I was checking my Pi-Hole and noticed a lone spike of 700+ requests coming from my phone (Android 16) this morning. Upon checking the logs, it’s all bogus domains corresponding to package names of apps I have previously installed via the Play Store, but never on this phone.
Going further back in the query log, I realized it also includes the package name of an app I developed years ago but never published on the store, nor on this phone. There’s also a whole bunch of my browsing history apparently, domains I haven’t visited in years - from the age of some of them I’m pretty sure it’s Chrome history, as I only used Firefox sync for a brief period and my local history is <1y.
What the actual fuck? This is a Nothing Phone 3a, updated to Android 16 just a couple of days ago.
The very first domain at the start of the spike is
pass-api.proton.me. I it could have been Proton Pass to leak the list of domains and apps I have an account for. Still I find that to be quite worrying, whether it was a bug or something else…Could it possibly be some background check for valid domain names for proton pass? I imagine there could be a benefit to checking that the URLs associated with saved entries are actually live.
If the goal was exfiltrating a list of the sites you use, they don’t really need to do it via some weird DNS stuff, since you’re already expecting traffic directed at the proton api. They could just transfer an encrypted text file and call it a day. Doing this makes a ton of noise that you’d want to avoid if you were doing something shady, so it must serve some kind of function.
But why would they do that from an end user’s device instead of their servers? And what about the unresolvable package names?
I’m leaning more towards a bug than exfiltration at this point, but it is still a somewhat serious leak. The contents of proton pass are end to end encrypted and thus supposed to be confidential, while this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP. If it was intentional, it’s terrible design. Maybe some intern thought to have the client grab favicons.
The contents of proton pass are end to end encrypted
That’s precisely why they can’t do the scan from their servers. They don’t know the domains - they’re decrypted only on your device.
this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP
I feel like this is a tad dramatic. Surely, your vault contains more data, probably more sensitive, than just domain names.
I mean no offense, but I think you might be being a tad paranoid on this one. There really isn’t much that can be done with a list of sites you’ve saved credentials for once. If it was your most visited sites, I guess you would maybe be slightly more vulnerable to spear phishing. But just a bulk blast of sites over DNS doesn’t really tell anyone anything, it just looks like normal-ish DNS traffic.
Not used proton pass. Does it collect favicons by querying every host?
This seems like the most likely answer
There is a setting called “Use Web Icons” in the app that I would guess is linked to this.
Wouldn’t worry too much about it. Seems like it’s trying to fetch favicons. If this is an attempt to get lists of installed apps, it’s too complicated to be called an overcomplicated way.
I assume your upstream DNS provider is privacy focused and keeps no logs yeah? Unless someone is logging all your packet meta data (looking at you five eyes governments) possibly not a big drama …
There’s no privacy in anything when it can be sold
Agreed. As long as there is an incentive for people to spy they will spy. This is why we need strong privacy legislation. Privacy is a right.
