SFT_5055W Chinese Malware

  • Question

  • Following updates to Windows 10 Mobile that installed overnight on the night of 1 November and 2 November, I reviewed all settings to see if anything new had been added and I found SFT_5055W listed in one of the privacy settings lists. I took a quick look at the app and found it suspicious and poked around further:

    1. It wasn't listed in the apps list (swiping to the left from the start screen). Red flag.
    2. It was listed in the Store, and published 1 November 2016 by Huizhou TCL Mobile Communications Co. Ltd. Red flag.
    3. Reviewing the app permissions showed several suspicious permissions beyond the normal permissions:
        • Access all phone lines
        • Use VoIP
        • oemPublicDirectory
        • Access Windows Phone ID data
        • Have control over Windows Phone
        • interopServices
        • Observe raw input being received by the system
        • Suppress raw input being received by the system
        • Scan and connect to WiFi networks

    The only way to uninstall the app was to go into the Storage Settings > Apps and Games, tap the app and uninstall it.

    I sent out a notice on Twitter to #InfoSec and to specific Microsoft Twitter accounts. While the app has been removed from the Store, I haven't had responses to queries on Twitter from Microsoft regarding:

    1. How did this get installed in the first place? Was it somehow included in the Update?
    2. How can we be guaranteed that this malware and malware like it are actually removed and aren't simply hiding from all interfaces that provide lists of apps?
    3. Was the app truly Chinese in origin? If so, was this perpetrated by the PLA?
    4. After it was installed, was it able to do anything in the hours before I discovered it?

    Here are some screen shots.

    Tuesday, November 15, 2016 6:11 PM

Answers

  • The best way would be to report this through the Store and ask Microsoft to remove it; they will also investigate this.

    Apps won't be installed automatically; maybe look into App history in the Store and you will find some clues there.

    • Marked as answer by DataWolf1965 Thursday, February 2, 2017 7:42 PM
    Friday, December 23, 2016 6:42 PM

All replies

  • Thanks for the answer. I don't know why I didn't get notified of it. I've already reported it via the Store, and now it's too late to look at it via App History. I made other inquiries via other Microsoft channels, but never got a response as to how something like that could get through not only the Store but also apparently download with an update.
    Thursday, February 2, 2017 7:42 PM
  • I just got a new Windows 10 phone less than a week ago, had the same app come up and knew as soon as I saw it that it was not right. I started researching it right then and your answer helped me the most, so thank you for that, but a few things I have realized: you cannot find this app in the app store, and there is one other with the same company name (sorry, no pic) that also gets put in. I removed both and also decided to reboot my phone, and it gets put in any time you reboot. I really wish Microsoft would get this fixed because it makes me really not trust my phone or putting any of my info in it.
    UPDATE - I decided to try something because I believed this app was coming preinstalled on the phone, and it is. I did one last reboot; when the phone came up I skipped all settings except language and time zone and did NOT connect to any Wi-Fi. After the phone came completely up, the first thing I did was go in and uninstall both apps (the other one from them is called dialer app). Then I turned on my Wi-Fi connection and did updates, and the two apps did not reinstall.
    • Edited by Angela76 Wednesday, February 28, 2018 12:57 PM
    Wednesday, February 28, 2018 11:11 AM