Tele birr is an innovative mobile money solution for Ethio telecom customers. The solution allows customers to store, send, receive, transfer and spend money through an electronic account using their mobile phone.
This blog post was inspired by a discussion with LeykunBerhan Woldesenbet about the security of Ethiopian digital assets, held as part of the tertir/ጠርጥር infosec community.
Opinions expressed are solely my own [Seid] and do not express the views or opinions of my employer.
The following open source static analysis security assessment tools were used for this quick analysis:
- VirusTotal
- MobSF
- ImmuniWeb
Similar to LeykunBerhan, I did my initial analysis using VirusTotal, a great tool for quickly checking submitted files against the known-malware signatures of many vendors.
VirusTotal
The initial result shows Telebirr flagged/scored as malicious as of the assessment date (13 January 2022): 5 vendors out of 62 flagged it as suspicious.
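A raw "5 of 62" figure says little on its own; what matters is which signature families the flags belong to, which is the triage the observations below perform by hand. The script that follows is an added example, not part of the original post and not VirusTotal's own code. It assumes the shape of a VirusTotal v3 file report (`last_analysis_stats` and `last_analysis_results` under `data.attributes`); the report, vendor names and signature strings embedded in it are constructed for illustration and are not real scan output.

```python
"""Offline triage of a VirusTotal v3 style file report.

Added example: splits vendor flags into packer/PUA verdicts, heuristic
verdicts and named-malware verdicts so a reviewer can see how much of the
detection ratio rests on a packer signature rather than confirmed malware.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of a VirusTotal v3 /files/{hash} response.
# Vendor names and signature strings are placeholders, not real results.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"harmless": 0, "malicious": 2, "suspicious": 3,
                                "undetected": 57, "timeout": 0},
        "last_analysis_results": {
            "VendorA": {"category": "suspicious", "result": "Android/Packed.Jiagu.D"},
            "VendorB": {"category": "malicious", "result": "Txt.Malware.Agent-123"},
            "VendorC": {"category": "suspicious",
                        "result": "Riskware/PackagingUntrustworthyJiagu!Android"},
            "VendorD": {"category": "suspicious", "result": "Heur.Permission.ReadContacts"},
            "VendorE": {"category": "malicious", "result": "Trojan.AndroidOS.Generic"},
            "VendorF": {"category": "undetected", "result": None},
        },
    }},
}

# Signature families that normally mean "packed" or "potentially unwanted",
# not confirmed malware (the kind of flags discussed in the observations).
PACKER_RE = re.compile(r"jiagu|packed|packer|riskware|\bpua\b|unwanted", re.I)
# Generic or heuristic verdicts (permission-based, "Generic", "Heur") carry
# less confidence than a specific, named family.
HEURISTIC_RE = re.compile(r"heur|generic|permission|suspicious", re.I)


def detection_ratio(report):
    """Return (flagged, total) the way the VT summary counts engines."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return flagged, total


def classify_flags(report):
    """Bucket every malicious/suspicious verdict by signature family."""
    buckets = defaultdict(list)
    results = report["data"]["attributes"]["last_analysis_results"]
    for vendor, entry in sorted(results.items()):
        if entry.get("category") not in ("malicious", "suspicious"):
            continue
        sig = entry.get("result") or ""
        if PACKER_RE.search(sig):
            bucket = "packer_or_pua"
        elif HEURISTIC_RE.search(sig):
            bucket = "heuristic"
        else:
            bucket = "named_malware"
        buckets[bucket].append((vendor, sig))
    return dict(buckets)


def triage(report):
    """Summary a reviewer can act on: ratio, per-bucket counts, and the
    vendors whose named-malware verdicts still need manual confirmation."""
    flagged, total = detection_ratio(report)
    buckets = classify_flags(report)
    return {
        "ratio": f"{flagged}/{total}",
        "counts": {k: len(v) for k, v in buckets.items()},
        "needs_manual_review": [v for v, _ in buckets.get("named_malware", [])],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

The buckets are deliberately coarse: a named-malware verdict still needs checking against the vendor's write-up (as the observations do for Txt.Malware.Agent-*), but a ratio dominated by packer and heuristic flags is a different conversation from one dominated by specific families.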
MobSF
Mobile Security Framework (MobSF), an all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment tool, was used to identify potential endpoints and permission misconfigurations by analysing the source code or binary without executing the application.
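The permission part of that static check amounts to reading `AndroidManifest.xml` and sorting each `uses-permission` by its protection level, then asking whether the app's features explain the sensitive ones. The script below is an added example, not MobSF's code and not from the original post. The manifest is a constructed excerpt (not Telebirr's), the `DANGEROUS` and `SPECIAL` sets are a subset of the permissions Android documents as runtime and special permissions, and the `FEATURE_PERMS` mapping is a hypothetical feature list used only to show the "is this permission justified" step.

```python
"""Classify declared Android permissions from a manifest (added example).

The point mirrors the observation below: a dangerous permission is a
runtime prompt the user controls, not evidence of malice; what a reviewer
wants is the list of sensitive permissions no stated feature accounts for.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest excerpt; package name and permissions are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>
"""

# Subset of Android's runtime ("dangerous") permissions: granted by the user
# through a prompt when the feature is first used.
DANGEROUS = {
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "CAMERA", "RECORD_AUDIO", "READ_PHONE_STATE", "CALL_PHONE",
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
}
# Special permissions: granted via a Settings screen, not a runtime prompt.
SPECIAL = {"SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES"}

# Hypothetical feature-to-permission map (an assumption for this example).
FEATURE_PERMS = {
    "contact_pay": {"READ_CONTACTS"},
    "qr_scan": {"CAMERA"},
    "export_statement": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "otp_autofill": {"RECEIVE_SMS", "READ_SMS"},
}


def declared_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name.rsplit(".", 1)[-1])
    return names


def classify_permissions(manifest_xml):
    """Split declared permissions into normal / dangerous / special."""
    report = {"normal": [], "dangerous": [], "special": []}
    for p in declared_permissions(manifest_xml):
        if p in DANGEROUS:
            report["dangerous"].append(p)
        elif p in SPECIAL:
            report["special"].append(p)
        else:
            report["normal"].append(p)
    return report


def needs_justification(manifest_xml, expected_features):
    """Sensitive permissions that the app's stated features do not explain."""
    explained = set().union(*(FEATURE_PERMS.get(f, set()) for f in expected_features))
    cls = classify_permissions(manifest_xml)
    return sorted(p for p in cls["dangerous"] + cls["special"] if p not in explained)


if __name__ == "__main__":
    print(classify_permissions(SAMPLE_MANIFEST))
    print(needs_justification(SAMPLE_MANIFEST, ["contact_pay", "qr_scan", "export_statement"]))
```

The useful output is the last list: with the constructed feature set, `READ_SMS` and `SYSTEM_ALERT_WINDOW` are the two that a code review would have to account for, while contacts, storage and camera access are explained by ordinary wallet features.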
ImmuniWeb
The ImmuniWeb scanner was used to identify security flaws and weaknesses that may affect the application, and the reputation of the domains associated with it.
Scope
This assessment is based on static analysis of the Android APK file only.
MobSF and other tools such as the Burp Suite intercepting proxy, used with rooted/jailbroken or emulated devices, can test the application dynamically at runtime, but no part of this analysis covers that.
Observations
- Some anti-virus vendors take Android permission checks (READ_EXTERNAL_STORAGE, READ_CONTACTS, etc.) into consideration when flagging applications as suspicious, which I don't think should be the case. When an Android app needs access to sensitive resources on the device, the developers use the permissions model. While permissions can be dangerous, since they allow applications to access sensitive data or resources, they are also essential for many features of a regular application. One can understand that Telebirr requires Android permissions for extra flexibility and user experience; these settings allow apps to use various features on your phone, such as your contacts list. (In any case, Android lets you control your app permissions upon installation, and users can allow or deny permissions once they start using them.)
- One other vendor flagged Telebirr as malicious due to a Txt.Malware.Agent-* signature. However, this vendor's false-positive rate seems to have increased a lot lately, and based on my research I suspect this is another false positive, since other known-clean files (e.g. the OpenLayers library in phpMyAdmin) have been flagged with this particular signature as if they were infected.
- Another vendor flagged it as Riskware due to PackagingUntrustworthyJiagu!Android. They call it riskware because it is a potentially unwanted application that is not classified as malware, and the vendor is constantly updating its description for it. I can see some tools used in FCKeditor being flagged by this vendor, so I will consider this a false positive as well. https://wfurltest.fortiguard.com/encyclopedia/mobile/10034690
- Some vendors also consider it risky because the Android/Packed.Jiagu.D packer is used. In my quick research I can see a lot of Android apps using Jiagu and other packers to protect their code. Some anti-virus products flag Jiagu as malicious because it is a packer, and both malicious and clean apps can be packed with it.
- The static mobile application security test revealed the remote hosts to which the app may send or receive data, mainly domains associated with dcloud[.]net[.]cn, whose reputation and SSL certificate are not great either. However, I do suspect that Telebirr is using a development-service infrastructure (dcloud[.]io and related subdomains) for its backend, which may be intended behaviour.
Conclusion
Ethiopia is undergoing an unprecedented acceleration of its digital transformation agenda, propelled by new regulatory changes. I agree that Telebirr and similar FinTech startups should carry out intensive and regular code review, threat modelling and dynamic application security audits to ensure that the identified/flagged packers and some of the remote domain endpoints (*.cn) are safe and free from potential risks that may lead to user privacy and security concerns.