MyPhoneRegistration - MyPhone MyA2

MyPhoneRegistration is an app that allows you to register your MyPhone device with MyPhone in order to ease things like accessing warranties, getting software updates and sending advertisement and promotional material. The app gets permissions to make and manage phone calls, to send and view SMS messages, and to access storage.

Observed Behaviour

 

The following is the output from MyPhone Registration of Exodus Standalone, by Exodus Privacy

{
  "trackers": [],
  "apk": {
    "path": "/media/transfer/AndroidAnaylsis/Library/OriginalAPKs/MyPhoneRegistration.apk",
    "checksum": "584fb7efe352024b52e2584de6afd6944d5bdf038c6459200c5e4a021d3f096a"
  },
  "application": {
    "libraries": [],
    "version_code": "1",
    "permissions": [
      "android.permission.DISABLE_KEYGUARD",
      "android.permission.RECEIVE_BOOT_COMPLETED",
      "android.permission.READ_PHONE_STATE",
      "android.permission.SEND_SMS",
      "android.permission.INTERNET",
      "android.permission.REORDER_TASKS",
      "android.permission.SYSTEM_ALERT_WINDOW",
      "android.permission.STATUS_BAR",
      "android.permission.DISABLE_STATUS_BAR",
      "android.permission.ACCESS_NETWORK_STATE",
      "android.permission.READ_LOGS",
      "android.permission.WRITE_EXTERNAL_STORAGE",
      "android.permission.READ_EXTERNAL_STORAGE"
    ],
    "name": "MyPhoneRegistration",
    "uaid": "B06D57C12A09AB0C1B0F79DE5F51D0CEAD67162F",
    "handle": "registration.pinoy.zed.com.myphoneregistration",
    "version_name": "2.1"
  }
}

The following information is exchanged unencrypted with Zed servers once the MyPhone Registration process has been "successfully" completed. (Redactions for the protection of personal data)

 

store_type:     
profession:     
store_name:     
age:            19XX-XX-XX
city:           
retail_partner: 
msisdn2:        0799XXXXXXX
name:           Eva Blum Dumontet
gender:         1
province:       
imei1:          35824005010XXXX

The POST request is such 

POST http://180.87.143.45/ph.zapp.api/user_info_reg.aspx HTTP/1.1
Content-Type:	application/x-www-form-urlencoded; charset=UTF-8
User-Agent:	Dalvik/2.1.0 (Linux; U; Android 6.0.1; MyPhone MyA2 My802)
Host:	180.87.143.45
Connection:	Keep-Alive
Accept-Encoding:	identity
Content-Length:	156

The request times out with the following error 

Server connection to ('180.87.143.45', 80) failed: Error connecting to "180.87.143.45": [Errno 110] Connection timed out

Due to the timeout, the app continues to try and send the data indefinitely 

Notes and Commentary

We also identified vulnerabilities that could allow a malicious individual with physical access to the phone to run their own code in the MyPhoneRegistration app context, allowing them to execute code with the same privileges as the MyPhoneRegistration app. When combined with other known vulnerabilities within Android 6.x, this could compromise the device remotely. As this app cannot be updated or deleted by the user, this vulnerability threatens the user permanently.

We will not be disclosing the nature of these vulnerabilities at this time

Company Response

MyPhone made the following statement via email:

"For the models we have launched before, we have lost access and support to update the apps we have pre-installed, but we remain committed to provide a secure platform to our new and upcoming devices by complying to the latest Google requirements to keep the devices secure."

Further statements are available in the full report

Date Tested
06/08/2019
App Version
2.1
Was the app pre-installed on the device
Yes
Associated Device
Opt out of Ads Personalisation (Google Settings)
Not Enabled (Default Setting)
This block is broken or missing. You may be missing content or you might need to enable the original module.