How is an Android smartphone spying on you?

It is well known that Android knows a lot about its user and does not keep that information to itself. But how much data is sent to the outside world on the first connection to WiFi? Which apps are responsible for pushing that data to the web? I will try to show this using a Xiaomi Redmi Go as the example.

For the purpose of the test, I created a network that does not forward any packets outside. Before performing the test I installed a few APKs. Only one is known to contact strange servers: File Manager (com.rhmsoft.fm). I marked them with (*) in the list. The rest should not have any influence on the results. They were: Termux, AFWall+, F-Droid, Magisk and Aurora Store.

Reconnaissance on DNS queries

The first thing to check is the DNS queries the phone sends to its primary DNS server. At this point we cannot tell which app is responsible for a particular query, but we should get a feeling for what to expect. I started tcpdump on my access point and this is the list of queries I received.

  1. time.android.com
  2. mtalk.google.com
  3. alt6-mtalk.google.com
  4. sdkconfig.ad.intl.xiaomi.com
  5. cmdts.ksmobile.com*
  6. ufs.adkmob.com*
  7. unconf.adkmob.com*
  8. pegasus.cmcm.com*
  9. ssdk.adkmob.com*
  10. www.googleapis.com
  11. play.googleapis.com
  12. alt7-mtalk.google.com
  13. android.clients.google.com
  14. alt2-mtalk.google.com
  15. alt4-mtalk.google.com
  16. fonts.gstatic.com
  17. xtrapath1.izatcloud.net
  18. xtrapath3.izatcloud.net
  19. xtrapath2.izatcloud.net
  20. alt1-mtalk.google.com
  21. graph.facebook.com
  22. ads.flurry.com
  23. ads.mopub.com*
  24. ups.ksmobile.net*
  25. ws.ksmobile.net*
  26. up.cm.ksmobile.com*
  27. alt6-mtalk.google.com

Let’s try to identify services one by one.

Details

File Manager

A lot of the queries are made by the File Manager app (com.rhmsoft.fm). This proves that it is not the most privacy-friendly app, to say the least. The complete list of what it does can be found on Androlyzer: https://www.androlyzer.com/app/com.rhmsoft.fm/20520480/4f7812eec05596573a03e1abd4091d1cb24bf48b.

The real impact on privacy cannot be determined, because the app encrypts some of the data it uploads to its servers (in my case they were in mainland China).

My advice is to allow it access only to the local LAN (via AFWall+, if the FTP server functionality is needed) or to deny it any network access at all.

Play Services (GMS)

This one is even harder to analyze without reverse engineering, because it uses certificate pinning, so a man-in-the-middle interception of its traffic is not possible. Google Play Services (com.google.android.gms) is preinstalled on every Android phone (besides those sanctioned by the US government). It is crucial for some apps to work (e.g. banking APKs), so uninstalling it with root privileges is not an option (and without root it is impossible to do anything about it).

Fortunately it does not itself require internet access, so it can safely be blocked on the firewall completely. I haven't noticed any problems with other services when this one can't talk to its servers.

Most likely it is the one contacting the mtalk-related domains. A probably incomplete and unverified list of its domains is:

  1. mtalk.google.com
  2. alt*-mtalk.google.com
  3. auditrecording-pa.googleapis.com
  4. play.googleapis.com
  5. android.clients.google.com
  6. fonts.gstatic.com
  7. www.googleapis.com

Together with File Manager, that’s most of the list.

Spock

This is one of the most interesting apps I found on my device. It is provided by Xiaomi and lacks any description. Its full name is com.miui.spock, and VirusTotal shows a few interesting things about it (see the strings section). It certainly tries hard to connect to its home at sdkconfig.ad.intl.xiaomi.com, sending the server a few mysterious IDs (I removed the sensitive parts and replaced them with <>):

GET /api/detail/<const-32b-id>?ts=1573409059486&nonce=<32b-id>&sign=<32b-id> HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Dalvik/2.1.0 (Linux; U; Android <x>.<x>.<x>; Redmi Go Build/<full-build-id>)
Host: sdkconfig.ad.intl.xiaomi.com
Connection: Keep-Alive


As can be seen, it leaks the system version, device model and exact firmware build in the very first request it sends, and there are surely more to come if this one succeeds. Therefore it might be worth investigating whether it can safely be removed from the system. Fortunately this one respects the firewall, the proxy and the hosts file, so it can easily be cut off from internet access.

Mi Drop

Another Xiaomi component, another bunch of attempted connections. None of them seem to be made at boot, only after opening the app, but it still leaks. It seems like a useless app for a hacker, but it is not even possible to turn it off. I advise blocking it, and here is a list of domains worth adding to the hosts file:

  1. graph.facebook.com
  2. settings.crashlytics.com
  3. sa.api.intl.miui.com
  4. data.mistat.intl.xiaomi.com
  5. app-measurement.com

Those using Facebook might want to leave the first one unblocked. All in all, DNS is not a huge problem here.
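To turn the raw tcpdump output from the reconnaissance step into something actionable, here is an added example (my own script, not part of the original post) that parses tcpdump DNS query lines, counts the queried names, attributes them to the apps identified in this post, and emits hosts-file sinkhole entries for everything not on an allow list. The sample capture and the attribution table are constructed from the domains listed above; addresses, ports and query IDs are made up.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n udp port 53` output on the access point (not a real
# capture; addresses, ports and query IDs are made up). One line is a response, not a query.
SAMPLE_TCPDUMP = """\
10:01:02.100 IP 192.168.42.10.40001 > 192.168.42.1.53: 12345+ A? time.android.com. (34)
10:01:02.200 IP 192.168.42.10.40002 > 192.168.42.1.53: 12346+ AAAA? mtalk.google.com. (34)
10:01:02.300 IP 192.168.42.10.40003 > 192.168.42.1.53: 12347+ A? sdkconfig.ad.intl.xiaomi.com. (46)
10:01:02.400 IP 192.168.42.1.53 > 192.168.42.10.40001: 12345 1/0/0 A 203.0.113.7 (50)
10:01:03.500 IP 192.168.42.10.40004 > 192.168.42.1.53: 12348+ A? xtrapath1.izatcloud.net. (41)
10:01:04.600 IP 192.168.42.10.40005 > 192.168.42.1.53: 12349+ A? sdkconfig.ad.intl.xiaomi.com. (46)
10:01:05.700 IP 192.168.42.10.40006 > 192.168.42.1.53: 12350+ A? graph.facebook.com. (36)
"""

# Question part of a tcpdump query line: "<id>+ <qtype>? <qname>. (<len>)"; responses lack it.
QUERY_RE = re.compile(r"\b\d+\+\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\.\s+\(\d+\)")

# Domain-to-app attribution from the post; the "alt*-mtalk" wildcard becomes a regex.
ATTRIBUTION = [
    (re.compile(r"^(alt\d+-)?mtalk\.google\.com$"), "Play Services (GMS)"),
    (re.compile(r"^sdkconfig\.ad\.intl\.xiaomi\.com$"), "Spock (com.miui.spock)"),
    (re.compile(r"^xtrapath\d\.izatcloud\.net$"), "GPS / Qualcomm XTRA"),
    (re.compile(r"^time\.android\.com$"), "NTP client"),
    (re.compile(r"^graph\.facebook\.com$"), "Mi Drop"),
]

def extract_queries(capture: str) -> Counter:
    """Count queried names (lowercased, trailing dot stripped) across A and AAAA questions."""
    names = Counter()
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            names[m.group("qname").lower()] += 1
    return names

def attribute(qname: str) -> str:
    """Return the app the post attributes this name to, or "unknown"."""
    for pattern, app in ATTRIBUTION:
        if pattern.match(qname):
            return app
    return "unknown"

def hosts_block_entries(queries: Counter, allow: frozenset = frozenset()) -> list:
    """Hosts-file sinkhole lines (0.0.0.0) for every attributed name not on the allow list."""
    return sorted(f"0.0.0.0 {name}" for name in queries
                  if name not in allow and attribute(name) != "unknown")

if __name__ == "__main__":
    seen = extract_queries(SAMPLE_TCPDUMP)  # NTP leaks nothing, so keep it reachable below
    print("\n".join(hosts_block_entries(seen, allow=frozenset({"time.android.com"}))))
```

Feed it real `tcpdump -n udp port 53` output instead of the sample and the counts tell you which app is the chattiest before you touch the firewall.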

NTP to time.android.com

This domain is used to update the current time via the NTP client running on the device. The only result of blocking NTP on the firewall should be that the device cannot correct its clock, so the user must set it manually. It does not respect the proxy settings configured on the WiFi connection, likely because NTP is UDP-based and a WiFi proxy only applies to HTTP traffic. When allowed on the firewall, it should not leak any information about the device.

GPS

The GPS service tries to connect to servers in the izatcloud.net domain. They are likely used for A-GPS (Assisted GPS) to make a GPS fix faster and more precise; other than that, blocking them should have no consequences. The requests sent look like the one below (xtrapath1 to xtrapath3 appeared in my case):

GET /xtra3grc.bin HTTP/1.1
Host: xtrapath1.izatcloud.net 
Accept: */*, application/vnd.wap.mms-message, application/vnd.wap.sic
x-wap-profile: http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#
User-Agent: A/<x>.<x>.<x>/Xiaomi/Redmi#Go/QC_Reference_Phone/unknown/QCX3/<lot-of-mysterious-data>


<x>.<x>.<x> is the exact Android version number. It is worth noting that this data, together with the device model and a lot of numeric values of unknown meaning, is sent without encryption (plain HTTP), so an access point administrator can easily fingerprint a device that sends such requests. I recommend unblocking it only in a trusted environment, to update the GPS data from time to time, and blocking it again afterwards.

More information can be found on the Qualcomm website (https://www.qualcomm.com/site/privacy/services) under the XTRA section.

In addition, it uses its own NTP server, independent of the one used by the system NTP client: time.izatcloud.net. As with the primary NTP server, it does not leak anything, but it may suggest that the device is running Android.

Gboard

This is the default keyboard app in my case. Its full name is com.google.android.inputmethod.latin. It is developed by Google, so I expect it is commonly preinstalled. It does not send any request at startup, but while it is in use (i.e. while typing) it generates requests from time to time. Its servers are www.google.com and www.gstatic.com. Unfortunately it uses certificate pinning to secure its requests, so their contents cannot be revealed by MitM interception.

It can be blocked and works as usual afterwards.

Google Partner Setup

I was not able to catch what this app sends, because it does not do so often. It certainly does it in the background from time to time. According to VirusTotal, it knows the following domains:

  • accounts.google.com
  • www.facebook.com

Whatever the reason for connecting to Facebook is, it is safe to block it on the firewall.

Dialer

Now it's getting creepy. Yes, on Android even the phone app tries to send telemetry data to its server. Its home seems to be ssl.google-analytics.com, but there is more: when started, it constantly tries to reach fonts.gstatic.com.

Messaging

The SMS app also tries to connect to the internet. This one is quieter, because it only tries the usual fonts.gstatic.com, but still: it does not need it.

Clock

This is quite interesting: a clock app that tries to connect to the internet. I was not able to see any requests, but AFWall+ saw some. It certainly knows ssl.google-analytics.com. Block it, don't hesitate.

F-Droid

The first open source app on the list. By default it tries to connect to its servers to check for updates; this feature can easily be disabled in the settings. Despite that, it is better to use this one than the Google Play Store, which does nobody knows what.

Magisk

Similarly to F-Droid, this one can be silenced by editing its settings. However, when opened from the app list, it tries to check for updates anyway. The best approach is to block it and allow it only for the duration of an update.

Conclusion

Is that all? Certainly not. Almost every app I looked up on VirusTotal knew some domain names. Usually they don't send the requests all the time, though, so I was not able to see them. I blocked those that were trying most often; the rest should be limited by the block-by-default setting in AFWall+. But the conclusion is that it is impossible to reclaim privacy at the moment. It has already gone too far. Using an old Nokia phone is the only way to reclaim privacy for now.

Finally, here is a table where I gathered the most notorious apps and what can be done with them:

APK behavior summary

App name              Package                                Firewall  Proxy    Hosts file  Leaked data  (no label)
CaptivePortalLogin    com.android.captiveportallogin         Blocked   Used     Used        Build        No
File manager*         com.rhmsoft.fm                         Blocked   Used     Used        ***          No
Spock                 com.miui.spock                         Blocked   Used     Used        Build,?      Yes
Google Play Services  com.google.android.gms                 Blocked   Used     Used        ***          Yes
Mi Drop               com.xiaomi.midrop                      Blocked   Used     **          ***          Yes
ntp                   -                                      Blocked   Ignored  Used        -            No
gps                   -                                      Blocked   Ignored  Ignored     Model        No
Gboard                com.google.android.inputmethod.latin   Blocked   Used     **          ***          Yes
Google Partner Setup  com.google.android.partnersetup        Blocked   ?        ?           ?            ?
Dialer                com.google.android.dialer              Blocked   Used     Ignored     ***          Yes
Messaging             com.google.android.apps.messaging      Blocked   ?        ?           ?            ?
Clock                 com.google.android.deskclock           Blocked   ?        ?           ?            ?
F-Droid*              org.fdroid.fdroid                      Blocked   Used     Used        ***          Yes
Magisk*               com.topjohnwu.magisk                   Blocked   Used     **          ***          Yes

* – not preinstalled
** – domains that might be needed by other apps or web browser
*** – certificate pinned, cannot be investigated with MitM attack

Keep in mind that a firewall is not a completely reliable way of blocking internet access. During boot there is a window of a few seconds when it is not yet active, so any app can send its data. Also, all DNS traffic is let through the firewall, so the queried names still leave the device.
