Examining a Suspect Android Apk - FCC Speed Test

Recently the FCC released an "FCC Speed Test" application for Android.

Of course, the paranoid among us will claim that the app may be designed to secretly spy on you.

Fortunately there are Android app analysis sites out there, such as Anubis. These sites will automatically analyze an application for you and tell you everything it does.

I went ahead and analyzed the FCC Speed Test application, and the report is available here.

I have to admit, looking at the results doesn't feel very reassuring. The app is supposed to measure broadband speeds and report back to the FCC. But an interesting question is, why does the app contain IP addresses used to connect to internal networks?


Below is a list of all URLs inside the FCC Speed Test application.
https://settings.crashlytics.com/spi/v1/platforms/android/apps/%s/settings
http://txweb2.samknows.com/mobile.php/
http://192.168.1.69:6013
http://192.168.1.110:6013
https://www.googleapis.com/auth/plus.me
http://10.0.2.2:6013
http://plus.google.com/
https://www.appcred.com
http://192.168.1.185:6013
http://192.168.1.80:6013
https://api.crittercism.com
http://txweb2.samknows.com/mobile.php/user/getAllowedUnits
http://192.168.1.100:6013
http://192.168.2.1:6013
http://txweb2.samknows.com/mobile.php/reports/getResults
http://www.crashlytics.com/api/v1/%s/android/confirm/%s
https://www.googleapis.com/auth/plus.login
http://schemas.android.com/apk/lib/com.google.android.gms.plus
http://txweb2.samknows.com/mobile.php/reports/getResults?unit_id=
http://schemas.android.com/apk/res/android
http://192.168.1.55:6013
http://10.0.1.7:6013
192.168.x.x is commonly used for private home networks, while 10.x.x.x is commonly used for corporate networks. What's even more interesting is that the requests are being made on port 6013 - which is the port used by X Windows for Linux.

These IP addresses appear to be quite specific. What is the app looking for?

It may be possible that these URLs are remnants of development debugging - but this could be dangerous. Hard-coded debug IPs on a private network could possibly be exploited by an attacker to manipulate the application. A likely scenario would be someone setting up a malicious server on port 6013 on one of the above IP addresses on a public WiFi at a coffee shop or fast food restaurant. Once again, this is speculation and it is possible that no vulnerabilities exist.

Within every Android app is a file called "classes.dex". This is a Dalvik executable, and essentially the "guts" of the app. Using the Android SDK, we can examine this file and peek under the hood, using this command:
dexdump -d classes.dex > classes.dex.dump
Unfortunately I'm not an Android app expert, but looking at the dump, it would appear the IP addresses are related to something called "Crittercism":

0bae20:                                        |[0bae20] crittercism.android.g.a:()Ljava/lang/String;
0bae30: 6200 3713                              |0000: sget-object v0, Lcrittercism/android/g$1;.a:[I // field@1337
0bae34: 6201 4413                              |0002: sget-object v1, Lcrittercism/android/g;.a:Lcrittercism/android/g$a; // field@1344
0bae38: 6e10 6427 0100                         |0004: invoke-virtual {v1}, Lcrittercism/android/g$a;.ordinal:()I // method@2764
0bae3e: 0a01                                   |0007: move-result v1
0bae40: 4400 0001                              |0008: aget v0, v0, v1
0bae44: 2b00 2400 0000                         |000a: packed-switch v0, 0000002e // +00000024
0bae4a: 1a00 a526                              |000d: const-string v0, "https://api.crittercism.com" // string@26a5
0bae4e: 1100                                   |000f: return-object v0
0bae50: 1a00 8726                              |0010: const-string v0, "http://10.0.2.2:6013" // string@2687
0bae54: 28fd                                   |0012: goto 000f // -0003
0bae56: 1a00 8e26                              |0013: const-string v0, "http://192.168.2.1:6013" // string@268e
0bae5a: 28fa                                   |0015: goto 000f // -0006
0bae5c: 1a00 8926                              |0016: const-string v0, "http://192.168.1.110:6013" // string@2689
0bae60: 28f7                                   |0018: goto 000f // -0009
0bae62: 1a00 8d26                              |0019: const-string v0, "http://192.168.1.80:6013" // string@268d
0bae66: 28f4                                   |001b: goto 000f // -000c
0bae68: 1a00 8626                              |001c: const-string v0, "http://10.0.1.7:6013" // string@2686
0bae6c: 28f1                                   |001e: goto 000f // -000f
0bae6e: 1a00 8a26                              |001f: const-string v0, "http://192.168.1.185:6013" // string@268a
0bae72: 28ee                                   |0021: goto 000f // -0012
0bae74: 1a00 8826                              |0022: const-string v0, "http://192.168.1.100:6013" // string@2688
0bae78: 28eb                                   |0024: goto 000f // -0015
0bae7a: 1a00 a726                              |0025: const-string v0, "https://www.appcred.com" // string@26a7
0bae7e: 28e8                                   |0027: goto 000f // -0018
0bae80: 1a00 8b26                              |0028: const-string v0, "http://192.168.1.55:6013" // string@268b
0bae84: 28e5                                   |002a: goto 000f // -001b
0bae86: 1a00 8c26                              |002b: const-string v0, "http://192.168.1.69:6013" // string@268c
0bae8a: 28e2                                   |002d: goto 000f // -001e
0bae8c: 0001 0a00 0100 0000 0600 0000 0900 ... |002e: packed-switch-data (24 units)
What exactly is "Crittercism"? According to their website, they're a mobile application performance monitoring API. Unfortunately this doesn't explain the mystery URLs, but it makes me feel slightly better that the app is most likely not probing your local network for X Windows installations.

Unfortunately the full dump file is much too large to upload to PasteBin or Google Code, so if you're interested in what other interesting information is inside the dump, you'll need to perform this procedure yourself using the Android SDK.
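
One way to triage a dump of this size without reading it by hand, as an added example (not code from the original post or from the app's source): it walks `dexdump -d` output, tracks which method each `const-string` URL belongs to, and flags cleartext `http://` endpoints and IP literals in private or loopback ranges. The function and flag names are assumptions of this example; the sample input is an excerpt of the listing quoted above.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Excerpt of the dexdump -d listing quoted on this page (not the full dump).
SAMPLE_DUMP = '''\
0bae20:                                        |[0bae20] crittercism.android.g.a:()Ljava/lang/String;
0bae4a: 1a00 a526                              |000d: const-string v0, "https://api.crittercism.com" // string@26a5
0bae50: 1a00 8726                              |0010: const-string v0, "http://10.0.2.2:6013" // string@2687
0bae56: 1a00 8e26                              |0013: const-string v0, "http://192.168.2.1:6013" // string@268e
0bae7a: 1a00 a726                              |0025: const-string v0, "https://www.appcred.com" // string@26a7
'''

METHOD_RE = re.compile(r'\|\[[0-9a-f]+\]\s+(\S+)')  # "|[offset] class.method:signature"
CONST_RE = re.compile(r'const-string(?:/jumbo)?\s+v\d+,\s+"([a-z][a-z0-9+.-]*://[^"]*)"')

def classify(url):
    """Return the set of review flags for one hard-coded URL (empty = nothing to flag)."""
    flags = set()
    if url.startswith("http://"):
        flags.add("cleartext")
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return flags  # host is a DNS name (or the URL is malformed), not an IP literal
    flags.add("ip-literal")
    if addr.is_private or addr.is_loopback:
        flags.add("non-routable")
    return flags

def triage(dump_text):
    """Map each method in a dexdump -d listing to its flagged URL constants."""
    current, report = "<unknown>", defaultdict(list)
    for line in dump_text.splitlines():
        m = METHOD_RE.search(line)
        if m:  # method header line: remember it for the instructions that follow
            current = m.group(1)
            continue
        c = CONST_RE.search(line)
        if c and (flags := classify(c.group(1))):
            report[current].append((c.group(1), sorted(flags)))
    return dict(report)

if __name__ == "__main__":
    for method, hits in triage(SAMPLE_DUMP).items():
        print(method)
        for url, flags in hits:
            print(f"  {url}  [{', '.join(flags)}]")
```

Run over a full dump, the per-method grouping shows at a glance which library each flagged endpoint ships with. 10.0.2.2 is the address the Android emulator uses for the host machine's loopback interface, which is consistent with the debugging-remnant reading above.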

By the way, this app is actually Open Source. Feel free to browse the source code and see if it matches the apk file.
