Need disassembly gurus: a privacy/security issue with one of Mi A1 apps, Spock

[birdie]

I've discovered a strange app in Mi A1 (com.miui.spock) which always runs, which is subscribed to certain events (apps install/uninstall/update) and which sends data to Xiaomi.

Could anyone look into it?

You can download it from here.

 

[pooniaprashant]

I've discovered a strange app in Mi A1 (com.miui.spock) which always runs, which is subscribed to certain events (apps install/uninstall/update) and which sends data to Xiaomi.

Could anyone look into it?

You can download it from here.

I know previously a guy mentioned the same app in beta Oreo builds.
How you monitored its activity?

Sent from my Mi A1 using Tapatalk

 

[birdie]

I know previously a guy mentioned the same app in beta Oreo builds.
How you monitored its activity?

Sent from my Mi A1 using Tapatalk

I didn't. I just see that it's always running and I don't like what VirusTotal says about it and the strings this app has.

Since I cannot read Java code I have no idea what it does.

 

[_mysiak_]

I don't like it either, so I greenified it. On my phone it uses about 50kb of data per month - probably nothing to worry about, but I have disabled background data for it totally now. My guess would be that it's part of Mi services app (voluntary automatic feedback).

 

[pooniaprashant]

i have created a thread on mi community regarding this, lets see what they have to say about it
http://c.mi.com/thread-665575-1-1.html

---------- Post added at 07:33 PM ---------- Previous post was at 07:24 PM ----------

I didn't. I just see that it's always running and I don't like what VirusTotal says about it and the strings this app has.

Since I cannot read Java code I have no idea what it does.

i uploaded it to virustotal and it came clean, can u link/screenshot your scan results?

 

[konradit]

Just an analytics app.

 

[birdie]

Just an analytics app.

Which leaks your data to Xiaomi without your consent? Thank you, but no thank you.

 

[pooniaprashant]

Which leaks your data to Xiaomi without your consent? Thank you, but no thank you.

You can remove it if you want to, run these commands via ADB
ADB shell
pm uninstall -k --user 0 com.miui.spock

Remember to backup your personal data before doing this as I don't know what functionality you might be breaking removing this app, incase anything goes wrong just factory reset the device and the "just an analytics app" will return.

Sent from my Mi A1 using Tapatalk

 

[surajsun22]

Which leaks your data to Xiaomi without your consent? Thank you, but no thank you.

Actually not without your consent.. I've disabled both options in mi services menu in settings. And it has used zero data for me.

 

[alkesh95]

Actually not without your consent.. I've disabled both options in mi services menu in settings. And it has used zero data for me.

Same here.
Live long and prosper.

 

[_mysiak_]

Which leaks your data to Xiaomi without your consent? Thank you, but no thank you.

Do you have proof? Captured data for example?

 

[pooniaprashant]

Actually not without your consent.. I've disabled both options in mi services menu in settings. And it has used zero data for me.

Same here.
Live long and prosper.

My consent: https://imgur.com/FC3Ceso

And spock's data usage: https://imgur.com/FihequW

 

[alkesh95]

My consent: https://imgur.com/FC3Ceso

And spock's data usage: https://imgur.com/FihequW

Okay that's an issue.

 

[birdie]

Actually not without your consent.. I've disabled both options in mi services menu in settings. And it has used zero data for me.

I'm now running stock Android O release (after factory resetting my phone), I've never enabled any feedback or subscribed to Xiaomi services yet I see that this app sends data and uses CPU time.

 

[birdie]

My consent: https://imgur.com/FC3Ceso

And spock's data usage: https://imgur.com/FihequW

The same on my end. No consent, yet data is being collected and sent.

 

[surajsun22]

My consent: https://imgur.com/FC3Ceso

And spock's data usage: https://imgur.com/FihequW

That's strange. I've disabled mi services and check the data usage and background usage on my phone..

Btw, can you confirm if you have a made in china or India version?

 

[sandrocks]

I'm now running stock Android O release (after factory resetting my phone), I've never enabled any feedback or subscribed to Xiaomi services yet I see that this app sends data and uses CPU time.

The same on my end. No consent, yet data is being collected and sent.

Why not use firewall and block its internet access?

We don't know what data it sends. It could be just diagnostic data or it might be part of data mining.

 

[pooniaprashant]

That's strange. I've disabled mi services and check the data usage and background usage on my phone..

Btw, can you confirm if you have a made in china or India version?

India, anyways that doesn't matter.

Sent from my Mi A1 using Tapatalk

 

[billysam]

The same on my end. No consent, yet data is being collected and sent.

The app is self upgradable, means that it will not require my consent to check from time to time and update itself just like google apps in the device. hence the background/foreground usage and cpu time.
the app is secured with md5. and every time it is installed/upgraded/updated/removed, the server checks for the official md5 signature of the apk file. as far as I last checked they also enabled https on their servers so less possibility of it being hacked and exploited by hackers.
Its a 100 percent analytics app that tracks Usage activity and improve overall experience(I can see that in the app's code), only if you allow it in the first place. I found nothing to suspect that it's leaking my data in the source code. No leakage, but collecting data with my consent to improve user experience, sure it does, how? by catching thrown exceptions and errors and sending those in logs. since logs have private info as well in them, they mentioned it in their disclaimer, unlike some others where they don't even care to tell you about this.

Here's the android manifest from the file you provided. I can see they last updated to version 1.1.1 on august 30, 2017. so yes, they were installed/updated/run without your consent and installed again if you tried deleting, force stopping, clear data, and came back with updates as long as you're using official.

<?xml version="1.0" encoding="utf-8"?>
<manifest
 xmlns:android="http://schemas.android.com/apk/res/android"
 android:versionCode="20170830"
 android:versionName="1.1.1"
 package="com.miui.spock"
 platformBuildVersionCode="22"
 platformBuildVersionName="5.1.1-1819727"
 >
 <uses-sdk
  android:minSdkVersion="14"
  android:targetSdkVersion="23"
  >
 </uses-sdk>
 <uses-permission
  android:name="android.permission.INTERNET"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.ACCESS_NETWORK_STATE"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.READ_PHONE_STATE"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.ACCESS_WIFI_STATE"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.READ_SYNC_SETTINGS"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.PACKAGE_USAGE_STATS"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.WRITE_SECURE_SETTINGS"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.WRITE_SETTINGS"
  >
 </uses-permission>
 <uses-permission
  android:name="android.permission.RECEIVE_BOOT_COMPLETED"
  >
 </uses-permission>
 <application
  android:label="@7F020000"
  android:name="com.miui.analytics.App"
  >
  <receiver
   android:name="com.miui.analytics.AnalyticsReceiver"
   >
   <intent-filter
    >
    <action
     android:name="android.intent.action.BOOT_COMPLETED"
     >
    </action>
   </intent-filter>
   <intent-filter
    >
    <action
     android:name="android.net.conn.CONNECTIVITY_CHANGE"
     >
    </action>
   </intent-filter>
  </receiver>
  <receiver
   android:name="com.miui.analytics.internal.ApkReceiver"
   android:exported="true"
   >
   <intent-filter
    >
    <action
     android:name="android.intent.action.PACKAGE_ADDED"
     >
    </action>
    <action
     android:name="android.intent.action.PACKAGE_REMOVED"
     >
    </action>
    <action
     android:name="android.intent.action.PACKAGE_REPLACED"
     >
    </action>
    <data
     android:scheme="package"
     >
    </data>
   </intent-filter>
  </receiver>
  <service
   android:name="com.miui.analytics.AnalyticsService"
   android:exported="true"
   >
   <intent-filter
    >
    <action
     android:name="com.miui.action.ANALYTICS_SERVICE"
     >
    </action>
   </intent-filter>
  </service>
  <service
   android:name="com.miui.analytics.EventService"
   android:exported="true"
   >
  </service>
  <service
   android:name="com.miui.analytics.internal.WakeupService"
   >
  </service>
  <service
   android:name="com.miui.analytics.internal.JobSchedulerService"
   android:permission="android.permission.BIND_JOB_SERVICE"
   >
  </service>
 </application>
</manifest>

I see no permission for camera, mic, contacts, read messages, make phone calls. that's more than enough for me to trust it as safe.

 

[sandrocks]

The app is self upgradable, means that it will not require my consent to check from time to time and update itself just like google apps in the device. hence the background/foreground usage and cpu time.

I see no permission for camera, mic, contacts, read messages, make phone calls. that's more than enough for me to trust it as safe.

More about xiaomi analytics can be found here.

http://blog.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered/

Attached screenshot for the domain it tries to connect.