3887b663709c5f4b586289d25449a740f268a3b2c66f78a53ab33a124c9e9208
1e6f1a0151c2655069e45c1d858b5541a017b474c520c73b615cba6fa57a394f
8e29e190e9b0879960dac27d73a63100959ef52aada1baa51cf45eccfc5beeb2
The SecNeo/BangCle protection scheme [9] is used, which decrypts several Dex files and loads them in memory.

libDexHelper.so. This library is obfuscated using control-flow flattening, and almost all of its strings are decrypted on the stack just before use.

jadx [12] in order to analyze it.

XOR-based scheme. The key used for the decryption is the same in both samples, so a decryption script was reimplemented. This script was then run on each decompiled Java file, which resulted in almost all the strings being decrypted.

JNI-wrapped, linking to the libwaes.so library.

0x5004

0xFF0 and 0x12EC in a Python script.
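To make the string-decryption step concrete, here is an added example (it is not the script written for the analysis, nor code from the application) that rewrites decompiled Java files in place, replacing each call to the obfuscator's decryption helper with the recovered string literal. It assumes the helper appears in the jadx output as StrDec.a("<hex ciphertext>") and that the key is the 4-byte value below; both the helper name and the key are hypothetical stand-ins for what reversing the real decryption routine yields. Arguments that do not decrypt to valid UTF-8 are left untouched so the file stays valid Java and the misses are easy to find afterwards.

```python
import re
from pathlib import Path

# Assumptions for this example (the page does not give them): the obfuscator's
# string-decryption helper shows up in the jadx output as a static call
# StrDec.a("<hex ciphertext>") and the ciphertext is the UTF-8 plaintext XORed
# with a short repeating key. Both the helper name and the key are hypothetical.
ASSUMED_KEY = bytes.fromhex("5a3c9e17")
CALL_RE = re.compile(r'StrDec\.a\("([0-9a-fA-F]*)"\)')


def xor_crypt(data: bytes, key: bytes = ASSUMED_KEY) -> bytes:
    """XOR with a repeating key; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_call(plain: str) -> str:
    """Produce the obfuscated call; used here only to build constructed samples."""
    return 'StrDec.a("%s")' % xor_crypt(plain.encode("utf-8")).hex()


def java_escape(s: str) -> str:
    """Escape a recovered string so it can be emitted as a Java literal."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("\n", "\\n").replace("\r", "\\r"))


def rewrite_source(src: str):
    """Replace every decryption call in one decompiled file with a string literal.

    Returns (new_source, number_of_strings_decrypted)."""
    count = 0

    def repl(m):
        nonlocal count
        try:
            plain = xor_crypt(bytes.fromhex(m.group(1))).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Odd-length hex, wrong key or not a string: leave the call as is
            # so the file stays valid Java and the miss is visible later.
            return m.group(0)
        count += 1
        return '"' + java_escape(plain) + '"'

    return CALL_RE.sub(repl, src), count


def rewrite_tree(root) -> int:
    """Run over a whole jadx output directory; returns the total strings decrypted."""
    total = 0
    for path in Path(root).rglob("*.java"):
        src = path.read_text(encoding="utf-8", errors="replace")
        new_src, n = rewrite_source(src)
        if n:
            path.write_text(new_src, encoding="utf-8")
            total += n
    return total


# Constructed sample of decompiled code (not taken from the application).
SAMPLE_JAVA = "\n".join([
    "public class Upload {",
    "    static final String URL = "
    + encrypt_call("hxxps://example.invalid/api/v2/register_device") + ";",
    "    static final String KEY = " + encrypt_call("user_id") + ";",
    "}",
])

if __name__ == "__main__":
    out, n = rewrite_source(SAMPLE_JAVA)
    print("%d strings decrypted" % n)
    print(out)
```

Running rewrite_tree on the jadx output directory turns the opaque StrDec.a(...) calls into readable literals, which is what makes the later URL and SDK findings searchable with grep. The regex only matches the exact call shape assumed here; a real obfuscator may split the argument or pass an index, in which case the match pattern, not the XOR routine, is what needs adapting.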
dji.log. Logs are encrypted with AES-256-CBC, the key being derived from a password with PBKDF2. This may look like a strong mechanism, but the password is hardcoded in dji.log.impl.SimpleEncryption: e9e856d55943731ac585dcda656f95c5. The IV is hardcoded as well: 9d6c5cab5b0281255a222d1c861ddfdf. Anyone holding the APK can therefore derive the key and decrypt the logs. The logs are split and stored under /storage/emulated/0/DJI/dji.go.v4/LOG/CACHE/, in files such as log-2020-02-18.log or BatteryEmbed/log-2020-02-02.log.
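As an added example (not the analysts' tooling and not the application's own code), the following shows why the hardcoded password and IV defeat the scheme: PBKDF2 over a fixed password with fixed parameters yields one fixed key that anyone with the APK can recompute, and the constant IV makes CBC deterministic, so two logs that begin with the same 16 bytes encrypt to the same first block, which is visible without any key. The PBKDF2 salt, iteration count and PRF are not stated above and are assumed here; a real decryptor would copy them from SimpleEncryption. The sample log line is constructed. The AES primitive comes from the cryptography package.

```python
import hashlib
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constants reported above for dji.log.impl.SimpleEncryption.
PASSWORD = "e9e856d55943731ac585dcda656f95c5"
IV = bytes.fromhex("9d6c5cab5b0281255a222d1c861ddfdf")

# The PBKDF2 salt, iteration count and PRF are not given on the page;
# these three values are assumptions for the demonstration only.
ASSUMED_SALT = b"dji.log"
ASSUMED_ITERATIONS = 1000
ASSUMED_PRF = "sha1"


def derive_key(password: str = PASSWORD) -> bytes:
    """PBKDF2 with a hardcoded password and fixed parameters yields one fixed key."""
    return hashlib.pbkdf2_hmac(ASSUMED_PRF, password.encode(), ASSUMED_SALT,
                               ASSUMED_ITERATIONS, dklen=32)


def _cipher(key: bytes) -> Cipher:
    # Same IV for every file: CBC becomes a deterministic function of the data.
    return Cipher(algorithms.AES(key), modes.CBC(IV))


def encrypt_log(plaintext: bytes, key: bytes = None) -> bytes:
    """Model of the app side: AES-256-CBC with PKCS#7 padding and the constant IV."""
    key = key or derive_key()
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = _cipher(key).encryptor()
    return enc.update(padded) + enc.finalize()


def decrypt_log(ciphertext: bytes, key: bytes = None) -> bytes:
    """What anyone holding the APK can do: recompute the key and decrypt a log."""
    key = key or derive_key()
    dec = _cipher(key).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def decrypt_log_file(path: str) -> bytes:
    """Decrypt one file from the LOG/CACHE/ directory named above."""
    with open(path, "rb") as fh:
        return decrypt_log(fh.read())


def leaks_common_prefix(log_a: bytes, log_b: bytes) -> bool:
    """With a constant key and IV, logs sharing their first 16 bytes produce
    identical first ciphertext blocks, so equal prefixes show without the key."""
    return encrypt_log(log_a)[:16] == encrypt_log(log_b)[:16]


# Constructed sample line in the style of the files named above (not real log data).
SAMPLE_LOG = b"2020-02-18 10:00:01 [BatteryEmbed] voltage=15.2V cells=4\n"

if __name__ == "__main__":
    blob = encrypt_log(SAMPLE_LOG)
    print("key:", derive_key().hex())
    print("decrypted:", decrypt_log(blob).decode())
```

The fix on the application side is not a stronger KDF but a key that is not shipped with the code, for example one held in the Android Keystore, together with a fresh random IV stored alongside each file.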
DJISelfUpgradeManager class.

hxxps://service-adhoc.dji.com/app/upgrade/public/check for a configuration file, and can even force an update of the application if the forceUpdate flag is set in the JSON answer.

com.sina.weibo.sdk. When initialised, this SDK starts by checking an application-specific token using the WbAppActivator class; this class then registers two message handlers, AppInvokeCmdExecutor and AppInstallCmdExecutor. WbAppActivator then creates a new thread which, every hour by default, fetches new commands from hxxp://api.weibo.cn/2/client/common_config.

Stark).

AppInstallCmdExecutor.
hxxps://mydjiflight.dji.com/api/v2/register_device with information related to the app.

hxxps://www.skypixel.com social network.

hxxps://mydjiflight.dji.com/api/v2/flight_log/profile?user_id=<numerical id>
hxxps://mydjiflight.dji.com/flight/overview?token=<token>

flysafe-api.dji.com
terra-2-g.djicdn.com
account-api.dji.com
djigo-hk.djiservice.org
djigoapi.djiservice.org
developer.dji.com
store.dji.com
statistical-report.djiservice.org
bugly is a crash reporting module provided by the Chinese company Tencent.

v4.1.22 we analyzed).

hxxp://android.bugly.qq.com/rqd/async).

android_id of the phone

com/mob/tools/utils/DeviceHelper.java classes, almost any data that can be used to track a user is queried: from screen size and brightness to WLAN address and MAC, BSSIDs, Bluetooth addresses, MAC addresses of neighbouring devices, IMEI and IMSI, carrier name, SIM serial number, SD card information, OS language and kernel version, location and language, and so on.

Study the Great Nation [21]: obfuscation to hide functionality, information gathering (including information on the phone, the cellular network ID and the GPS location of the user or the drone), and execution of code outside the user's control (forced updates). The application should therefore not be used for sensitive purposes.

hxxp://api.weibo.cn/2/client/common_config
hxxps://service-adhoc.dji.com/app/upgrade/public/check
hxxp://android.bugly.qq.com/rqd/async
hxxp://wb.testing.amap.com
hxxp://group.myamap.com
hxxp://m.map.so.com
hxxp://114.247.50.32
180.96.64.225/mo