{
	"id": "6f3e795d-0dc0-4ddf-8f1e-7a810927aa7c",
	"created_at": "2026-04-06T00:15:33.720971Z",
	"updated_at": "2026-04-10T13:12:26.669815Z",
	"deleted_at": null,
	"sha1_hash": "f501e4376263cddf8d11709b8de3beb9789aff90",
	"title": "Tracing the Supply Chain Attack on Android",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 267352,
	"plain_text": "Tracing the Supply Chain Attack on Android\r\nPublished: 2019-06-25 · Archived: 2026-04-05 23:06:47 UTC\r\nEarlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious\r\nsoftware being pre-installed on millions of new budget Android devices. Google didn’t exactly name those\r\nresponsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is\r\na deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing\r\nthe envelope on mobile malware.\r\n“Yehuo” (野火) is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps\r\nusing another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in\r\nquestion appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the\r\nsame entity.\r\nAn online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which\r\nuses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on\r\ngamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at\r\nblazefire[.]com.\r\nResearch on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called\r\n“Shanghai Blazefire Network Technology Co. 
Ltd.” just a short time after it was registered by someone using\r\nthe email address “tosaka1027@gmail.com”.\r\nThe Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed\r\nsoftware.”\r\nhttps://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/\r\nPage 1 of 5\n\n“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip\r\nmanufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile\r\nterminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.\r\nA historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24\r\nInternet domain names, including at least seven that have been conclusively tied to the spread of powerful\r\nAndroid mobile malware.\r\nTwo of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were\r\nimplicated in propagating the Triada malware. Triada is the very same malicious software Google said was found\r\npre-installed on many new Android devices and being used to install spam apps that display ads.\r\nIn July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by\r\ndefault on at least four low-cost Android models. 
In 2018, Dr.Web expanded its research when it discovered the\r\nTriada malware installed on 40 different models of Android devices.\r\nAt least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com,\r\nkelisrim[.]com, opnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the\r\nHummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the\r\ninfected device.\r\nA records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including\r\nblazefire[.]net, which is registered to yehuo@blazefire.net. For the remainder of this post, we’ll focus on a\r\nsubset of the domain names in the table below:\r\nDomain Name          Create Date   Registrar\r\n2333youxi[.]com      2016-02-18    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\n52gzone[.]com        2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\n91gzonep[.]com       2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\nblazefire[.]com      2000-08-24    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\nblazefire[.]net      2010-11-22    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\nhsuheng[.]com        2015-03-09    GODADDY.COM, LLC\r\njyhxz[.]net          2013-07-02    —\r\nlongmen[.]com        1998-06-19    GODADDY.COM, LLC\r\nlongmenbiaoju[.]com  2012-12-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\noppayment[.]com      2013-10-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\ntongjue[.]net        2014-01-20    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD\r\nFollowing the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with\r\nmultiple business units and names. 
For example, 2333youxi[.]com is the domain name for Shanghai Qianyou\r\nNetwork Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet\r\nmobile games.”\r\nLike the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and\r\nsoon changed to Shanghai Blazefire as the owner.\r\nThe offices of Shanghai Qianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd,\r\nShanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at\r\nRoom 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.\r\nThe domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to\r\nbe either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd. According\r\nto its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai\r\nQianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.\r\n“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published\r\nby Tongjue in 2016. “The company is mainly engaged in mobile phone pre-installation business.”\r\nThat particular help wanted ad was for a “client software development” role at Tongjue. 
The ad said the ideal\r\ncandidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the\r\nresponsibilities for this position were:\r\n- Crack the restrictions imposed by the manufacturer on the mobile phone.\r\n- Research and master the android [operating] system\r\n- Reverse the root software to study the root of the android mobile phone\r\n- Research the anti-brushing and provide anti-reverse brushing scheme\r\nWHO IS BLAZEFIRE/YEHUO?\r\nMany of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the\r\nemail address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and\r\nemail addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname\r\n“Hagen” or “Haagen” and uses the email “chuda@blazefire.net”.\r\nSearching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site\r\nYouxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers\r\nto the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.\r\n“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre\r\n(playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire\r\nproduct line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore\r\nAlliance.”\r\nInterestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com,\r\nperhaps Shanghai Wildfire’s oldest and most successful mobile game ever. 
That record, from April 2015, lists Chu\r\nDa’s email address as yehuo@blazefire.com.\r\n[Photo caption: The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”]\r\nIt’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company\r\nlists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled\r\nChinese telecom giant by the same name.\r\nAccording to a cached document from Chinese business lookup service TianYanCha.com, Chuda also is a\r\nsenior executive at six other companies.\r\nGoogle declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for\r\ncomment.\r\nIt’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire\r\nNetwork Technology Co., Apple still has several of the company’s apps available for download from the iTunes\r\nstore, as well as others from Shanghai Qianyou Network Technology.\r\nSource: https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/"
	],
	"report_names": [
		"tracing-the-supply-chain-attack-on-android-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f501e4376263cddf8d11709b8de3beb9789aff90.pdf",
		"text": "https://archive.orkl.eu/f501e4376263cddf8d11709b8de3beb9789aff90.txt",
		"img": "https://archive.orkl.eu/f501e4376263cddf8d11709b8de3beb9789aff90.jpg"
	}
}