How Your Phone Betrays You
Or
How You Have Betrayed Your Phone — This Relationship is Dysfunctional
Overview -
For this discussion, we are changing the focus from the office to something a bit more intimate: your phone, specifically your Android phone. You may have a Samsung, perhaps a Google Pixel, a OnePlus, possibly even a Huawei (though the way things are going politically you may not), or a Nokia, Motorola or LG (wonderful alternatives). The manufacturer may be different, but the operating system is still Android. There are various versions of the Android operating system, and each phone may differ depending on your provider. Fragmentation has always been a problem because of the bizarre and obtuse agreements between manufacturers, mobile providers, and Google (though things have been slightly better as of late).
The current version of the Android operating system is Version 11, which is available on Google Pixel devices. For other brands one can usually find Version 10; however, there are still a lot of devices out there with Version 9. The binding for all those fragmented devices rests in the hands of Google, specifically the Google Play Store. Yes, there are other app stores, specifically:
a) Amazon
b) GetJar
c) The Opera Mobile Store
d) AppsZoom
e) Appolicious
f) Kongregate
g) Appland
h) APKPure
i) APKMirror
That is a long list, and I am willing to postulate that you, humble reader, were not aware of these alternate stores. The store that most if not all people know is the Google Play Store. When an app is needed, that is usually the first place the user will go; apps are also updated via the Google Play Store. One of the most fundamental issues that comes into play with most Android phones is the lack of anti-virus / anti-malware.
As a rule, for our clients we always load Malwarebytes onto the phone, but sometimes this only gets you so far. I will scream this while they are nailing my coffin shut: signatures are not an alternative to using common sense. Still, anomalous / malicious entities will make their way through, as most individuals are not obsessively paranoid about what they do on their phone.
This brings us to Google Play Protect, Google's built-in malware defense for the Play Store. It scans all the apps on the phone and attempts to prevent the installation of harmful apps; like most such systems, Play Protect is always learning. For the most part, if the user is downloading a malicious app, Play Protect will detect it. Permissions change the dynamics of this formula. Much like the phisher who sends you a targeted email, if the malicious app developer truly wants the data he/she will steal, they are going to go out of their way to convince you that the app is legitimate. If an app has "REQUEST_INSTALL_PACKAGES" then this is an issue of concern.
The malicious app needs the above permission; otherwise nothing will occur. The permissions that you give to an app allow it to do literally whatever it wants, depending on how generous you intend to be. The app will always be considered unknown because it was not installed via the Google Play Store, and the way this is bypassed is by installing an app from Google Play which then prompts you for another installation, one which most likely has the same icon and looks virtually identical. Permissions and accessibility allow an app to achieve its functions. Malware is software, and just like other software you must give it the authority to execute.
Therefore, with that knowledge now in hand, I introduce you to:
Hola_VPN_Proxy_Premium_v1.172.622.apk
SHA256: 82ba51d25ed27d0331b700146ea67422e8f6e1b5e92228b877b14d78ff018f02
This software provides a form of virtual private network through a peer-to-peer network. It's an Israeli company that basically allows the user to access sites which they would otherwise be locked out of due to geo-blocking. All this thing really does is turn your phone into an exit node. Now, just like malware on the desktop, the phone tells us a lot; it wants to tell you what it's doing. For the purpose of this exercise we look at:
a) The actual code
b) The logs from the phone
c) Network activity
Section One: Code
Ghidra did not help us here, so we went to the ground level and unzipped the apk, and converted the
An APK at its core is a zip file with Java code that is already compiled and ready to go, so it can be installed on your phone. Code is marvelous in that there is so much in there that tells you what is going on. Now, one does not have to be an expert in reverse engineering, nor does one have to understand Java (unless you want to). What you do have to understand is the basic tenet that if you are building something, you do not insert other material into the mixture that has no bearing whatsoever on what you are building.
When we go hunting, we search for strings. A string is a sequence of characters, either as a literal constant or as a variable. It can be words, or it will look like gibberish. It helps to know or have an idea of what to look for. As we are discussing malware, one of the things I like to look for is the URL string.
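To make the string hunt concrete, here is an added example (my own triage script, not code from the post or from Hola) that treats the APK as a zip, pulls printable strings from every entry and tallies which domains the code mentions. The in-memory sample APK it builds is constructed from URLs quoted later in this section, and the OWN_HOSTS set is an assumption.

```python
# Added example (not from the original post): a first-pass string hunt over an
# APK. An APK is a zip, so we walk its entries, pull printable ASCII runs from
# classes*.dex (and any other entry), keep those that look like URLs or host
# names, and flag hosts that have nothing to do with the app's own vendor.
import io
import re
import zipfile
from collections import Counter

# Hosts that belong to the app itself. Assumption for this example; a real run
# would take the vendor's domains from the package name and the app's own site.
OWN_HOSTS = {"hola.org"}

# Printable ASCII runs of at least 8 characters, as `strings` would produce.
_STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")
# URL or bare hostname. Good enough for triage, not a full RFC 3986 parser.
_URL_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+(?:com|net|org|io|co))(?:[/?#][^\s\"']*)?",
    re.IGNORECASE,
)


def registrable(host: str) -> str:
    """Collapse 'b-api.facebook.com' to 'facebook.com' for counting."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def hunt_urls(apk_bytes: bytes):
    """Return (urls, hosts) found in every entry of the APK.

    urls  : sorted list of distinct URL/host strings seen
    hosts : Counter of registrable domains, so the analyst can see at a
            glance which third parties the code talks about most.
    """
    urls = set()
    hosts = Counter()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for run in _STRING_RE.findall(data):
                text = run.decode("ascii", "replace")
                for m in _URL_RE.finditer(text):
                    urls.add(m.group(0))
                    hosts[registrable(m.group(1))] += 1
    return sorted(urls), hosts


def foreign_hosts(hosts: Counter, own=OWN_HOSTS):
    """Hosts that are not the vendor's: the 'material that has no bearing'."""
    return {h: n for h, n in hosts.items() if h not in own}


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a fake classes.dex that
    embeds a few string constants like the ones quoted in Figures Five to Eight."""
    dex = b"\x00" * 16 + b"\n".join([
        b"https://client.hola.org/client_cgi/background_apk_init",
        b"https://help.instagram.com/",
        b"https://b-www.facebook.com/mobile/reliability_event_log_upload/",
        b"mqtt-mini.facebook.com",
        b"https://b-api.facebook.com/method/logging.clientevent",
    ]) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
    return buf.getvalue()


if __name__ == "__main__":
    found, counts = hunt_urls(build_sample_apk())
    for u in found:
        print(u)
    print("third-party hosts:", foreign_hosts(counts))
```

On a real APK, point hunt_urls at the file's bytes; the count of foreign hosts is the number to compare against what the app claims to do.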
Figure One:
public final void Aby(Bundle paramBundle, FragmentActivity paramFragmentActivity, 0Pp param0Pp) {
    Uri uri = (Uri)paramBundle.getParcelable("uri");
    if (uri != null && paramBundle.getBoolean("should_land_on_web")) {
        5hf.A02((Activity)paramFragmentActivity, param0Pp, uri, paramBundle.getString("com.instagram.url.constants.ARGUMENTS_KEY_ANALYTICS_MODULE_NAME"));
        paramFragmentActivity.finish();
        return;
    }
The first thing that stands out here is Instagram. This software is supposed to be a VPN. At most, a VPN might be allowed permission to execute on a reboot, though I would counter by saying any good VPN should be on demand and persistent only if the user deems it so; it need not be on all the time. There is no reason whatsoever for your VPN software to have code referencing Instagram.
Figure Two:
public static VideoUrlImpl parseFromJson(0i1 param0i1) {
    VideoUrlImpl videoUrlImpl2 = new VideoUrlImpl();
    if (param0i1.A0g() != 0i5.A09) {
        param0i1.A0f();
        return null;
As this is a VPN, the concept of a video URL being referenced is bad enough, but it is also being parsed from JSON. There is no place for this here and its existence is suspect.
Figure Three:
package com.facebook.video.heroplayer.client;

import X.1m7;
import android.os.Bundle;
import android.os.ResultReceiver;

public class HeroServiceClient$HeroServiceEventReceiver extends ResultReceiver {
    public HeroServiceClient$HeroServiceEventReceiver(1m7 param1m7) {
        super(null);
    }
There is a video player here and a reference to a Facebook package. A safe VPN this is not.
Figure Four:
public final class 2g8 {
    public static final ImmutableList A02;
    public static final ImmutableList A03 = ImmutableList.A08(new 2g8("laughing", "😂"), new 2g8("surprised", "😮"), new 2g8("heart_eyes", "😍"), new 2g8("crying", "😢"), new 2g8("applause", "👏"), new 2g8("fire", "🔥"), new 2g8("party", "🎉"), new 2g8("perfect", "💯"));
    public static final 2g8 A04;
    public final String A00;
    public final String A01;

    static {
        2g8 2g81 = new 2g8("heart", "❤️");
        A04 = 2g81;
        A02 = ImmutableList.A07(2g81, new 2g8("laughing", "😂"), new 2g8("surprised", "😮"), new 2g8("crying", "😢"), new 2g8("angry", "😡"), new 2g8("thumbs-up", "👍"), new 2g8("thumbs-down", "👎"));
    }
An ImmutableList in Java means the contents of the list are fixed or constant after declaration, or in other words read-only. This list was imported from com.google.common.collect.ImmutableList, found in 2g8.class. One would think that this is a social networking app instead of a secure VPN.
Figure Five:
case 164:
    return "https://help.instagram.com/";
The above is from 000.class.
Figure Six:
public 0EF() {
    Math.random();
    this.A02 = "https://b-www.facebook.com/mobile/reliability_event_log_upload/";
    this.A00 = 30000;
    this.A01 = null;
Math.random is used to return a pseudorandom double greater than or equal to 0.0 and less than 1.0. To get a specific range of values, you must multiply the returned value by the magnitude of the range. Whatever this log is, it's from Facebook and it's being factored into the random number generation.
Figure Seven:
AE6 = new 0Ht("app_url", 0L219, "", new String[] { "", "https://www.fburl.com/threadsandroid" }, null);
Located in the 0lf.class area, this is a broken Facebook URL.
Figure Eight:
public 0U6(JSONObject paramJSONObject) {
    this.A0R = paramJSONObject.optString("host_name_v6", "mqtt-mini.facebook.com");
    this.A0S = paramJSONObject.optString("php_sandbox_host_name", null);
    this.A0Q = paramJSONObject.optString("analytics_endpoint", "https://b-api.facebook.com/method/logging.clientevent");
    this.A0K = paramJSONObject.optInt("default_port", 443);
    this.A07 = paramJSONObject.optInt("backup_port", 443);
    this.A0B = paramJSONObject.optInt("dns_timeout_sec", 60);
    this.A0N = paramJSONObject.optInt("socket_timeout_sec", 60);
    this.A0H = paramJSONObject.optInt("mqtt_connect_timeout_sec", 60);
    this.A0I = paramJSONObject.optInt("response_timeout_sec", 59);
    this.A02 = paramJSONObject.optInt("back_to_back_retry_attempts", 3);
    this.A05 = paramJSONObject.optInt("background_back_to_back_retry_attempts", 1);
    this.A03 = paramJSONObject.optInt("back_to_back_retry_interval_sec", 0);
    this.A00 = paramJSONObject.optInt("back_off_initial_retry_interval_sec", 2);
    this.A04 = paramJSONObject.optInt("background_back_off_initial_retry_interval_sec", 10);
    this.A01 = paramJSONObject.optInt("back_off_max_retry_interval_sec", 900);
    this.A0C = paramJSONObject.optInt("foreground_keepalive_interval_sec", 60);
    this.A06 = paramJSONObject.optInt("background_keepalive_interval_persistent_sec", 900);
    this.A0M = paramJSONObject.optInt("skip_ping_threshold_s", 10);
    this.A0J = paramJSONObject.optInt("ping_delay_s", 60);
    this.A0T = paramJSONObject.optBoolean("force_server_ping", false);
    this.A0E = paramJSONObject.optInt("happy_eyeballs_delay_ms", 25);
    this.A0F = paramJSONObject.optInt("mqtt_client_thread_priority_ui", 5);
    this.A0G = paramJSONObject.optInt("mqtt_client_thread_priority_worker", 5);
    this.A0P = paramJSONObject.optLong("analytics_log_min_interval_for_sent_ms", 0L);
    this.A0O = paramJSONObject.optLong("analytics_log_min_interval_for_received_ms", 0L);
    this.A0D = paramJSONObject.optInt("gcm_ping_mqtt_delay_sec", 30);
    this.A0V = paramJSONObject.optBoolean("use_ssl", true);
    this.A0U = paramJSONObject.optBoolean("use_compression", true);
    this.A08 = paramJSONObject.optInt("ct", 60000);
    this.A0L = paramJSONObject.optInt("short_mqtt_connection_sec", 5);
    this.A0A = paramJSONObject.optInt("connect_rate_limiter_limit", 40);
    this.A09 = paramJSONObject.optInt("connect_rate_limiter_interval_s", 2400);
}
Located in 0u6.class
The above is disturbing: the VPN software obviously has a loving relationship with Facebook and Instagram. JSON objects are being passed to the values above. php_sandbox_host_name is something I have seen before in a malicious APK called Facebook Lite.
Figure Nine:
public final void A0k(Context paramContext, 0CA param0CA) {
    Aav aav = new Aav("https://help.instagram.com/398754794295670");
    aav.A03 = paramContext.getResources().getString(2131824721);
    SimpleWebViewActivity.A04(paramContext, param0CA, aav.A00());
}
Located in 0qS.class
WebView allows an app to open a window for viewing a URL. The URL mentioned here is the Shopping from Creators page on Instagram.
Figure Ten:
public static 0zB A00(2Gt param2Gt) {
    0fO 0fO1 = param2Gt.A00;
    if (0fO1 != null)
        param2Gt.A06.A05((0nN)0fO1.get(), null);
    param2Gt.A06.A06("access_token", param2Gt.A03);
    StringBuilder stringBuilder = new StringBuilder(0Ot.A05("https://graph.%s/", new Object[] { PreferenceManager.getDefaultSharedPreferences(0QR.A00).getString("com.instagram.common.api.facebook.FacebookURLBuilder.KEY_FACEBOOK_ENDPOINT", "facebook.com") }));
    String str2 = param2Gt.A04;
    if (str2 != null) {
        stringBuilder.append(str2);
        stringBuilder.append("/");
    }
Located in 2gt.class
The URL builder is similar to Google's analytics service. This VPN service feeds Facebook and Instagram.
Section Two:
Every app must have a manifest, and the name is always AndroidManifest.xml. This manifest describes information about the app to the build tools and the system. The manifest declares the following:
· The app's package name, which the Android build tools and the system use to identify the app.
· The components of the app, which include all activities, services, broadcast receivers, and content providers.
· The permissions that the app needs in order to access protected parts of the system or other apps. It also declares any permissions that other apps must have if they want to access content from this app.
Let's focus on permissions, as they are significant in showing what an app needs to achieve its objectives.
Figure One:
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
This permission allows code to execute after a reboot. Unless there is an inherent need for this, it is something that should be avoided. VPN access need not be on automatically after a reboot, so care should be taken with this permission, or with any other software for that matter that would ask for such authority.
Figure Two:
<receiver android:name="org.hola.bcast_recv">
    <intent-filter>
        <action android:name="android.intent.action.MEDIA_EJECT"/>
        <action android:name="android.intent.action.MEDIA_MOUNTED"/>
        <action android:name="android.intent.action.MEDIA_UNMOUNTED"/>
        <data android:scheme="file"/>
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.ACTION_SHUTDOWN"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.PACKAGE_REPLACED"/>
        <data android:path="org.hola.prem" android:scheme="package"/>
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <action android:name="android.intent.action.MY_PACKAGE_REPLACED"/>
        <data android:scheme="package"/>
    </intent-filter>
</receiver>
I copied the full receiver that was defined in the manifest. The reason for this is that it is important to note that there is a pattern of events to be found here. Specific attention should be paid to PHONE_STATE. When an app reads the PHONE_STATE, not only is it reading the phone number, but it reads the current cellular network information, the status of any ongoing calls, and any phone accounts registered with the device. CONNECTIVITY_CHANGE, which follows it, signals a change in network connectivity. A package is replaced here as well. For the most part, if the phone state is read and modified, this means a receiver is being registered, usually to feed back your activity; in this case most likely to Facebook or Instagram, based on what was in the code.
Figure Three:
<uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
<uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-feature android:name="android.hardware.location.gps" android:required="false"/>
<uses-feature android:name="android.hardware.location" android:required="false"/>
The VPN seeks to read your internet bookmarks and find out where you are. By this point you, the reader, have already figured out that this is a data collector.
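As an added example (not from the post, and not Hola's code), here is a triage pass over a decoded manifest that lists the requested permissions and receiver actions and flags the ones this section discusses. The sample manifest is constructed from Figures One to Three above, wrapped in the usual manifest/application envelope, and the watch lists are this example's own assumption.

```python
# Added example (not from the original post): triage of a decoded
# AndroidManifest.xml. It lists the permissions an app requests, the broadcast
# actions its receivers listen for, and flags the ones the post singles out.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions and broadcast actions that deserve a second look in a VPN app.
# The reasons follow the post; the sets themselves are this example's assumption.
WATCH_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages",
    "android.permission.RECEIVE_BOOT_COMPLETED": "runs code after reboot",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "reads browser history",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "writes browser history",
}
WATCH_ACTIONS = {
    "android.intent.action.PHONE_STATE": "telephony state changes",
    "android.net.conn.CONNECTIVITY_CHANGE": "network connectivity changes",
    "android.intent.action.BOOT_COMPLETED": "device boot",
    "android.intent.action.PACKAGE_REPLACED": "package updates",
}


def parse_manifest(xml_text: str) -> dict:
    """Return permissions, receivers (with their actions) and the findings."""
    root = ET.fromstring(xml_text)
    perms = [e.get(NAME_ATTR) for e in root.iter("uses-permission")]
    receivers = {}
    for rcv in root.iter("receiver"):
        actions = [a.get(NAME_ATTR)
                   for f in rcv.findall("intent-filter")
                   for a in f.findall("action")]
        receivers[rcv.get(NAME_ATTR)] = actions
    findings = []
    for p in perms:
        if p in WATCH_PERMISSIONS:
            findings.append(f"permission {p}: {WATCH_PERMISSIONS[p]}")
    for name, actions in receivers.items():
        for a in actions:
            if a in WATCH_ACTIONS:
                findings.append(f"receiver {name} listens for {a}: {WATCH_ACTIONS[a]}")
    return {"permissions": perms, "receivers": receivers, "findings": findings}


# Constructed from the fragments quoted in Section Two; not the full manifest.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="org.hola.prem">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-feature android:name="android.hardware.location.gps" android:required="false"/>
  <application>
    <receiver android:name="org.hola.bcast_recv">
      <intent-filter>
        <action android:name="android.intent.action.ACTION_SHUTDOWN"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_REPLACED"/>
        <data android:path="org.hola.prem" android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = parse_manifest(SAMPLE_MANIFEST)
    for line in report["findings"]:
        print(line)
```

The script expects a decoded (text) manifest; the one inside an APK is binary XML and must be decoded first with a tool such as apktool.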
Section Three:
Our test device was a Pixel 3a running Android 11. There was nothing special installed, only stock Android apps, which include the Google Play Store, Gmail and YouTube. I must note that there is no instance of Facebook or Instagram to be found here. Much like a computer, your phone has logs, and these logs have a story to tell.
Figure One:
08-12 17:11:49.341 12298 12298 I Hola/conf: set list_popular_site={"arr":[{"_id":"site+m.bbc.com","display":"BBC","image":"http:\/\/hola.org\/img\/popular\/android\/bbc.png","url":"m.bbc.com"},{"_id":"site+twitter.com","display":"Twitter","image":"http:\/\/hola.org\/img\/popular\/android\/twitter.png","url":"twitter.com"},{"_id":"site+slice.ca","display":"Slice","image":"http:\/\/hola.org\/img\/popular\/android\/slice.png","url":"slice.ca"},{"_id":"site+channel4.com","display":"Channel4","image":"http:\/\/hola.org\/img\/popular\/android\/channel4.png","url":"channel4.com"},{"_id":"site+netflix.com","display":"Netflix","image":"http:\/\/hola.org\/img\/popular\/android\/netflix.png","url":"netflix.com"},{"_id":"site+in.com","display":"In.com","image":"http:\/\/hola.org\/img\/popular\/android\/in.com.png","url":"in.com"}],"site_on_top":false}
The above appears to be a popular site list that the program uses. It is unclear why a program that calls itself a secure VPN would set this list. As you can see below, we did not see any of this after installation. Earlier, the program polled the installed Android apps to see what was there, including the camera app; while not damning, I still view this with great suspicion. A secure VPN should be secure from the ground up, and once I am secure it should not care where I go.
The Hola Plus VPN main screen

Figure Two:
During the installation of the app, the user is prompted with a connection request in which the Hola VPN service asks to monitor network traffic. The unsuspecting user would surely accept this; after all, it is a VPN app.

Figure Three:
Changing your location
As with any good VPN, we want to change our location to keep our privacy.

Figure Four:
While the above is going on, something rude is happening.
08-12 17:11:49.606 12298 12298 I Hola/auth: req https://client.hola.org/client_cgi/background_apk_init?login=1&uuid=apk-2e6d477521c640a5822d42efdde046b3&os_ver=Android+11&ver=1.172.622&apkid=org.hola.prem&flags=0x40000 response {"ver":"1.172.734","country":"US","key":4286710122,"unblocker_conf":{"unblocker_globals":{"all_browser":{"client_only":true,"match":{"root_urls":["all_browser"],"rules":[{"proxy_country":["ES","FR","GB","US","CA","KR","BR","NL","IT","JP"],"cmds":[{"root_urls":["all_browser"],"then":"PROXY XX.POOL","if":[]}]},{"cmds":[{"root_urls":["all_browser"],"then":"PROXY XX"}]}]}},"ads":{"cmds":[{"hosts":["google-analytics.com","analytics.twitter.com","googleadservices.com","p.adsymptotic.com","googletagmanager.com","bat.bing.com","adservice.google.com","doubleclick.net","gstatic.com","googlesyndication.com","2mdn.net","q.quora.com","analytics.edgekey.net","amazon-adsystem.com","users.quantumgraph.com","images-na.ssl-images-amazon.com","bh.contextweb.com","pixel-sync.sitescout.c…
The user should not be seeing any type of ad network in the logs when it comes to a secure VPN — there is simply no reason for this to be there, and if one can surmise a reason, then it's not a secure VPN.
Figure Five:
Instead of going to Afghanistan, Hola wanted to go to New York, as was evident when we checked the IP address to confirm that the VPN was working.

Figure Six:
All the while we get an alert from Malwarebytes.

Figure Seven:
08-12 17:11:49.612 12298 12298 I Hola/conf: set hidden_apks={"list":["launcher","calendar","contact","message","messaging","file","calculator","com.microsoft","org.hola","com.avast.android","virus","recorder","battery","screen","com.samsung","com.skype","com.google.android.googlequicksearchbox","com.android.vending"]}
The software then attempts to set a new list called hidden_apks. I can only imagine that on a Samsung or a fully stock Android device this would not go over well.
Figure Eight:
08-12 17:11:49.764 12298 12298 I Hola/conf: set agents_list_json={"agents":[{"name":"zagent98","ip":"66.85.185.69","port":22224},{"name":"zagent608","ip":"167.172.27.90","port":22224},{"name":"zagent604","ip":"192.241.167.34","port":22224},{"name":"zagent644","ip":"192.241.250.119","port":22224},{"name":"zagent1685","ip":"38.32.25.106","port":22224}],"updated_ts":1597255205622,"ttl_ms":28800000}
08-12 17:11:49.764 12298 12298 I Hola/conf: set agents_list_ts=1597266709764
08-12 17:11:49.765 12298 12298 I Hola/zajax: fetched proxy zagent 66.85.185.69 port 22224
08-12 17:11:49.765 12298 12298 I Hola/zajax: fetched proxy zagent 167.172.27.90 port 22224
08-12 17:11:49.765 12298 12298 I Hola/zajax: fetched proxy zagent 192.241.167.34 port 22224
08-12 17:11:49.765 12298 12298 I Hola/zajax: fetched proxy zagent 192.241.250.119 port 22224
08-12 17:11:49.765 12298 12298 I Hola/zajax: fetched proxy zagent 38.32.25.106 port 22224
Welcome to the rancid world of peer to peer!
Figure Nine:
08–12 16:25:44.152 5460 9525 D GetConfigurationSnapsho: byFlagStorageType, addSet = Flag(AcceleratorCache__enable_download_from_accelerator, true, 2, 0), Flag(AccountInstallState__enable_account_install_state, false, 2, 0), Flag(AccountsCache__cache_all_accounts, true, 2, 0), Flag(AccountsChanged__accounts_changed_hygiene_throttling_enabled, false, 2, 0), Flag(AccountsChanged__enable_google_account_change_broadcast, true, 2, 0), Flag(AccountsChanged__min_accounts_changed_hygiene_window_millis, 43200000, 1, 0), Flag(AcquirePurchaseCodegen__kill_switch_make_purchase_params_for_subs_acquire_from_rewards, false, 2, 0), Flag(AcquisitionFlow__enable_forward_acquiring_package_as_calling_package, true, 2, 0), Flag(AcquisitionFlow__enable_request_token_and_acquisition_id, true, 2, 0), Flag(AcquisitionFlow__fetch_payments_client_token_timeout_ms, 8000, 1, 0), Flag(AcquisitionFlow__kill_switch_use_presenter_on_response_directly_on_start, true, 2, 0), Flag(AdIds__enable_log_ad_id_lookup_events, false, 2, 0), Flag(AdSupportedMovies__video_app_min_version_for_ad_playback, 41531001, 1, 0), Flag(AddFormOfPaymentDeepLink__disable_add_form_of_payment_deep_link, false, 2, 0), Flag(AllCategoriesRtl__enable_all_categories_rtl_fix, false, 2, 0), Flag(AlleyOopD30__enable_alleyoop_d30, false, 2, 0), Flag(AlleyOopDeprecateV1__approve_whitelist, ‘com.google.android.youtube’, 4, 0), Flag(AlleyOopDeprecateV1__enable, true, 2, 0), Flag(AlleyOopDeprecateV1__redirect_whitelist, ‘com.android.chrome’, 4, 0), Flag(AlleyOopInstallBehavior__relaunch_initial_dialog_on_install_cancel, true, 2, 0), Flag(AlleyOopRedirectPaidAppToDetails__allow_paid_apps_calling_package_whitelist, ‘com.google.android.play.games’, 4, 0), Flag(AlleyOopV3Holdback__redirect_to_details, false, 2, 0), Flag(AlleyOopV3Whitelisting__enable_overlay_test_app, true, 2, 0), Flag(AlleyOopV3Whitelisting__first_party_caller_packages_post_purchase_sponsor_cluster, 
‘com.test.overlay,com.google.android.apps.kids.home,com.google.android.apps.messaging,com.google.android.apps.youtube.creator,com.google.android.apps.youtube.gaming,com.google.android.apps.youtube.kids,com.google.android.apps.youtube.mango,com.google.android.apps.youtube.music,com.google.android.apps.youtube.vr,com.google.android.contacts,com.google.android.dialer,com.google.android.youtube,com.google.android.youtube.tv,com.google.android.vr.home,com.google.android.vr.home.dev,com.google.android.googlequicksearchbox,com.google.android.play.games,com.google.android.apps.chromecast.app,com.google.android.instantapps.supervisor,com.google.android.videos,com.google.android.apps.freighter,com.google.android.apps.freighter.beta,com.google.android.apps.travel.onthego,com.google.android.gms,com.google.android.inputmethod.latin,com.google.android.inputmethod.latin.dev,com.google.android.inputmethod.latin.canary,com.google.vr.apps.ornament,com.google.vr.apps.ornament.dev,com.google.android.apps.vega,com.google.android.apps.tycho,com.google.ar.lens,com.google.ar.lens.dev,com.google.android.apps.dreamliner,com.google.android.deskclock,com.google.android.apps.tachyon,com.google.android.gm,com.google.samples.apps.cardboarddemo,com.google.vr.cardboard.paperscope,com.google.android.apps.tips,com.google.android.apps.nbu.files’, 4, 0), Flag(AlleyOopV3Whitelisting__whitelisted_packages, 
‘com.facebook.katana,com.facebook.wakizashi,com.google.android.apps.kids.home,com.google.android.apps.messaging,com.google.android.apps.youtube.creator,com.google.android.apps.youtube.gaming,com.google.android.apps.youtube.kids,com.google.android.apps.youtube.mango,com.google.android.apps.youtube.music,com.google.android.apps.youtube.vr,com.google.android.contacts,com.google.android.dialer,com.google.android.youtube,com.google.android.youtube.tv,com.kakao.talk,com.linkedin.android,com.pinterest,com.twitter.android,flipboard.app,net.daum.android.daum,ru.yandex.metro,ru.yandex.searchplugin,ru.yandex.test.promolib,ru.yandex.weatherplugin,ru.yandex.yandexbus,ru.yandex.yandexmaps,ru.yandex.yandexnavi’, 4, 0), Flag(AlleyOopV3Whitelisting__whitelist
This line was much bigger than what is shown above. GetConfigurationSnapsho is exactly what it sounds like.
Figure Ten:
08-12 17:11:48.029 12298 12298 W com.facebook.e0: Please set a value for AutoLogAppEventsEnabled. Set the flag to TRUE if you want to collect app install, app launch and in-app purchase events automatically. To request user consent before collecting data, set the flag value to FALSE, then change to TRUE once user consent is received. Learn more: https://developers.facebook.com/docs/app-events/getting-started-app-events-android#disable-auto-events.
08-12 17:11:48.029 12298 12298 W com.facebook.e0: You haven't set a value for AdvertiserIDCollectionEnabled. Set the flag to TRUE if you want to collect Advertiser ID for better advertising and analytics results. To request user consent before collecting data, set the flag value to FALSE, then change to TRUE once user consent is received. Learn more: https://developers.facebook.com/docs/app-events/getting-started-app-events-android#disable-auto-events.
As mentioned previously, Facebook is not installed on this phone, yet this was in our logs. We know from the code that the app has some sort of technical relationship with Facebook; most likely it is collecting information and sending it to Facebook.
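An added example (not part of the post) that parses logcat lines of the kind shown throughout this section: it keeps the VPN's own process, pulls the JSON out of each "Hola/conf: set key=..." entry, and reports the hidden app names, proxy agents and steered sites the app received, plus which log tags each pid emits (which is how the Facebook SDK tag shows up inside the VPN's pid). The log lines are constructed from the figures above and shortened; the pid 12298 is taken from them.

```python
# Added example (not from the original post): a small logcat triage pass over
# threadtime-format lines ("MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message").
import json
import re
from collections import defaultdict

_LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+) +(?P<pid>\d+) +(?P<tid>\d+) "
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# The app logs its received configuration as "set <key>=<value>".
_SET_RE = re.compile(r"^set (?P<key>\w+)=(?P<value>.*)$")


def parse_line(line: str):
    """Split one logcat line into its fields, or None if it is not one."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def conf_sets(lines, pid: int) -> dict:
    """Map conf key -> decoded JSON (or the raw value) for one process."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or int(rec["pid"]) != pid or rec["tag"] != "Hola/conf":
            continue
        s = _SET_RE.match(rec["msg"])
        if not s:
            continue
        try:
            out[s["key"]] = json.loads(s["value"])
        except json.JSONDecodeError:
            out[s["key"]] = s["value"]  # keep non-JSON values as text
    return out


def summarize(conf: dict) -> dict:
    """The three settings the post calls out, pulled into plain lists."""
    hidden = conf.get("hidden_apks", {}).get("list", [])
    agents = [(a["ip"], a["port"])
              for a in conf.get("agents_list_json", {}).get("agents", [])]
    sites = [s["url"] for s in conf.get("list_popular_site", {}).get("arr", [])]
    return {"hidden_apks": hidden, "agents": agents, "popular_sites": sites}


def tags_by_pid(lines) -> dict:
    """Which log tags each pid emits; third-party SDK tags under the app's
    own pid are the tell that the SDK is compiled into the app."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[int(rec["pid"])].add(rec["tag"])
    return dict(seen)


# Constructed from the figures in Section Three, shortened to fit here.
SAMPLE_LOG = [
    '08-12 17:11:48.029 12298 12298 W com.facebook.e0: Please set a value for AutoLogAppEventsEnabled.',
    '08-12 17:11:49.341 12298 12298 I Hola/conf: set list_popular_site={"arr":[{"_id":"site+m.bbc.com","display":"BBC","url":"m.bbc.com"},{"_id":"site+netflix.com","display":"Netflix","url":"netflix.com"}],"site_on_top":false}',
    '08-12 17:11:49.612 12298 12298 I Hola/conf: set hidden_apks={"list":["launcher","com.avast.android","virus","com.android.vending"]}',
    '08-12 17:11:49.764 12298 12298 I Hola/conf: set agents_list_json={"agents":[{"name":"zagent98","ip":"66.85.185.69","port":22224},{"name":"zagent608","ip":"167.172.27.90","port":22224}],"updated_ts":1597255205622,"ttl_ms":28800000}',
    '08-12 17:11:49.764 12298 12298 I Hola/conf: set agents_list_ts=1597266709764',
    '08-12 17:11:49.765 12298 12298 I Hola/zajax: fetched proxy zagent 66.85.185.69 port 22224',
    '08-12 16:25:44.152  5460  9525 D GetConfigurationSnapsho: byFlagStorageType, addSet = Flag(AcceleratorCache__enable_download_from_accelerator, true, 2, 0)',
]

if __name__ == "__main__":
    conf = conf_sets(SAMPLE_LOG, 12298)
    print(summarize(conf))
    print(tags_by_pid(SAMPLE_LOG))
```

On a real capture, feed it `adb logcat -v threadtime` output and the app's pid; the summary lists what the app was told to hide, where it was told to proxy, and which sites it was steered to.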
Conclusion:
This is a horrible program made by horrible people. We ran this on the most current version of the Android operating system; now imagine how bad it would be had we done so on an earlier version. The average user cannot sit here and reverse engineer a program, nor are they going to run it in a controlled environment. However, what they can do is use common sense, install Malwarebytes on their phone, and not download something that is unknown to them. Alternate APK stores should be used with caution, and I would submit to you that if you know enough to know about an alternate APK store, you should have the common sense to scan what you download before installing it.
Regardless, I will stand by my Android phone, because I prefer freedom to a pretty walled garden.