Applinked is one of the apps/services that stepped in to fill the gap after the popular Filelinked tool was taken down by the Alliance for Creativity and Entertainment.
The software, which already has hundreds of thousands of users, acts as an unofficial free marketplace for mainly piracy-focused apps, none of which are allowed on Google’s Play Store for exactly that reason. Of course, there are many who would prefer not to have Google curating every piece of software with a rod of iron but in some situations, that can prove advantageous.
Early October the developer of Applinked, Inside4Android, announced that as of the 21st of that month, he would no longer own the code to the tool.
Veterans of the file-sharing world will recognize that these types of announcements are usually linked to just a handful of basic events. For example, developers can get tired of the workload or can’t spare the necessary resources. Oftentimes they’re quietly dreading some kind of legal action. In other cases, people step in and make an offer that’s too good to refuse.
In Applinked’s case, the developer said he simply couldn’t cope with the volume of work. That said, his announcement suggested that he also wanted to put some distance between himself and the app. This might be primarily viewed as him doing the right thing by his trusted users. After all, they came on board because of his reputation and if he isn’t going to be in charge anymore, things might change.
Things Did Change, But Not For Good
Last week we discovered that after apparently being transferred to its new owners, Applinked suddenly grew from a small ~4MB app to a weighty ~34MB mystery package, one that triggered more than 15 virus and malware alerts, some of them serious.
As we suggested at the time, this is rarely a sign of anything good from the user’s perspective so if the Applinked developer could publicly explain what had happened, that might help. After all, he previously claimed he would be working on the app for another six months after the handover so if anyone should know, he should.
That didn’t immediately happen but last week a new statement was posted on Twitter, one that didn’t clear anything up especially but did appear to acknowledge that things might not be going according to plan.
I want to make ONE thing very clear I have no control on what is happening to applinked… it was too much for me as a sole developer so I passed it on… I develop good applications and do not condone any sort of malware or viruses ..
— ✨✨ Inside 4ndroid ✨✨ (@Inside_4ndroid) November 9, 2021
Passing on projects isn’t unusual in the file-sharing world, especially when the alternative is for them to die. That would be a big deal according to the developer since hundreds of thousands of people are reportedly using the app. That said, apps with this type of following have considerable value when monetized. Nothing has been said about that in public but the original developer has admitted that an unnamed “company” took Applinked on.
Another Update, More Malware Warnings
Last week yet another Applinked update was pushed out. The new version still continues to throw up 15 or more malware warnings when scanned and has also grown further in size. The burning question, of course, is what all of this extra code is for and why it is suddenly needed. So, to clear this up once and for all, we asked several anti-virus vendors to carry out a detailed analysis.
While many vendors did not respond, cybersecurity company Group-IB said it would ask one of its cyber threat researchers to carry out an analysis. We supplied links to the old APK, the new one, and asked Group-IB to determine whether the latter acts maliciously given its massive increase in size and if so, exactly what it does.
While that task was being carried out, the developer gave an unexpected interview on YouTube. Would this shine more light on the situation?
The interview took place last Thursday on the Streaming Matters YouTube channel over the space of 55 minutes. In the main it provided some decent background on the app, the developer, and how Applinked became successful much too quickly, something that took a toll on the developer’s business and private life.
Around the 19 minute mark, Inside4Android revealed that a company made an approach and offered “take all of the problems away.” That proved attractive but since doing that, Inside4Android said he’d had “nothing but hassle” from people dissatisfied with the way things have gone.
The developer noted that this isn’t really fair, since when he was in charge he’d made no effort to monetize the app in any way, and from what we’ve seen at least, there is no reason to doubt that claim.
He went on to confirm that he’s now operating in a consulting role for the new owner, receiving code and giving it the thumbs up (or down), which suggests he is aware of what direction the app is going. So, at this point, all that remained was to explain all of the extra bloat in the app that appears to be causing the malware alerts. When that explanation came, it was pretty unusual, to say the least.
After the interviewer raised the issue of the massively increased file size, he didn’t wait for an answer. Instead, he immediately proceeded to paint his own hypothesis, seemingly out of nowhere, which against the odds was apparently 100% correct.
Interviewer: “Another flag for a lot of people was when they saw the size increase. It could be the images, does the new APK have a lot of thumb images and stuff like that? Because a lot of times applications grow if you add art or you add images in there.”
Inside4Android: “That’s 100% correct. It’s all about cache. You build up the cache by using an application because every image that it pulls….and loads into a thumbnail or whatever, it stores that so it’s quicker to load next time. That’s basically what it does.”
After hearing this, there was more than a little bit of concern that we’d asked a cyber threat expert to spend valuable time looking at a bunch of boring images. However, when the analysis was provided by Feixiang He, Group-IB Adversary Intelligence Research Lead at Group-IB, images weren’t the main reason for the size increase at all.
Group-IB Threat Analysis
“The major increase in the app’s size is caused by an additional Linux native code module ‘libfrpc.so’. This module contributes 56MB to the app’s [extracted] size in total,” Feixiang He revealed.
“It uses an open-source reverse proxy project frp (https://github.com/fatedier/frp), which is the main reason that the new version of the app triggers VirusTotal detections such as ‘RiskWare:Linux/Fatedier.76937499’ and ‘Riskware.Frp.B’.
According to the analysis, the ‘libfrpc’ module is used by a new app monetization feature dubbed ‘Linda’ which continuously sends some basic device information to the server domain ‘monetizeweb.io’. The Group-IB researcher says that the exact purpose for exporting this information is unclear but he became “a bit suspicious” from several perspectives.
“It is normal to see Android apps try to fingerprint mobile devices by sending some information to an advertisement server. But there is very little public information of Linda’s service or the domain,” he explained.
“It is strange to use a reverse proxy to connect to ads servers. A normal HTTP or HTTPS connection is enough for such a purpose. A reverse proxy could be used to breach through corporate firewalls from the side. It is very concerning.”
A JoeSandBox analysis of Applinked shows this and other serious threats in a visual format.
According to the sandbox analysis, the app checks to see if devices are rooted (checks for superuser.apk) and then requests root access. The app tries to access GPS location data and also seeks information from SIM cards. Further tests reveal that users’ IP addresses are sent to a third-party server.
Apps with hundreds of thousands of users are very valuable assets and are ripe to be monetized. No one should be surprised to learn that any app – especially those attractive to pirates – exist in many cases to make money. In this case, all the signs indicate that the developer didn’t originally set out with a commercial venture in mind but it appears that the new owners have different ideas.
Again, this is no surprise but the way this has been handled certainly is. If the earlier announcement would’ve at least acknowledged that monetization was the plan moving forward, most users wouldn’t have blinked or even cared. However, the red flags here on almost all fronts following the latest updates are too numerous to ignore and appear to go way beyond making a few dollars.