QKSMS compromised?

Over the time I’ve been using this app, there have been a total of three instances when I received SMS messages from attempted account registrations that I didn’t commence. The shocking thing is, they went through. SMS verification codes were clearly being leaked.

Russian post, Nov 12 2020 - someone uses my phone number to receive a parcel. Before that, they must have registered my number, the only other message with a verification code from the Russian Post comes on September 23rd. When I came to the post office this year, they claimed that someone filled in their information in connection with my phone number, for easy receipt of packages. I’ve changed the data since.

April 15 2021 - Someone registers at Microsoft. I managed to recover that account, it was largely empty, but it existed and was full of another person’s details.

January 19 2022 - I receive a verification code from Aliexpress. Trying to register my number reveals that it is already in use. Unfortunately, they do not yet allow recovery via SMS.

To be clear: I am using a Moto G7 Play with Stock ROM. I never rooted the thing or unlocked the bootloader. The only app that had SMS access at the time was QKSMS, installed from F-Droid.

I also seem to be not the only one experiencing the issue. https://4pda.to/forum/index.php?showtopic=576815&view=findpost&p=105851339 https://user-images.githubusercontent.com/1058851/151103666-6882e75f-a927-4d0d-a7fa-48ad2513a647.png


If someone tries to use your number for SMS verification you do get an SMS, now the second part is the tricky one, how do they get the code out?

Eg. Use Netguard to block QKSMS from accessing the internet and check if it tries to connect

Now, SMS is not encrypted (unless both users use the app Silence I guess) so it’s not only you who can read it, your Telecom provider can too…

/PS: What does Приторговывают, собаки. even mean? :)

> What does Приторговывают, собаки. even mean?

It means I suspect someone in the supply/trust chain to be paid off by one of those “disposable phone number” companies. There has to be a customer on the other end that’s been using my number for their purposes.

> Eg. Use Netguard to block QKSMS from accessing the internet and check if it tries to connect

I have stripped the app of its SMS access and wiped its data, I don’t want to risk it again. I am unable to access that account that’s been made at Aliexpress and it’s frightening what amount of trouble something like this can get me into. I am keeping it installed to maybe do a little more forensics, like figuring out first install date and getting the APK that’s specifically on my phone.

I would honestly like for it to not be the app’s fault, but then I am not sure what course of action I have. Messing with the firmware without proof there’s any issue with it? I did a virus scan with Dr. Web’s free app, it came up clean. I don’t tend to install any suspicious apps either.

If any of this seems like tin-foil hat bs, unfortunately, it isn’t. Some local manufacturers of even the most basic non-smartphone cellphones were caught embedding their malware that mostly does exactly this: uses the phone numbers without the user’s consent to provide them as a service.

There’s Lineage for your device: https://download.lineageos.org/channel

Actually not coincidence. I faced the same issue 3 times. Someone got hold of my number and tried to register for some government ID and 3rd time someone tried to login to my net banking. Banking one I could stop that very moment, but for the gov one it took me 4 months with a lot of tussle to get corrected. Apparently when I tried other than for trying in MMS, the app does not show any pings or even home calls. However, I am sure there is something amiss here.

Edit: I forgot to add, it indeed happened with QKSMS only, and not with any other SMS app. Apologies for the miss.

So it’s not dependent on SMS app?

Can you provide a little more clarity? Have you had QKSMS installed at the time? What’s the timeline of these events? What version of QKSMS was this and where was it installed from?

Just edited my comment above. It indeed was with QKSMS. I always use the F-Droid version only, and tbvh, I do not recall the version @Simon311, but it has always been QKSMS from F-Droid and ideally no other messaging app. Now I have blocked all internet traffic to it, but presumably it will render from SIM while retrieving the messages, which is normal process.

Right then, so this comes down to me extracting the APK I got and then sweeping the decompiled code for malware. Problem is, I am not good with Java or god forbid smali and the app extracts to 65MB worth of smali code.

Just as a theory, I am also willing to entertain the idea that the app just isn’t storing its DB very securely, which exposes it to some other malware that is able to snoop on it, but that seems overly complicated tbh. Banking on the fact that the user has a specific open source app and implementing functionality to work with its files seems outlandish.

What is the issue here?
Someone tried to register an account with your phone number?
But they need the code to continue registration?

You then tried to recover the newly created account by using your access to your phone number?
Potentially validating the account for them to then use?

If you receive a text message like that, just ignore it.
Do not engage with it at all.
It doesn’t mean someone hacked your number or anything.
There is no harm from it.

Same thing goes for phone calls, just say no!


Let me re-iterate. There are three separate instances when this had happened. Let’s go one by one.

  1. Microsoft. I had received the SMS code and at the time dismissed it as someone’s typo. Several months later, I don’t remember what prompted me to, either another SMS or my own curiosity, and I did recover this account using SMS. Inside, I found the person’s name and birthdate filled in, but no other data whatsoever. Okay, let’s give this one the benefit of the doubt, and assume that me recovering the account had actually validated it and that Microsoft were storing the registration attempt as a blank account for months. I assumed this at the time too.

  2. Aliexpress last week and two days ago. I was not able to recover the account, because they don’t allow that with phone numbers. However, attempting to register it says that the number IS ALREADY IN USE by an account. But, let’s give this one the benefit of the doubt too and say that Aliexpress had created the account before they were able to confirm the phone number and that’s why it won’t let me register it myself.

  3. The Russian post. I received two SMS messages: one with a generic confirmation code on Sep 23, and then another, alarmingly, on Nov 12 with a confirmation code for RECEIVING A PACKAGE. I had dismissed it at the time too, but in late 2021, when visiting the Russian Post, I was alarmed to see that instead of just checking my passport like they always do, the post office had sent me the SMS to receive my package, as if I had enabled the service to do so (yeah, they have a separate service for this, and no, I explicitly avoided enabling it). Then, when giving out the package to me, the post office worker was just as shocked to see that both the name on the package and my own name mismatched what had been on their records. On their records, someone successfully registered and used this phone number to receive packages on a female name (I am male) in a completely different region of Russia. This one, we don’t get to write off. They had managed to receive two SMS messages from my phone and use it with a state-owned company too. I could get in trouble for this.


As a commenter said on the same (briefer) issue, How do you know it’s not your contacts app?

How do you know it’s not some other app?

How do you know anything “fishy” is even happening? You broke the rule: Let calls from unknown numbers ring to waste their time, and ignore unexpected messages from unknowns, including spam voice-messages, spam emails, etc.

I got “junk” text messages when I used default text app. I got “junk” text messages when I used QKSMS. I get “junk” text messages using Silence. It happens. Ignore them.

It is annoying when delivery or other sites especially want your phone number, and (almost) never use it. So, it is easily conceivable someone would put a random “wrong-for-them” number into a form, and move on.

Don’t panic, but IF you ever have GOOD reason to suspect SIM swap or other fraud, contact proper authorities, and take proper steps.

PS. You can always download the source from F-Droid site, and pay someone to do a code review.

I can’t know that it’s not something else, but, as I outlined:

  1. No other app was given permission to access SMS messages, not even the stock one.
  2. I am on stock ROM on a Motorola phone, with security updates as recent as February 2021.
  3. My SIM card still works, it wasn’t someone issuing a duplicate.
  4. It does seem like I am not the only one having this issue, specifically with this app and specifically installed from F-Droid.

In terms of looking at the code, I am looking for options, but so far no free volunteers.

No need for the SMS app to betray you, the site will…

The other case that you quote sounds as confused as you unfortunately :(

Looking at the code may also be problematic because there is a platform-specific compiled library, but I am hoping to rule it out as a standard library

Everything should be open source… after your analysis try to post some feedback, ask what you didn’t find, etc.

Hi, just FYI,
I have a recent Motorola, and I think you’re wrong when you say that only one app has access to SMS.
In fact, if you go to authorizations and make system apps appear, you will see many apps that have access to SMS and you can’t choose it. In my case, showing the system apps makes 15 apps with SMS access appear, including 8 of them which need this access to allow the phone to work.
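Which packages hold a granted SMS permission, whether they can also reach the network, and when they were first installed can be read from the output of `adb shell dumpsys package` instead of the settings screen. The parser below is an added example, not part of any post in this thread; the package names and the dump sample are constructed, and the dump layout is assumed to match the one your Android release prints.

```python
import re

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INTERNET = "android.permission.INTERNET"

# Constructed sample in the layout of `adb shell dumpsys package` output
# (layout varies between Android releases; package names are made up).
SAMPLE = """\
Packages:
  Package [org.example.smsapp] (1a2b3c):
    versionName=1.2.3
    firstInstallTime=2020-08-30 11:02:17
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.vendor.setup] (4d5e6f):
    firstInstallTime=2009-01-01 08:00:00
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_SMS: granted=true
  Package [org.example.notes] (7a8b9c):
    install permissions:
      android.permission.INTERNET: granted=true
"""

def audit(dump):
    """Return {package: info} for every package with a granted SMS permission."""
    pkgs, cur = {}, None
    for line in dump.splitlines():
        s = line.strip()
        if m := re.match(r"Package \[([^\]]+)\]", s):
            cur = pkgs.setdefault(m.group(1), {"granted": set()})
        elif cur is None:
            continue  # header lines before the first package entry
        elif m := re.match(r"(firstInstallTime|versionName)=(.*)", s):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"(android\.permission\.\w+): granted=true", s):
            cur["granted"].add(m.group(1))
    return {name: {"sms": sorted(i["granted"] & SMS_PERMS),
                   "internet": INTERNET in i["granted"],  # SMS + network = can exfiltrate
                   "first_install": i.get("firstInstallTime"),
                   "version": i.get("versionName")}
            for name, i in pkgs.items() if i["granted"] & SMS_PERMS}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real device, save the dump with `adb shell dumpsys package > dump.txt` and pass the file's contents to `audit()`; preinstalled system packages will show up alongside user-installed ones.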

Yeah, that is KNOWN. But here the issue started only after QKSMS. Been a rooter and OS Dev for 9 years now. That is why…