Telemetry, Spyware, list of privacy threats on FP3 Android 9

While we’re on a roll, the elusive “GPS daemon” app runs with user id 1021. So if it’s running we might get some info on the adb shell via:

ps -u 1021 -f
UID            PID  PPID C STIME TTY          TIME CMD
gps            605     1 0 15:36:39 ?     00:00:01 vendor.qti.gnss@1.0-service
gps            728     1 0 15:36:40 ?     00:00:00 mlid
gps            736     1 0 15:36:40 ?     00:00:00 loc_launcher
gps            803   736 0 15:36:40 ?     00:00:01 lowi-server
gps            804   736 0 15:36:40 ?     00:00:00 xtwifi-inet-agent --gtp-wifi BASIC --gtp-modem-cell BASIC --gtp-ap-cell DISABLED --gtp-waa DISABLED
gps            805   736 0 15:36:40 ?     00:00:01 xtwifi-client --gtp-wifi BASIC --gtp-modem-cell BASIC --gtp-ap-cell DISABLED --gtp-waa DISABLED
gps            811   736 0 15:36:40 ?     00:00:00 slim_daemon --sap BASIC
gps            812   736 0 15:36:40 ?     00:00:00 xtra-daemon

User gps has user id 1021. We can get more info via

cat /proc/605/cmdline
/vendor/bin/hw/vendor.qti.gnss@1.0-service

The same reveals
/vendor/bin/mlid
/system/vendor/bin/loc_launcher

The rest is more elusive, since no full paths are given in /proc/…/cmdline and a “find /” does not find any of the executables due to restrictive permissions.
However, one can find them indirectly:
ls -la /vendor/bin/

ls: /vendor/bin//xtwifi-client: Permission denied
ls: /vendor/bin//xtwifi-inet-agent: Permission denied
ls: /vendor/bin//slim_daemon: Permission denied
ls: /vendor/bin//xtra-daemon: Permission denied
and
ls: /system/vendor/bin//lowi-server: Permission denied

It’s hard to tell which one of those is making the HTTP connection. Normally on Android each app runs with its own UID, which allows the firewall to filter and log traffic based on the app. However, some UIDs are hardcoded:

https://android.googlesource.com/platform/system/core.git/+/master/libcutils/include/private/android_filesystem_config.h

and “GPS daemon” is one of those hardcoded users (user gps). So this is no app; this is indeed a “daemon” in the Linux/Unix sense of the word, running native code with elevated privileges. There is no “apk”. This is no “system app”; it’s part of the system.

It’s possible that one of the processes listed is doing these HTTP connections. It’s also possible that this “loc_launcher”, which is obviously capable of launching additional processes, is calling yet another program to do it once a night.

Due to the restrictive permissions of all the vendor tools, further reverse engineering would require rooting the device, since:

adb pull /vendor/bin/xtra-daemon
adb: error: failed to stat remote object '/vendor/bin/xtra-daemon': Permission denied

What could be done is hacking NetGuard (or another VPN-based firewall app) to insert a trigger function when process 1021 makes any network connection, which in turn calls “netstat” to figure out which process is responsible for it (and at the same time run “ps” in a loop from the adb shell to get a list of running processes to match to the PID).

But one would still need “root” to access the executable and look into its disassembly to figure out what it does.

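The netstat idea from the post above can be done without patching NetGuard, as long as /proc/net/tcp is readable from the adb shell (an assumption; on Android 9 SELinux may restrict it). The kernel's socket table carries a uid column, so the sockets belonging to uid 1021 can be listed directly, and the socket inode then maps back to a PID through /proc/<pid>/fd. The script below is an added example, not code from the original post or from Fairphone; the /proc/net/tcp rows in it are constructed for offline testing with RFC 5737 documentation addresses, not observed FP3 traffic.

```shell
#!/system/bin/sh
# Added example: list the TCP sockets owned by a given uid (1021 = gps) from a
# /proc/net/tcp table, then map a socket inode to its PID. POSIX sh only, so it
# also runs under toybox/mksh on an adb shell.

# Constructed sample of /proc/net/tcp (not real device output). On the device
# use `cat /proc/net/tcp` instead; IPv6 sockets live in /proc/net/tcp6.
sample_tcp_table() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1021        0 12345 1 0000000000000000 100 0 0 10 0
   1: 6400020A:B2A1 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1021        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 6400020A:D4C3 146433C6:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 34567 1 0000000000000000 20 4 30 10 -1
EOF
}

# /proc/net/tcp prints IPv4 addresses as 8 hex digits in host byte order; on
# little-endian ARM/x86 the last byte pair is the first octet, so
# "057100CB" is 203.0.113.5.
hex_to_ipv4() {
  h=$1
  o1=${h#??????}                # hex chars 7-8
  t=${h#????};  o2=${t%??}      # hex chars 5-6
  t=${h#??};    o3=${t%????}    # hex chars 3-4
  o4=${h%??????}                # hex chars 1-2
  printf '%d.%d.%d.%d' $((0x$o1)) $((0x$o2)) $((0x$o3)) $((0x$o4))
}

# Kernel TCP state codes from include/net/tcp_states.h.
tcp_state_name() {
  case $1 in
    01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
    04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
    07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
    0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Read a /proc/net/tcp table on stdin and print one line per non-listening
# socket owned by uid $1: "<inode> <remote ip>:<port> <state>".
# Fields per row: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
sockets_for_uid() {
  want=$1
  tail -n +2 | while read -r _sl _local rem st _q _tr _rt uid _to inode _rest; do
    [ "$uid" = "$want" ] || continue
    [ "$st" = "0A" ] && continue          # listening sockets have no peer
    rip=$(hex_to_ipv4 "${rem%:*}")
    rport=$((0x${rem#*:}))                # port is plain big-endian hex
    printf '%s %s:%s %s\n' "$inode" "$rip" "$rport" "$(tcp_state_name "$st")"
  done
}

# Map a socket inode to the PID holding it by scanning fd tables. Another
# uid's /proc/<pid>/fd is not readable from the shell user, so on an unrooted
# FP3 this step needs a root shell; the uid column above works without root.
inode_to_pid() {
  for fd in /proc/[0-9]*/fd/*; do
    case $(readlink "$fd" 2>/dev/null) in
      "socket:[$1]") p=${fd#/proc/}; echo "${p%%/*}"; return 0 ;;
    esac
  done
  return 1
}

# On the device, run once a night or in a loop while the GPS traffic appears:
#   sockets_for_uid 1021 < /proc/net/tcp
#   inode_to_pid 23456        # root only; pair the PID with the `ps -u 1021 -f` list
```

Run it in a loop from the adb shell while the nightly connection is expected and the remote endpoint plus state will appear even when the inode-to-PID step is denied; with a root shell the inode lookup gives the exact PID to match against the `ps -u 1021 -f` output above.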