When you click the product tab in http://ijinshan.com it redirects to the product list of @CheetahMobile, http://cn.cmcm.com/products.html . In the list you can see the "Jinshan battery doctor" app. ijinshan seems to be 2 different legal companies but the same people
@CheetahMobile Browser is listening to PACKAGE_ADDED, PACKAGE_REMOVED, PACKAGE_CHANGED and PACKAGE_REPLACED intents
pic.twitter.com/PS3KGOH0m5
They also listen to android.hardware.action.NEW_PICTURE...
pic.twitter.com/zU25x2zVok
Another receiver to PACKAGE_ADDED and PACKAGE_REMOVED
pic.twitter.com/ZchhvJmok6
The third receiver to PACKAGE_ADDED
pic.twitter.com/3ePEr0SYwN
I'll pause my investigation for today. Here is the summary for now:
* They lie in the description
* VT detected it as a Rog.RedtubeSex
* This Adblock browser loads their own ad
* They used multiple SDKs
* They listen to the apps movement (install,...)
Replying to @fs0c131y @CheetahMobile and
Two things: 1. Don't base your analysis on VT detection. 2. The ad thing is interesting to investigate. What's the deal with "packages added"?
Replying to @xpcmach2 @CheetahMobile and
Where did you see I based my analysis on VT? VT score is a good indication in the triage analysis phase.
Replying to @fs0c131y @CheetahMobile and
Regarding the package added listening, a "secure" browser is not supposed to listen to the apps you add/remove. In this case there are multiple listeners used by multiple SDKs
Finally, I did not finish the analysis, I will do it today and publish the code at the end.
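One way to repeat the receiver check from the thread on a decoded AndroidManifest.xml, as an added example that is not part of the original tweets or the author's code. The sample manifest, its package name and its receiver names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Broadcast actions named in the thread
WATCHED = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.PACKAGE_CHANGED",
    "android.intent.action.PACKAGE_REPLACED",
    "android.hardware.action.NEW_PICTURE",
}

# Constructed sample (decoded manifest text); all names are hypothetical
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.browser">
  <application>
    <receiver android:name="com.example.sdk_a.InstallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PhotoReceiver">
      <intent-filter>
        <action android:name="android.hardware.action.NEW_PICTURE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def watched_receivers(manifest_xml):
    """Map each receiver class to the watched actions it registers for."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(NAME, "")
        if name.startswith("."):  # relative class name: prefix the package
            name = package + name
        actions = {a.get(NAME) for a in receiver.iter("action")} & WATCHED
        if actions:
            findings[name] = sorted(actions)
    return findings
```

Grouping the result by class name prefix shows which SDK each listener belongs to, which is the point made in the thread about multiple listeners from multiple SDKs.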