A new “web cleaning soldier” (WCS) app that claims to free up valuable space on your phone has appeared in Urumqi, Western China.
The app sounds incredibly fishy, and we had a look at the source code to find out what it does.
Upon install, the app looks for any identifier that can be used to tie the device to its owner. Identifiers such as the IMSI, SIM number, IMEI, and MAC address are gathered and sent to a remote server.
WCS can identify the phone’s owner
In most cases, the IMSI and SIM number will be sufficient to determine the owner of the device by matching them against records held by the telecom operators, since China has strict real-name policies for the registration of SIM cards.
But even if a person buys the phone anonymously with cash and uses a foreign SIM card or none at all, the information obtained by the web cleaning soldier could still match the phone to existing location and call profiles.
For example, the phone’s MAC address can reveal which Wi-Fi hotspots it has previously connected to. Conveniently, China requires Wi-Fi operators to implement know-your-customer procedures (e.g., collecting users’ phone numbers) and to share the MAC addresses of all connecting devices with the authorities.
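The identifiers listed above are gated by Android permissions, so the first thing a reviewer can do with a suspicious "cleaner" is read its manifest and ask whether the requested permissions fit its advertised purpose. The script below is an added example written for this page, not code from the WCS analysis: it parses a decoded AndroidManifest.xml (the sample manifest, the package name com.example.cleaner and the risk mapping are constructed for illustration) and flags the combination that matters here, a device-identity permission together with network access.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Reviewer's heuristic mapping from Android permissions to the capabilities they
# gate. It covers the identifiers and behaviour described in the article and is
# not an exhaustive reference.
PERMISSION_RISK = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI, IMSI, SIM serial on older Android releases)",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi state, including the device MAC on older Android releases",
    "android.permission.READ_EXTERNAL_STORAGE": "read media and documents on shared storage",
    "android.permission.INTERNET": "outbound network access (exfiltration channel)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

IDENTITY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_WIFI_STATE",
}

# Constructed manifest for a hypothetical "cleaner" app; it is not WCS's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Cleaner"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)]


def triage(manifest_xml):
    """Split requested permissions into flagged ones (with a reason) and the rest."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: PERMISSION_RISK[p] for p in perms if p in PERMISSION_RISK}
    unflagged = [p for p in perms if p not in PERMISSION_RISK]
    return flagged, unflagged


def can_identify_and_exfiltrate(flagged):
    """True when the app can read a device identity and also reach the network:
    the combination the article describes, and one a storage cleaner does not need."""
    return bool(IDENTITY_PERMISSIONS & flagged.keys()) and "android.permission.INTERNET" in flagged


if __name__ == "__main__":
    flagged, unflagged = triage(SAMPLE_MANIFEST)
    for perm, reason in flagged.items():
        print("FLAG  %s: %s" % (perm, reason))
    for perm in unflagged:
        print("ok    %s" % perm)
    print("identify-and-report pattern:", can_identify_and_exfiltrate(flagged))
```

The manifest inside an APK is stored in a binary XML encoding; a decoder such as apktool produces the plain-text form this script reads. Permissions alone do not prove intent, but a cleaner that needs READ_PHONE_STATE and INTERNET deserves a closer look at its code.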
WCS is a malicious app and not a virus
WCS ships with a preloaded set of 45,000 MD5 hashes. After scouring the device for identifiers, the program walks the phone’s storage looking for files in common audio, video, and picture formats.
It’s unclear what the MD5 hashes correspond to, but if a file on the phone matches one of them, information about the file (including filename, size, and path) is transmitted to the previously mentioned remote server.
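To understand what a hash list like this can and cannot find, it helps to recreate the matching step in a sandbox. The following is an added example for this page, not code from WCS: it hashes files with media extensions under a directory and reports the filename, size, and path fields the article says are sent off. The sample files and the single "known" hash are constructed inline. Because MD5 is computed over the whole file, the list can only identify byte-identical copies; a renamed copy matches, a file that differs by a single byte does not.

```python
import hashlib
import os
import tempfile

# Extensions treated as "common audio, video, and picture formats" for this example.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".3gp", ".avi"}

# Constructed stand-in for a file whose hash appears on a watch list.
KNOWN_BYTES = b"\x89PNG\r\n\x1a\n" + b"constructed image payload"


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 of a file, read in chunks so large videos do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, hash_set):
    """Return metadata for every media file under root whose MD5 is in hash_set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in MEDIA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if md5_of_file(path) in hash_set:
                hits.append({"filename": name, "size": os.path.getsize(path), "path": path})
    return sorted(hits, key=lambda h: h["filename"])


def demo():
    """Build a constructed storage tree and scan it against a one-entry hash list."""
    samples = {
        "original.png": KNOWN_BYTES,
        "copy_renamed.png": KNOWN_BYTES,             # identical bytes, new name: matches
        "one_byte_changed.png": KNOWN_BYTES[:-1] + b"!",  # single-byte difference: no match
        "notes.txt": KNOWN_BYTES,                    # not a media extension: never hashed
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        hash_set = {hashlib.md5(KNOWN_BYTES).hexdigest()}
        return scan(root, hash_set)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Running this against a real hash list from a sample is how an analyst would test hypotheses about what the list targets, for example by hashing publicly circulated material and checking for overlap, without ever needing the original files themselves.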
Interestingly, not all of the information gathered by WCS is sent to the remote servers directly; some of it is uploaded via servers belonging to the popular microblogging service Weibo.
Routing traffic in this way is known as domain fronting, and it keeps the malware functional even if network or data center operators block the remote servers.
It seems WCS has three distinct functions: identify the holder of the phone, search for illicit content, and report the findings to a remote location.
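Domain fronting works because a passive observer only sees the outer TLS server name (the SNI), while the inner HTTP Host header, which decides where the request really goes, is encrypted. At a vantage point that sees both, such as a TLS-terminating proxy, the classic signature is an SNI and a Host header that belong to different domains. The detector below is an added example for this page, not code from the original analysis; the log format, the client addresses and the destination c2-placeholder.example are constructed, and the registrable-domain check is a deliberate simplification (a production detector would consult the Public Suffix List).

```python
import re

# Constructed log lines from a hypothetical intercepting proxy that records both
# the TLS SNI and the inner HTTP Host header. The format is invented for this example.
SAMPLE_LOG = """\
2019-07-01T10:00:01Z src=10.0.0.5 sni=api.weibo.com host=api.weibo.com path=/2/statuses/update.json
2019-07-01T10:00:07Z src=10.0.0.5 sni=api.weibo.com host=c2-placeholder.example path=/upload bytes=48213
2019-07-01T10:00:09Z src=10.0.0.8 sni=www.example.com host=www.example.com path=/
2019-07-01T10:00:12Z src=10.0.0.5 sni=cdn.example.net host=static.example.net path=/img.png
"""

KV_RE = re.compile(r"(?P<kv>\w+=\S+)")


def parse_line(line):
    """Turn one 'ts key=value key=value ...' line into a dict (timestamp under 'ts')."""
    fields = dict(kv.split("=", 1) for kv in KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def registrable_domain(hostname):
    """Last two DNS labels. Simplification: real code should use the Public Suffix List,
    otherwise names under suffixes such as co.uk are compared incorrectly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_fronted(record):
    """Flag a request whose SNI and Host header point at different registrable domains.
    A CDN hostname differing only in its subdomain (cdn. vs static.) is normal and not flagged."""
    sni, host = record.get("sni"), record.get("host")
    if not sni or not host:
        return False
    return registrable_domain(sni) != registrable_domain(host)


def find_fronting(log_text):
    """Return the parsed records that show the SNI/Host mismatch signature."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if is_fronted(r)]


if __name__ == "__main__":
    for r in find_fronting(SAMPLE_LOG):
        print("%s %s: SNI %s but Host %s" % (r["ts"], r["src"], r["sni"], r["host"]))
```

Two caveats for anyone deploying this: the check only works where the inner Host header is visible, so on an unencrypted network tap it cannot fire at all, and that blind spot is exactly what makes fronting attractive. Second, some legitimate services do front one hostname behind another, so a hit is a lead for triage, not a verdict.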
Does Web Cleaning Soldier look for illicit content?
In general, the app is not very dangerous as malware goes: it does not self-replicate and requires the user to download and install it.
Unlike many other types of malware, it is harmful because of what its features do, not because it breaks your phone’s security measures.
We can only speculate about the exact intention behind this application. It may target people who spread subversive texts, videos, or images, but it might also exist to analyze how information spreads through a community.
Of course, it could also be used to find people who have taken classified material onto their private phones.
Protect yourself online
It’s not difficult to protect yourself.
Rule one: only install apps from official repositories such as the Apple App Store or the Google Play Store. But even with apps you believe are legitimate, critically question the permissions they request.
If you think you have installed a malicious app on your phone, back up your data and reset the device to its factory settings.