universal-android-debloater

Bmax / Unisoc device

Open ghost opened this issue 3 years ago • 3 comments

Since Bmax is becoming increasingly popular I bought one of their tablets. Full GApps was preinstalled (which I immediately debloated), and as for custom apps I only saw a popup from their firmware updater.

In adb shell, though, I saw the following packages:

  • com.guanhong.guanhongpcb
  • com.incar.update
  • com.sprd.autoslt
  • com.sprd.cameracalibration
  • com.sprd.cameraipcontrol
  • com.sprd.engineermode
  • com.sprd.firewall
  • com.sprd.ImsConnectionManager
  • com.sprd.linkturbo
  • com.sprd.logmanager
  • com.sprd.omacp
  • com.sprd.overlay.sprdnote
  • com.sprd.powersavemodelauncher
  • com.sprd.providers.photos
  • com.sprd.systemupdate
  • com.sprd.uasetting
  • com.sprd.validationtools
  • com.spreadtrum.ims
  • com.spreadtrum.proxy.nfwlocation
  • com.spreadtrum.sgps
  • com.spreadtrum.vce
  • com.spreadtrum.vowifi
  • com.spreadtrum.vowifi.conf
  • com.unisoc.phone
  • com.unisoc.storageclearmanager

I'm not sure about com.sprd.* - com.sprd.firewall could be this Chinese app: https://github.com/wangjicong/Android-6.0-packages/blob/master/code/apps/CallFireWall/src/com/sprd/firewall/ui/BlackCallsListAddActivity.java

As for com.spreadtrum.* and com.unisoc.*, since the manufacturer is Unisoc, and Spreadtrum is Unisoc's former name, I assume they're some kind of system apps.

com.incar.update -> maybe the firmware updater?

no idea about com.guanhong.guanhongpcb

If anyone has more information about these packages feel free to share :)

ghost, Dec 08 '21 13:12

I disabled all packages listed above as user (disable-user) without issues, except for incar.update (seems legit?) and com.sprd.powersavemodelauncher (can't disable: "Shell cannot change component state for com.sprd.powersavemodelauncher")

Analysis:

com.guanhong.guanhongpcb (IncarPcbTest) includes a secret dialer code and has all sorts of permissions, including phone, camera, wifi, bt, gps, storage

com.incar.update (System Update) checks Build.FINGERPRINT, Build.SERIAL, SIM operator; domains: fota5p.adups.cn, fota5p.adups.com (firmware updates)

com.sprd.systemupdate (also called "System update"); domains: xmlpull.org, jabber.org, www.jivesoftware.com, etherx.jabber.org

com.sprd.autoslt (AutoSLT); permissions: phone, camera, gps, storage; domains: www.baidu.com

ghost, Dec 09 '21 08:12
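
Added example, not part of the thread or of the project's code: a small shell function that turns `pm list packages` output into a reviewable list of `pm disable-user` commands for the vendor prefixes named in this issue, leaving out the two packages the comment above did not disable. The function name, the `--user 0` argument (primary user) and the sample input are assumptions made for the example.

```shell
# Added example (not from the thread): build a reviewable plan of
# `pm disable-user` commands from `pm list packages` output.
# Vendor prefixes taken from the package list in the issue.
VENDOR_PREFIXES='com.sprd. com.spreadtrum. com.unisoc. com.guanhong. com.incar.'
# Left enabled in the comment above: the firmware updater, and the package
# for which the shell reported "cannot change component state".
SKIP='com.incar.update com.sprd.powersavemodelauncher'

# Reads "package:<name>" lines on stdin and prints one command per matching
# package. Nothing is executed; --user 0 (primary user) is an assumption.
plan_disable() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # adb output may carry CRs
        case "$line" in
            package:*) pkg=${line#package:} ;;
            *) continue ;;
        esac
        # Reject anything that is not a plain package name.
        case "$pkg" in
            ''|*[!A-Za-z0-9._]*) continue ;;
        esac
        match=no
        for p in $VENDOR_PREFIXES; do
            case "$pkg" in "$p"*) match=yes ;; esac
        done
        [ "$match" = yes ] || continue
        skip=no
        for s in $SKIP; do
            if [ "$pkg" = "$s" ]; then skip=yes; fi
        done
        if [ "$skip" = yes ]; then
            printf '# skipped: %s\n' "$pkg"
        else
            printf 'pm disable-user --user 0 %s\n' "$pkg"
        fi
    done
}

# Constructed sample of `adb shell pm list packages` output.
SAMPLE='package:com.android.settings
package:com.sprd.autoslt
package:com.incar.update
package:com.guanhong.guanhongpcb
package:com.sprd.powersavemodelauncher
package:com.unisoc.phone'

printf '%s\n' "$SAMPLE" | plan_disable
```

On a real device the input would come from `adb shell pm list packages`, and the printed plan is meant to be read before any line of it is run in `adb shell`.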

Later I'll create a PR for this issue.

AnonymousWP, Jan 12 '23 09:01

com.guanhong.guanhongpcb seems to make very suspicious connections in the background on my Blackview Oscal Tab device. Do you have any background on this package? I suspect it's not actually a pcb tester, but some kind of disguised malware.

DorianBenjamin, Sep 27 '23 14:09