In this blog post, we show how the Emergency VPN can help identify RAT infections on Android phones. The images and network traffic included in this blog post are part of the original research by Civilsphere researcher Kamila Babayeva on the Android Mischief Dataset.
Use of Facebook UDP Priming Revealed in Unencrypted UDP Connection to port 33000
Early this year, we observed suspicious UDP connections to port 33000 on a mobile device. This traffic contained a Facebook URL that included a Facebook Graph token, and it was sent unencrypted over the network. In this blog post, we show details of this traffic, what information is leaked, and who is affected. We have reported this behavior to Facebook, who confirmed this traffic is part of Facebook’s normal behavior.