Malicious code in Flix Vision app #2835

Open
lineredux opened this issue Jan 12, 2025 · 1 comment
Comments

@lineredux
lineredux commented Jan 12, 2025

Type

Bad sites

Add additional context

Decompilation and source code analysis was performed on app version v3.0.1r, retrieved from the official source that is provided on FMHY (https://linktr.ee/flixvision), using jadx.

A few months ago, users reported on Reddit that the Flix Vision app was making unsolicited network requests (signs of internet sharing/botnet). Being a reverse engineer myself, I decided to look into the latest version of the app and check for potential malicious code.

I have discovered that the Flix Vision app has code that, at the developer's discretion, can remotely enable an internet-sharing SDK called TraffMonetizer that runs in the background. This turns the users of the Flix Vision app into exit nodes for residential proxy services that can perform web scraping and other malicious/illegal activities 1,2, using the user's internet connection, without their consent or knowledge. The developers of Flix Vision get revenue from TraffMonetizer for selling users' internet connections.

The following is the flow:

On app start and in the background, a configuration file is retrieved which has the base settings for Flix Vision. There is a primary and backup URL (t.ly/gcCVh, github.com/fvision8/publish/releases/download/12/conf.json).
[screenshots of the primary and backup config URLs in the decompiled code]

As of 1/11/2025, the JSON file returns the following:
[screenshot of the returned conf.json]

Take note of the traff_sd value.

Once retrieval is complete, parseRemoteConfig is called. At its core, it's nothing special, but there's this code that checks the traff_sd boolean and sets it accordingly in pref_traff_1. It also initializes a new package with a key if it's true, and stops if it is false. What is this "hy1" package?
[screenshot of the parseRemoteConfig code]

Looking into the package, it is initializing the TraffMonetizer SDK.
[screenshot of the hy1 package initializing the SDK]

Per TraffMonetizer:

After integrating our SDK your free users will be sharing a tiny portion of their Internet bandwidth with our network (you can adjust the maximum shared traffic in your dashboard) - and we will pay you for this traffic.

This isn't the first time an Android app has been (mis)used for this purpose, but in some cases the app asks for consent. Flix Vision clearly does not.

I would recommend removing Flix Vision from the FMHY directory https://fmhy.net/android-iosguide#android-streaming, or at the least flagging a warning for this code being present as there are a number of users that may have installed this app on their Android TV device, especially as it was spread pretty widely on YouTube and various sources.
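A quick way to look for this same pattern in other apps, added here as an example and not part of the issue or of the Flix Vision code: a small Python audit that cross-references the config keys a decompiled parser reads as booleans against the live conf.json and reports which remotely-settable flag gates which call. The config and the Java excerpt below are constructed to mirror the behaviour described above (the real files appear only as screenshots); every field other than traff_sd, the variable names and the SDK key are assumptions.

```python
import json
import re

# Constructed sample modelled on the conf.json described in the issue; only
# traff_sd is taken from the issue, the other fields are assumed.
SAMPLE_CONF = '{"app_version": "3.0.1r", "traff_sd": true, "ads_enabled": false}'

# Constructed Java excerpt mimicking the parseRemoteConfig() behaviour described
# (remote boolean -> pref_traff_1 -> hy1 start/stop). Not the real decompiled code;
# the ads toggle and the SDK key are placeholders for contrast.
SAMPLE_SOURCE = '''
public void parseRemoteConfig(JSONObject json) {
    boolean traff = json.optBoolean("traff_sd", false);
    prefs.edit().putBoolean("pref_traff_1", traff).apply();
    if (traff) {
        hy1.a(this.ctx, "SDK_KEY_PLACEHOLDER");   // starts the bandwidth-sharing SDK
    } else {
        hy1.b();                                  // stops it
    }
    boolean ads = json.optBoolean("ads_enabled", false);
    if (ads) { AdManager.init(this.ctx); }
}
'''

# Key-name fragments that suggest a toggle controls something users should consent to.
SUSPICIOUS = ("traff", "monetiz", "proxy", "bandwidth", "share")

BOOL_READ = re.compile(r'boolean\s+(\w+)\s*=\s*\w+\.(?:opt|get)Boolean\("([^"]+)"')

def remote_boolean_toggles(source):
    """Map each config key read as a boolean to the local variable that holds it."""
    return {key: var for var, key in BOOL_READ.findall(source)}

def gated_call(source, var):
    """Return the first call made inside `if (var) { ... }`, or None if there is none."""
    pat = r'if\s*\(\s*' + re.escape(var) + r'\s*\)\s*\{\s*([\w.]+)\('
    m = re.search(pat, source)
    return m.group(1) if m else None

def audit(conf_text, source):
    """For every remotely-settable boolean: its live value, the call it enables,
    and whether the key name plus a live `true` makes it worth a closer look."""
    conf = json.loads(conf_text)
    findings = []
    for key, var in remote_boolean_toggles(source).items():
        live = conf.get(key)
        looks_bad = any(w in key.lower() for w in SUSPICIOUS)
        findings.append({"key": key, "live_value": live,
                         "enables": gated_call(source, var),
                         "suspicious": looks_bad and live is True})
    return findings
```

On the sample, audit() reports that traff_sd is live-true and gates hy1.a, while ads_enabled is not flagged.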

@nbats
Collaborator

nbats commented Jan 12, 2025

thank you for the heads up, I'll get it removed now and we'll take a closer look at all this

@nbats nbats closed this as completed Jan 12, 2025
@nbats nbats reopened this Jan 12, 2025