May 31, 2019

Security APP Review - Lionmobi

An anti-virus mobile App can have a fancy UI and claim to offer a lot of protection for your phone. However, non-technical users have no way of knowing whether those claims are true. Let's review some popular mobile security Apps.


Because the Android ecosystem is more open, users can download and install Apps from many sources besides the Google Play Store. However, the same convenience is available to App developers and malware authors too. Security is always a big concern for Android users, especially for Chinese users. For this reason, many security Apps have been published for Android. In this series, we will go through some of the well-known mobile security Apps to see how they perform. Let's start with a very popular application in the Play Store: Power Clean - Antivirus & Phone Cleaner App from Lionmobi.

Open the Google Play Store and you can see there are several security-related tools from Lionmobi. We have reviewed and analyzed all of them, but in this post we will focus on Power Clean. The other Apps with overlapping features have similar code and performance.

Power Clean itself has more than 100 million downloads and still has more than 2.5 million active users at the time of writing. Besides its popularity, the reason we focus on this App is that it has a very wide range of security and utility features, including but not limited to virus/malware scan, WiFi security scan, CPU cool down, and memory/storage cleaning. Some of the features sound really cool and helpful for Android users. But does it work as well as claimed? Let's have a deeper look.


The UI of the App looks cool and professional; it shows some status at the top and features at the bottom. Since we are more concerned with the security features, let's start with the Antivirus part. If you click on Antivirus, a radar animation is shown while the App starts scanning your phone for WiFi security and other threats.

For WiFi security, it claims to detect DNS hijacking, SSL hijacking, and ARP spoofing, and to check the WiFi encryption method. However, in our testing those features always returned the same result, even when we tested in a phishing hotspot environment or under ARP spoofing attacks. So we went to the code of the App and found some very interesting results:

public static int getEncryptionType() {
    try {
        WifiInfo connectionInfo = a.getConnectionInfo();
        if (connectionInfo != null) {
            String bssid = connectionInfo.getBSSID();
            try {
                List scanResults = a.getScanResults();
                if (scanResults != null) {
                    // Find the capabilities string of the access point we are connected to.
                    String str = null;
                    for (int i = 0; i < scanResults.size(); i++) {
                        ScanResult scanResult = (ScanResult) scanResults.get(i);
                        if (scanResult.BSSID.equals(bssid)) {
                            str = scanResult.capabilities;
                            break;
                        }
                    }
                    if (str != null) {
                        // "WPA2" is tested before "WPA" because the former contains the latter.
                        if (str.contains("WPA2")) {
                            return 3;
                        }
                        if (str.contains("WPA")) {
                            return 2;
                        }
                        return str.contains("WEP") ? 1 : 0;
                    }
                }
            } catch (Exception e) {
                return -1;
            }
        }
    } catch (Exception e2) {
    }
    return -1;
}

public static boolean checkDnsFake() {
    return true;
}

public static boolean checkArp() {
    return false;
}

public static boolean checkHttpsHookFake() {
    return false;
}

It seems only the function getEncryptionType does some real logic to get the WiFi encryption type; for the other WiFi-related threat detections, it just returns constant results and does nothing. So it is not surprising that it will always tell you your WiFi environment is secure even when you are under attack.
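The stub pattern above can be found mechanically when reviewing decompiled source. The following is an added example, not code from the App or from the original review: a small Python triage script that flags Java methods whose entire body is a single `return` of a literal. The sample input is constructed to resemble the snippets above, and the `SECURITY_HINTS` name list is an assumed heuristic.

```python
import re

# Constructed sample: decompiled-style Java resembling the snippets shown above.
SAMPLE = '''
public static int getEncryptionType() {
    try {
        WifiInfo info = a.getConnectionInfo();
        if (info != null) { return 3; }
    } catch (Exception e) { }
    return -1;
}
public static boolean checkDnsFake() {
    return true;
}
public static boolean checkArp() {
    return false;
}
public static boolean checkHttpsHookFake() {
    return false;
}
'''

# A method header immediately followed by a body that is one `return <literal>;`.
STUB_RE = re.compile(
    r'\b(?:public|private|protected)?\s*(?:static\s+)?(?:final\s+)?'
    r'(boolean|int|long|String)\s+(\w+)\s*\(([^)]*)\)\s*'
    r'(?:throws\s+[\w.,\s]+)?\{\s*'
    r'return\s+(true|false|null|-?\d+|"[^"]*")\s*;\s*\}'
)

# Name fragments that suggest a security decision (assumed heuristic list).
SECURITY_HINTS = ("check", "scan", "detect", "verify", "isSafe", "fake", "arp", "dns")

def find_constant_stubs(java_source):
    """Return (method_name, return_type, constant) for every method whose
    entire body is a single return of a literal value."""
    return [(m.group(2), m.group(1), m.group(4)) for m in STUB_RE.finditer(java_source)]

def suspicious_stubs(java_source):
    """Keep only the stubs whose name hints at a security check."""
    return [s for s in find_constant_stubs(java_source)
            if any(h.lower() in s[0].lower() for h in SECURITY_HINTS)]

if __name__ == "__main__":
    for name, rtype, const in suspicious_stubs(SAMPLE):
        print(f"{name}(): {rtype} always returns {const}")
```

When method names are obfuscated, the name filter will miss stubs; in that case review the unfiltered output of `find_constant_stubs` and trace each hit back to the UI feature that calls it.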

After the WiFi scan, the App continues by scanning for viruses and malware. To test malware detection, we downloaded 50 malware samples from VirusTotal. All of them were reported as malware by most of the major Anti-Virus (AV) vendors. Since the Power Clean App only scans installed Apps rather than files or folders, we needed to install all of the test samples on the phone. After installing all 50 samples with the help of xargs and adb, we can see that a lot of Apps were installed on the phone.

After what we observed in its WiFi scanning functions, we did not expect much from the detection rate of the malware scanning part. However, since the 50 samples are from 2018 and most AV vendors report them, we still thought it would not do too badly at detecting most of them. But the result was still disappointing.

Besides an AD being successfully shown on the screen, the App raised no alarm. Considering what we saw in the WiFi part, we can say Lionmobi Power Clean actually does almost nothing to secure your phone except put some ADs on the interface. For the full list of test samples, refer to Appendix A. We then tested the same 50 samples against another Lionmobi App, Power Security, whose major functionality is mobile security. The result was the same.

After testing and analyzing the security part of the App, we also went through some of its other interesting features, for example "cool down".

When your CPU temperature is shown in red with a high value like 150F, you can click Cool Down, and after some animation you will see that the temperature has dropped by some degrees. However, if you look at the code of the cooling logic, you will find the following snippet:

private void b(boolean z) {  
    if (!isFinishing()) {  
        if (z) {  
            aaj.setLong("last_cooler_time", Long.valueOf(System.currentTimeMillis()));  
            int i = this.e - this.g;  
            if (i >= 45) {  
                i = 45 - ((int) ((Math.random() * 1.0d) + 1.0d));  
            }  
            aaj.setKeepTemperature(i);  
        }  
        uv.scheduleTaskOnUiThread(800, new Runnable() {  
            public void run() {  
                Intent createActivityStartIntent = aim.createActivityStartIntent(CoolerActivity.this, CoolerResultActivity.class);  
                createActivityStartIntent.putExtra("intent_data", Long.valueOf((long) CoolerActivity.this.g));  
                createActivityStartIntent.putExtra("back_to_main", CoolerActivity.this.shouldBackToMain());  
                CoolerActivity.this.startActivity(createActivityStartIntent);  
                CoolerActivity.this.onFinish(true);  
            }  
        });  
    }  
}  

It just generates some random number to tell you how many degrees it helped to cool down, and actually does nothing. It uses a similar method, again with random numbers, to tell you how much it sped up your device.

After testing the Power Clean - Antivirus & Phone Cleaner App from Lionmobi, our only impression is that they faked several of the features they claim to have, and the App has almost no working security features to prevent any real threats to endpoints. Besides that, they deliver ADs very heavily in almost every function. For example, when the App claims to be downloading fraud phone numbers, it actually does nothing other than show you some ADs on the screen. By claiming to be a security App, it wastes a lot of storage and resources for Android users.

The Apps reviewed from Lionmobi are all from Google Play Store.

They are:

Network Master Speed Test_v1.9.82 - 306030a2040861e0ce52e736cd396e05

Power Battery Battery Life Saver Health Test_v1.9.8.6 - 6736e8db37df6ad04dbf827b2c8b60ec

Power Clean Antivirus Phone Cleaner App_v2.9.9.64 - c06b7b8e78202ead80a2a1ec5ed1120f

Power Security Anti Virus Phone Cleaner_v2.1.6 - c9d069ff45397fdf7b6412093b59e80c

Thanks to Yue luo for all the code review and analysis.

Appendix A
