Threat Research

Your Gossip Is Public

By Axelle Apvrille | April 22, 2016

From time to time, AV analysts encounter "funny" Android malware or PUA: Riskware/Secretmimi!Android is one of those. 

This riskware is a social app used to share secrets (gossip). The "fun" part is that you certainly should not use it if you expect them to remain secret ;)

Besides using aggressive adkits such as Umeng, the application obviously does not know about HTTPS and posts everything in clear text.

For example, when you register your birthday and gender are posted in the clear (see Figure 1). So, too bad if you wanted those private.

Registration packet capture for (fake!) user named 'taratata', male, born in 1970. The device_id field corresponds to an MD5 hash of the android IMEI, a hash of the Android ID and serial number, and an MD5 hash of ro.serialno

Your secrets are also posted in plain text (see Figure 3). The title and contents of the gossip are base64 encoded:

$ echo "dGVzdGluZw==" | base64 -d
$ echo "eW91IHNob3VsZCBzdGF5IGF3YXkgZnJvbSByaXNrd2FyZSA7LSk=" | base64 -d
you should stay away from riskware ;-)

A (not so) secret we are sharing to the community ;)

Packet capture of a "secret"

It is true there are far more scary malware applications in the wild. However, knowing some of our human inclination for gossip, such an application may tempt teenagers (or adults), and we feel it is important to remind the end-user that his/her "secrets" are all but "secret". And additionally, they're publishing your GPS coordinates (longitude, latitude, city...) and feeding up advertisement SDKs with juicy information such as gender and birthdate.


This sample was picked up by SherlockDroid/Alligator. The analysis was done by Matteo Bertolino (student at Eurecom) under the supervision of Ludovic Apvrille (Telecom ParisTech) and mine ;)


-- the Crypto Girl

Join the Discussion