Sophos: China’s mobile security firm NetQin suspected of scamming users to encourage anti-virus purchases
March 2011 by Sophos
Following reports of an alleged collaboration between security company NetQin and app creator Feiliu, IT security and control firm Sophos has commented on the impact this may have on the reputation of the security industry. Reports claim that the Feiliu application uninstalls other AV products and makes the phone run slowly or causes it to crash in an attempt to drive NetQin purchases. When concerned users turn to NetQin, the market leader in mobile security in China, an infection is reported and the user is asked to pay 2 Yuan to remove the Feiliu app, which NetQin detects as malware, from the phone.
Chinese State TV, CCTV, revealed that Chinese phone dealers often install third-party applications during the process of firmware flashing, in return for payment. Firmware flashing is often used to hack a phone for an unintended region (for example, a US or UK phone hacked to be used in China).
In this case, the Feiliu app then attempts to download and upload data whenever an internet connection is available and calls home for verification every six hours to ensure it is running correctly. If the app is not running correctly, it restores and hides itself. Four processes have been confirmed to be downloaded by the Feiliu app, all without the knowledge or consent of the phone owner.
"On further investigation, it seems NetQin and Feiliu have a close relationship which could threaten to damage the reputation of both companies and the security sector as a whole," said Mark Harris, VP of SophosLabs. "We learnt from the CCTV video and transcript that staff from Feiliu admit that co-founders for NetQin and Feiliu worked on their PhDs together and NetQin had an investment of 495,000 Yuan in Feiliu, making NetQin the second largest shareholder. All this certainly seems to suggest that the two companies are plotting together rather strategically, at the cost of the mobile phone users affected. What’s more, their actions threaten to cast aspersions on the security industry as a whole."