A passive network traffic analysis revealing a factory-installed browser hijack and persistent tracking infrastructure baked into XOS 14.0.1 all happen with "user experience improvement" OFF
| Finding | Severity | Fixable Without Root? |
|---|---|---|
Chrome homepage hijacked to page.portals.mobi โ leaks device hardware ID over plain HTTP |
๐ด Critical | โ Yes |
Base android process phones home to gslb.shalltry.com at every boot |
๐ด Critical | |
TPMS (com.hoffnung) beacons to ire-dsu.shalltry.com (Alibaba Cloud) |
๐ด High | |
Dynamic Bar builds a "One-ID" cross-device profile via ire-oneid.shalltry.com |
๐ Medium | |
| 10 plain HTTP connections (no TLS) including device-ID transmission | ๐ Medium |
| Field | Value |
|---|---|
| Model | Infinix X6532 |
| OS | XOS 14.0.1 (Android 14) |
| Manufacturer | Transsion Holdings |
| Capture tool | PCAPdroid |
| Capture date | 2026-05-28 |
| Capture duration | ~16 minutes (17:10 โ 17:26 UTC+1) |
| Total connections logged | 251 |
Traffic was captured using PCAPdroid (no root required) running in VPN-mode on the device itself, which intercepts all outgoing connections at the application layer. No external hardware was used.
[Android App] โ [PCAPdroid VPN Interface] โ [Real Internet]
โ
Captured PCAP/CSV
Analyzed offline
The capture was done on a fresh boot + idle session + one manual Chrome open to trigger the hijack.
Every time Chrome is opened, the factory-configured new-tab/homepage silently fires a request to page.portals.mobi before loading Google. The redirect completes in ~1 seconds โ the "blink" users notice.
http://page.portals.mobi/sp/m/Infinix%20X6532
?p=X6532-OP โ Model + operator code
&uid=8188[...] โ Persistent hardware device ID โ ๏ธ
&gaid=00000000-[...] โ Google Ad ID (zeroed out = tracking disabled)
| Time (UTC+1) | Event | Bytes |
|---|---|---|
17:25:33.082 |
Chrome DNS query #1 โ page.portals.mobi |
63 sent / 211 rcvd |
17:25:33.088 |
Chrome DNS query #2 (redundant) | 63 sent / 165 rcvd |
17:25:33.139 |
First HTTP GET โ 13.207.64.198:80 |
100 sent / 88 rcvd |
17:25:33.307โ.373 |
3ร redirect probes (100 bytes each) | โ |
17:25:33.442 |
Full HTTP exchange (device ID transmitted) | 767 sent / 684 rcvd |
- Transmitted over plain HTTP (port 80) โ zero encryption
- Anyone on the same Wi-Fi (cafรฉ, hotel, university) can intercept the
uid=parameter - The UID
8188[...]is a persistent hardware identifier โ it doesn't reset with a factory reset - Host resolves to Microsoft Azure (
13.207.64.198) โ Transsion pays to run this infrastructure commercially
Transsion/Infinix pre-programs Chrome's homepage or new-tab URL in the factory ROM. This is not a virus or a user action โ it ships this way.
Three system processes call back to Transsion's own identity/ad backend from the moment the device boots. You cannot stop them without disabling or uninstalling the apps using USB debugger (they don't exist on app list) or blocking at DNS level.
| Process | Package | Domain | Resolved IP | Cloud Provider |
|---|---|---|---|---|
| Android (base OS) | android |
gslb.shalltry.com |
154.85.94.35 |
Unknown |
| TPMS | com.hoffnung |
ire-dsu.shalltry.com |
47.254.156.191 |
Alibaba Cloud |
| Dynamic Bar | com.transsion.dynamicbar |
ire-oneid.shalltry.com |
3.160.188.22 |
AWS (Ireland) |
ire = Ireland (EU data center), oneid = One-ID program. This is Transsion's attempt to build a persistent cross-device identity tied to hardware โ similar to Apple's IDFA or Google's GAID but entirely proprietary and non-resettable.
shalltry.comtotal: 6,129 bytes sent / 11,480 bytes received- 6 connections across 3 subdomains
- All connections begin within 1 second of capture start (i.e., at boot)
Total connections : 251
โโโ Chrome : 69 (Google services, hijack traffic)
โโโ Firefox : 67 (Mozilla + uBlock updates โ clean)
โโโ Instagram : 42 (Meta CDN/QUIC โ expected)
โโโ Google Play : 22 (update checks โ expected)
โโโ Android (OS) : 14 โ ๏ธ includes shalltry.com
โโโ Play Services : 13 (FCM push โ expected)
โโโ WhatsApp : 6 (expected)
โโโ TPMS : 2 โ ๏ธ shalltry.com
โโโ Dynamic Bar : 2 โ ๏ธ shalltry.com
โโโ Other : 14
Protocol split:
DNS : 118 (47%)
HTTPS : 59 (24%)
QUIC : 30 (12%)
HTTP : 10 (4%) โ unencrypted โ ๏ธ
TLS : 12 (5%)
Other : 22 (9%)
Chrome โ โฎ โ Settings โ Homepage
โ Toggle OFF or set to: https://www.google.com
Chrome โ โฎ โ Settings โ New tab page
โ Set to: Default Google or Blank
Alternatively, use Firefox as your default browser โ it has no such hijack in this ROM.
Set your device or router DNS to a filtering resolver:
Option A โ AdGuard DNS (free)
DNS-over-HTTPS: https://dns.adguard-dns.com/dns-query
IPv4: 94.140.14.14 / 94.140.15.15
Option B โ NextDNS (recommended for visibility)
1. Create a free account at nextdns.io
2. Add custom block rule: *.shalltry.com
3. Apply profile DNS to your Wi-Fi
On Android: Settings โ Wi-Fi โ [Your network] โ Advanced โ Private DNS
Enter: dns.adguard-dns.com (or your NextDNS hostname)
needs to enable devloper option โ usb debbugger โ disable it using Universal Android Debloater
โ ๏ธ These will likely be re-enabled after an OTA update. Check after every system update.
Flash a clean AOSP-based ROM. LineageOS support for X6532 is not officially available as of this writing โ check LineageOS Devices or XDA Developers for community builds.
- Transsion Holdings โ Wikipedia
- shalltry.com WHOIS
- PCAPdroid โ Open Source Android Traffic Capture
- Prior art: Transsion malware reports (2019, BuzzFeed News)
- XDA Developers โ Infinix X6532
- No proprietary keys, tokens, or user credentials are included in this repository.
- The
uid=parameter is a hardware device identifier belonging to the researcher's own device. - This research was conducted on a personally-owned device for educational and portfolio purposes.
- Transsion Holdings was not contacted prior to publication (behavior is ROM-level by design, not a vulnerability).
Security research conducted as part of SOC analyst portfolio development.
Tools used: PCAPdroid ยท Wireshark-compatible PCAP analysis