Chinese mobile malware controversy: Are Feiliu and Netqin in cahoots?

Money on hook
According to Mobile Crunch, Chinese mobile security firm NetQin is accused of secretly installing malware, but it turns out that the story might be a little bit more complicated than that.

3.15 Gala is an annual event in China – similar to the UK’s Watchdog programme – designed to protect consumer rights by exposing fake, low-quality and below-standard products. It is hosted by Chinese State TV (CCTV).

On 3.15 Gala night, March 15, CCTV stated that some Chinese phone dealers were installing an application created by Feiliu, a mobile software provider, onto the phones during the process of firmware flashing.

Firmware flashing is often used to hack phones for unintended regions (for example, a US or UK phone hacked to be used in China).

Now, phone dealers are often financially incentivised to install third-party applications, all prior to selling the phones to Chinese customers. Roughly RMB 2 Yuan (about .30 US cents or 15p UK) per application per handset is paid to phone dealers by software providers. The Feiliu application is among these.

So, what does this Feiliu app do? It attempts to download and upload data whenever an internet connection is available. It also calls home for verification every 6 hours. If the app is not running correctly – perhaps because the owner deletes it, it secretly installs again and attempts to hide its presence.

Four Symbian OS Installer files have been confirmed to be downloaded by the Feiliu app, all without the knowledge or consent of the phone owner:

installs an application called OVI Game Update, with process name 200353A9.exe;
200353D8_Express_Signed.sis: installs an application called Open C Libssl Common Plugin, with process name 200353D8.exe;
20035933_Express_Signed.sis: installs an application called AdvBrain Trl, with process name 20035933.exe;
20035015_Express_Signed_P22.sis: installs an application called Open C++ Class Update, with process name 20035015.exe.

The Installer files and their associated applications share version information, supplier information and digital certificates.

The Feiliu app tries to uninstall any other vendor’s AV products. The app also causes the phone to run very slowly and/or crash.

Surprisingly, this behaviour seems to be by design, encouraging the phone owner to seek out a fix. An annoyed user might try to download NetQin AV scanner. NetQin currently holding a market leader position in China for mobile security.

When the user runs the NetQin scan, an infection is reported. The user is reportedly made to pay RMB 2 Yuan to remove the Feiliu app, which NetQin detects as malware, from the phone.

So we have a seemingly dodgy app that is removed by mobile security product. But CCTV show revealed a few other interesting tidbits.

The official CCTV video and transcript (in Mandarin Chinese) is available. My colleague Xiaochuan Zhang explains that in the transcript, NetQin employees say that NetQin and Feiliu do indeed have a close partnership.

And staff from Feiliu reveal that co-founders for Netqin and Feiliu worked on their PhDs together. The transcript also claims that NetQin had an investment of RMB 495,000 Yuan (about $75,000 USD) in Feiliu, making the security company the second largest shareholder.

All this certainly doesn’t look good for any of the parties involved.

And the timing is not great for NetQin, as the company just submitted the IPO application in mid-march. You can read more about on

Now, NetQin is claiming innocence here. Look at the following, which was added to the bottom of this Cellular news article:

Update: 24th March 2011: We have received a legal letter from NetQin stating that the article above is based on incorrect information - we have requested a statement confirming the facts.

It will certainly be interesting to see what happens next. Who said the murky worlds of mobiles, apps and security was dull?

(Thank you to Sophos malware researcher Xiaochuan Zhang, who helped me unravel this story. )

(Picture of mobile with China flag courtesy of