Samsung services dialling home to China (360.cn and 360safe.com) after Pie upgrade

sengork

Senior Member
Dec 18, 2010
160
21
48
twitter.com
Having run NetGuard in logging mode for a few days now, I've noticed that many of Samsung's in-built services are contacting web services associated with multiple DNS subdomains under:
- *.360.cn
- *.cloud.360safe.com

A lot of them on unsecured HTTP port 80 (some go via HTTPS port 443).

Services I've observed this behaviour in so far are:
- Samsung ApexService
- ANT+ HAL Service
- Application installer (com.sec.android.preloadinstaller)
- Assistant Menu
- AirCommandManager (com.samsung.android.aircommandmanager)
- Plus too many other default services to list (most of which cannot be disabled)

Phone's running on stock unbranded SM-N960F build number PPR1.180610.011.N960FXXU2CSA2.

I've scanned the phone using bundled Device Care's McAfee security scan with no findings.

Has anyone else observed this behaviour?
 

KOLIOSIS

Senior Member
Jan 17, 2011
2,927
1,345
193
I haven't looked at this as closely as you have, but I'm guessing it's all tied-in from the Device Maintenance section of the phone.
The name of the company Samsung is currently in bed with is QIHOO:
https://en.wikipedia.org/wiki/Qihoo_360
https://seekingalpha.com/article/4165136-cheetah-mobile-lost-samsung-relevant-risks

Remember/heard of Cheetah Mobile (of Clean Master infamy)?
https://www.prnewswire.com/news-rel...mobile-security-and-innovation-300043298.html
Well, that's who used to be in partnership w/Samsung & the Device Maintenance aka built-in Clean Master to most, if not all Samsung mobile products.
Fast-forward to present day & we still have the crapware on our phones, likely scraping info & selling it to anyone interested.
Now, it's just with another company, presumably one with friendlier terms for Samsung.

As you've probably noticed, you can't fully disengage/disable/deny all permissions here, less root (or ADB disabling/package disabler apps).
At least you have a phone that's rootable & can cruise the ROM scene for one that leaves this crap off the phone.
If root isn't an option:
Set up your phone & apps, fine-tune as you like for battery optimization on a per app basis/permissions/etc....
Then, either via ADB or a package disabler, disable the apps responsible for the crapware, especially the ones related to Device Maintenance.

https://forum.xda-developers.com/ga...laxy-note-9-bloatware-removal-thread-t3857508
Follow the link in the OP to the S9/S9+ forum/thread, it gives a better idea of what each .apk actually is/ties into.

Here's the app I use to disable crapware/things I don't use:
https://play.google.com/store/apps/details?id=com.wakasoftware.appfreezer

As to which apps to disable, the S9/S9+ thread, while not an exact match, should give you info on what to disable to stop the phone from pinging the 360 mothership & hopefully, not having any ill effects on the apps you want to keep on-board.

If you want a better idea of how each app is interconnected throughout the phone,use these two apps to take a look:
https://play.google.com/store/apps/details?id=com.ubqsoft.sec01

SD Maid (Pro):
https://play.google.com/store/apps/details?id=eu.thedarken.sdm&hl=en_US
(See the App Control & file manager sections of SD Maid for detailed app info).


Anyhoo, back to curbing the nonsense:
Whichever method you use to disable, should you choose to do so, start with this one:
com.samsung.android.lool (Device Maintenance).

This will make the entire Device Maintenance section inaccessible as well.
That is why I suggest disabling vs outright uninstalling (which necessitates a factory reset to get it back).
You may need to access Device Maintenance for whatever reason from time to time, hence the recommendation for disabling vs uninstalling.

Continue monitoring for a day or so & see if the pinging to the Mothership subsides, or hopefully puts a full-stop to it.

Please keep us updated on what, if any, actions you take w/the results. :good:
 

sengork

Excellent overview, it's quite an eye opener thanks for the info.

I've disabled and force-stopped "com.samsung.android.lool" (amongst other junkware) and so far NetGuard hasn't shown a single network log entry to any of the 360 domains. I've uninstalled all 4 Facebook packages. Continuing to monitor this closely. My thought is that I can re-enable "com.samsung.android.lool" from time to time whenever maintenance is needed and then disable it again. Even better Adhell3 might be useful for blocking "com.samsung.android.lool" network attempts whilst retaining it for device management purposes however I haven't tried this yet.

For reference, here is my current list of disabled packages:
Code:
package:com.monotype.android.font.rosemary
package:com.samsung.android.app.ledcoverdream
package:com.sec.android.widgetapp.samsungapps
package:com.samsung.android.app.galaxyfinder
package:com.samsung.svoice.sync
package:com.cnn.mobile.android.phone.edgepanel
package:com.samsung.android.easysetup
package:com.samsung.android.provider.stickerprovider
package:com.samsung.android.app.sbrowseredge
package:com.samsung.android.rubin.app
package:com.sec.android.cover.ledcover
package:com.samsung.faceservice
package:com.monotype.android.font.foundation
package:com.sec.android.widgetapp.easymodecontactswidget
package:com.samsung.android.app.settings.bixby
package:com.sec.android.app.billing
package:com.samsung.android.app.selfmotionpanoramaviewer
package:com.samsung.android.game.gamehome
package:com.samsung.daydream.customization
package:com.sec.enterprise.knox.attestation
package:com.samsung.systemui.bixby2
package:com.dsi.ant.service.socket
package:com.microsoft.skydrive
package:com.samsung.SMT
package:com.samsung.android.drivelink.stub
package:com.android.hotwordenrollment.xgoogle
package:com.samsung.android.sm.devicesecurity
package:com.dsi.ant.sample.acquirechannels
package:com.samsung.android.aircommandmanager
package:com.samsung.android.bixby.service
package:com.samsung.android.smartface
package:com.android.egg
package:com.samsung.android.emojiupdater
package:com.samsung.android.bixby.agent
package:com.android.printspooler
package:com.android.hotwordenrollment.okgoogle
package:com.samsung.android.hmt.vrsvc
package:com.samsung.storyservice
package:com.android.dreams.basic
package:com.android.bips
package:com.samsung.android.game.gametools
package:com.samsung.android.app.simplesharing
package:com.samsung.android.service.peoplestripe
package:com.samsung.android.da.daagent
package:com.dsi.ant.plugins.antplus
package:com.samsung.android.app.taskedge
package:com.google.android.webview
package:com.samsung.android.app.mirrorlink
package:com.dsi.ant.server
package:com.samsung.android.allshare.service.fileshare
package:com.samsung.android.universalswitch
package:com.sec.android.app.apex
package:flipboard.boxer.app
package:com.google.android.printservice.recommendation
package:com.monotype.android.font.chococooky
package:com.android.dreams.phototable
package:com.samsung.android.bixbyvision.framework
package:com.samsung.android.game.gos
package:com.android.wallpaper.livepicker
package:com.samsung.android.beaconmanager
package:com.sec.enterprise.mdm.services.simpin
package:com.samsung.android.stickercenter
package:com.samsung.android.bixby.wakeup
package:com.samsung.android.samsungpass
package:com.samsung.android.spayfw
package:com.linkedin.android
package:com.samsung.android.lool
package:com.samsung.android.knox.analytics.uploader
package:com.samsung.android.sm.policy
package:com.sec.android.emergencylauncher
package:com.samsung.android.visionintelligence
package:com.samsung.android.app.watchmanagerstub
package:com.samsung.android.svoiceime
package:com.samsung.android.mateagent
package:com.enhance.gameservice
package:com.google.vr.vrcore
package:com.hiya.star
package:com.sec.enterprise.knox.cloudmdm.smdms
package:com.samsung.android.app.appsedge
package:com.samsung.android.samsungpassautofill
package:com.monotype.android.font.cooljazz
package:com.samsung.android.allshare.service.mediashare
package:com.samsung.android.app.clipboardedge
package:com.samsung.android.app.motionpanoramaviewer
package:com.samsung.android.bio.face.service
package:com.samsung.android.bixby.agent.dummy
 

KOLIOSIS

:good: THX for the update, much appreciated! :good:

I was gonna post this in a bit (just noticed it myself this afternoon, LOL), but it looks like you have added the other two .apks to your disabled list:
https://forum.xda-developers.com/showpost.php?p=78103170&postcount=123

It's a shame the mfgs aren't required to be more up-front & state, in common use language where the print is larger than a gnat's ass, the exact nature of the .apks & even more control over the services installed on them.
 

sengork

The closest to a manufacturer application list I came across was:
- https://support.samsungknox.com/hc/en-us/articles/115015195728-Common-Criteria-Mode
- For example https://docs.samsungknox.com/CCMode/N960F_O.pdf

This seems to relate to computer security certification known as Common Criteria:
- https://en.wikipedia.org/wiki/Common_Criteria

So the dial home behaviour seems to have passed this security certification (or perhaps the network flows were not part of the certification process). We can only guess...
 

KOLIOSIS

I've had to reenable the following items to get APK installs to function (either through Play Store or locally stored APKs):

https://forum.xda-developers.com/ga...val-thread-t3857508/post78744845#post78744845

Continuing to monitor with NetGuard. So far ~1hr I haven't seen the packets repeat.
IIRC, something like this was mentioned in the S9/S9+ debloat thread.
I didn't mention it earlier as you hadn't reported any issues, but glad you were able to figure it out/find the same info I'd stumbled upon.
 

sengork

Well after a day of usage I can say that battery life is poorer without "com.samsung.android.lool". I've enabled it again now and blocked its domains via Adhell 3:
Code:
360.cn
360safe.com
*.360.cn
*.360safe.com
Furthermore I have disabled its WiFi and Mobile network access in Adhell 3. However this block is bypassed whenever applications using Android's native VPN facility are switched on, so it's not absolutely foolproof. Similar blocking can be done using NetGuard itself as long as you keep it switched on and filtering continuously.

I'll keep an eye on which other domains it attempts to contact.
 
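Added example (not part of the original posts): one way to run the check described in this thread over an exported connection log, matching hosts against the blocklist posted above, counting cleartext port 80 hits per package, and flagging anything still seen after a package was disabled. The CSV layout, the sample rows, the `com.example.browser` package and the function names are assumptions made for illustration; NetGuard's real export format may differ.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Blocklist entries exactly as posted in the thread (Adhell 3 domain rules).
BLOCKLIST = ["360.cn", "360safe.com", "*.360.cn", "*.360safe.com"]

# Constructed sample rows. The CSV layout, hostnames and timestamps are
# assumptions for illustration, not NetGuard's actual export format.
SAMPLE_LOG = """time,package,host,port
2019-02-10T08:01:12,com.samsung.android.lool,sub1.360.cn,80
2019-02-10T08:01:15,com.samsung.android.lool,x.cloud.360safe.com,443
2019-02-10T09:30:00,com.samsung.android.aircommandmanager,SUB2.360.cn,80
2019-02-10T09:31:00,com.example.browser,360.cn.example.org,443
2019-02-10T09:32:00,com.example.browser,not360.cn,80
2019-02-11T10:00:00,com.sec.android.preloadinstaller,360.cn,80
"""

def matches(host, pattern):
    """'*.domain' matches subdomains only; a bare domain matches itself only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".360.cn" keeps the dot, so "not360.cn" fails
        return host.endswith(suffix) and host != suffix
    return host == pattern

def triage(log_text, disabled_at=None):
    """Per-package summary of blocklisted connections.

    disabled_at: ISO timestamp of when the package was disabled; hits at or
    after it are counted separately so leftover traffic stands out.
    """
    cutoff = datetime.fromisoformat(disabled_at) if disabled_at else None
    report = defaultdict(lambda: {"hosts": set(), "cleartext": 0, "tls": 0,
                                  "other": 0, "after_disable": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if not any(matches(row["host"], p) for p in BLOCKLIST):
            continue  # lookalike or unrelated host
        entry = report[row["package"]]
        entry["hosts"].add(row["host"].lower())
        # Port 80 is cleartext HTTP: anyone on the path can read or alter it.
        kind = {"80": "cleartext", "443": "tls"}.get(row["port"], "other")
        entry[kind] += 1
        if cutoff and datetime.fromisoformat(row["time"]) >= cutoff:
            entry["after_disable"] += 1
    return dict(report)

if __name__ == "__main__":
    for pkg, info in sorted(triage(SAMPLE_LOG, "2019-02-11T00:00:00").items()):
        print(pkg, sorted(info["hosts"]), "http:", info["cleartext"],
              "https:", info["tls"], "after disable:", info["after_disable"])
```

The wildcard rule does not cover the bare domain, which is why the posted list carries both `360.cn` and `*.360.cn`.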

KOLIOSIS

How much of a difference in battery life are we talking about?
 

sengork

It felt to be about 20%. Is Pie without Device Maintenance expected to put applications to sleep? I am guessing sleep is the major factor here (as opposed to cleaning up caches and other storage capacity functions of the Device Maintenance app).
 

KOLIOSIS

I would like to think so, hoping Device Maintenance isn't ingrained to the level where it breaks the native Doze feature in Android.
JMHO, Device Maintenance seems to be just like Clean Master, running on top of Android/counterproductive, putting a hat on a hat, so to speak, LOL.
I haven't had a Nexus device since the N6 & never had a Pixel, but I'm pretty sure none of 'em have DM...

Whenever I decide to update to Pie, I'm going to continue as I am now:
Battery Optimize all apps that I don't rely on for auto-updating or push notifications & then disabling Device Maintenance.
If something starts acting up, only then do I re-enable DM, take a look at Battery Optimizing for whatever is affected & again, disabling DM.

Guessing you've just recently updated to Pie...
If it were me, I'd continue to disable DM & give the new OS upgrade a week or so, see what your battery life looks like then.
Battery life loss could be due to some user-installed apps that aren't playing nice w/Pie & not due to DM being disabled.
 

sengork

Battery Optimize all apps that I don't rely on for auto-updating or push notifications & then disabling Device Maintenance.
If something starts acting up, only then do I re-enable DM, take a look at Battery Optimizing for whatever is affected & again, disabling DM.
I took your advice a few weeks ago and have concluded that removing DM whilst manually optimising all individual apps has resulted in no battery loss (in fact it has probably improved but this is within a margin of error). Thanks for your guidance.
 

sandro comaia

New member
Jul 6, 2019
2
0
0
Hello guys, I have bought a Galaxy Note 9 in China and there is no preinstalled Google Play Store app...
Can anyone tell me how to install it safely ))?? Thank you...
 

sandro comaia

Hey, thanks for your attention, but I don't need access. I have a VPN and I know how to access it. I want to know how to install it, because it is not installed, so do you have some ideas ?))) how to do it
 

sengork

Was the original poster the only one who had this issue?
Is this a Samsung thing or all Androids?
Can this be a security risk?

There was a link to the S9 bloatware thread but it doesn't work
https://forum.xda-developers.com/ga...laxy-note-9-bloatware-removal-thread-t3857508
Says 404 not found for me
Should be only Samsung phones. Interestingly I haven't seen it dial home since my original post and up until I uninstalled the Device Care package. Samsung might have changed the domains the tool dials home to.
