Thoughts on the Phenomenon of Telecom Hijacking Red Packet Ads on CSDN Mobile

Introduction

Recently I suspected that I was being hijacked by China Telecom, so I’m recording my analysis here.

Phenomenon

I use a Sichuan Telecom SIM card with my Samsung S8. When visiting the following websites, I am redirected to a full-screen advertisement, which is the Alipay red packet interface. The user experience is terrible. Below is an address that gets hijacked: http://m.blog.csdn.net/skyroben/article/details/70195575

Analysis

  • When using an SS proxy (4G) on my phone to visit the above website, there’s no advertisement or hijacking
  • With a direct connection via Telecom WiFi, hijacking occurs
  • Using a hotspot and accessing the URL from a computer, no hijacking occurs
  • Using a hotspot and changing the user agent on the computer to an Android client, hijacking occurs with some probability??
  • Without using a hotspot, with a wired connection (Telecom) on the computer, changing the user agent to an Android client, hijacking occurs with some probability??
  • Using Chrome on mobile (S8), connected to Telecom WiFi, adding view-source: before the URL to view the source code, and saving the results for comparison on the computer, no differences were found
  • Using Chrome on mobile (S8), connected to China Mobile WiFi, hijacking occurs! (Script cache?)
  • Using iOS Chrome, connected to Telecom WiFi, no hijacking

Summary

Since the webpage source code doesn’t change after hijacking, it might be a script hijack. Since hijacking also occurs when using China Mobile WiFi, we can’t rule out the possibility that CSDN added the advertisements themselves. Using an SS proxy can bypass the hijacking, indicating that the hijacking is regional. The fact that computers and iOS devices aren’t hijacked suggests that the hijacking specifically targets Android browsers.
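The summary's reasoning (identical HTML, so a script loaded by the page may be what changes) can be checked by hashing every external script as received over the proxied path and over the direct path. The code below is an added example, not part of the original post; the URLs, script bodies and capture dictionaries are constructed, and it assumes the responses from both paths have already been saved.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def script_urls(page_url, html):
    """Resolve relative and protocol-relative script URLs against the page."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return [urljoin(page_url, src) for src in parser.srcs]

def sha256(body):
    return hashlib.sha256(body).hexdigest()

def compare_captures(page_url, trusted, suspect):
    """Return (url, finding) pairs for resources that differ between two captures."""
    findings = []
    if sha256(trusted[page_url]) != sha256(suspect[page_url]):
        findings.append((page_url, "html differs"))
    html = suspect[page_url].decode("utf-8", "replace")
    for url in script_urls(page_url, html):
        if url not in trusted or url not in suspect:
            findings.append((url, "not captured on both paths"))
        elif sha256(trusted[url]) != sha256(suspect[url]):
            findings.append((url, "script body differs"))
    return findings

# Constructed sample captures: identical HTML, one script altered in transit.
PAGE = "http://blog.example/article/1"
HTML = b'<html><script src="/js/app.js"></script><script src="//cdn.example/lib.js"></script></html>'
TRUSTED = {PAGE: HTML, "http://blog.example/js/app.js": b"render();",
           "http://cdn.example/lib.js": b"lib();"}
SUSPECT = {PAGE: HTML, "http://blog.example/js/app.js": b"render();",
           "http://cdn.example/lib.js": b"lib();/* constructed injected code */"}

if __name__ == "__main__":
    for url, finding in compare_captures(PAGE, TRUSTED, SUSPECT):
        print(finding, url)
```

A script that differs only on the direct path points at modification in transit; one that differs on both paths relative to an earlier capture points at a change made by the site itself.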

Conclusion

Regular users should avoid using Telecom networks and Android phones, and all websites are advised to use HTTPS encryption.
