Carrier IQ - I'm developing an app to kill it...

[anon(335536)]

Hey all - I imagine some of you have read about the Carrier IQ process that runs on many phones (including Sprint phones) that appears to have the capacity to log what we do (keystrokes, http requests, SMS messages, etc). If you have not heard about this, it is all over the web. Just go to cnn.com. At any rate, I have been looking around our phones and carrier IQ is in fact loaded and running. While I have no way to figure out what it is doing, it is obviously doing something. My research thus fas has shown that while it is impossible for us to remove it entirely (since there are no custom ROMs with custom kernels for this phone), there is at least one process that we are capable of killing ***if your phone is rooted***.

I'm just letting you all know that I have developed an app that is capable of detecting one of the carrier IQ processes and killing it (that Carrier IQ process is restarted once you reboot the phone - I will improve the app to deal with that later). I have loaded and run the app on my replenish, and it works as desired, with no ill effects.

My eventual plan is to release this app to the market, however if there is anyone here who is interested in a sneak peek, and willing to beta test, that would be great. Just PM me or reply back here. If there is interest, I will post the APK here. The app is still being developed (i.e. I need to create an icon and better UI) however it does work and is easy to use.

Any questions - just ask.

 

[someguy01234]

I don't have this phone, but thank you on behalf of the community to work on this. Luckily I have the Samsung Galaxy SII which has kernel and rom with Carrier IQ free. It seems that Google's Nexus devices don't have Carrier IQ either. I am careful on the phone I'm going to buy because of this.

I use LBE Privacy Guard that can deny app capabilities to use internet or read your phone #, yet this app itself is closed source (though with good reputation) so its not full proof.

 

[anon(335536)]

I use LBE Privacy Guard that can deny app capabilities to use internet or read your phone #, yet this app itself is closed source (though with good reputation) so its not full proof.

Based on my understanding of CIQ, it inserts itself as a module at the kernel level, so there is a good chance LBE won't even know about it and be able to do anything to block it access to the internet.

I did notice that the CIQ process is connecting to a sprint IP address. I'll have to dig up what it was and edit this post with the IP later.

EDIT: The IP address that Carrier IQ is connecting (per the logcat comments) to is 68.28.31.1. This IP is registered to sprint. If anyone knows of a way to sniff what data is moving through there, that would be interesting to see.

 

[someguy01234]

Base on this article the Pro version of TrevE logging app is supposed to be able to remove CIQ, but I don't know if it works with all phones. Carrier IQ: How the rootkit tracks everything on your phone and how to remove it - my-guides.net

 

[anon(335536)]

I looked through that app and all the steps he followed. It is specific to the HTC version of carrier IQ. I guess the individual manufactures modify the code to suite their needs. From what I have seen, the HTC version is more invasive than our replenish version (based on the log files I have found on our phone).

Carrier IQ is loaded into the OS at a very low level as modules, so for us, unless we get a custom ROM with a custom kernel, we won't be able to fully remove it.

I've uploaded my app to the market for anyone interested. It's called "Carrier IQ Process Killer" and I know for sure it works on the replenish. It's free and does not display any adds. For rooted phones, it can kill some of CIQ for you. For unrooted phones, it can tel you if the IQMSD CIQ process is running. Feel free to download and provide any comments on improvements or issues to me here.

Thanks!

 

[fencerjared]

Does it still only kill CIQ until the phone is rebooted?

Nevermind, the information in the entry answers my question.

Speaking of, this is the android market entry.

 

[anon(335536)]

I plan to update the app in the future to auto kill the process at boot time. Hopefully I'll get some time soon to do so. Let me know if you have any issues with the app.

 

[fencerjared]

So far, seems to be working fine; I've had no phone issues since install.

 

[joshuadunkin]

just installed and works fine. thanks for this

 

[anon(335536)]

And thank you both for the feedback. Glad it is working well. I plan to make one change soon as I believe it errors out for people who are not rooted, so I should make it just report message that it does not work on unrooted phone with regard to killing iqmsd.

 

[fencerjared]

Don't know how this could even be connected, but just a few moments ago my touch screen stopped responding over the top 3/4 of its surface (couldn't swipe or tap to select in that area). I rebooted and even restarted the process killer and it's not happening now, but other users may want to keep an eye out for something similar.

 

[anon(335536)]

Most likely not connected - IQMSD should not have anything to do with the touch screen. However let me know if you continue to see this. I've had about 400 downloads now on the market, and the only issue I have seen so far is with folks running it on a non-rooted phone. I figured telling people in the description that it was intended for rooted phones only was enough, but two folks gave me a very bad review because it only works on rooted phones. Just updated the app to tell people when their phone is not rooted, or superuser is not giving the app permissions. The update should hit the market sometime tonight I imagine, Look for version 1.0.2.

Thanks for the comments. Keep them coming, and rate the app on the market if you feel so inclined.

Thanks!

 

[fencerjared]

There will be no shortage of idiots to downrate the app because they didn't read the directions; I've seen apps where the first line is "On install, this app downloads..." and then negative comments about how the app started downloading things when they installed it. In any case, besides the issue I mentioned above that I've never had on this phone before, nothing else funky going on. Did you ever figure out a way to read what exactly our version of this process is logging? I would definitely be interested in knowing what we are protecting ourselves against, not that more privacy is ever a bad thing.

 

[anon(335536)]

I've found some logs in /data/system/app_iq_archive however they are binary, so I have no idea what is inside of them. There is also a dropbox directory that has a lot of text files that are readable in them. That appears to have a lot of info on app crashes and the like. I have not found any text files being saved that contain keystroke data or http request data. But again, I have no idea what is in the binary files.

 

[joshuadunkin]

Got the update ans still works with no problem. Thanks!

 

[mbianco56]

Hello,

Thanks for developing this app. I installed on my rooted Samsung Epic 4G (Sprint) with no problem. App detected and disabled Carrier IQ. But when I go to Settings > Applications > Running Services, the IQ Agent Service is still running.If I tap it to stop the service, it stops then comes back in a little while.

Also, I have installed Voodoo CarrierIQ and it indicates that "Carrier IQ has been found and is active" with a detection score of 440. This is the same score I got before installing your CIQ Process Killer, and the same score I get on my wife's similar unrooted phone.

 

[anon(335536)]

Hello,

Thanks for developing this app. I installed on my rooted Samsung Epic 4G (Sprint) with no problem. App detected and disabled Carrier IQ. But when I go to Settings > Applications > Running Services, the IQ Agent Service is still running.If I tap it to stop the service, it stops then comes back in a little while.

Also, I have installed Voodoo CarrierIQ and it indicates that "Carrier IQ has been found and is active" with a detection score of 440. This is the same score I got before installing your CIQ Process Killer, and the same score I get on my wife's similar unrooted phone.

Hey mbianco56 - thanks for asking these questions (and not blindly giving my app one star and saying it does not work). Carrier IQ Process Killer is only able to kill the "IQMSD" process, which is only one piece of Carrier IQ. The IQ Agent Service is loaded by the Linux kernel that our phones run on. As such, you can kill it, but the kernel will detect it is not running and restart it. There is no way to disable that without compiling and loading a modified kernel. Obviously, no app can do that

Asa a side note, then you kill IQ Agent Service and the kernel detects it is not running ( I believe the timeout is 500 ms at which point the kernel reloads the process), the kernel will also reload IQMSD, so you will need to rerun my app to kill that again. Once IQMSD is killed by my app, it stays killed until you reboot, or until you kill IQ Agent Service.

As for Voodoo CarrierIQ, that detects the presence of Carrier IQ a number of ways, one of which is to look through the log files automatically maintained by our phones OS as it loads. Therefore, Voodoo CarrierIQ will always detect carrier IQ on our phones, even with my app present, because Carrier IQ loads at boot time, and my app can not run until after the phone is fully booted, at which point, the log files already indicate the presence of Carrier IQ. In addition, as you noticed, IQ Agent Service is always running, and I imagine Voodoo CarrierIQ is also seeing that.

So in short, my app can only detect and kill the IQMSD process that is just a piece of Carrier IQ. While I can't say for sure, I imagine IQMSD is Carrier IQs Messaging Daemon. So killing it seems like a good thing to do.

I would have loved to have been able to kill all of Carrier IQ, but until we can get a custom kernel on our phones, we are out of luck there.

On another note, the folks are androidarea51.com have started working on creation of a custom ROM (including a custom kernel) for our phones, with an eventual goal of loading gingerbread. I have been helping out as best I can (i.e. supplying snapshots of our stock ROMs and beta testing) and so far, so good. I am currently running a slightly modified kernel, which means our phones can run non-stock kernels. I imagine they will have something cool for us soon. You can head over to their forums to get the details.

And finally, I am working on an updated version of my app that will auto load and auto kill IQMSD after the phone boots so that we don't have to do it manually every time we turn our phones one. I hope to have that soon, however it is slow go as I am learning android as I go. Stay tuned.

Thanks for the good questions, and rate my app if you get a chance (unless of course you hate it ).

 

[mbianco56]

Your app is very good and i will give it a good rating. Thanks for the follow-up and detailed explanation. What really torks me off is that this thing acts like a trojan on a PC: you kill one of the heads and it keeps on reappearing. There is no excuse for a carrier to develop an app like that that a) can't be disabled and b) is not critical to the overall operation of the phone. And the fact that it's a key logger, well, that is the very definition of mal-ware (worm, trojan, virus, root-kit, whatever).

The bad news is, I installed another app called Logging TestApp Pro to try to disable it and it bricked my phone. (Samsung Epic 4G). Keeps going into a boot loop and won't finish. I went back to the page where I installed and read the comments (yes, I should have done this the first time around) and lo and behold, there are comments saying it will brick a rooted Samsung Epic 4G.

Getting the new phone tomorrow. Carrier IQ: 1. Me: 0

 

[anon(335536)]

Sorry to hear you bricked your phone. Are you getting a new one for free, or do you have to pay for it?

 

[mbianco56]

I have the Sprint insurance plan, so its $100 for a new refurbished Epic. If I could've unrooted the thing I would have gotten it for free. Oh well.