Hello and welcome. Today we are going to be taking an Android APK, Android app package, and we're going to be dissecting it. We're going to be taking it apart, looking at how it works a little bit and just determining what I think of it, which in this particular case, I'm going to label it malicious software or malware. And hopefully I'll explain why. Now my definition of malicious software may be different than yours. The actual application we're going to be looking at today is actually the application or the app for the church I go to. And they've been pulling this thing for years and it is, it's, it's malicious software. Now I want to be very, very clear. I'm not saying the church is making malicious software. I'm saying they hired a company that is making malicious software. And hopefully I'll be able to explain to you why I think that it's malicious software. And of course you can always determine things yourself. But at the very least, if you don't consider it malicious software, it's poorly written software and it's definitely spying on you. So let's go ahead. Oh, we're going to look at their APK, their app and then one that I made and their website. So let's go ahead and just have a look at this. On the left, my desktop computer, which is hooked to the phone, which is on the right, through USB. On my desktop computer, I have the packages. I have them both installed. CPCC APK is the app I made, which is basically just displaying their website. And then the center point Naples APK is the one that was created by this third party company that the church has entrusted. Before we even jump into those, let's have a look at the church's website first on my desktop. This is what it looks like. Okay. And now let's look at what it looks like on mobile. We'll just go ahead and click here and this is it. And you know what? Their website works fairly good on mobile. I'll give it a B plus.
It is a thousand times better than the website they had 10 years ago, which was horrific, broken and confusing. We have a side menu here. We can close that. We can click on stuff. It all goes through. Now let me make it very clear. This should be their application, their website. Just it has all the information there. Well, most of the information there. And that's, that's the key to this, which I'll get into in a little bit. And it works great on mobile. So all people have to do is go to this website, click here on their web browser and say add to home screen. They can name it. They do have a favicon, but they obviously didn't set it up right because it's not giving the proper favicon here, but I can click add and add automatically. And that will add it to the desktop here. And then I can click on it and it will open it up. Now it's opening it up with this, with the toolbars at the top and the bottom, like you're in the regular browser. The website, with a few lines of HTML, can change that. For example, here's a link on my website for a video game I made. It's where you can get the stuff. And if I was to right click or click on this menu and click add to home screen, you can see it grabs the proper icon, gives it the name, which they can modify. I click add, add. And then when I go to the home screen here, here it is. And when I click on that, it actually loads like an application. Besides the fact that it has the browser icon on the desktop, on the icon, you would know that this wasn't a native app. And if your website is designed well, that's all you need. And as far as it having the Brave icon there, depending on your launcher or your home screen, you can remove that. But I also get people like installing apps for some reason. So what did I do right? So I think the one on the left is the one I made. And the one on the right is the app from the actual church. So if I click on this, I can open it and you can see, yes, this is mine.
And it's their website, but it's packaged as an application. And it does everything the website does. It's fully functional. I can go to here and I can click on this. Click on the little home button there and everything just works, right? So that's all you need to do. And what's the difference between my app and their app? Let's go ahead and quickly look at their app, which I want to be very, very clear. It is just grabbing information from a website, right? So it's grabbing all these images, as you'll see in a little bit, from a website. And when I'm clicking on some of them, they're actually just loading web pages. But what is the difference? Well, let's look over here. Let's look at the app size. So if I list out the files in here, you can see I have their app and my app. Theirs is 71 megabytes, mine is 103 kilobytes. Theirs is over 700 times the size of my application, 700 times bigger. Now, if I was to go into the applications, let's see if I can get to it like this. I can hold this down. No, it doesn't have to. Oh, actually, if I hold it down, there's different ways to get here. Here, that information, once it's installed, it's 71 megabytes before it's installed. Once it's installed, look at this. It's using 159 megabytes. OK, the app size is 85, and it's using 57 on top of that. And then caching some. Let's go now to my application. We'll go app info. And we will look here at the size, storage. My app, again, is 110 kilobytes. The user data is 168, and it's got some cache, so 10 megabytes. Still a fraction, less than one-tenth the size of what they're caching. And that's because I've opened it, and it's loaded up images from the website so that next time it will load faster, right? Also, let's be aware of this. So my application. Well, let's go back to their application just to see if I go to their application, their app info and look at permissions.
I've granted none, but it wants permissions for the calendar, the camera, your contacts, your location, your notifications, your photos and videos. It wants all those, and I don't have it up here. But if you go to the app store, it tells you that they're going to be sharing your private information with third parties. So not only is this thing over 700 to 800 times the size it needs to be, which makes you question why, which we'll look at a little bit, but also why is it doing all these things? Well, it tells you on their website, they're going to be collecting your information and sharing it. Let's go back to my application here, which, again, is just a wrapper for the website, and we'll go to permissions and permissions. It has none, but the only thing it might ask for is notifications. I must have put that in there when I created it. I'm not sure if that's a default thing, because I don't remember adding that to my manifest file, but it's not asking for your camera, your location, access to your files, because it's just loading the website in a wrapper. OK, so now let's go ahead and look a little bit more at this. Why am I doing this now? The church has had this app for years and they keep pushing it. And it is malware. Again, it tells you right on the website, it's collecting your data. It wants permissions and it's huge. Now, I've ignored it so recently, but if I come in here, the one thing most 90 percent of the stuff in this app, you can access on their website. So again, making the app useless, except for recently, my daughter has moved up into middle school and she's involved in the middle school youth group. And to sign her up for certain events, they want you to sign up in the app. And that's one thing I can't find on their website. Now, my first thought is, oh, maybe because this is the youth, they don't want it on their website. They want it hidden, but anybody can download this app. You don't need any permissions downloaded. 
You don't need, you know, an account and you come in here and you can access all the youth events and also the design is kind of weird because I click youth events and you think they're going to load here, but you actually have to click again on here. And all this stuff, the images and the links are all being pulled from a website anyway, which we'll look at again momentarily. But I need to do this to register my daughter for stuff. Now, they fix something because last week and I tried it on two different devices. I came in here to register my daughter for this beach day, which is actually where she's at right now while I'm recording this. And when I clicked register, nothing was opening. But you can see it loaded it up in a web browser here. So this is up on a web page. It doesn't even load it in the app. OK, so it's not like it's not using a website. This is a website, as we'll see in a moment. And it's loading the website separately, which is just weird why they would do that. So the design is awkward. It's bulky, full of stuff. Let's go ahead and actually pull it apart using apktool d and the name of their app. And what that's going to do is it's going to not decompile, but it's going to basically unzip the package so we can look at more of how it works. But a lot of it is proprietary software. It's going to be binary blobs, which adds to a lot of the size. And these are binary files that you don't know what they're doing. And you can see how large it is, how long it's taking for it to decompress all that. And now if we move into this directory, you can see the files they have. And you would think, oh, again, maybe the size is because they have a lot of images, but they're loading almost all the images from a website. So it's not in the package. Let me go ahead and just du -h will list the files. And you can see when I unpack it, unzip it, it's 191 megabytes.
Although I don't know if the decompiler tool or decompression tool might add some extra information in there. But let's go ahead and just grep. And I'm going to say grep for things with numbers and the number M. So we'll get things in megabytes. We'll get rid of all the small files here and let's go ahead. And you can see right here, 57 megabytes is this lib directory. Now you'll see that there's four sub directories in there and they're for different architectures, which allows it to run on different devices. So if you have a desktop Android device that's running in x86, it has libraries for that. It also has x86 64-bit, which is most desktop machines. And then it also has, for different mobile devices, ARM. Now this is good that they have these here because it allows it to run on more devices. But that stuff really isn't necessary for what they're doing. And so it's just bloat. You can also look. Let's go ahead and just go less so we can scroll through this and I'm going to go down. And you can see here, a bulk of this is just Android libraries and Facebook stuff and maps and measurement tools. I'm assuming that that might be, you know, collecting. Well, obviously it's all collecting data. So not only is this company splash screen or whatever their company's name is collecting your data, it's all going through Google and Facebook as well. They have these libraries in here, which are not needed for the actual application, so they're just collecting information is what they're doing. And I'm thinking maybe this third party company doesn't even know what they're doing. They load up just these default libraries that aren't needed for that because they just load up everything again, because they're poor designers. So yeah, now I also want to go back and mention when I went to register the other day, remember, I couldn't get it to load and I thought, oh, OK, wait, if I come back here to the home screen, click here, there's a register option.
Sign in, login or sign up. Well, I thought, OK, maybe I need to register with the church so that then I can register for events. No, if you sign up here, you're actually signing up with that third party company. They might pass the information along to the church, but they're actually collecting that data and creating an account for that company. So they're collecting more of your data and that didn't fix their registration problem. Also, clicking on the Bible here, it does bring up Bible verses, which, again, can be done in a website. It's promoting third party apps. I'm not familiar with this app. Again, proprietary software, there's open source Bible applications out there. It's just overall it's bloatware. It's got again, bloatware. It's got more stuff than it needs. It's collecting your information and wants permissions it doesn't need. And in the past, I've talked about how I think permissions on the phones are stupid, but at the same time, that's because I only install applications I trust. I don't trust this and not only do I not trust this, it wants to collect information that it shouldn't. It's suggesting third party applications. It's just horrible, horrible, horrible software. Again, coming here, clicking on my website, my link, look, it just opens up. It's just the website. So now you only have one interface to worry about. You don't have to have two different interfaces. If I go to this on my desktop, it's basically the same interface just spread out on a larger screen because it is the same. It's just squeezing down to size. Now let's look at a little bit more. So I could scrape through here and I can try to find more information in these files and I could probably pick apart things now that the APK has been decompressed. But again, a lot of this might be binary files. So one of the things you can do when examining software like this to see what it's doing is monitor what that application is doing. So let me just move back out of here.
Oh, also, let me apktool d my application like this. It should go a lot faster because it's a fraction of the size. There we go. And if we come in here, I can list out stuff and you can see actually I want to do du -h to list the size of all files. Again, even uncompressed, it's just over a quarter of a megabyte. And you can see I don't have all those unneeded libraries that are just bloat, that have nothing to do with the application other than being there and sniffing your data, basically. OK, going back out, what is their application doing? How do I know it's grabbing information from a website other than it's obvious that's how this application is working? What we can do is with ADB enabled, meaning I can connect to the phone through a USB cable, I can run the command on the phone. logcat, I've gone over this in the past. It's going to, if I just do that, it's just going to start spitting out a bunch of information every time I do something on the phone or the phone does something in the background. It's logging that information to the screen over here. OK, it's a lot of information. So what I'm going to do is I'm going to use a program called grep. Grep is going to allow me to filter. It's going to do a word search for certain application for certain things. So what I'm going to do is I know that that app is looking for websites. So I could do grep, look for HTTP, because web links are going to start with HTTP, right? So I'll do that. It's going to load up some stuff that's already loaded recently into the log. But then when I click on their app, you can see it loads a bunch of stuff. And I can click on one of these and open it up in a web browser. See, that's this image here. So it's grabbing these images from a website. So they're not in the app. The app is grabbing them from the website. So and then if I click events over here, it's going to do the same thing. You can see images, images, images, if we can look for ones
that don't say image, because, let's see, right here. There we go. It's loading up some JSON here, which we can also grab. JSON is just a way to format different pieces of information. So we can actually filter out some of this information, make it a little bit easier to read. But look at this last one right here. If I was to click this and open up a website, it's some JSON, which gives me information. And then I can take that. I can look at some of the HTML links in here or HTTP links in here. Web links, click on that. Here's some more JSON. So basically it's loading up all the events and then it's loading up each individual event when you click on one of those. And then here I click on this and I open it and look at this. This is what's in the app. And again, open in a web browser. So again, I do not need the app because I can just look if I click on this, this and this, this and this. Same thing. So again, the app is completely unnecessary. All it is is loading stuff from a website, yet it's still huge. But to clear things up a little bit, we can clean this up. So what I could do because there's live permission for I'm just looking for web links. What I can do is I can, there's different ways you can do this. I'm going to say sed and what I'm going to do is say look for all lines that have HTTP in it and change it to new line HTTP. And then from there, I'm going to say, OK, only give me the first thing in that link. I'm going to use awk. So now we're getting into a little bit of programming, but it's just to show you how things work. And then from there, I'm going to grep just for HTTP. So now when I do this, it is just going to be grabbing URLs. So it makes it a little bit clearer when I click on something like this, right away, I can see the links that it's loading and it gets rid of less information. Now, again, I can take that information. So if I go back to like this, right? So I said, this is JSON. This is like formatted information. I can use a command.
Let's go ahead and make this full screen. I'm going to say, OK, wget basically is like a web browser for text in the shell here. Right. I'm going to say, OK, give me all that information. What do I do? I got to say dash there. That is the same information as this here. But from there, I can put it into programs like this, which format it a little bit nicer. I can then grep for URLs and it gives me URLs. Well, I've actually done that. So now that I've picked this apart, not only do I understand how it works better and I see what it's doing, I know it's just loading websites. Now, anytime I need to sign my daughter up for an event, I wrote a little script here. I'll show you the script real quick. It's called center point youth events. And I got to type in my password to access that script. OK, so it's grabbing this URL and then it's doing what we just did there. And then it's going to give me a way where I can filter out things in the list and then open them. So not a very long script, just a couple of lines, right? So but now I can say center point community church event youth events. And when I do that, it's going to go to that website. Again, don't need the app anymore. It lists the name of the event on here on the left. It gives the URL and then the date and time of the event over here. So for example, my daughter right now is at the middle school beach day. And so I can just click on that and it's going to open it up in the web browser. And I can now register her right in the website without having to use the app at all. So now that I've taken it apart, I understand it better and I can use it more effectively. So there was a lot of things I wanted to go over. Hopefully I went over all of them. I don't work with scripts. So I'm just going through my head. So I may have been all over the place.
But as you can see, just based on what that app says it's going to collect and then looking at how it works and looking at the size of it, we can determine that it's doing a lot more than just displaying information. It's collecting information and doing who knows what else, because it's proprietary, which right off the bat, in my opinion, if it's proprietary software, it's malicious because it's preventing you from seeing what it's doing. There's no way to really know. We've picked it apart a little bit and someone really skilled might be able to pick it apart more and see exactly what the application is doing. But if it's a binary blob, which we saw there were a lot of those in their libraries, not just made by that company, but third parties like Facebook and Google that are just going to be collecting your information and bulking up this application to a size that's unnecessarily seven to eight hundred times the size it needs to be, because again, all it's doing is grabbing information from websites and then either generating an interface based on the information it grabs or just displaying a web page, in which case it is complete bulk and bloat. OK. Yeah. So I hope you learned something. And again, this is a demonstration. I've gone over a lot of these tools in the past. apktool to unpackage APKs and you can look through the files in there and sometimes see a little bit more of what they're doing. But if it has binary blobs, you can use logcat and simple commands to search through that information to narrow it down. And not only do you learn more about what the applications on your phone are doing, you can completely avoid those applications as I've shown. And I did it in the shell. You can easily make your own web interface that grabs that information too. And then you can make your own wrapper in your own application that works better than theirs and takes up literally a point of a fraction of the size of that application that you know what it's doing.
It's still going to their website and any information you enter in there will be logged. But just viewing the stuff, they're going to be getting minimal information from you. So I hope you learned something. I hope you enjoyed this video. I hope you keep on watching. If you have any questions on any of the tools or commands I ran, go ahead and search on my website, filmsbykris.com. That's Kris with a K. There's a link in the description. And there you can, you know, search the information and find, again, videos I've done on all these tools. And I know that loading, showing this application showed some information like email addresses and phone numbers for people at the church. But this is all public information because it's in the app that's in the Google Play Store and the Apple Store, whatever they call their store and just on random web pages. So I don't consider it private information. So I'm not worried about blurring that stuff up or blurring it out or sharing it. But yeah, again. I'm not blaming the church for trying to be malicious. I am blaming them for being naive enough to trust these third party companies. Their website, again, is probably made by a third party company, too. At least with the HTML and JavaScript, you can look through the web page code better and block things with your browser better than you can an app. And it's a good enough website that they don't need two interfaces. They could just wrap their website as a package and put it in the app stores for people who want the app instead of just linking to it on their website, on their home screen. So I thank you for watching filmsbykris.com. That's Kris with a K. There's a link in the description. As always, I hope that you have a great day.
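
The logcat filtering walked through in the video (grep for HTTP, sed to put a line break before each link, awk for the first field, grep again for HTTP), written out as an added shell example that is not the presenter's own script. The log lines and the example.org / example.net hosts are constructed placeholders, and the function names and the per-host count, which goes one step beyond the video, are assumptions of this example.

```shell
#!/bin/sh
# Added example: pull the URLs an app requests out of logcat text.

# Constructed sample in logcat's default layout (date time PID TID level tag: msg).
sample_log() {
cat <<'EOF'
06-14 10:02:11.120  4321  4388 D OkHttp  : --> GET https://api.example.org/v1/events.json
06-14 10:02:11.480  4321  4388 D ImageLoader: loading "https://cdn.example.org/img/beach-day.jpg" into view
06-14 10:02:12.001  4321  4401 I Analytics: POST https://metrics.example.net/collect?sid=abc, queued
06-14 10:02:12.950  1200  1300 W WifiService: scan complete, no http traffic
06-14 10:02:13.300  4321  4388 D OkHttp  : --> GET https://api.example.org/v1/events/42.json
06-14 10:02:13.900  4321  4388 D ImageLoader: loading "https://cdn.example.org/img/beach-day.jpg" into view
EOF
}

# Read log text on stdin, print one URL per line (duplicates kept, log order).
extract_urls() {
    # 1. keep only lines that mention http at all
    # 2. break the line just before every http:// or https://
    # 3. keep the first whitespace-delimited field of each resulting line
    # 4. drop fields that are not URLs (timestamps, or "http" used as a plain word)
    # 5. trim quotes and punctuation the log message wrapped around the URL
    grep -i 'http' |
    sed 's|https\{0,1\}://|\
&|g' |
    awk '{ print $1 }' |
    grep -E '^https?://' |
    sed 's/[",;)]*$//'
}

# Distinct URLs, sorted.
unique_urls() {
    extract_urls | LC_ALL=C sort -u
}

# Requests per host, busiest first: shows which servers the app talks to,
# including any that do not belong to the site whose content it displays.
host_counts() {
    extract_urls |
    awk -F/ '{ n[$3]++ } END { for (h in n) print n[h], h }' |
    LC_ALL=C sort -k1,1nr -k2
}

echo "Distinct URLs:"
sample_log | unique_urls
echo "Requests per host:"
sample_log | host_counts
```

Against a phone connected over USB with ADB enabled, the same functions can read a one-shot log dump instead of the sample: adb logcat -d | host_counts.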