25 Jun 19

Tracing the Supply Chain Attack on Android

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” (野火) is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was using a different dictionary than most Mandarin speakers. More likely Google was just being coy: the vendor in question appears to have used both “Blazefire” and “Wildfire” as English renderings in two of the many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com”.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on the affected devices, where it was used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com (99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]com) were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.

A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to yehuo@blazefire.net. For the remainder of this post, we’ll focus on the domains in the table below that recur in the story: 2333youxi[.]com, blazefire[.]com, blazefire[.]net, longmen[.]com and tongjue[.]net.

Domain Name          Create Date   Registrar
2333youxi[.]com      2016-02-18    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com        2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com       2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com      2000-08-24    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net      2010-11-22    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com        2015-03-09    GODADDY.COM, LLC
jyhxz[.]net          2013-07-02    —
longmen[.]com        1998-06-19    GODADDY.COM, LLC
longmenbiaoju[.]com  2012-12-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com      2013-10-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net        2014-01-20    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD

Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]com is the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”

Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com, and soon afterward its records listed Shanghai Blazefire as the owner.

The offices of Shanghai Qianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.

The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd. According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Qianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.

“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016.  “The company is mainly engaged in mobile phone pre-installation business.”

That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:

-Crack the restrictions imposed by the manufacturer on the mobile phone.
-Research and master the android [operating] system
-Reverse the root software to study the root of the android mobile phone
-Research the anti-brushing [anti-flashing] and provide anti-reverse brushing [anti-reflashing] scheme

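The investigation above is an exercise in registrant pivoting: start from one selector (the tosaka1027@gmail.com address), collect the domains that share it, take the new selectors those domains expose (an organisation name, a second address, a registrant name) and walk outward again. As an added example, not code from the original post or from any Domaintools product, the script below implements that walk over a small set of records. The records are constructed from only what the article states about these domains; they carry no dates or registrars, and the privacy@registrar-proxy.invalid address and the two .example domains are hypothetical noise added to show why a proxy address or a very common selector must not be pivoted through. The refang() helper also answers the question of why the article writes blazefire[.]com: the bracket keeps a pasted indicator from being auto-linked or accidentally visited.

```python
"""Registrant pivoting over historical WHOIS-style records (added example).

Builds a bipartite graph of domains and registration selectors (registrant
e-mail, registrant name, registrant organisation) and walks it outward from a
seed e-mail, the way the article walks from tosaka1027@gmail.com to the
Shanghai Blazefire domains. Selectors that look like registrar privacy proxies,
or that fan out to too many domains, are never pivoted through.
"""
import re
from collections import defaultdict, deque

DEFANGED_DOT = re.compile(r"\[\.\]")


def refang(indicator: str) -> str:
    """blazefire[.]com -> blazefire.com (defanging keeps pasted IOCs unclickable)."""
    return DEFANGED_DOT.sub(".", indicator).strip().lower()


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


# Constructed sample records modelled only on what the article states about
# these domains; they are NOT real WHOIS output. Form: (domain, type, value).
SAMPLE_RECORDS = [
    ("blazefire[.]com", "email", "tosaka1027@gmail.com"),
    ("blazefire[.]com", "org", "Shanghai Blazefire Network Technology Co. Ltd."),
    ("2333youxi[.]com", "email", "tosaka1027@gmail.com"),
    ("2333youxi[.]com", "org", "Shanghai Blazefire Network Technology Co. Ltd."),
    ("elsyzsmc[.]com", "email", "tosaka1027@gmail.com"),
    ("rurimeter[.]com", "email", "tosaka1027@gmail.com"),
    ("99youx[.]com", "email", "tosaka1027@gmail.com"),
    ("buydudu[.]com", "email", "tosaka1027@gmail.com"),
    ("kelisrim[.]com", "email", "tosaka1027@gmail.com"),
    ("opnixi[.]com", "email", "tosaka1027@gmail.com"),
    ("sonyba[.]com", "email", "tosaka1027@gmail.com"),
    ("blazefire[.]net", "email", "yehuo@blazefire.net"),
    ("blazefire[.]net", "org", "Shanghai Blazefire Network Technology Co. Ltd."),
    ("tongjue[.]net", "org", "Shanghai Blazefire Network Technology Co. Ltd."),
    ("longmen[.]com", "email", "yehuo@blazefire.com"),
    ("longmen[.]com", "name", "Chu Da"),
    ("longmen[.]com", "org", "Shanghai Blazefire Network Technology Co. Ltd."),
    # Hypothetical noise (not from the article): a registrar privacy proxy
    # shared with unrelated domains, which must not pull them into the cluster.
    ("blazefire[.]com", "email", "privacy@registrar-proxy.invalid"),
    ("unrelated-shop.example", "email", "privacy@registrar-proxy.invalid"),
    ("unrelated-blog.example", "email", "privacy@registrar-proxy.invalid"),
]

# Malware families the article ties to specific domains.
KNOWN_BAD = {
    "elsyzsmc.com": "Triada", "rurimeter.com": "Triada",
    "99youx.com": "Hummer", "buydudu.com": "Hummer", "kelisrim.com": "Hummer",
    "opnixi.com": "Hummer", "sonyba.com": "Hummer",
}

PROXY_PATTERN = re.compile(r"privacy|proxy|whoisguard|redacted|protect", re.I)


def build_index(records):
    by_domain = defaultdict(set)    # domain -> {selector}
    by_selector = defaultdict(set)  # selector -> {domain}
    for domain, stype, value in records:
        d = refang(domain)
        sel = (stype, value.strip().lower())
        by_domain[d].add(sel)
        by_selector[sel].add(d)
    return by_domain, by_selector


def is_pivotable(sel, by_selector, max_fanout):
    """Refuse to walk through proxy/privacy selectors or very common ones."""
    if PROXY_PATTERN.search(sel[1]):
        return False
    return len(by_selector[sel]) <= max_fanout


def pivot(records, seed_email, max_hops=1, max_fanout=50):
    """Return ({domain: hop}, {selectors walked}) reachable from seed_email."""
    by_domain, by_selector = build_index(records)
    seed = ("email", seed_email.strip().lower())
    hops = {d: 0 for d in by_selector.get(seed, ())}   # seed domains are hop 0
    used = {seed}
    queue = deque(hops)
    while queue:
        d = queue.popleft()
        if hops[d] >= max_hops:
            continue
        for sel in by_domain[d]:
            if sel in used or not is_pivotable(sel, by_selector, max_fanout):
                continue
            used.add(sel)
            for nd in by_selector[sel]:
                if nd not in hops:
                    hops[nd] = hops[d] + 1
                    queue.append(nd)
    return hops, used


def report(hops):
    """Rows of (defanged domain, hop, known malware family or '') ordered by hop."""
    return [(defang(d), h, KNOWN_BAD.get(d, ""))
            for d, h in sorted(hops.items(), key=lambda kv: (kv[1], kv[0]))]


if __name__ == "__main__":
    hops, used = pivot(SAMPLE_RECORDS, "tosaka1027@gmail.com", max_hops=2)
    for row in report(hops):
        print("%-22s hop=%d %s" % row)
    print("pivoted through:", sorted(used))
```

Two design points matter in practice. First, a shared registrant address is a hypothesis, not proof: registrar privacy services, resellers and generic contact mailboxes appear on thousands of unrelated domains, which is why the walk refuses proxy-looking selectors and anything above a fan-out cap. Second, the hop count is kept on every domain so that findings can be reported with their distance from the seed; at hop 0 the link is the seed address itself, while longmen[.]com and tongjue[.]net only enter at hop 1 through the organisation name, and that difference belongs in any write-up.
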
WHO IS BLAZEFIRE/YEHUO?

Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net“.

Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.

“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”

Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.

The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”

It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.

According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.

Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.

It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.


46 comments

  1. Huh, not sure if it’s related at all, as it isn’t mobile based, and might just be a naming coincidence, but I recently came across a bit of spyware/browser hijacking ad revenue malware that reached out to subwayblaze.com, and appeared to originate from some kind of game install.

  2. Brian Fiori (AKA The Dean)

    “…Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”

    Wow, that’s some heady stuff, right there. Ha!

  3. Ray Antonelli

    Hey Brian,
    I think you should have named the Android phone models and suggested ways to remove the malware.

    • I’m guessing they’re primarily phones distributed in Asia. If they’re rooting them prior to distribution, removing the malware is going to be a more difficult process than the typical phone user can handle.

    • Ray, I don’t believe Google said which models were impacted in its blog post. However, they did reference the same Dr.Web article linked to in this story, and I also reference a BleepingComputer story from last year on the Dr.Web report, which named the following models:

      Leagoo M5
      Leagoo M5 Plus
      Leagoo M5 Edge
      Leagoo M8
      Leagoo M8 Pro
      Leagoo Z5C
      Leagoo T1 Plus
      Leagoo Z3C
      Leagoo Z1C
      Leagoo M9
      ARK Benefit M8
      Zopo Speed 7 Plus
      UHANS A101
      Doogee X5 Max
      Doogee X5 Max Pro
      Doogee Shoot 1
      Doogee Shoot 2
      Tecno W2
      Homtom HT16
      Umi London
      Kiano Elegance 5.1
      iLife Fivo Lite
      Mito A39
      Vertex Impress InTouch 4G
      Vertex Impress Genius
      myPhone Hammer Energy
      Advan S5E NXT
      Advan S4Z
      Advan i5E
      STF AERIAL PLUS
      STF JOY PRO
      Tesla SP6.2
      Cubot Rainbow
      EXTREME 7
      Haier T51
      Cherry Mobile Flare S5
      Cherry Mobile Flare J2S
      Cherry Mobile Flare P1
      NOA H6
      Pelitt T1 PLUS
      Prestigio Grace M5 LTE
      BQ 5510

    • Agreed. So many today are buying less expensive units.

  4. Ready for Freddy

    Chuda has taste, I guess – I see the good luck cat with the waving paw up there. What a mess.

    • Seriously… wonder what kind of watch he’s wearing there and why it’s been covered-up on that image.

  5. What a twisty rabbit hole BK had to follow in order for the supply chain miscreant (and his company) to be revealed in the end — kudos again, Brian!

  6. Well – I see not much has changed since the end of the last century when it was common to receive PCs with factory installed bundled crapware. These problems still exist, except it takes more serious means to remove it than before, so more serious actions need to be imposed upon any OEM , ISP, or other originating organization that tolerates it.

    I still, to this day, will not use the original CD provided for drivers for many devices, because the 3rd-party company burning them so often has a snake in the grass working for them, installing out-and-out malware to boot! I have better luck going to the OEM’s web-site and downloading the latest driver and/or software to run the device. Too bad it is not that simple for smart phones! 🙁

    • …I haven’t heard of drivers using CDs in a long time…lately devices I’ve seen are plug in and go; auto-updates the driver off the internet

  7. That is a _bass_ guitar, my friends. That right there should indicate a low level of trustworthiness.

  8. The Sunshine State

    Great article !

  9. Brian, you absolutely amaze me. I can only imagine the time and effort that went into this article. You truly are one great reporter. I am so glad I found you because you make everything understandable to a lay person like me. Thank You

    • Thank you. Yes, this story involved a ton of research, which began shortly after Google published its post at the beginning of the month. I didn’t publish it until now because I wanted to give both Google and Blazefire ample opportunity to respond.

    • I have to second this.
      Time after time, I’ve read your investigations and you never fail to impress.

      Great work Brian, keep it up!

  10. Probably better to dump the phones than remove the malware. Google should recall phones IMO and replace.

    • +1. If you get a device — whether it’s a computer or mobile phone or tablet or whatever — that gets rooted by malware before it even ships, the best advice would be to walk away from that device and start over. I will say that it appears a large number of the affected devices are far more popular in China and surrounding countries than they are elsewhere. And I agree with you that Google’s response to this has been underwhelming to say the least.

  11. Apple does not care what’s on the App Store!

    A few months ago I reported an app from a famous scammer, double-checked everything… It was still there. Sorry, don’t have the names at hand, I deal with so many spams/scams… Can try to search my archives if you want…

    Just look at all mac repair/clean/fix/speedup… tools, so many duplicates, some have even the same GUI… For Apple it’s just more money!

    Another subject: while registrars will not be held responsible to close spam/scam accounts asap… badware has a very bright future

  12. Is there risk of malware transference between these infected devices and other non-infected devices? TIA!

  13. I’m concerned as I’ve been using Xiaomi and Huawei over the last 4 years. I know there are models mentioned in the previous comment, but any suggestions that these phones/brands might also be affected? I would appreciate any advice as now I’m thinking of going back to feature phones or…

    • Povl H.Pedersen

      You are afraid your Xiaomi and Huawei might be infected ?
      Don’t be. Those are low-cost devices.

      These devices have a much more complicated backdoor that the Chinese government will not use before the initial phases of war. Their users are too valuable to allow simple profiting malware. [This is just a conspiracy theory in line with the US Prez – But nobody knows if it is sure – Even with source code, they could have embedded something in another chip – Like the SuperMicro rumors]

      • There are plenty of sources of good reliable info about the Huawei phones, enough to make any rational person not want to use them. Everyone can do their own research. Best to leave your politics out of it, clearly you suffer from TDS.

  14. Brian,

    Great article, as always.

    2 questions:

    What’s the purpose of putting the period in a domain name in square braces? [.]

    Are any of those phones even available in the US?

  15. Great article! Guess one of the takeaways on supply chain control is that if you make your home a smart home with cheap devices you are likely building a very leaky home. Your smart TV, digital assistant, smart fridge, to say nothing of your thermostat, door locks, security camera, and light switches, will all leak data.

    The same concern can likely be extrapolated to smart cars or smart cities in the future, unless there are some drastic changes in who can collect what about you.

    As the cost of data collection, storage, and transmission keeps going down, more information about individuals will be tracked.

  16. Nice work Brian.

    Mr. CEO in the pic is using Apple products (computer and monitor). Could those be payment in kind (by Apple) for his services? Just wondering…

    • Do you really think that someone who’s involved in such a complex supply chain compromise can’t afford to buy Apple products on his own…

      • Or such a fool as not to use the safest device possible in an environment (the WWW) that he helps to pollute.

  17. Excellent article, great research as usual Brian! Your Domaintools acc. is worth every penny 😉

  18. Jeff Strubberg

    If the name includes “Blaze” or “Fire” and the company behind the product is Chinese, throw it in the trash. Not joking at all. These are the same government-backed (or bullied) companies that brought you the exploding lithium cell battery.

  19. the doofus user

    If you buy a low-cost Android phone from a storefront of your service provider, should it be possible for you, the phone owner, to uninstall apps that you do not use?

  20. Brian
    I am trying to understand whose article this really is:

    https://bdmanagedit.com/tracing-the-supply-chain-attack-on-andriod/
    Looks like a cut-and-paste with some links at the end tags linking back to your site. The article at that site is attributed to a Ashley Robison; is she an employee of yours?
    PS keep up the great work.

    • There are countless sites completely republishing my stories (and in many cases the comments, too) without permission. I used to ping these sites to say this is not okay, but it became too time-consuming. The few I managed to get responses from invariably said oh sorry we were just republishing your RSS feed, which — unlike the vast majority of news sites out there — is full text instead of just a paragraph or two. Reminds me that I need to just stop doing that, since it’s being widely abused and there isn’t much I can do about it otherwise.

  21. Well that suxx
    guess that is just life in the modern age. It really offends me that someone would pass off another’s hard work as their own. Sounds like you just got used to it; I know you have seen worse.
    If there were an easy way for me to blacklist sites like that from the Google search engine results I would, enough static out there, this included 😉