Chinese mobile malware controversy: Are Feiliu and Netqin in cahoots?

Filed Under: Malware, Mobile

According to Mobile Crunch, Chinese mobile security firm NetQin is accused of secretly installing malware, but it turns out that the story might be a little bit more complicated than that.

3.15 Gala is an annual event in China - similar to the UK's Watchdog programme - designed to protect consumer rights by exposing fake, low-quality and below-standard products. It is hosted by Chinese State TV (CCTV).

On 3.15 Gala night, March 15, CCTV stated that some Chinese phone dealers were installing an application created by Feiliu, a mobile software provider, onto the phones during the process of firmware flashing.

Firmware flashing is often used to hack phones for unintended regions (for example, a US or UK phone hacked to be used in China).

Now, phone dealers are often financially incentivised to install third-party applications before selling the phones to Chinese customers. Software providers pay phone dealers roughly RMB 2 Yuan (about 30 US cents or 15p UK) per application per handset. The Feiliu application is among these.

So, what does this Feiliu app do? It attempts to download and upload data whenever an internet connection is available. It also calls home for verification every 6 hours. If the app is not running correctly (perhaps because the owner has deleted it), it secretly installs itself again and attempts to hide its presence.
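A fixed call-home interval is one of the more detectable traits described above. The following is an added example, not code from the article or from any of the companies named: it parses a constructed per-process connection log (a hypothetical format, with placeholder destinations) and flags processes whose connection intervals cluster tightly around a given period, defaulting to the 6-hour beacon the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log in a hypothetical "timestamp process -> destination" format.
# The process name 200353A9.exe comes from the article; destinations are placeholders.
SAMPLE_LOG = """\
2011-03-10 00:02:11 200353A9.exe -> update.example.invalid
2011-03-10 06:02:09 200353A9.exe -> update.example.invalid
2011-03-10 12:02:14 200353A9.exe -> update.example.invalid
2011-03-10 18:02:10 200353A9.exe -> update.example.invalid
2011-03-11 00:02:12 200353A9.exe -> update.example.invalid
2011-03-10 08:15:00 Browser.exe -> news.example.invalid
2011-03-10 08:47:30 Browser.exe -> mail.example.invalid
2011-03-10 13:05:11 Browser.exe -> news.example.invalid
2011-03-10 21:59:45 Browser.exe -> shop.example.invalid
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+)$")

def parse_log(text):
    """Return {process: [timestamps]} from the constructed log format."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(2)].append(ts)
    return events

def find_beacons(text, period=timedelta(hours=6), tolerance=0.05, min_events=4):
    """Map each beaconing process to its mean interval in hours."""
    # Low jitter around a fixed interval marks an automated check-in, not user traffic.
    flagged = {}
    for proc, stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0
        off_period = abs(avg - period.total_seconds()) / period.total_seconds()
        if off_period <= tolerance and jitter <= tolerance:
            flagged[proc] = round(avg / 3600, 2)
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

On a real device the same logic would run over whatever connection records are available; the tolerance values are assumptions to tune against the noise in that data.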

Four Symbian OS Installer files have been confirmed to be downloaded by the Feiliu app, all without the knowledge or consent of the phone owner:

pro20.sisx: installs an application called OVI Game Update, with process name 200353A9.exe;
200353D8_Express_Signed.sis: installs an application called Open C Libssl Common Plugin, with process name 200353D8.exe;
20035933_Express_Signed.sis: installs an application called AdvBrain Trl, with process name 20035933.exe;
20035015_Express_Signed_P22.sis: installs an application called Open C++ Class Update, with process name 20035015.exe.

The Installer files and their associated applications share version information, supplier information and digital certificates.

The Feiliu app tries to uninstall any other vendor’s AV products. The app also causes the phone to run very slowly and/or crash.

Surprisingly, this behaviour seems to be by design, encouraging the phone owner to seek out a fix. An annoyed user might try to download the NetQin AV scanner; NetQin currently holds the market-leading position in China for mobile security.

When the user runs the NetQin scan, an infection is reported. The user is reportedly made to pay RMB 2 Yuan to remove the Feiliu app, which NetQin detects as malware, from the phone.

So we have a seemingly dodgy app that is removed by a mobile security product. But the CCTV show revealed a few other interesting tidbits.

The official CCTV video and transcript (in Mandarin Chinese) is available. My colleague Xiaochuan Zhang explains that in the transcript, NetQin employees say that NetQin and Feiliu do indeed have a close partnership.

And staff from Feiliu reveal that co-founders for Netqin and Feiliu worked on their PhDs together. The transcript also claims that NetQin had an investment of RMB 495,000 Yuan (about $75,000 USD) in Feiliu, making the security company the second largest shareholder.

All this certainly doesn't look good for any of the parties involved.

And the timing is not great for NetQin, as the company only submitted its IPO application in mid-March. You can read more about it on ichinastock.com.

Now, NetQin is claiming innocence here. Look at the following, which was added to the bottom of this Cellular news article:

Update: 24th March 2011: We have received a legal letter from NetQin stating that the article above is based on incorrect information - we have requested a statement confirming the facts.

It will certainly be interesting to see what happens next. Who said the murky worlds of mobiles, apps and security were dull?

(Thank you to Sophos malware researcher Xiaochuan Zhang, who helped me unravel this story.)

(Picture of mobile with China flag courtesy of mtsoft.com)


6 Responses to Chinese mobile malware controversy: Are Feiliu and Netqin in cahoots?

  1. D. Doyle · 1255 days ago

    It makes me nervous that so many of our electronics are made in China. Who knows what is really installed? I got a Seagate backup hard drive 15 months ago; it operated very oddly and was difficult to uninstall. Finally I wiped the computer drive clean and reinstalled my software and docs...but not the Seagate. I've wondered what was really on that drive, made, of course, in China.

    • PK · 118 days ago

      It makes me nervous that so many of our electronics are made in the USA. Who knows what the NSA has installed?

  2. hannah · 1254 days ago

    that's not true, it is more like they are trapped by the company whose product is 360, they use the same way in blaming Tencent.

  3. Yu Lin · 1253 days ago

    If Netqin is offered an IPO from SEC, then there is really no justice in China because not only fraud but the revenue of Netqin is also fake and forged.

  4. Ilgaz · 1247 days ago

    I had a strange directory name (Felilu) with junk like data on my s60v3 with netqin products installed and I am NOT in China, I also carry a strict "signed only" with online cert check and "no piracy or hacks" policy myself.

    Sad thing is, I reinstalled firmware to my phone (because of problems) and I don't have that directory to share content (or image if possible) with av companies.

    The dumbest of all is, they HAVE good products shipped, especially that mobile manager. That thing amazes me, with some polish and better UI gfx/ui language, they could be king of mobile utility market.

    Absurd. Really absurd. You know the real mystery? My device -too- slowed down for a while, that was one of the reasons I got into the trouble of reinstalling firmware w/o backup.

  5. Ilgaz · 1247 days ago

    Sorry for the double comment, but you "real" security companies, like Sophos, F-Secure, Kaspersky, Intego (Mac) and the Clam project should set up an organisation for the industry, at least for a unified statement on such scandals, and share data in a more official way.

    Perhaps membership should be invite only for newcomers.

    What Netqin did may have cost billions to the real security industry with millions of hours wasted. Why? Because that crook managed to let hopeless paranoids have some kind of verification. You know the "av companies code viruses" guys. Now, they will say "didn't I say so?"


About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos's Global Director of Social Media and Communities. Proudest work achievement? Creating and launching the award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and a blogger.