#16 | Connoisseur | Posts: 87 | Karma: 527 | Join Date: Sep 2019 | Device: Max3
Quote:
I have decompiled some Onyx system APKs and they include a lot of references to companies like Tencent, among others, that are very unnecessary. As far as exactly what these libraries are doing, I haven't looked into that.
#17 | Zealot | Posts: 122 | Karma: 43580 | Join Date: Apr 2016 | Device: KPW3, Kobo Clara HD, Onyx Boox Nova 2
When playing around with onyxsdk, I decompiled it and took a look around. Other than the Tencent one, everything else was alright. The Tencent stuff seems to be the WeChat SDK. How problematic it is for non-Chinese people I have no idea. I took a look at the obfuscated parts and there didn't seem to be anything malicious, but that doesn't mean there isn't.
#18 | Junior Member | Posts: 5 | Karma: 10 | Join Date: Dec 2020 | Device: none
#19 | Weirdo | Posts: 836 | Karma: 11003000 | Join Date: Nov 2019 | Location: Wuppertal, Germany | Device: Kobo Sage, Kobo Libra 2, Boox Note Air 2+
#20 | Enthusiast | Posts: 31 | Karma: 10 | Join Date: Mar 2018 | Device: Boox Note 10.3; Various Kindles in past
Do you consider the iPad Pro better in this regard compared to Onyx Boox? What if I create a dummy Gmail account and install apps? I am mainly interested in reading PDFs and will not use the fingerprint reader either.
#21 | Wizard | Posts: 1,419 | Karma: 6513838 | Join Date: Mar 2016 | Device: More than I need, but not as many as I would like.
Personally, I wouldn't lose too much sleep over the matter. If you're using it primarily to read, there's really not much need to connect it to the internet. Updates to firmware and apps can be installed manually. If you are never connected to the internet, apart from the initial setup, there is no need to worry. My Onyx devices are seldom connected to the internet, not that I'm all that worried anyway.
#22 | Member | Posts: 20 | Karma: 10 | Join Date: May 2020 | Device: Samsung s5e
Receiving some funky queries from my Boox device:
https://i.imgur.com/Kmqw3os.png

I was talking to an LLM and it suggested that it is this, and likely malware: https://en.wikipedia.org/wiki/Domain...tion_algorithm

Last edited by macallik; 11-06-2024 at 03:45 PM.
#23 | Onyx-maniac | Posts: 3,924 | Karma: 17500001 | Join Date: Feb 2012 | Device: Nook NST, Glow2, 3, 4, '21, Kobo Aura2, Poke3, Poke5, Go6
Can you trace this to a process? How are you getting this list?
#24 | Member | Posts: 20 | Karma: 10 | Join Date: May 2020 | Device: Samsung s5e
The screenshot is from AdGuard Home.

Then I used an LLM to walk me through digging deeper for the first time, and then analyzing the output. Here are the highlights.

Code:
    # snooping on the boox device and trying to visit a website
    # -w saves the raw packets to capture.pcap; only tcpdump's console output is redirected into output.txt
    tcpdump -i br-lan host 192.168.1.221 -w capture.pcap >> output.txt
    # copy the text file from the router to the local machine
    scp router:output.txt .

(After uploading the same file to ChatGPT without context, I think that the response below is a false positive on what is actually being shared, but that its prior identification of potential domain generation algorithms still seems probable.)

Quote:

Last edited by macallik; 11-06-2024 at 05:25 PM.
#25 | Member | Posts: 20 | Karma: 10 | Join Date: May 2020 | Device: Samsung s5e
I can DM you the output file if you'd like to investigate further. LLM analyses are not infallible, so it might be misinterpreting something. I don't recall seeing any attempts to phone the potential DGA domains, but I was admittedly more focused on following instructions instead of scanning the logs.

The only other quirk that comes to mind is that I sent my device in for a screen fix last month. It's possible that is when the malware exposure happened, if it's new, but that's just conjecture.

I ran Hypatia and it didn't find any malware. Is the assumption therefore that the malware runs at a system level instead of a scannable level, or is it too soon to tell?

For the time being, the LLM walked me through blocking outgoing traffic for the Boox, and I will eventually use it to figure out how to create a VLAN and isolate the device further, while still allowing it to sync with Syncthing.

Last edited by macallik; 11-06-2024 at 05:23 PM.
#26 | Member | Posts: 20 | Karma: 10 | Join Date: May 2020 | Device: Samsung s5e
OK, the LLM thinks I solved it, but I would like feedback.

Here is a better screenshot of the AGH logs. The area of interest occurs at 11:17:51. According to the LLM, the context/proximity to Google API calls insinuates that they may be launched in tandem:
https://i.imgur.com/DuHMfLF.png

Being generally privacy-conscious, I have TrackerControl enabled and cross-referenced its logs. One caveat is that the dates aren't shown, so I'm assuming that it's for 11/5 but cannot tell definitively. Relatively sure I didn't use the tablet yesterday morning, though. If I'm reading things right, push.boox.com conveniently launches at 11:17:51 as well:
https://i.imgur.com/TCUsWym.png

Edit: Then again, there are both IPv4 and IPv6 DGA domains, but only IPv4 push.boox.com...

Last edited by macallik; 11-06-2024 at 08:13 PM.
#27 | Evangelist | Posts: 458 | Karma: 3579113 | Join Date: Jul 2023 | Device: Scribe 2022, OA2, PRS-350
I'd check any apps for recent updates and validate any APKs that you've sideloaded. A bunch of DGA lookups is most likely third-party malware and not the Onyx firmware itself.
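The manual checks in the last few posts (spotting random-looking names in the AdGuard Home log, then seeing what else the tablet resolved at 11:17:51 and whether a name got both A and AAAA lookups) can be scripted. The Python below is an added example written for this thread; it is not code from any poster, from AdGuard Home or from Onyx. It assumes a log export in a simple `date time client qname qtype` format; the sample lines are constructed (push.boox.com and the Google API hosts are named in the thread, the random-looking domains are made up and are not the ones in the screenshots), and the scoring thresholds are illustrative assumptions, not a published standard.

```python
"""Flag DGA-looking names in a DNS query log and list what else resolved alongside them.
Added example for this thread; not code from any poster, from AdGuard Home or from Onyx."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the rough shape of an AdGuard Home query-log export:
# "<date> <time> <client> <qname> <qtype>". The random-looking labels are made-up
# stand-ins for the kind of name the poster saw, not the domains from the screenshots.
SAMPLE_LOG = """\
2024-11-05 11:17:49 192.168.1.221 www.googleapis.com A
2024-11-05 11:17:50 192.168.1.221 firebaseinstallations.googleapis.com A
2024-11-05 11:17:51 192.168.1.221 push.boox.com A
2024-11-05 11:17:51 192.168.1.221 xk7qz2p9rwvb.com A
2024-11-05 11:17:51 192.168.1.221 xk7qz2p9rwvb.com AAAA
2024-11-05 11:17:52 192.168.1.221 d4mfj8ctyq3h.net A
2024-11-05 11:17:52 192.168.1.221 d4mfj8ctyq3h.net AAAA
2024-11-05 11:42:10 192.168.1.221 syncthing.net A
2024-11-05 11:42:11 192.168.1.221 discovery.syncthing.net A
"""
LOG_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+)$")
VOWELS = set("aeiouy")  # 'y' counted as a vowel so names like 'syncthing' stay quiet

@dataclass(frozen=True)
class Query:
    ts: datetime
    client: str
    qname: str
    qtype: str

def parse_log(text):
    """Parse the constructed export format above into Query records."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        queries.append(Query(ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return queries

def core_label(qname):
    """Second-level label (naive: ignores multi-part public suffixes such as co.uk)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dga_features(qname):
    label = core_label(qname)
    letters = [c for c in label if c.isalpha()]
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        # longest stretch with no vowel at all (digits count as non-vowels)
        "longest_vowelless_run": max((len(r) for r in re.findall(r"[^aeiouy]+", label)), default=0),
    }

def is_dga_like(qname):
    """Heuristic: a long label that trips at least 3 of 4 randomness tests.
    Thresholds are assumptions chosen for this example."""
    f = dga_features(qname)
    if f["length"] < 8:
        return False
    hits = sum([f["entropy"] >= 3.3, f["vowel_ratio"] < 0.25,
                f["digit_ratio"] >= 0.2, f["longest_vowelless_run"] >= 5])
    return hits >= 3

def neighbours(queries, target, window=timedelta(seconds=2)):
    """Other names the same client resolved within +/- window of any lookup for target:
    the 'what else fired at 11:17:51' check from the thread, done mechanically."""
    hits = [q for q in queries if q.qname == target]
    return sorted({q.qname for q in queries if q.qname != target
                   and any(q.client == h.client and abs(q.ts - h.ts) <= window for h in hits)})

def analyse(log_text, window=timedelta(seconds=2)):
    """Return {flagged_qname: {features, qtypes, neighbours}} for DGA-looking names."""
    queries = parse_log(log_text)
    report = {}
    for qname in sorted({q.qname for q in queries}):
        if is_dga_like(qname):
            report[qname] = {"features": dga_features(qname),
                             "qtypes": sorted({q.qtype for q in queries if q.qname == qname}),
                             "neighbours": neighbours(queries, qname, window)}
    return report

if __name__ == "__main__":
    for name, info in analyse(SAMPLE_LOG).items():
        print(f"{name}: {info['qtypes']} entropy={info['features']['entropy']:.2f}")
        print("  resolved alongside:", ", ".join(info["neighbours"]))
```

Entropy and vowel heuristics flag CDN hashes and terse product names about as readily as real DGA output, so treat the score as a shortlist to look up, not a verdict. Likewise, two lookups landing in the same second is a timing hint, not proof that one process made both, which is the same doubt the thread raises about the IPv6 queries having no push.boox.com counterpart.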