud, which is far more extensive and deeper than before. A similar past instance was the Ministry of Industry and Information Technology's Green Dam software, which was eventually halted.

The nominal reason for implementing anti-fraud measures is the recent surge in telecommunication fraud, especially in the Southeast Asia region, notably northern Myanmar. The push under the guise of anti-fraud is not just about promoting the national anti-fraud app; it also includes actions by telecom operators, the GFW, banks, etc.

wkrp commented 6 months ago
  • ISPs by default redirect to anti-fraud pages.

I'll just link to measurements from 2022 about ISPs sending users to anti-fraud websites. It worked by either DNS injection or HTTP injection. It was considered significant because webpages in China are usually blocked by RST injection.

China "Anti-Fraud" Webpage Redirection Censorship

wkrp commented 3 months ago

The 8th and 9th editions have special categories of "anti-cyberfraud" (反网络诈骗领域) support units:

9th edition: # Serial number Chinese name English name
1 CNCERT-2021-20230831FWLZP001 北京鸿腾智能科技有限公司 Hongteng Intelligent Technology
2 CNCERT-2021-20230831FWLZP002 上海黑瞳信息技术有限公司 Hicore Tech
3 CNCERT-2021-20230831FWLZP003 北京中晟信达科技有限公司 Xindatek
4 CNCERT-2021-20230831FWLZP004 网神信息技术(北京)股份有限公司 Legendsec
5 CNCERT-2021-20230831FWLZP005 杭州云深科技有限公司 Hangzhou Yunshen Technology

The Android APK package name for the National Anti-Fraud Center app appears to be "com.hicorenational.antifraud" (see e.g. https://apkcombo.com/guo-jia-fan-zha-zhong-xin/com.hicorenational.antifraud), which I suppose is the same 上海黑瞳信息技术有限公司 / Hicore Tech listed in the CNCERT list of emergency support units.

https://github.com/starco1100/starco1100.github.io has an APK file, though it is quite small (5.7 MB).

wkrp commented 3 months ago

Jeffrey Knockel (@jknockel) looked at iOS and Android versions of the anti-fraud app in 2022. He has made available code and other artifacts, including original .apk and .ipa files. Jeff reports being able to decrypt some of the included databases, which contained what looked like antivirus signatures. The Android file "avlsdk" is a zip file containing encrypted signature files.

https://jeffreyknockel.com/fraud/fraud.tar.xz (265 MB)

Contents of fraud.tar.xz
       0 fraud/
       9 fraud/README.md
       0 fraud/android-bestmind/
       0 fraud/android-bestmind/avlsdk_FILES/
       0 fraud/android-bestmind/avlsdk_FILES/av/
       0 fraud/android-bestmind/avlsdk_FILES/av/avl/
       0 fraud/android-bestmind/avlsdk_FILES/av/avl/android/
  282955 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_ads.avl
   69845 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_amc.avl
  117207 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_apn.avl
 1924792 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_basic.avl
    9934 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_behav.avl
    9797 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_dhc.avl
   30314 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_emb.avl
     415 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_grayflag.avl
 2539361 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_herui.avl
   42349 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_kw.avl
  414536 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opc.avl
  445062 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opc_scdf.avl
   18359 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opd.avl
   22732 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_opg.avl
    9701 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_pack.avl
   76223 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_payware.avl
  469905 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_pornware.avl
   45193 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_sfmf.avl
    7638 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_sgnl.avl
 4063904 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_sign.avl
 1787761 fraud/android-bestmind/avlsdk_FILES/av/avl/android/avlpk_white.avl
       0 fraud/android-bestmind/avlsdk_FILES/av/avl/conf/
      11 fraud/android-bestmind/avlsdk_FILES/av/avl/conf/avllib.conf
     372 fraud/android-bestmind/avlsdk_FILES/av/avl/conf/liscense.conf
       0 fraud/android-bestmind/avlsdk_FILES/av/kw/
       0 fraud/android-bestmind/avlsdk_FILES/av/kw/common/
       0 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/
     477 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/behavior.des
     689 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/common.des
     259 fraud/android-bestmind/avlsdk_FILES/av/kw/common/en/recommend.des
       0 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/
     711 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/behavior.des
    1212 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/common.des
     274 fraud/android-bestmind/avlsdk_FILES/av/kw/common/zh/recommend.des
       0 fraud/android-bestmind/avlsdk_FILES/sdk_conf/
    2027 fraud/android-bestmind/avlsdk_FILES/sdk_conf/sdk.conf
     106 fraud/android-bestmind/avlsdk_FILES/sdk_conf/version.conf
       0 fraud/android-bestmind/avlsdk_FILES/url/
       0 fraud/android-bestmind/avlsdk_FILES/url/url/
       0 fraud/android-bestmind/avlsdk_FILES/url/url/conf/
      11 fraud/android-bestmind/avlsdk_FILES/url/url/conf/avllib.conf
     388 fraud/android-bestmind/avlsdk_FILES/url/url/conf/liscense.conf
     604 fraud/android-bestmind/avlsdk_FILES/url/url/fish_re_tag.avl
  311392 fraud/android-bestmind/avlsdk_FILES/url/url/fish_tag.avl
 1632972 fraud/android-bestmind/avlsdk_FILES/url/url/fish_url_tag.avl
   20832 fraud/android-bestmind/avlsdk_FILES/url/url/tag.avl
     108 fraud/android-bestmind/avlsdk_FILES/url/url/white_re_tag.avl
  255472 fraud/android-bestmind/avlsdk_FILES/url/url/white_tag.avl
       0 fraud/android-bestmind/blowfish.py -> ../android/blowfish.py
       0 fraud/android-bestmind/blowfishalt.py -> ../android/blowfishalt.py
50167255 fraud/android-bestmind/com.bestmind.antifraud_1.8.13_105.apk
       0 fraud/android-bestmind/decrypted/
       0 fraud/android-bestmind/decrypted/av/
       0 fraud/android-bestmind/decrypted/av/avl/
       0 fraud/android-bestmind/decrypted/av/avl/android/
       0 fraud/android-bestmind/decrypted/av/avl/android/avlpk_ads.avl
       0 fraud/android-bestmind/decrypted/av/avl/conf/
     363 fraud/android-bestmind/decrypted/av/avl/conf/liscense.conf
       0 fraud/android-bestmind/decrypted/url/
       0 fraud/android-bestmind/decrypted/url/url/
       0 fraud/android-bestmind/decrypted/url/url/conf/
     371 fraud/android-bestmind/decrypted/url/url/conf/liscense.conf
       0 fraud/android-bestmind/decrypt-avl.py -> ../android/decrypt-avl.py
       0 fraud/android-bestmind/decrypt-license.py -> ../android/decrypt-license.py
       0 fraud/android-bestmind/decrypt-url.py -> ../android/decrypt-url.py
       0 fraud/android-bestmind/dumpall.sh -> ../android/dumpall.sh
       0 fraud/android-bestmind/dump-url.py -> ../android/dump-url.py
       0 fraud/android-bestmind/inflate.py -> ../android/inflate.py
       0 fraud/android-bestmind/match-avl.py -> ../android/match-avl.py
       0 fraud/android-bestmind/parse-avl.py -> ../android/parse-avl.py
       0 fraud/android-bestmind/parse-url.py -> ../android/parse-url.py
       0 fraud/android-bestmind/search.py -> ../android/search.py
       0 fraud/android-bestmind/search-domain.py -> ../android/search-domain.py
       0 fraud/android-bestmind/search-url.py -> ../android/search-url.py
       0 fraud/android-bestmind/xxtea.py -> ../android/xxtea.py
       0 fraud/android/
   41075 fraud/android/av.csv
 2886313 fraud/android/avlsdk
       0 fraud/android/avlsdk_FILES/
       0 fraud/android/avlsdk_FILES-old/
       0 fraud/android/avlsdk_FILES-old/av/
       0 fraud/android/avlsdk_FILES-old/av/avl/
       0 fraud/android/avlsdk_FILES-old/av/avl/android/
    4212 fraud/android/avlsdk_FILES-old/av/avl/android/avlpk_dec.avl
    4118 fraud/android/avlsdk_FILES-old/av/avl/android/avlpk_kw.avl
       0 fraud/android/avlsdk_FILES-old/av/avl/android/rckl/
    1150 fraud/android/avlsdk_FILES-old/av/avl/android/rckl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES-old/av/avl/android/rugl/
     354 fraud/android/avlsdk_FILES-old/av/avl/android/rugl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES-old/av/avl/android/smcl/
     451 fraud/android/avlsdk_FILES-old/av/avl/android/smcl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES-old/av/avl/android/spdl/
     300 fraud/android/avlsdk_FILES-old/av/avl/android/spdl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES-old/av/avl/conf/
      11 fraud/android/avlsdk_FILES-old/av/avl/conf/avllib.conf
     372 fraud/android/avlsdk_FILES-old/av/avl/conf/liscense.conf
       0 fraud/android/avlsdk_FILES-old/av/kw/
       0 fraud/android/avlsdk_FILES-old/av/kw/common/
       0 fraud/android/avlsdk_FILES-old/av/kw/common/en/
     477 fraud/android/avlsdk_FILES-old/av/kw/common/en/behavior.des
     689 fraud/android/avlsdk_FILES-old/av/kw/common/en/common.des
     259 fraud/android/avlsdk_FILES-old/av/kw/common/en/recommend.des
       0 fraud/android/avlsdk_FILES-old/av/kw/common/zh/
     711 fraud/android/avlsdk_FILES-old/av/kw/common/zh/behavior.des
    1212 fraud/android/avlsdk_FILES-old/av/kw/common/zh/common.des
     274 fraud/android/avlsdk_FILES-old/av/kw/common/zh/recommend.des
       0 fraud/android/avlsdk_FILES-old/sdk_conf/
    2043 fraud/android/avlsdk_FILES-old/sdk_conf/sdk.conf
     106 fraud/android/avlsdk_FILES-old/sdk_conf/version.conf
       0 fraud/android/avlsdk_FILES-old/url/
       0 fraud/android/avlsdk_FILES-old/url/url/
       0 fraud/android/avlsdk_FILES-old/url/url/conf/
      11 fraud/android/avlsdk_FILES-old/url/url/conf/avllib.conf
     372 fraud/android/avlsdk_FILES-old/url/url/conf/liscense.conf
     604 fraud/android/avlsdk_FILES-old/url/url/fish_re_tag.avl
  802300 fraud/android/avlsdk_FILES-old/url/url/fish_tag.avl
 1991568 fraud/android/avlsdk_FILES-old/url/url/fish_url_tag.avl
   21072 fraud/android/avlsdk_FILES-old/url/url/tag.avl
     124 fraud/android/avlsdk_FILES-old/url/url/white_re_tag.avl
  244792 fraud/android/avlsdk_FILES-old/url/url/white_tag.avl
       0 fraud/android/avlsdk_FILES/av/
       0 fraud/android/avlsdk_FILES/av/avl/
       0 fraud/android/avlsdk_FILES/av/avl/android/
    3563 fraud/android/avlsdk_FILES/av/avl/android/avlpk_dec.avl
    4126 fraud/android/avlsdk_FILES/av/avl/android/avlpk_kw.avl
       0 fraud/android/avlsdk_FILES/av/avl/android/rckl/
    1150 fraud/android/avlsdk_FILES/av/avl/android/rckl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES/av/avl/android/rugl/
     354 fraud/android/avlsdk_FILES/av/avl/android/rugl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES/av/avl/android/smcl/
     451 fraud/android/avlsdk_FILES/av/avl/android/smcl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES/av/avl/android/spdl/
     300 fraud/android/avlsdk_FILES/av/avl/android/spdl/avlpk_grayflag.avl
       0 fraud/android/avlsdk_FILES/av/avl/conf/
      11 fraud/android/avlsdk_FILES/av/avl/conf/avllib.conf
     372 fraud/android/avlsdk_FILES/av/avl/conf/liscense.conf
       0 fraud/android/avlsdk_FILES/av/kw/
       0 fraud/android/avlsdk_FILES/av/kw/common/
       0 fraud/android/avlsdk_FILES/av/kw/common/en/
     477 fraud/android/avlsdk_FILES/av/kw/common/en/behavior.des
     689 fraud/android/avlsdk_FILES/av/kw/common/en/common.des
     259 fraud/android/avlsdk_FILES/av/kw/common/en/recommend.des
       0 fraud/android/avlsdk_FILES/av/kw/common/zh/
     711 fraud/android/avlsdk_FILES/av/kw/common/zh/behavior.des
    1212 fraud/android/avlsdk_FILES/av/kw/common/zh/common.des
     274 fraud/android/avlsdk_FILES/av/kw/common/zh/recommend.des
       0 fraud/android/avlsdk_FILES/sdk_conf/
    2779 fraud/android/avlsdk_FILES/sdk_conf/sdk.conf
     107 fraud/android/avlsdk_FILES/sdk_conf/version.conf
       0 fraud/android/avlsdk_FILES/url/
       0 fraud/android/avlsdk_FILES/url/url/
       0 fraud/android/avlsdk_FILES/url/url/conf/
      11 fraud/android/avlsdk_FILES/url/url/conf/avllib.conf
     372 fraud/android/avlsdk_FILES/url/url/conf/liscense.conf
     572 fraud/android/avlsdk_FILES/url/url/fish_re_tag.avl
  462884 fraud/android/avlsdk_FILES/url/url/fish_tag.avl
 2134432 fraud/android/avlsdk_FILES/url/url/fish_url_tag.avl
   21072 fraud/android/avlsdk_FILES/url/url/tag.avl
     124 fraud/android/avlsdk_FILES/url/url/white_re_tag.avl
  246660 fraud/android/avlsdk_FILES/url/url/white_tag.avl
   15683 fraud/android/blowfish.py
   15896 fraud/android/blowfishalt.py
59595782 fraud/android/com.hicorenational.antifraud_1.1.28_108.apk
       0 fraud/android/decrypted/
       0 fraud/android/decrypted-old/
       0 fraud/android/decrypted-old/av/
       0 fraud/android/decrypted-old/av/avl/
       0 fraud/android/decrypted-old/av/avl/android/
    4507 fraud/android/decrypted-old/av/avl/android/avlpk_dec.avl
   28730 fraud/android/decrypted-old/av/avl/android/avlpk_kw.avl
       0 fraud/android/decrypted-old/av/avl/android/rckl/
    3976 fraud/android/decrypted-old/av/avl/android/rckl/avlpk_grayflag.avl
       0 fraud/android/decrypted-old/av/avl/android/rugl/
    2224 fraud/android/decrypted-old/av/avl/android/rugl/avlpk_grayflag.avl
       0 fraud/android/decrypted-old/av/avl/android/smcl/
    1140 fraud/android/decrypted-old/av/avl/android/smcl/avlpk_grayflag.avl
       0 fraud/android/decrypted-old/av/avl/android/spdl/
     498 fraud/android/decrypted-old/av/avl/android/spdl/avlpk_grayflag.avl
       0 fraud/android/decrypted-old/av/avl/conf/
     357 fraud/android/decrypted-old/av/avl/conf/liscense.conf
       0 fraud/android/decrypted-old/url/
       0 fraud/android/decrypted-old/url/url/
       0 fraud/android/decrypted-old/url/url/conf/
     365 fraud/android/decrypted-old/url/url/conf/liscense.conf
     571 fraud/android/decrypted-old/url/url/fish_re_tag.avl
 1310126 fraud/android/decrypted-old/url/url/fish_tag.avl
 3252982 fraud/android/decrypted-old/url/url/fish_url_tag.avl
   39321 fraud/android/decrypted-old/url/url/tag.avl
      73 fraud/android/decrypted-old/url/url/white_re_tag.avl
  399786 fraud/android/decrypted-old/url/url/white_tag.avl
       0 fraud/android/decrypted/av/
       0 fraud/android/decrypted/av/avl/
       0 fraud/android/decrypted/av/avl/android/
    3761 fraud/android/decrypted/av/avl/android/avlpk_dec.avl
   28800 fraud/android/decrypted/av/avl/android/avlpk_kw.avl
       0 fraud/android/decrypted/av/avl/android/rckl/
    3976 fraud/android/decrypted/av/avl/android/rckl/avlpk_grayflag.avl
       0 fraud/android/decrypted/av/avl/android/rugl/
    2224 fraud/android/decrypted/av/avl/android/rugl/avlpk_grayflag.avl
       0 fraud/android/decrypted/av/avl/android/smcl/
    1140 fraud/android/decrypted/av/avl/android/smcl/avlpk_grayflag.avl
       0 fraud/android/decrypted/av/avl/android/spdl/
     498 fraud/android/decrypted/av/avl/android/spdl/avlpk_grayflag.avl
       0 fraud/android/decrypted/av/avl/conf/
     357 fraud/android/decrypted/av/avl/conf/liscense.conf
       0 fraud/android/decrypted/url/
       0 fraud/android/decrypted/url/url/
       0 fraud/android/decrypted/url/url/conf/
     365 fraud/android/decrypted/url/url/conf/liscense.conf
     534 fraud/android/decrypted/url/url/fish_re_tag.avl
  756424 fraud/android/decrypted/url/url/fish_tag.avl
 3487996 fraud/android/decrypted/url/url/fish_url_tag.avl
   39321 fraud/android/decrypted/url/url/tag.avl
      73 fraud/android/decrypted/url/url/white_re_tag.avl
  402730 fraud/android/decrypted/url/url/white_tag.avl
     510 fraud/android/decrypt-avl.py
     550 fraud/android/decrypt-license.py
    1835 fraud/android/decrypt-url.py
       0 fraud/android/dexdump_FILES/
  112068 fraud/android/dexdump_FILES/112068.dex
 5349828 fraud/android/dexdump_FILES/5349828.dex
 6599908 fraud/android/dexdump_FILES/6599908.dex
 7807708 fraud/android/dexdump_FILES/7807708.dex
10670736 fraud/android/dexdump_FILES/10670736.dex
    1178 fraud/android/dumpall.sh
    1235 fraud/android/dump-url.py
58091090 fraud/android/fraud_1.1.12_apkcombo.com.apk
 5002859 fraud/android/hashes.csv
   26576 fraud/android/hashmap-all.csv
   19044 fraud/android/hashmap-gfw-domains.csv
    3565 fraud/android/hashmap-phishing-domains.csv
    6702 fraud/android/hashmap-phishing-links.csv
       0 fraud/android/idb/
  198357 fraud/android/idb/libavlasys.idb
 4290937 fraud/android/idb/libavlm.idb
  934479 fraud/android/idb/libavlurl.idb
   80314 fraud/android/idb/liburldetectorsys.idb
     775 fraud/android/inflate.py
   32168 fraud/android/matched.csv
    1587 fraud/android/match-avl.py
    3900 fraud/android/parse-avl.py
    1369 fraud/android/parse-url.py
       0 fraud/android/search/
     939 fraud/android/search.py
    1290 fraud/android/search-domain.py
    2321 fraud/android/search-url.py
 9969395 fraud/android/search/ALL-phishing-domains.txt
61660162 fraud/android/search/ALL-phishing-links.txt
 2103242 fraud/android/search/gfw-domains.txt
    1048 fraud/android/search/selected.txt
    2029 fraud/android/xxtea.py
       0 fraud/ios/
    1205 fraud/ios/decrypt-localall.py
    4863 fraud/ios/labels-uniq.txt
 3440158 fraud/ios/localall.csv
 4387356 fraud/ios/localall.txt
61677688 fraud/ios/国家反诈中心.i64
47679704 fraud/ios/国家反诈中心.ipa