May 31, 2021

appdev128

Introduction

The app is similar in functionality to a group of apps we call Cordova pin620pong. Some of the variable names in the data-retrieval code are also the same. This suggests that the customer behind the application is the same, but the developers are different.

Analysis

The analysis is shown using the com.tododo.app application as an example.

The app looks like a simple to-do list:

Application screenshot

Traffic capture showed the initial link:

Traffic analyzer screenshot

The "data" parameter contains Base64-encoded information:

eyJhcGlVcmwiOiJodHRwczpcL1wvZ29uLmFwcGRldjEyOC5iZXN0XC9hcnNjZm51dXMiLCJhZkFwcEtleSI6IlY2TWF3RXVURkMyMnVnaldrUTNaTUgiLCJhZkRhdGFXaGl0ZSI6dHJ1ZSwieWFtQXBwS2V5IjoiYzRlNDM0NWEtODU4Yi00M2QxLTkwNGUtYjE2ZTE5YzJkZTQ1Iiwib3NBcHBJZCI6IjZkNjkxZGM3LTY4NzEtNDAxNy04MjI4LTZhYjUzZmQyZWIwNSJ9

Data decoded from Base64

Decoded data looks like this:

{"apiUrl":"https:\/\/gon.appdev128.best\/arscfnuus","afAppKey":"V6MawEuTFC22ugjWkQ3ZMH","afDataWhite":true,"yamAppKey":"c4e4345a-858b-43d1-904e-b16e19c2de45","osAppId":"6d691dc7-6871-4017-8228-6ab53fd2eb05"}
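As an added example (not code from the original analysis), a small Python helper that performs the decoding above in a reusable way: it accepts either the captured initial link or the bare blob, restores any stripped Base64 padding, tolerates the URL-safe alphabet, and parses the resulting JSON. The blob is the one captured above; the URL that wraps it in the usage call is constructed for illustration and is not the real initial link.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlparse

# The Base64 blob from the captured "data" parameter (copied from the capture above).
CAPTURED_DATA = (
    "eyJhcGlVcmwiOiJodHRwczpcL1wvZ29uLmFwcGRldjEyOC5iZXN0XC9hcnNjZm51dXMiLCJh"
    "ZkFwcEtleSI6IlY2TWF3RXVURkMyMnVnaldrUTNaTUgiLCJhZkRhdGFXaGl0ZSI6dHJ1ZSwi"
    "eWFtQXBwS2V5IjoiYzRlNDM0NWEtODU4Yi00M2QxLTkwNGUtYjE2ZTE5YzJkZTQ1Iiwib3NB"
    "cHBJZCI6IjZkNjkxZGM3LTY4NzEtNDAxNy04MjI4LTZhYjUzZmQyZWIwNSJ9"
)


def decode_data_param(value: str) -> dict:
    """Decode the Base64 JSON configuration carried in a "data" parameter.

    `value` is either a full URL (the parameter is pulled from the query
    string) or the bare Base64 blob. Padding is restored and the URL-safe
    alphabet is tried as a fallback, because blobs copied out of URLs often
    lose their trailing "=" or use "-_" in place of "+/".
    """
    blob = value
    if "://" in value:
        qs = parse_qs(urlparse(value).query)
        if "data" not in qs:
            raise ValueError('no "data" parameter in URL')
        # parse_qs turns an unescaped "+" into a space; put it back.
        blob = qs["data"][0].replace(" ", "+")
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)  # restore padding to a multiple of 4
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        raw = base64.urlsafe_b64decode(blob)
    # json.loads accepts the "\/" escapes seen in the decoded output.
    return json.loads(raw.decode("utf-8"))


def c2_indicators(cfg: dict) -> dict:
    """Pull out the pieces worth feeding into detection: the API host and
    path, and any third-party SDK keys (fields ending in AppKey / AppId)."""
    api = urlparse(cfg["apiUrl"])
    return {
        "api_host": api.hostname,
        "api_path": api.path,
        "app_keys": {k: v for k, v in cfg.items() if k.endswith(("AppKey", "AppId"))},
    }


if __name__ == "__main__":
    # Constructed wrapper URL; only the "data" value is real.
    config = decode_data_param("https://example.invalid/init?data=" + CAPTURED_DATA)
    print(json.dumps(c2_indicators(config), indent=2))
```

The apiUrl host is the pivot for the rest of the analysis, and the SDK keys are useful for clustering other samples from the same operator.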

The "apiUrl" parameter contains a link, which can be seen in another traffic analyzer screenshot:

Another traffic analyzer screenshot

No links were found in the response, but the initial link to dns.google helps in analyzing the code.

The initial link and the functions that retrieve data from it were found in the code:

Screenshot of the code using the initial link
Manually formatted code for retrieving data using dns.google (original source)
Screenshot of the source code that obtains the apiUrl

After receiving data from the dns.google service, a POST request is sent to the address in the apiUrl variable.

Screenshot of the code for getting data from the post request

The code checks for two variables that are not present in the server's response: url_force and url.

To check whether the application can display third-party websites, we supplemented the server's response with the two missing variables. The modified response looks like this:

{
  "init":true,
  "first_init":true,
  "fb_event_name":"sentFriendRequest",
  "fb_event_sum":0,
  "event_rec_timer":300,
  "fb_event_page_count":0,
  "fb_event_page_sum":0.05,
  "event_web_page_count":0,
  "event_web_change_timer":5,
  "af_event_content_view":false,
  "web_sec_redirect":1000,
  "fcm_os_empty":true,
  "c_id":"4052799",
  "url_force":true,
  "url":"https://www.arm17.com"
}

In the modified response, the last two variables were added manually. An arbitrary site is used as the url parameter, in our case https://www.arm17.com. The result of the spoofed response can be seen in the video:
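As an added example, not part of the original analysis: the response modification described above written as a mitmproxy addon, so the two fields are injected automatically on every reply from the C2 while the device is proxied. The apiUrl, the response fields and the test site are taken from the page; the use of mitmproxy, the file name inject_url.py and the helper names are assumptions.

```python
"""Hypothetical mitmproxy addon: add url_force/url to the C2 response.

Run with the device proxied through mitmproxy:  mitmproxy -s inject_url.py
"""
import json

try:
    from mitmproxy import http  # only available when loaded by mitmproxy
except ImportError:
    http = None  # the pure helpers below still work stand-alone

# apiUrl from the decoded "data" parameter, and the site we force the app to open.
API_URL = "https://gon.appdev128.best/arscfnuus"
FORCED_URL = "https://www.arm17.com"

# Constructed copy of the server response shown above, before modification.
ORIGINAL_RESPONSE = json.dumps({
    "init": True, "first_init": True, "fb_event_name": "sentFriendRequest",
    "fb_event_sum": 0, "event_rec_timer": 300, "fb_event_page_count": 0,
    "fb_event_page_sum": 0.05, "event_web_page_count": 0,
    "event_web_change_timer": 5, "af_event_content_view": False,
    "web_sec_redirect": 1000, "fcm_os_empty": True, "c_id": "4052799",
})


def inject_forced_url(body: str, url: str) -> dict:
    """Parse the JSON body and add url_force=true and url=<url>.

    Every original field is kept. Raises ValueError (which json.JSONDecodeError
    subclasses) for a non-JSON or non-object body, so callers can pass such
    responses through untouched instead of corrupting them.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("response is not a JSON object")
    data["url_force"] = True
    data["url"] = url
    return data


def spoof_body(body: str, url: str) -> str:
    """Serialized form of inject_forced_url, compact like the original."""
    return json.dumps(inject_forced_url(body, url), separators=(",", ":"))


def should_spoof(method: str, url: str) -> bool:
    """Only the POST to apiUrl is touched; dns.google and everything else pass through."""
    return method == "POST" and url.startswith(API_URL)


def response(flow):
    """mitmproxy hook, called once per HTTP response."""
    if not should_spoof(flow.request.method, flow.request.pretty_url):
        return
    try:
        flow.response.text = spoof_body(flow.response.text, FORCED_URL)
    except ValueError:
        return  # not a JSON object: leave the response alone
```

The device must trust the mitmproxy CA and the app must not pin its certificate, otherwise the POST to apiUrl never reaches the addon. Matching only the POST to apiUrl keeps the dns.google lookup and any other traffic unmodified, which is what you want when the goal is to show that the server alone decides what the app displays.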

The result of the spoofed response

Conclusion

This app has built-in functionality to display third-party sites chosen by the server and is therefore not safe. It has notable similarities to the Cordova pin620pong group. Another app from this group is blue.myst676night.dwo.

The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.

Yara rules: https://pastebin.com/WvjGELze

Password: cfumSha8b9