While working on a mobile application security project for a client, I had to investigate all HTTPS calls made by an app using a “man-in-the-middle” technique essentially pushing all traffic from the test Samsung Galaxy S5 smartphone through an intercepting proxy. And I stumbled upon something really strange.
Every now and then the phone would send a POST request to the following URL:
https://ew.disaster-device.ssp.samsung.com/quloc
What was interesting was in the payload. This was not a usual POST request, it contained the following 45-byte string:
{“lat”:51.5xxxxx,”lon”:-0.1xxxxxx,”dv”:”01"}
which was the phone’s precise location! I obfuscated the exact digits with xxxx in the above example.
So, it appears that Samsung phones periodically “call home” and report their location to Samsung. Why this data collection happens? I will continue to investigate, but wanted to publish this information in case if somebody else comes across this mysterious “disaster-device” URL.
ThreatCrowd shows a bit more information about the target domain and associated subdomains:
https://www.threatcrowd.org/domain.php?domain=ew.disaster-device.ssp.samsung.com
Top comments (0)