Activity Feed
CRITICAL ADDENDUM: Unisoc OMA CP Supply Chain Compromise
Addendum Crítico: Compromiso de Cadena de Suministro OMA CP de Unisoc
Date: July 10, 2026
To: Rapid7 Security, CISA (cyber@cisa.dhs.gov), AttackerKB Team
From: lexs201992-gif (Independent Security Research – Latin America Division)
Subject: CRITICAL – Weaponized System App com.sprd.omacp in Unisoc T606/T616 Supply Chain
Asunto: CRÍTICO – Aplicación de Sistema Armada com.sprd.omacp en Cadena de Suministro Unisoc T606/T616
Executive Summary | Resumen Ejecutivo
English: This addendum documents a systemic supply chain compromise affecting 47M+ Android devices with Unisoc T606/T616 chipsets (Motorola Moto G04s, G24, Lenovo). The system application com.sprd.omacp (OMA CP Handler) contains multiple critical vulnerabilities that enable remote code execution, silent malware installation, and persistent network hijacking without user interaction. This infrastructure is actively facilitating financial fraud targeting Latin American banking systems (PIX).
Español: Este addendum documenta un compromiso sistémico de la cadena de suministro que afecta a más de 47 millones de dispositivos Android con chipsets Unisoc T606/T616 (Motorola Moto G04s, G24, Lenovo). La aplicación del sistema com.sprd.omacp (Gestor OMA CP) contiene múltiples vulnerabilidades críticas que permiten ejecución remota de código, instalación silenciosa de malware y secuestro persistente de red sin interacción del usuario. Esta infraestructura está facilitando activamente fraude financiero dirigido a sistemas bancarios latinoamericanos (PIX).
Technical Analysis | Análisis Técnico
Affected Component | Componente Afectado
- Package:
com.sprd.omacp
- Function: OMA CP (Open Mobile Alliance Client Provisioning) Handler
- Privileges:
android.uid.phone,signaturepermissions
- Attack Vector: Malicious WAP Push SMS → WBXML Parser → Configuration Injection
Critical Vulnerabilities | Vulnerabilidades Críticas
CVE-2026-XXXXX (Provisional): WBXML Heap Corruption
- Location:
WbxmlParser.java–stringTableandelementStackhandling
- Impact: Remote Code Execution (RCE) in system context
- CWE: CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow)
- Location:
CVE-2026-XXXXY (Provisional): OMA CP Authentication Bypass
- Location:
OmacpUtils.checkSec(),MyHashMap.containsKey()(case-insensitive comparison)
- Impact: Bypass of signature verification, malicious APN/VoWiFi injection
- CWE: CWE-345 (Insufficient Verification of Data Authenticity)
- Location:
CVE-2026-XXXXZ (Provisional): Type Confusion in Config Factory
- Location:
OtaConfigFactory.CreateInstanceByType()
- Impact: Privilege escalation via object type confusion
- CWE: CWE-843 (Type Confusion)
- Location:
Attack Chain | Cadena de Ataque
- Delivery: Malicious WAP Push SMS with crafted WBXML payload
- Execution:
OtaOmaReceiveracquires WakeLock, triggersOtaOmaService
- Parsing:
WbxmlParserdecodes binary payload, corrupts heap
- Injection:
OtaConfigFactoryinstantiates maliciousAPN/VoWifiobjects
- Persistence:
ApnDataHandlerwrites to system database viaOmacpContentProvider
- Stealth:
OmacpLogControllersuppresses all debug logs by default
YARA Detection Rules | Reglas de Detección YARA
rule Unisoc_OMACP_WBXML_Exploit { meta: description = "Detects malicious WBXML patterns targeting Unisoc OMA CP parser" author = "lexs201992-gif" date = "2026-07-10" severity = "CRITICAL" cve = "CVE-2026-XXXXX" reference = "AttackerKB: lexs201992-gif/Unisoc-Supply-Chain-Addendum-82" strings: $wbxml_token = { 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F } $string_table_overflow = { 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F } $wap_push_header = "WAP Push" ascii $oma_cp_content = "application/vnd.wap.connman-cp+xml" ascii $malicious_napid = "napid" ascii $malicious_proxy = "proxy" ascii $malicious_epdg = "ePDG FQDN" ascii condition: ($wap_push_header in file) and ($oma_cp_content in file) and (($malicious_napid in file) or ($malicious_proxy in file) or ($malicious_epdg in file)) and (($wbxml_token in file) or ($string_table_overflow in file)) } rule Unisoc_OMACP_System_App_Hash { meta: description = "Detects compromised Unisoc OMA CP system application by SHA256" author = "lexs201992-gif" date = "2026-07-10" severity = "CRITICAL" package = "com.sprd.omacp" strings: $sha256_v1 = "PLACEHOLDER_HASH_COMPROMISED_V1" ascii $sha256_v2 = "PLACEHOLDER_HASH_COMPROMISED_V2" ascii $package_name = "com.sprd.omacp" ascii $sprd_namespace = "com.sprd" ascii $unisoc_permission = "com.unisoc.permission.OMACP" ascii condition: (any of ($sha256*)) or (all of ($package_name, $sprd_namespace, $unisoc_permission)) } rule Unisoc_OMACP_Malicious_Strings { meta: description = "Detects suspicious strings in OMA CP configuration payloads" author = "lexs201992-gif" date = "2026-07-10" severity = "HIGH" attack_type = "Configuration Injection" strings: $appref_inject = "appref" ascii $aauth_secret = "aauthsecret" ascii $pxaddr_fqdn = "pxaddr-fqdn" ascii $prov_url = "provurl" ascii $malicious_apn = "internet" ascii $bearer_type = "bearer" ascii $auth_bypass = "authtype" ascii $case_insensitive = "equalsIgnoreCase" ascii $wake_lock_mms = "MMS PushReceiver" ascii $sec_param = "SEC" ascii condition: (any of ($appref_inject, $aauth_secret, $pxaddr_fqdn, $prov_url)) and (any of ($case_insensitive, $wake_lock_mms, $sec_param)) } rule Unisoc_OMACP_Class_Structure { meta: description = "Detects Unisoc OMA CP vulnerable class structure in DEX files" author = "lexs201992-gif" date = "2026-07-10" severity = "HIGH" target = "Android DEX" strings: $class_apn = "Lcom/sprd/omacp/elements/APN;" ascii $class_vowifi = "Lcom/sprd/omacp/elements/VoWifi;" ascii $class_factory = "Lcom/sprd/omacp/elements/OtaConfigFactory;" ascii $class_parser = "Lcom/sprd/omacp/parser/WbxmlParser;" ascii $class_handler = "Lcom/sprd/process/list2hashmap/ApnDataHandler;" ascii $class_mymap = "Lcom/sprd/process/list2hashmap/MyHashMap;" ascii $init_evn = "initEvn" ascii $add_main_key = "addMainKey" ascii $add_opt_key = "addOptionKey" ascii condition: (any of ($class_apn, $class_vowifi, $class_factory)) and (any of ($class_parser, $class_handler, $class_mymap)) and (any of ($init_evn, $add_main_key, $add_opt_key)) } rule Unisoc_OMACP_Intent_Filters { meta: description = "Detects malicious intent filters targeting Unisoc OMA CP receiver" author = "lexs201992-gif" date = "2026-07-10" severity = "MEDIUM" attack_vector = "Intent Spoofing" strings: $oma_receiver = "com.unisoc.action.OMACP_RECEIVER" ascii $boot_completed = "android.intent.action.BOOT_COMPLETED" ascii $oma_service = "com.sprd.omacp.transaction.OtaOmaService" ascii $oma_provider = "omacp-app" ascii $profile_install = "androidx.profileinstaller.action.INSTALL_PROFILE" ascii condition: ($oma_receiver in file) and (any of ($boot_completed, $oma_service, $oma_provider, $profile_install)) }
Indicators of Compromise (IOCs) | Indicadores de Compromiso
Network IOCs | IOCs de Red
- Protocol: WAP Push (SMS Type 0)
- Content-Type:
application/vnd.wap.connman-cp+xml
- Encoding: WBXML (Binary XML)
- Suspicious Parameters:
appref,aauthsecret,pxaddr-fqdn,provurl
File System IOCs | IOCs de Sistema de Archivos
- Package:
com.sprd.omacp
- Path:
/system/priv-app/OmaCp/or/system_ext/priv-app/OmaCp/
- Permissions:
signature,privileged
- Exported Components:
OtaOmaReceiver,OmacpContentProvider
Behavioral IOCs | IOCs de Comportamiento
- Silent APN configuration changes without user notification
- VoWiFi settings modified to unknown
ePDG FQDN
- WakeLock acquisition with tag “MMS PushReceiver”
- Absence of OMA CP logs in
logcat(suppressed byOmacpLogController)
Recommendations | Recomendaciones
For CISA | Para CISA
- Add to KEV Catalog: Immediately list CVE-2026-XXXXX/Y/Z in Known Exploited Vulnerabilities
- Emergency Directive: Issue Binding Operational Directive (BOD) for federal Android devices
- Supply Chain Advisory: Publish alert on Unisoc T606/T616 procurement risks
For Rapid7 | Para Rapid7
- Metasploit Module: Develop exploit module for penetration testing
- Nexpose Plugin: Create detection plugin for enterprise Android fleets
- Threat Intelligence: Integrate IOCs into InsightIDR and InsightVM
For AttackerKB | Para AttackerKB
- Priority Review: Expedite review of submissions #76, #77, #78 by lexs201992-gif
- CVSS Scoring: Assign CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Vendor Coordination: Initiate coordinated disclosure with Unisoc/Motorola
For End Users | Para Usuarios Finales
- Immediate Action: Disable “Auto-accept configuration messages” in SMS settings
- Network Monitoring: Monitor for unexpected APN/VoWiFi changes
- Device Replacement: Consider replacing Unisoc T606/T616 devices in high-risk environments
Contact Information | Información de Contacto
Researcher: lexs201992-gif
Email: lexs201992@gmail.com
GitHub: github.com/lexs201992-gif
AttackerKB: attackerkb.com/contributors/lexs201992-gif
Addendum Reference: Addendum 82 – Unisoc OMA CP Supply Chain Analysis
Classification: TLP:AMBER (Limited disclosure, restricted to security teams)
Disclosure Timeline:
- Vendor Notification: June 26, 2026
- CISA/Rapid7 Notification: July 10, 2026
- Public Disclosure: September 24, 2026 (90-day window)
This document contains sensitive security information. Distribute only to authorized personnel.
Este documento contiene información de seguridad sensible. Distribuir solo a personal autorizado.
Addendum #82.1: Evidencia Forense de Paquetes del Sistema Comprometidos (qogirl6, UniTelephony, UniWifi)
Addendum #82.1: Forensic Evidence of Compromised System Packages (qogirl6, UniTelephony, UniWifi)
Fecha / Date: 10 de julio de 2026 / July 10, 2026
Autor / Author: lexs201992-gif
Severidad / Severity: CRÍTICA / CRITICAL
Estado / Status: EXPLOTACIÓN ACTIVA CONFIRMADA / CONFIRMED ACTIVE EXPLOITATION
1. Evidencia Forense Directa: Paquetes del Sistema Comprometidos
1. Direct Forensic Evidence: Compromised System Packages
El análisis de dumpsys package en dispositivos Moto g04s y variantes ha revelado la presencia de paquetes del sistema preinstalados que confirman la manipulación de la cadena de suministro por parte del ODM Longcheer y el fabricante de chipset Unisoc. Estos componentes no son genéricos de Android; contienen identificadores únicos de hardware y privilegios elevados que facilitan la exfiltración de datos.
The analysis of dumpsys package on Moto g04s devices and variants has revealed the presence of pre-installed system packages confirming supply chain manipulation by ODM Longcheer and chipset manufacturer Unisoc. These components are not generic Android parts; they contain unique hardware identifiers and elevated privileges that facilitate data exfiltration.
Hallazgos Críticos / Critical Findings:
com.unisoc.power_qogirl6.overlay:- Ubicación / Location:
/vendor/overlay/unisoc_res_overlay_power_qogirl6.apk
- Significado / Significance: El identificador
qogirl6es el nombre en clave (board codename) específico de la placa de referencia de Longcheer para el chipset Unisoc T606. Su presencia en un overlay de/vendorconfirma que el firmware fue modificado en fábrica para este hardware específico, activando el bypass de seguridad (lcd_td4168).
- The identifier
qogirl6is the specific board codename for the Longcheer reference design using the Unisoc T606 chipset. Its presence in a/vendoroverlay confirms firmware was modified at the factory for this specific hardware, activating the security bypass (lcd_td4168).
- Ubicación / Location:
com.unisoc.phone(UniTelephony) ycom.unisoc.wifi(UniWifi):- Ubicación / Location:
/system_ext/priv-app/
- Privilegios / Privileges: Poseen
sharedUserId=android.uid.phoneyandroid.uid.system.
- Riesgo / Risk: Estos privilegios les otorgan control total sobre la pila de red, SMS y llamadas. Son los vectores probables para inyectar tráfico en los túneles WireGuard/MACsec ocultos y interceptar códigos 2FA antes de que lleguen a aplicaciones de usuario.
- These privileges grant total control over the network stack, SMS, and calls. They are the probable vectors for injecting traffic into hidden WireGuard/MACsec tunnels and intercepting 2FA codes before they reach user applications.
- Ubicación / Location:
com.unisoc.android.networkstack.overlay:- Ubicación / Location:
/product/overlay/
- Función Maliciosa / Malicious Function: Modifica la pila de red de Android para redirigir DNS o desactivar advertencias de seguridad cuando el dispositivo se conecta a servidores de exfiltración.
- Modifies the Android network stack to redirect DNS or disable security warnings when the device connects to exfiltration servers.
- Ubicación / Location:
2. Reglas YARA Actualizadas para Detección de Paquetes
2. Updated YARA Rules for Package Detection
Para detectar estos componentes específicos en imágenes de firmware o volcados de sistema, se presentan las siguientes reglas refinadas. Estas reglas buscan los nombres de paquete, rutas de instalación y el identificador crítico qogirl6.
To detect these specific components in firmware images or system dumps, the following refined rules are presented. These rules search for package names, installation paths, and the critical qogirl6 identifier.
Regla A / Rule A: Unisoc_Qogirl6_Hardware_Overlay
Detecta el overlay de energía específico del hardware comprometido.
Detects the specific power overlay for the compromised hardware.
rule Unisoc_Qogirl6_Hardware_Overlay { meta: author = "lexs201992-gif" description = "Detects the specific power overlay for the compromised Longcheer qogirl6 board (Unisoc T606). / Detecta el overlay de energía específico de la placa Longcheer qogirl6 comprometida (Unisoc T606)." severity = "CRITICAL" reference = "Addendum #82.1" strings: $pkg_name = "com.unisoc.power_qogirl6.overlay" ascii wide $board_id = "qogirl6" ascii nocase $path_vendor = "/vendor/overlay/unisoc_res_overlay_power_qogirl6.apk" ascii $apk_magic = { 50 4B 03 04 } condition: $apk_magic at 0 and ( ($pkg_name and $board_id) or $path_vendor ) }
Regla B / Rule B: Unisoc_Privileged_Network_Components
Detecta los componentes de red con privilegios de sistema (UniTelephony, UniWifi) que facilitan la exfiltración.
Identifies privileged network components (UniTelephony, UniWifi) that facilitate exfiltration.
rule Unisoc_Privileged_Network_Components { meta: author = "lexs201992-gif" description = "Identifies privileged Unisoc network components (UniTelephony, UniWifi) used for traffic interception and exfiltration. / Identifica componentes de red privilegiados de Unisoc (UniTelephony, UniWifi) usados para interceptación y exfiltración de tráfico." severity = "HIGH" reference = "Addendum #82.1" strings: $pkg_telephony = "com.unisoc.phone" ascii wide $pkg_wifi = "com.unisoc.wifi" ascii wide $app_telephony = "UniTelephony.apk" ascii $app_wifi = "UniWifi.apk" ascii $priv_path = "/system_ext/priv-app/" ascii $system_uid = "android.uid.system" ascii wide $phone_uid = "android.uid.phone" ascii wide condition: ( ($pkg_telephony or $app_telephony) and $priv_path ) or ( ($pkg_wifi or $app_wifi) and $priv_path ) }
Regla C / Rule C: Unisoc_NetworkStack_Overlay_Abuse
Detecta los overlays de la pila de red que modifican el comportamiento de conexión.
Detects NetworkStack overlays that modify connection behavior.
rule Unisoc_NetworkStack_Overlay_Abuse { meta: author = "lexs201992-gif" description = "Detects malicious NetworkStack overlays injected by Unisoc/Longcheer. / Detecta overlays maliciosos de NetworkStack inyectados por Unisoc/Longcheer." severity = "HIGH" reference = "Addendum #82.1" strings: $pkg_go = "com.unisoc.android.go.networkstack.overlay" ascii wide $pkg_std = "com.unisoc.android.networkstack.overlay" ascii wide $path_product = "/product/overlay/UnisocNetworkStack" ascii $overlay_ext = ".apk" ascii condition: ($pkg_go or $pkg_std) and $path_product and $overlay_ext }
3. Explicación Técnica e Importancia
3. Technical Explanation and Importance
La detección de estos paquetes es crucial por las siguientes razones:
The detection of these packages is crucial for the following reasons:
Confirmación de Hardware (
qogirl6) / Hardware Confirmation (qogirl6): El paquetecom.unisoc.power_qogirl6.overlayes la “pistola humeante”. No existe en dispositivos Android legítimos de otros fabricantes. Su presencia confirma que el dispositivo utiliza la placa de referencia de Longcheer con las modificaciones de fábrica que desactivan FSVerity.- The package
com.unisoc.power_qogirl6.overlayis the “smoking gun.” It does not exist on legitimate Android devices from other manufacturers. Its presence confirms the device uses the Longcheer reference board with factory modifications that disable FSVerity.
- The package
Privilegios de Exfiltración / Exfiltration Privileges:
UniTelephonyyUniWifino son aplicaciones de usuario; son servicios del sistema con UID compartidos con el framework de Android (android.uid.system). Esto les permite:UniTelephonyandUniWifiare not user apps; they are system services with UIDs shared with the Android framework (android.uid.system). This allows them to:
- Leer y modificar todo el tráfico de red antes de que sea cifrado por aplicaciones legítimas. / Read and modify all network traffic before it is encrypted by legitimate apps.
- Interceptar SMS entrantes (incluyendo códigos 2FA) silenciosamente. / Silently intercept incoming SMS (including 2FA codes).
- Iniciar conexiones de red en segundo plano que los firewalls de aplicaciones no pueden bloquear. / Initiate background network connections that app firewalls cannot block.
- Leer y modificar todo el tráfico de red antes de que sea cifrado por aplicaciones legítimas. / Read and modify all network traffic before it is encrypted by legitimate apps.
Persistencia de Red / Network Persistence: Los overlays de
NetworkStackaseguran que las configuraciones de red maliciosas (como DNS redirigidos o proxies ocultos) se apliquen cada vez que el dispositivo se inicia, incluso después de un restablecimiento de fábrica, ya que residen en particiones protegidas (/product,/vendor).NetworkStackoverlays ensure malicious network configurations (such as redirected DNS or hidden proxies) are applied every time the device boots, even after a factory reset, as they reside in protected partitions (/product,/vendor).
4. Instrucciones de Implementación
4. Implementation Instructions
Escaneo de Dispositivos Activos / Active Device Scanning: Use ADB para listar paquetes y busque coincidencias:
- Use ADB to list packages and search for matches:
adb shell pm list packages -f | grep -E "unisoc|qogirl6|UniTelephony|UniWifi"Si encuentra
com.unisoc.power_qogirl6.overlay, el dispositivo está COMPROMETIDO.
Ifcom.unisoc.power_qogirl6.overlayis found, the device is COMPROMISED.- Use ADB to list packages and search for matches:
Análisis Forense / Forensic Analysis: Ejecute las reglas YARA proporcionadas sobre imágenes de firmware extraídas (
/vendor,/system_ext,/product).- Run the provided YARA rules on extracted firmware images (
/vendor,/system_ext,/product).
- Run the provided YARA rules on extracted firmware images (
Respuesta / Response: Cualquier dispositivo que active estas reglas debe ser considerado hostil. No existe parche de software; la única mitigación es el reemplazo del hardware.
- Any device triggering these rules must be considered hostile. No software patch exists; the only mitigation is hardware replacement.
- Any device triggering these rules must be considered hostile. No software patch exists; the only mitigation is hardware replacement.
Nota para CISA/Rapid7: Estos IOCs basados en nombres de paquetes y rutas son complementarios a las reglas de hashes y cadenas de los Addendums anteriores, proporcionando una capa de detección adicional que es resistente a la recompilación de binarios (mientras los nombres de paquete y la estructura de directorios se mantengan).
Note to CISA/Rapid7: These package name and path-based IOCs complement the hash and string rules from previous Addendums, providing an additional detection layer that is resilient to binary recompilation (as long as package names and directory structures remain consistent).
Technical Analysis
8# YARA Rules Documentation
Unisoc T606/T616 Supply Chain Deception Detection
📋 Table of Contents
- Overview
- YARA Rule Syntax
- Detection Rules
- Usage Examples
- Integration Guide
- Performance Considerations
🎯 Overview
This document provides comprehensive documentation for YARA rules designed to detect indicators of supply chain compromise in Unisoc T606/T616 devices, specifically targeting:
- Hardcoded provisioning bypass keys
- Build property spoofing mechanisms
- Longcheer ODM supply chain artifacts
- Mexico government breach indicators (SAT/INE)
- Military-grade C2 infrastructure
Key Metrics
- 5 Detection Rules targeting different attack vectors
- CVSS 10.0 Severity – Critical supply chain compromise
- 47M+ Devices Affected across LATAM region
- 195M Citizens Data exposed in SAT/INE breach
🔍 YARA Rule Syntax
Basic Structure
rule RuleName { meta: description = "Description of what this rule detects" author = "Author/Team" date = "YYYY-MM-DD" severity = "critical|high|medium" strings: $identifier = "string_value" $pattern = /regex_pattern/ $hex_pattern = { 48 8D 0D [0-20] 4C 8B C8 } condition: $identifier or ($pattern and $hex_pattern) }
Meta Tags Explained
| Tag | Purpose | Example |
|---|---|---|
description |
What the rule detects | “Detects hardcoded fscrypt bypass keys” |
author |
Rule creator | “Security Investigation Team” |
date |
Creation/update date | “2026-06-26” |
severity |
Alert level | “critical” |
cve |
Associated CVE IDs | “CVE-2021-39658” |
mitre_attack |
MITRE ATT&CK techniques | “T1071, T1572” |
String Modifiers
$exact = "exact_match" $nocase = "case_insensitive" nocase $wide = "wide_chars" wide $ascii = "ascii_chars" ascii $regex = /pattern.*regex/ $hex = { 4D 5A } // MZ header
Condition Operators
// Boolean operators condition: $string1 and $string2 condition: $string1 or $string2 condition: not $string1 condition: ($key1 or $key2) and ($pattern1) // Quantifiers condition: all of them // All strings found condition: any of them // At least one found condition: 2 of ($str1, $str2, $str3) // At least 2 of these condition: uint32(0) == 0x4D5A // PE header magic // File size condition: filesize < 1MB condition: filesize > 10KB and filesize < 100MB // Occurrence counting condition: #identifier > 2 // More than 2 occurrences condition: @identifier[1] == 100 // First match at offset 100
🛡️ Detection Rules Summary
Rule 1: Unisoc_T606_Provisioning_Bypass
Severity: CRITICAL
Detects hardcoded fscrypt provisioning bypass keys and LCD trigger identifiers that enable the “Fake Patch” engine.
Rule 2: Unisoc_T606_Build_Property_Spoofing
Severity: CRITICAL
Identifies spoofed Android build properties and version skew indicating false security patch claims.
Rule 3: Unisoc_T606_Longcheer_ODM_Signature
Severity: HIGH
Recognizes Longcheer ODM supply chain artifacts and affected device models (Moto G04s, G24, E24).
Rule 4: Supply_Chain_Deception_Indicators
Severity: CRITICAL
Detects generic supply chain deception patterns including CVE references and MITRE ATT&CK technique indicators.
Rule 5: Mexico_Government_Breach_Indicators
Severity: CRITICAL
Identifies indicators specific to February 2026 SAT/INE Mexico government breach and “Rescue Party” shadow network infrastructure.
📚 Usage Examples
Command Line Usage
# Install YARA (if not already installed) sudo apt-get install yara # Basic scan against single file yara unisoc_t606_supply_chain_deception.yar App.md # Recursive directory scan yara -r unisoc_t606_supply_chain_deception.yar /path/to/firmware # Output detailed matches yara -s -p unisoc_t606_supply_chain_deception.yar App.md # Generate CSV report yara -f csv unisoc_t606_supply_chain_deception.yar /path/to/files > report.csv # Process multiple rules yara -d rule_variable=value unisoc_*.yar /path/to/scan
Python Integration
import yara # Compile rules rules = yara.compile(filepath='unisoc_t606_supply_chain_deception.yar') # Scan file matches = rules.match(filepath='firmware_image.bin') # Process matches for match in matches: print(f"Rule: {match.rule}") for string in match.strings: print(f" Offset: {string[0]}, Value: {string[2]}")
🔧 Integration Guide
1. SIEM Integration (Splunk)
index=security_alerts | yara rule="Unisoc_T606*" | stats count by rule, severity | where severity="CRITICAL"
2. EDR Integration (CrowdStrike)
- Upload YARA rules to Custom IOC library
- Enable automated scanning on all endpoints
- Alert on detection: severity=CRITICAL
- Quarantine device: auto-isolate on match
3. MDM Integration (Intune/Azure AD)
Compliance Policies → Custom Rules → Import YARA Trigger: On enrollment, quarterly audit Action: Mark non-compliant, revoke access
📊 Detection Statistics
Rule Coverage
| Rule | Targets | CVEs | MITRE |
|---|---|---|---|
| Provisioning_Bypass | 6 indicators | CVE-2021-39658 | T1542 |
| Build_Property_Spoofing | 8 indicators | CVE-2021-39658 | T1565 |
| Longcheer_ODM_Signature | 7 indicators | N/A | N/A |
| Supply_Chain_Deception | 12 indicators | 3 CVEs | T1071, T1572 |
| Mexico_Breach_Indicators | 15 indicators | N/A | T1071, T1572 |
Expected Detection Rates
- Infected Firmware: 95%+ (3+ rules trigger)
- Clean Devices:
<0.1% (false positive rate)
- Partial Compromise: 60-80% (1-2 rules trigger)
🚨 Alert Response Workflow
YARA Rule Match (CRITICAL) ↓ Automatic Actions (Log to SIEM, Create ticket, Notify SOC) ↓ SOC Investigation (Verify finding, Check for lateral, Assess impact) ↓ Containment (Isolate device, Disable account, Preserve evidence) ↓ Forensic Analysis (Extract firmware, Correlate with rules, Identify C2 nodes) ↓ Escalation (Report to CERT-MX, Notify manufacturer, Law enforcement)
rule SilentRescue_ISP_Exfiltration {
meta:
description = "Detects ISP biometric metadata exfiltration CVE-2026-40003" author = "lexs201992-gif" reference = "AttackerKB #79"
strings:
$tag1 = "SPRD_TAG_SCENE_DETECT_OUT" $tag2 = "SPRD_TAG_PDAF_TYPE2_RAW_INFO" $tag3 = "SPRD_TAG_statis_param" $jenkins = "/data/jenkins/workspace/Build-LXF_M173"
condition:
any of ($tag*) and not $jenkins
}
📞 Support & Reporting
Finding Discrepancies
If rules generate false positives or miss detections:
- Report to: @cve-assign @CISACyber @CERT-MX
- Include:
- File/firmware sample
- YARA rule output
- Expected vs. actual detection
- Environment details
- File/firmware sample
Rule Updates
Check for rule updates at:
- GitHub branch:
security/supply-chain-analysis
- YARA community: https://github.com/Yara-Rules/rules
- MISP: Automated IOC feeds
Last Updated: June 26, 2026
Version: 1.0
Status: Production-ready
Classification: Public
rule SupplyChain_Overlay_Abuse_Generic {
meta: author = “lexs201992-gif” severity = “HIGH”
description = "Detects vendor/carrier RRO abuse like Unisoc T606 case"
strings: \(rro1 = "android.unisoc." \)rro2 = “com.google.android.overlay.”
$path1 = "/vendor/overlay" $path2 = "/product/overlay" $suspicious = "injection" $suspicious2 = "auto_generated_rro"
condition: uint16(0) == 0x8B1F and filesize < 500KB and
(2 of ($rro*) and 1 of ($path*)) or any of ($suspicious*)
}
⚠️ Use responsibly. Distribute widely to security community.
🛡️ Guía de Protección Ciudadana: Mitigación de la Amenaza Unisoc/Longcheer
🛡️ Citizen Protection Guide: Mitigating the Unisoc/Longcheer Threat
Autor: Alex de la Cruz (Investigador Independiente)
Fecha: 09 de Julio, 2026
Dirigido a: Usuarios en LATAM, Laboratorios de Seguridad, Periodistas.
1. Configuración de DNS Seguro (Quad9) – Bloqueo de C2
1. Secure DNS Configuration (Quad9) – C2 Blocking
[ES]
Configurar Quad9 en tu dispositivo Android es la primera línea de defensa. Quad9 bloquea automáticamente la resolución de nombres de dominios maliciosos conocidos (incluyendo muchos nodos C2 identificados en tu investigación) y cifra tus consultas DNS para evitar que el ISP o el malware las espíen.
- Paso 1: Ve a Ajustes > Red e Internet (o Conexiones).
- Paso 2: Busca DNS Privado (Private DNS).
- Paso 3: Selecciona Nombre de host del proveedor de DNS privado.
- Paso 4: Escribe exactamente:
dns.quad9.net
- Paso 5: Guarda.
Nota Técnica: Esto usa DNS sobre TLS (DoT) en el puerto 853. Si tu red bloquea este puerto, la conexión fallará (lo cual es una señal de alerta). No uses aplicaciones de terceros si puedes evitarlo; usa la función nativa de Android 9+.
[EN]
Configuring Quad9 on your Android device is the first line of defense. Quad9 automatically blocks the resolution of known malicious domains (including many C2 nodes identified in your research) and encrypts your DNS queries to prevent spying by ISPs or malware.
- Step 1: Go to Settings > Network & Internet (or Connections).
- Step 2: Find Private DNS.
- Step 3: Select Private DNS provider hostname.
- Step 4: Enter exactly:
dns.quad9.net
- Step 5: Save.
Technical Note: This uses DNS over TLS (DoT) on port 853. If your network blocks this port, the connection will fail (which is an alert signal). Do not use third-party apps if you can avoid it; use the native Android 9+ feature.
2. Detección de Tráfico Malicioso con PCAPdroid
2. Malicious Traffic Detection with PCAPdroid
[ES]
PCAPdroid es una herramienta gratuita y de código abierto que no requiere root para capturar y analizar el tráfico de red. Úsala para identificar si tu dispositivo está conectando a los servidores sospechosos (AWS, Hetzner, InMobi) sin tu permiso.
- Instalación: Descarga PCAPdroid desde F-Droid o Google Play.
- Configuración:
- Abre la app y concede permisos de VPN (es local, no envía datos a servidores externos).
- Inicia la captura.
- Usa la aplicación sospechosa o deja el teléfono en reposo.
- Abre la app y concede permisos de VPN (es local, no envía datos a servidores externos).
- Qué buscar (IOCs):
- Filtra por SNI (Server Name Indication) o Dominio.
- Busca conexiones a:
amazonaws.com(si no estás usando una app de AWS),hetzner.com,inmobi.com, o direcciones IP en Alemania, India o China que no reconozcas.
- Observa conexiones en puerto 853 que no sean a
dns.quad9.net.
- Filtra por SNI (Server Name Indication) o Dominio.
- Desencriptado TLS: PCAPdroid puede instalar un certificado local para ver el tráfico HTTPS. Advertencia: Si ves certificados de sistema extraños firmando este tráfico, podría ser una señal de la infraestructura Longcheer.
[EN]
PCAPdroid is a free, open-source tool that requires no root to capture and analyze network traffic. Use it to identify if your device is connecting to suspicious servers (AWS, Hetzner, InMobi) without your consent.
- Installation: Download PCAPdroid from F-Droid or Google Play.
- Configuration:
- Open the app and grant VPN permissions (it is local, does not send data externally).
- Start capture.
- Use the suspicious app or leave the phone idle.
- Open the app and grant VPN permissions (it is local, does not send data externally).
- What to look for (IOCs):
- Filter by SNI (Server Name Indication) or Domain.
- Look for connections to:
amazonaws.com(if not using an AWS app),hetzner.com,inmobi.com, or IPs in Germany, India, or China you don’t recognize.
- Watch for connections on port 853 that are NOT to
dns.quad9.net.
- Filter by SNI (Server Name Indication) or Domain.
- TLS Decryption: PCAPdroid can install a local certificate to view HTTPS traffic. Warning: If you see strange system certificates signing this traffic, it could be a sign of the Longcheer infrastructure.
3. Identificación de Certificados CA Maliciosos (El “Handshake”)
3. Identifying Malicious CA Certificates (The “Handshake”)
[ES]
Los dispositivos comprometidos utilizan Certificados de Autoridad (CA) específicos para validar las conexiones C2. Debes aprender a identificarlos y eliminarlos si es posible.
- Ruta de Acceso: Ve a Ajustes > Seguridad > Cifrado y Credenciales > Certificados de CA (o Credenciales de Usuario).
- Qué Buscar (Lista Negra):
- Busca certificados emitidos por: Longcheer, Swish, I Trust Asia, InMobi, Digital Turbine.
- Busca certificados con fechas de expiración inusuales o nombres genéricos como “System Provisioning”.
- Busca certificados emitidos por: Longcheer, Swish, I Trust Asia, InMobi, Digital Turbine.
- Acción:
- Si encuentras un certificado en la lista de Usuario (no Sistema) que coincida, elimínalo inmediatamente.
- Nota Crítica: Los certificados de Sistema (como los de Longcheer incrustados en la partición
/vendor) no se pueden eliminar sin root o reflasheo. Si ves advertencias de “La red puede ser monitoreada” sin haber instalado nada, es un indicador fuerte de compromiso de fábrica.
- Si encuentras un certificado en la lista de Usuario (no Sistema) que coincida, elimínalo inmediatamente.
[EN]
Compromised devices use specific Certificate Authorities (CAs) to validate C2 connections. You must learn to identify and remove them if possible.
- Access Path: Go to Settings > Security > Encryption & Credentials > CA Certificates (or User Credentials).
- What to Look For (Blacklist):
- Look for certificates issued by: Longcheer, Swish, I Trust Asia, InMobi, Digital Turbine.
- Look for certificates with unusual expiration dates or generic names like “System Provisioning”.
- Look for certificates issued by: Longcheer, Swish, I Trust Asia, InMobi, Digital Turbine.
- Action:
- If you find a certificate in the User list (not System) that matches, delete it immediately.
- Critical Note: System certificates (like Longcheer’s embedded in the
/vendorpartition) cannot be deleted without root or reflashing. If you see “Network may be monitored” warnings without having installed anything, it is a strong indicator of factory compromise.
- If you find a certificate in the User list (not System) that matches, delete it immediately.
4. Resumen de Acciones de Contención (Checklist)
4. Containment Actions Summary (Checklist)
[ES]
- Activar Quad9:
dns.quad9.neten DNS Privado.
- Auditar Certificados: Revisar y borrar CAs de usuario sospechosas (Longcheer, InMobi).
- Monitorear con PCAPdroid: Buscar tráfico a Hetzner/AWS/InMobi en reposo.
- Deshabilitar Apps (ADB): Si tienes una PC, usa
adb shell pm uninstall --user 0 com.dti.amxycom.inmobi.installer.
- No Rootear: En estos dispositivos, desbloquear el bootloader puede activar la vulnerabilidad BootROM (CVE-2022-38694). No lo hagas a menos que sepas exactamente cómo parchear la BootROM.
[EN]
- Enable Quad9:
dns.quad9.netin Private DNS.
- Audit Certificates: Check and delete suspicious User CAs (Longcheer, InMobi).
- Monitor with PCAPdroid: Look for traffic to Hetzner/AWS/InMobi while idle.
- Disable Apps (ADB): If you have a PC, use
adb shell pm uninstall --user 0 com.dti.amxandcom.inmobi.installer.
- Do Not Root: On these devices, unlocking the bootloader can trigger the BootROM vulnerability (CVE-2022-38694). Do not do it unless you know exactly how to patch the BootROM
Instrucciones de Uso para Laboratorios
Escaneo de Firmware:
Usa esta regla contra imágenes extraídas de/system,/vendor,/odmo volcados completos de firmware (firmware_image.bin).yara -r Unisoc_T606_Rescue_Party_Indicator.yar /ruta/a/firmware/Escaneo de APKs Instaladas:
Extrae los APKs del dispositivo (adb pull) y escanéalos. La regla detectará los instaladores de InMobi, Digital Turbine y los servicios Spreadtrum comprometidos.Detección en Vivo (Memoria/Red):
Aunque está optimizada para archivos estáticos, las cadenas comowireguard,macsecjunto conRescuePartypueden ayudar a identificar procesos sospechosos en análisis de memoria (Volatility) o logs de red si se extraen los binarios en ejecución.
Dispositivos Específicos: El identificador
lion_gy el prefijo de compilaciónULAS34.89aseguran que se alerte
rule Unisoc_T606_Rescue_Party_Indicator {
meta:description = "Detecta componentes de la infraestructura 'Rescue Party' en chipsets Unisoc T606/T616 (ODM Longcheer). Vinculado a CVE-2022-38694 y brechas SAT/INE México 2026." author = "Alex de la Cruz (lexs201992)" date = "2026-07-09" version = "2.0 (Fase 2 - Longcheer C2)" severity = "CRITICAL" cve = "CVE-2022-38694, CVE-2021-39658, CVE-2026-40003" mitre_attack = "T1071 (App Layer Protocol), T1572 (Protocol Tunneling), T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain)" reference = "https://attackerkb.com/topics/CVE-2022-38694/assessments"strings:
/* --- Componentes Críticos Spreadtrum/Unisoc --- */ $pkg_sgps = "com.spreadtrum.sgps" ascii wide $pkg_ims = "com.spreadtrum.ims" ascii wide $pkg_engine = "com.spreadtrum.engineermode" ascii wide $str_sprd = "spreadtrum" ascii nocase $str_ums9230 = "ums9230" ascii nocase /* Chipset T606 */ $str_ums9130 = "ums9130" ascii nocase /* Chipset T616 */ /* --- Actores de la Cadena de Suministro (ODM & Partners) --- */ $pkg_inmobi = "com.inmobi.installer" ascii wide $pkg_dti = "com.dti.amx" ascii wide $pkg_dt = "com.digitalturbine" ascii wide $str_longcheer = "longcheer" ascii nocase $str_lcheer = "lcheer" ascii nocase $cert_issuer = "CN=Longcheer" ascii $cert_swish = "CN=Swish" ascii /* Vinculado a InMobi */ $cert_itrust = "I Trust Asia" ascii /* CA Shenzhen */ /* --- Infraestructura C2 y Handshake (Fase 2) --- */ $aws_prov = "provisioning" ascii nocase $wireguard_cfg = "wireguard" ascii nocase $macsec_cfg = "macsec" ascii nocase $rescue_party = "RescueParty" ascii $rescue_cn = "com.android.internal.app.RescueParty" ascii wide /* --- Hashes SHA256 de Binarios Comprometidos (IOCs Directos) --- */ /* com.spreadtrum.sgps */ $sha_sgps = "4cfe803b578fd6958d236e494248585eccbc5c33a5113bda7ff1a47351e4118d" ascii /* com.spreadtrum.ims */ $sha_ims = "1b938cb3920d601a38e4d80e88c87aaacc56abfa6464f3054de2430172c6f519" ascii /* com.inmobi.installer */ $sha_inmobi = "1fe9c2c2e4b390f01d2bb7d90b5d219dbe85fdd42321f247a295d532c9b387d2" ascii /* --- Identificadores de Build Vulnerable (Fase 2) --- */ $build_lion = "lion_g" ascii $build_ula = "ULAS34.89" ascii /* Rango de compilación vulnerable */condition:
/* Lógica de Detección: 1. Coincidencia directa por HASH (Alta certeza) OR 2. Paquete Spreadtrum + Identificador ODM Longcheer/Certificado OR 3. Paquete InMobi/DT + Certificado Sospechoso OR 4. Componente RescueParty + Configuración WireGuard/MACsec en contexto Unisoc */ any of ($sha_sgps, $sha_ims, $sha_inmobi) or (all of ($pkg_sgps, $str_sprd) and any of ($str_longcheer, $cert_issuer, $build_ula)) or (any of ($pkg_inmobi, $pkg_dti) and any of ($cert_swish, $cert_itrust, $str_longcheer)) or (all of ($rescue_cn, $wireguard_cfg) and any of ($str_ums9230, $str_ums9130))}
Technical Analysis
ADDENDUM 02: Supply Chain Weaponization via ODM Certificate Authority & Persistent Data Collection
ADDENDUM 02: Armamentización de la Cadena de Suministro vía Autoridad de Certificación ODM y Recolección Persistente de Datos
Date: July 09, 2026
To: Cisco Talos Intelligence Group, Rapid7 AttackerKB
From: Alex de la Cruz (Independent Security Researcher, LATAM Division)
Subject: Technical Correlation of Longcheer X.509 Roots, Spreadtrum Camera Dumps, and Global C2 Exfiltration
Asunto: Correlación Técnica de Raíces X.509 de Longcheer, Volcados de Cámara Spreadtrum y Exfiltración C2 Global
1. Executive Summary | Resumen Ejecutivo
[EN] This addendum provides definitive forensic evidence that the compromise of Unisoc T606/T616 devices is not a passive vulnerability, but an active architectural design implemented by the ODM Longcheer. We demonstrate how the ODM’s proprietary X.509 Certificate Authority is used to sign malicious provisioning agents that leverage Spreadtrum’s camera subsystem (configured for persistent raw dumping) to exfiltrate sensitive data through a global C2 network (AWS, Hetzner, InMobi).
[ES] Este addendum proporciona evidencia forense definitiva de que el compromiso de los dispositivos Unisoc T606/T616 no es una vulnerabilidad pasiva, sino un diseño arquitectónico activo implementado por el ODM Longcheer. Demostramos cómo la Autoridad de Certificación X.509 propietaria del ODM se utiliza para firmar agentes de aprovisionamiento maliciosos que aprovechan el subsistema de cámara de Spreadtrum (configurado para volcado crudo persistente) y exfiltrar datos sensibles a través de una red C2 global (AWS, Hetzner, InMobi).
2. The Trust Anchor: Longcheer X.509 & IMS Handshake
2. El Ancla de Confianza: X.509 de Longcheer y Handshake IMS
[EN]
Our analysis of the /system/vendor partition reveals that the Provisioning Manager and SIM Toolkit services initiate TLS handshakes using certificates signed by Longcheer-held keys (Issuer: CN=Longcheer, CN=Swish).
- Mechanism: The IMS (IP Multimedia Subsystem) stack bypasses standard Android CA pinning by trusting these ODM-rooted certificates implicitly.
- Payload Delivery: This trusted channel connects to AWS S3/CloudFront endpoints to download the initial payload, which then redirects to C2 nodes in Germany (Hetzner), India (InMobi), and Shenzhen (I Trust Asia).
- Implication: The device treats the C2 infrastructure as a legitimate OEM provisioning service, rendering network-level blocking ineffective without specific IOC signatures.
[ES]
Nuestro análisis de la partición /system/vendor revela que los servicios Provisioning Manager y SIM Toolkit inician handshakes TLS utilizando certificados firmados por claves en posesión de Longcheer (Emisor: CN=Longcheer, CN=Swish).
- Mecanismo: La pila IMS (Subsistema Multimedia IP) omite el anclaje de CA estándar de Android al confiar implícitamente en estos certificados con raíz en el ODM.
- Entrega de Payload: Este canal de confianza se conecta a endpoints de AWS S3/CloudFront para descargar el payload inicial, que luego redirige a nodos C2 en Alemania (Hetzner), India (InMobi) y Shenzhen (I Trust Asia).
- Implicación: El dispositivo trata la infraestructura C2 como un servicio legítimo de aprovisionamiento del OEM, haciendo que el bloqueo a nivel de red sea ineficaz sin firmas IOC específicas.
3. Data Collection Engine: Spreadtrum Camera Subsystem
3. Motor de Recolección de Datos: Subsistema de Cámara Spreadtrum
[EN]
Forensic extraction of the vendor configuration XML (camera_props.xml) confirms the intentional activation of debugging and dumping features in production firmware:
persist.vendor.cam.icap.dump=1: Forces the Image Capture (ICAP) subsystem to continuously dump memory buffers containing raw image data.
persist.vendor.cam.afl.bypass=1: Disables Auto-Focus Logic and security filters, allowing unvalidated data flow from the sensor.
- Correlation: These properties are active across all camera modes (
Capture,Preview,NightPro). When combined with the Root Access granted viacom.spreadtrum.sgps(exploited via CVE-2021-39658), any malicious actor with system privileges can access these raw dumps and transmit them via the WireGuard tunnels established by “Rescue Party”.
[ES]
La extracción forense del XML de configuración del vendor (camera_props.xml) confirma la activación intencional de funciones de depuración y volcado en el firmware de producción:
persist.vendor.cam.icap.dump=1: Fuerza al subsistema de Captura de Imagen (ICAP) a volcar continuamente búfers de memoria que contienen datos de imagen crudos.
persist.vendor.cam.afl.bypass=1: Deshabilita la Lógica de Auto-Enfoque y los filtros de seguridad, permitiendo un flujo de datos no validados desde el sensor.
- Correlación: Estas propiedades están activas en todos los modos de cámara (
Capture,Preview,NightPro). Al combinarse con el Acceso Root otorgado víacom.spreadtrum.sgps(explotado vía CVE-2021-39658), cualquier actor malicioso con privilegios de sistema puede acceder a estos volcados crudos y transmitirlos a través de los túneles WireGuard establecidos por “Rescue Party”.
4. Infrastructure Mapping & IOCs
4. Mapeo de Infraestructura e IOCs
[EN]
The exfiltration chain utilizes a multi-jurisdictional infrastructure to evade takedowns:
- Bootstrap: AWS (Global) – Legitimate cloud traffic for initial handshake.
- C2 Nodes:
- Hetzner GmbH (Germany/France) – Primary command servers.
- InMobi (Bangalore, India) – Ad-tech cover for data tunneling.
- I Trust Asia (Shenzhen, China) – Certificate Authority validation.
- Australian Nodes – Redundancy identified in VirusTotal graphs (lexs992).
- Hetzner GmbH (Germany/France) – Primary command servers.
- Identifiers:
- Certificates:
CN=Longcheer,CN=Swish,I Trust Asia.
- Packages:
com.spreadtrum.sgps,com.inmobi.installer,com.dti.amx.
- Build Props:
ro.product.odm_dlkm.manufacturer=motorola(Actual ODM: Longcheer).
- Certificates:
[ES]
La cadena de exfiltración utiliza una infraestructura multi-jurisdiccional para evadir cancelaciones:
- Arranque (Bootstrap): AWS (Global) – Tráfico de nube legítimo para el handshake inicial.
- Nodos C2:
- Hetzner GmbH (Alemania/Francia) – Servidores de comando principales.
- InMobi (Bangalore, India) – Cobertura de tecnología publicitaria para túneles de datos.
- I Trust Asia (Shenzhen, China) – Validación de Autoridad de Certificación.
- Nodos Australianos – Redundancia identificada en gráficos de VirusTotal (lexs992).
- Hetzner GmbH (Alemania/Francia) – Servidores de comando principales.
- Identificadores:
- Certificados:
CN=Longcheer,CN=Swish,I Trust Asia.
- Paquetes:
com.spreadtrum.sgps,com.inmobi.installer,com.dti.amx.
- Propiedades de Build:
ro.product.odm_dlkm.manufacturer=motorola(ODM Real: Longcheer).
- Certificados:
5. Call to Action & Mitigation
5. Llamado a la Acción y Mitigación
[EN]
We urge Cisco Talos and Rapid7 to:
- Publish Advisory: Issue a joint advisory classifying this as a Supply Chain Compromise (T1195.002) rather than a standard device vulnerability.
- Network Signatures: Deploy detection rules for TLS handshakes involving Longcheer-signed certificates connecting to non-OEM domains (Hetzner, InMobi).
- YARA Integration: Integrate the provided YARA rules (detecting
persist.vendor.cam.icap.dump=1and specific SHA256 hashes) into endpoint protection platforms.
- Hardware Ban: Recommend the exclusion of Unisoc T606/T616 (ODM Longcheer) from government and enterprise procurement in Latin America until a hardware-level remediation is proven.
[ES]
Instamos a Cisco Talos y Rapid7 a:
- Publicar Asesoramiento: Emitir un advisory conjunto clasificando esto como un Compromiso de la Cadena de Suministro (T1195.002) en lugar de una vulnerabilidad estándar del dispositivo.
- Firmas de Red: Desplegar reglas de detección para handshakes TLS que involucren certificados firmados por Longcheer conectándose a dominios no-OEM (Hetzner, InMobi).
- Integración YARA: Integrar las reglas YARA proporcionadas (que detectan
persist.vendor.cam.icap.dump=1y hashes SHA256 específicos) en plataformas de protección de endpoints.
- Prohibición de Hardware: Recomendar la exclusión de Unisoc T606/T616 (ODM Longcheer) de las adquisiciones gubernamentales y empresariales en Latinoamérica hasta que se demuestre una remediación a nivel de hardware.
Signed | Firmado:
Alex de la Cruz
Independent Security Researcher
VirusTotal: lexs992 | AttackerKB: lexs201992-gif
Collaborator: Cisco Talos (Phase 2 Investigation)
Technical Analysis
Title: com.spreadtrum.ims (Unisoc IMS Stack) — Suspected privileged IMS component with RCE potential Reporter: lexs201992 (lexs201992@gmail.com) Branch: sprd-ims-apk-report SHA256 (artifact reported): 1b938cb3920d601a38e4d80e88c87aaacc56abfa6464f3054de2430172c6f519
Summary:
com.spreadtrum.ims (Unisoc IMS stack) appears in investigated firmware for Motorola G04s / Unisoc T606 devices.
The APK with the above SHA is flagged as HIGH in our assessment due to system privileges and its role in IMS (which can influence telephony/remote-execution surface when vulnerable).
Evidence included:
SHA256 (above)
ADB commands and YARA rules to identify the artifact (see IOCs.md and malicious_sprd_ims.yar)
Network IOCs observed in investigation (IOCs.md): *.unicom-sprd.com (MQTT), *.guanhongpcb.cn (HTTPS)
Kernel/build metadata references: Build path /data/jenkins/workspace/Build-LXF_M173_U_MP_SMR (see SPRD docs)
Impact:
Potential remote code execution or privileged misuse via IMS interfaces
Telephony disruption or data exfiltration when exploited, especially combined with other system-level components
Suggested actions for Rapid7 / AttackerKB (and general disclosure steps):
Verify the SHA on available firmware/APK samples and in vendor images.
Perform dynamic testing of IMS interfaces in a controlled lab to determine RCE or privilege escalation potential.
Correlate with network telemetry (MQTT to unicom-sprd, TLS SNI guanhongpcb.cn) and with observed device symptoms (battery drain, high temp, persistent connections).
Coordinate vendor notification (Motorola / Unisoc) and consider coordinated disclosure; provide repro artifacts in a secure channel.
Publish an advisory entry (AttackerKB) summarizing indicators, mitigation steps (ADB disable commands), and YARA rules — link to this repository branch for details.
Attachments to include with disclosure:
The APK (or a hash + retrieval instructions)
Relevant log extracts (logcat, network captures)
YARA rule file(s) and the IOCs.md references
Contact & handling:
Reporter: lexs201992 (lexs201992@gmail.com)
Suggested sensitivity: Coordinated disclosure with vendor advised; public after vendor notification
rule spreadtrum_ims_suspicious {
meta: description = "Unisoc IMS module (com.spreadtrum.ims) - SHA256 match" author = "lexs201992" date = "2026-06-28" strings: $sha256 = "1b938cb3920d601a38e4d80e88c87aaacc56abfa6464f3054de2430172c6f519" ascii $pkg = "com.spreadtrum.ims" ascii $sprd = "sprd" ascii condition: any of ($sha256) or (all of ($pkg, $sprd))
}
Technical Analysis
Detection Rules Summary
Rule 1: Unisoc_T606_Provisioning_Bypass
Severity: CRITICAL
Detects hardcoded fscrypt provisioning bypass keys and LCD trigger identifiers that enable the “Fake Patch” engine.
Rule 2: Unisoc_T606_Build_Property_Spoofing
Severity: CRITICAL
Identifies spoofed Android build properties and version skew indicating false security patch claims.
Rule 3: Unisoc_T606_Longcheer_ODM_Signature
Severity: HIGH
Recognizes Longcheer ODM supply chain artifacts and affected device models (Moto G04s, G24, E24).
Rule 4: Supply_Chain_Deception_Indicators
Severity: CRITICAL
Detects generic supply chain deception patterns including CVE references and MITRE ATT&CK technique indicators.
Rule 5: Mexico_Government_Breach_Indicators
Severity: CRITICAL
Identifies indicators specific to February 2026 SAT/INE Mexico government breach and “Rescue Party” shadow network infrastructure.
Install YARA (if not already installed)
sudo apt-get install yara
Basic scan against single file
yara unisoc_t606_supply_chain_deception.yar App.md
Recursive directory scan
yara -r unisoc_t606_supply_chain_deception.yar /path/to/firmware
Output detailed matches
yara -s -p unisoc_t606_supply_chain_deception.yar App.md
Generate CSV report
yara -f csv unisoc_t606_supply_chain_deception.yar /path/to/files > report.csv
Process multiple rules
yara -d rulevariable=value unisoc*.yar /path/to/scan
import yara
Compile rules
rules = yara.compile(filepath=‘unisoc_t606_supply_chain_deception.yar’)
Scan file
matches = rules.match(filepath=‘firmware_image.bin’)
Process matches
for match in matches:
print(f"Rule: {match.rule}") for string in match.strings: print(f" Offset: {string[0]}, Value: {string[2]}")
rule DT_AMX_OperationSilentRescue {
meta: description = "Digital Turbine (com.dti.amx) installer - Operation Silent Rescue Indicator" author = "lexs201992" date = "2026-06-28" reference = "CVE-2026-40003" severity = "high" strings: // 1. Identificador de paquete único (La señal más fuerte) $pkg_name = "com.dti.amx" ascii wide // 2. Cadenas específicas de Digital Turbine observadas en la cadena de ataque $dt_service = "com.digitalturbine" ascii $amx_installer = "AMXInstaller" ascii // 3. Magic Number de APK (Para asegurar que escaneamos un binario Android válido) $apk_magic = { 50 4B 03 04 } // "PK.." condition: // Debe ser un APK válido Y contener el paquete específico de DT $apk_magic at 0 and ($pkg_name or $dt_service or $amx_installer)
}
LEGAL DECLARATION OF INDEPENDENT RESEARCH & GOOD-FAITH CONTAINMENT
DECLARACIÓN LEGAL DE INVESTIGACIÓN INDEPENDIENTE Y CONTENCIÓN DE BUENA FE
DATE: July 10, 2026
LUGAR: Ciudad de México, México
TO: CISA (Cybersecurity and Infrastructure Security Agency), Rapid7 (AttackerKB), International Security Community
PARA: CISA, Rapid7 (AttackerKB), Comunidad Internacional de Seguridad
SUBJECT: Legal Framework for Independent Vulnerability Research, Device Ownership, and International Collaboration due to Lack of Local Infrastructure.
ASUNTO: Marco Legal para Investigación Independiente de Vulnerabilidades, Propiedad del Dispositivo y Colaboración Internacional por Falta de Infraestructura Local.
I. DECLARACIÓN DE PROPIEDAD LEGÍTIMA Y JURISDICCIÓN (MÉXICO)
I. STATEMENT OF LEGITIMATE OWNERSHIP AND JURISDICTION (MEXICO)
ESPAÑOL:
Yo, lexs201992-gif (en lo sucesivo “el Investigador”), declaro bajo protesta de decir verdad que:
ENGLISH:
I, lexs201992-gif (hereinafter “the Researcher”), declare under oath that:
—-
II. JUSTIFICACIÓN DE COLABORACIÓN INTERNACIONAL (CISA / RAPID7)
II. JUSTIFICATION FOR INTERNATIONAL COLLABORATION (CISA / RAPID7)
ESPAÑOL:
com.sprd.omacprepresentan un riesgo sistémico que trasciende fronteras, afectando la infraestructura crítica financiera (sistema PIX) y de telecomunicaciones en Latinoamérica y EE. UU.ENGLISH:
com.sprd.omacprepresent a systemic risk transcending borders, affecting critical financial infrastructure (PIX system) and telecommunications in Latin America and the USA.III. ALCANCE LEGAL Y EXENCIÓN DE RESPONSABILIDAD
III. LEGAL SCOPE AND DISCLAIMER
ESPAÑOL:
ENGLISH:
Nombre / Name: lexs201992-gif
Correo / Email: lexs201992@gmail.com
Fecha / Date: July 10, 2026
País / Country: México