{
  "docId": "019dd923-622c-750b-8b96-2fbe642fbf78",
  "docSlug": "69cc18cfe079",
  "documentTitle": "NQ Mobile (NQ)",
  "authorId": "51_Muddy_Waters",
  "authorName": "Carson C. Block",
  "documentKindSlug": "research-note",
  "documentKindLabel": "Research note",
  "sourceTypeSlug": "short_seller",
  "sourceTypeLabel": "Short seller",
  "presentationDate": "2013-10-24 00:00:00",
  "orientation": "portrait",
  "aspectRatio": 0.77272725,
  "pageNumber": 75,
  "pageCount": 81,
  "prevPage": 74,
  "nextPage": 76,
  "slideType": "other",
  "function": "analyze_data",
  "density": "dense",
  "nDataPoints": 0,
  "notes": "Contains two Wireshark screenshots demonstrating data exfiltration of IMSI/IMEI and browsing history.",
  "elementsJson": [
    "paragraph",
    "screenshot"
  ],
  "metadataConfidence": 0.9,
  "imagePath": null,
  "slideHref": "/slides/019dd923-622c-750b-8b96-2fbe642fbf78/75",
  "deckHref": "/decks/019dd923-622c-750b-8b96-2fbe642fbf78",
  "deckJsonHref": "/decks/019dd923-622c-750b-8b96-2fbe642fbf78.json",
  "deckAnchorHref": "/decks/019dd923-622c-750b-8b96-2fbe642fbf78#slide-75",
  "components": [
    {
      "bbox": null,
      "kind": "callout",
      "text": "It means that the provider, and anyone that is \"sniffing\" the network has the ability to track the users and obtain all browsing habits of the user, and even in some cases get information that is much more critical such as usernames and password and session ids if they are transferred in the URL.",
      "attrs": null,
      "subkind": null,
      "toolName": "Visual emphasis",
      "toolSlug": "visual-emphasis",
      "confidence": null,
      "componentId": "019dd953-0936-7173-ab11-329b05f515fc",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.28,
        "w": 0.78,
        "x": 0.11,
        "y": 0.17
      },
      "kind": "image",
      "text": "Wireshark capture of XML request",
      "attrs": null,
      "subkind": "screenshot",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "41f21fcc-fc93-4cf1-a250-928825229c3b",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.28,
        "w": 0.78,
        "x": 0.11,
        "y": 0.65
      },
      "kind": "image",
      "text": "Wireshark capture of URL leakage",
      "attrs": null,
      "subkind": "screenshot",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "eee086b4-9f96-47db-a80b-d29c7842ee38",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.08,
        "w": 0.78,
        "x": 0.11,
        "y": 0.51
      },
      "kind": "paragraph",
      "text": "It was discovered that the app sends every URL that is browsed in the device to a remote server located in China (211.151.74.173). The connection through which the data is sent is not encrypted, but rather obfuscated with an easily reversible method of XOR the URL with 0x6e.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "30f55716-724a-46d9-83b8-cddceabc55da",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.02,
        "w": 0.45,
        "x": 0.11,
        "y": 0.48
      },
      "kind": "paragraph",
      "text": "App leaks all the web browsing activities of the user:",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "4fa9ec1d-b872-41f3-8c4e-c3da95fdf344",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.03,
        "w": 0.78,
        "x": 0.11,
        "y": 0.09
      },
      "kind": "paragraph",
      "text": "sends a plain-text request which contains among other things the IMSI and IMEI inside a readable XML format.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "8e248449-845f-4ae8-a6ff-864cbbe94f8e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.02,
        "w": 0.55,
        "x": 0.11,
        "y": 0.14
      },
      "kind": "paragraph",
      "text": "This communication is delivered to NQ's servers - us.nqserv.com (211.151.59.8)",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "9610f451-67d8-4de9-ad14-675b5cc6168e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.03,
        "w": 0.78,
        "x": 0.11,
        "y": 0.62
      },
      "kind": "paragraph",
      "text": "We have tested the effectiveness of the URL tester and it indeed detects malicious pages, and blocks it.",
      "attrs": null,
      "subkind": "paragraph",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "f3dfe003-4a13-4b09-a4f1-d762dcae95bb",
      "frameworkName": null,
      "frameworkSlug": null
    }
  ],
  "metrics": [],
  "tools": [],
  "frameworks": [],
  "arcBeats": [
    {
      "to": 80,
      "from": 61,
      "beatId": "e4f2b8e1-7912-4f93-8c38-79d385cde878",
      "arcName": "Overcoming the Monster",
      "arcSlug": "overcoming-monster",
      "beatName": "Appendix Data",
      "beatSlug": null,
      "evidence": "The document provides extensive data and evidence to support its claims.",
      "position": 2,
      "confidence": 0.8,
      "parentBeatName": null,
      "parentBeatSlug": null
    }
  ],
  "loops": [],
  "imagePathAlt": null,
  "thumbSrc": null,
  "thumbSrcAlt": null,
  "locked": true
}