Jingwang Weishi

Jingwang Weishi is a content-control mobile app developed by Shanghai Landasoft Data Technology Inc. It is known for its use by the police in Xinjiang, China.

Function
In 2018, a research team of analysts conducted a thorough report on Jingwang Weishi.

When the application is first installed, it sends a request to the base server. The server responds with a JSON object containing a list of MD5 hashes, which the program stores in a local SQLite database.

The application records the "essential information", as the program's code calls it, of its device. Specifically, the essential information consists of the device's International Mobile Equipment Identity (IMEI) number, MAC address, manufacturer, model, phone number, and international mobile subscriber identity (IMSI) number.

Jingwang Weishi also performs file scans on the device. It looks for files with the extensions 3GP, AMR, AVI, WEBM, FLV, IVX, M4A, MP3, MP4, MPG, RMVB, RAM, WMA, WMV, TXT, HTML, CHM, PNG, and JPG. It then records specific metadata for each file, consisting of each file's name, path, size, MD5 hash, and the MD5 hash of the MD5 hash. After the scan, the program compares the files' MD5 hashes with the database of hashes it received from the base server. Any files that match are deemed "dangerous". The user is presented with a list of the "dangerous" files and is instructed to delete them. If the user taps on the bottom-right button, a screenshot of the list is saved in the device's image gallery, in the format yyyy-MM-dd_HH-mm-ss.jpg.

The application uploads device data by compressing two files named jbxx.txt and files.txt into a ZIP file named JWWS.zip. The jbxx.txt contains the device's "essential information". The files.txt contains the metadata of the "dangerous" files found on the user's device. If no files have been deemed "dangerous", files.txt will not be sent.

The analyst team did not find any backdoor features built into the application. However, it does request for permissions when installed that could be used maliciously in future updates. Among other permissions, it requests the ability to start itself as soon as the system has finished booting. This permission is not used by the application, as it only performs its functionality when it is in main view. However, future updates could allow it to start and begin scanning the user's device right after it has finished booting, unknown to the user.

The application updates itself by downloading newer APKs (Android app files) from another server. The application checks for newer versions every time it is loaded; it does so by comparing its current version with a version file located on the server. If a later version is found, the application will download it, open it, and prompt the user to install it. To download a new version of its APK, the application makes an HTTP request to the update server's URL using the syntax, which performs a download of the APK file.

The application also makes periodic requests to the base server to update its local database of MD5 hashes of "dangerous" files.

The application creates four files during its lifecycle:



Once these files are used, they are immediately deleted.

Data is transferred in plaintext and over insecure HTTP. As a result, the application has several vulnerabilities. Someone on the local network would see all communication between a user's phone and the server. Anyone performing a man-in-the-middle attack, intercepting traffic between the phone and the server and modifying it, can read sensitive user information or frame a user by reporting incorrect file metadata to the authorities. Since the APK file's validity is not verified when updating, a man-in-the-middle attacker could also supply any APK they wanted to the application, which the user would be asked to update to.

The base and update server are located at the domain http://bxaq.landaitap.com. This domain resolved to 47.93.5.238 in 2018, when the analysts wrote their report, and as of 2020, resolved to 117.190.83.69. Both IP address locations are in China. The update server is located at port 8081, while the base server is located at port 22222.

Mandatory use
Police in China have reportedly forced Uyghurs in Xinjiang to download the application as part of a mass surveillance campaign on the eve of the 19th National Congress of the Chinese Communist Party. They checked to ensure that individuals have it installed on their phones, and have arrested individuals who refused to do so.