Monday, May 13, 2013

Android Stels


Hello all, sorry for the long outage - been busy :) Here are 3 posts for Stels, Perkele, and Korean SMSspy (see 2 posts after this one)

Android Stels

File: flashplayer.android.update.apk
Size: 164210
MD5:  B226A66A2796E922302B96AE81540D5C

Research: Stels Android Trojan Malware Analysis - Secure Works Dell
Sample credit: Tim Strazzere Lookout Security



Download (Email me if you need the password)




Android Perkele / Fake Site


com-fake site source

Please see the list of included files below

Sample and screenshot credits: Anonymous
News: Mobile Malcoders Pay to (Google) Play - Brian Krebs




SMS malware bot for sale, created to look like a security certificate with logos of your company
1 app - $1000. Full kit - $15,000



Download. (Email me if you need the password scheme)




Android SMSSpy / SMSSender / Nopoc.A



Sample credit: Jihong Park



Size: 253578
MD5:  74E09C5F57D5A040C86A86CDAD7F04FA



Download:  (Email me if you need the pass scheme for the newer samples)






Friday, April 19, 2013

SMSSilense aka Fake Vertu


File: vertu.jp.apk
Size: 1689220
MD5:  2E88C747D1B96B6ED19D3B66F00C4D98


File: vertu.kr.apk
Size: 581473
MD5:  FD6437199664E097870723F31F81222B


Sample credit: Sanjay Gupta

Research: McAfee Fake Vertu App Infects Korean and Japanese Android Users
A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.





BadNews - Android adware/malware network samples



File: live.photo.savanna.apk
Size: 3354613
MD5:  98CFA989D78EB85B86C497AE5CE8CA19
sample credit: Tim Wyatt -Lookout

File: ru.blogspot.playsib.savageknife.apk
Size: 4124257
MD5:  5B08C96794AD5F95F9B42989F5E767B5
sample credit: Sanjay Gupta


Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times.

Download. Email me if you need the password





Saturday, April 6, 2013

Chuli.A - Targeted attack Android Trojan


Research: Kaspersky. Android Trojan Found in Targeted Attack
Backdoor:AndroidOS/Chuli.A

Sample credit: Arvind Kumar


File: c4c4077e9449147d754afd972e247efc
Size: 333583
MD5:  C4C4077E9449147D754AFD972E247EFC


File: 0b8806b38b52bebfe39ff585639e2ea2
Size: 334326
MD5:  0B8806B38B52BEBFE39FF585639E2EA2


Download (email me if you need the password)





Monday, March 18, 2013

Android.Uracto - fraud, SMS spam


Research: Symantec. Android.Uracto Used to Trick Mothers, Anime Fans, Gamers, and More
Sample credit: Sanjay Gupta



D09A1FF8A96A6633B3B285F530E2D430 NewsAndroidnocode.apk
4C937667CB23E857D42B664334E1142A NewsAndroidcode03.apk
BA73E96CAA95999321C1CDD766BDF58B NewsAndroidcode02.apk
CF45E1288B47D97326ED279F2EE41E4D NewsAndroidcode01.apk


Download. Email me if you need the password




Friday, March 8, 2013

Android - FakeJobOffer


File: com.saavn.android.apk
Size: 973303
MD5:  9E8FA23DFC817BDCAD42B2F6ADA6E658
Sample credit:  Jimmy Shah


Research: Android Malware Goes Bollywood - McAfee

Download. Email me if you need the password





Tuesday, February 26, 2013

Saturday, February 16, 2013

Android Tetus - Infostealer



File: com.stephbriggs5.batteryimprove-2.apk
Size: 293777
MD5:  6408DF6ABA4C7F1803C2AAC8F17C4CA3


File: 85CE55DC130F214B0567987EDFF77DC0
Size: 274999
MD5:  85CE55DC130F214B0567987EDFF77DC0


File: com.droidmojo.awesomejokes.apk
Size: 268360
MD5:  01772AEFE0230C3669E21D79FC920D2E



File: 65C75AF5DE2628BD6215BB99DD76D3AC
MD5:  65c75af5de2628bd6215bb99dd76d3ac
Size: 277644

Research: Symantec. Android Tetus

When the Trojan is executed, it registers an SMS observer to record SMS messages and send them to the following command-and-control (C&C) server:
[http://]android.tetulus.com

The Trojan may delete some SMS messages from the device.

It may also register an SMS receiver to send SMS messages without the user's consent.

The Trojan may send a list of all installed apps on the device to the following remote location:
[http://]fast.app-engines.com

Download. Email me if you need the password





Android SMSSend sample - Package Installer

com.android.packageinstaller
File: install.apk
MD5:  5d9c622b240dab5d6e883e26e9ea0fc0
Size: 261887

credit: anonymous donation





Android Armour sample



File: Scan-For-Viruses-Now.apk
MD5:  084a7b576f5df438abba3131a90af493
Size: 1427490

Sample credit: anonymous donation

Research: A chink in Android Armour - Sophos

It is not malware, but a very sketchy app with poor performance and false positives, extorting money for nothing, considering there are many reputable free AV apps like Lookout or Sophos.

Download. Email me if you need the password






Android Plankton / Counterclank sample - Collage Creator


com.changedroid.picture.collage.creator.apk
Size: 9842061
MD5:  DE842DD94324492ACE8C2C8EBD350BC8
sample credit: anonymous donation


Download. Email me if you need the password






Monday, February 4, 2013

Android - Trojan!Extension.A


Update: Feb 16
Added 2nd stage file (loaded at runtime, no need to install) - credit Thomas Wang

Feb 4, 2013
Research: Trustgo: Trojan!Extension.A – Complex Malware Escapes AV Detection
Sample credit: Thomas Wang


File: 6d43b3bc85770fafeb598eb5297bc341.apk
Size: 434436
MD5:  6D43B3BC85770FAFEB598EB5297BC341



Download the original (1st stage). Email me if you need the password
2nd stage download Email me if you need the password





Android/Windows Spy:Android/Ssucl - DroidCleaner and Superclean.


Research: Kaspersky: Mobile attacks  - Android with Windows malware downloads



File: smart.apps.superclean-1.apk
Size: 502441
MD5:  2529085824C55DBBAED0B86EDE7B3C60

File: smart.apps.droidcleaner-1.apk
Size: 310274
MD5:  C5A2D14BC52F109A06641C1F15E90985


File: smart.apps.droidcleaner-1.apk 
Size: 330984
MD5:  123478A70219D24A5E5A40074B8775BA


File: SuperClean-11.apk 
Size: 528630
MD5:  B0C28334373332D4677C01BD48EED431


Download
Android files listed above plus

from http://claco.hopto.org
    Controller.exe
    svchost.exe

plus from claco.kicks-ass.org
    Extra_Fotos.zip
    Kst.exe
    pwd.exe


Friday, January 18, 2013

Android Opfake - DevilsCreed.full_1.8_installer.apk



File: com.alioth.imdevil_jp.DevilsCreed.full_1.8_installer.apk
Size: 746430
MD5:  DFB76FE66E90AC0B4DFDC383BB3FBFFF

Sample credit: Many thanks to Hayk



Download. Email me if you need the password






Wednesday, January 9, 2013

Android.Exprespam

FakeGuard - SMS trojan




Meant to post it for a looong time. But better late than never.
Here is a sample of FakeGuard / sms trojan that was prevalent in Korea in December (maybe still is)





Tuesday, December 25, 2012

Trojan.Rus.SMS."SystemSecurity" - Toll Fraud / ConnectSMS


Santa, aka DarkK3y, brought a new present.
Please read the malware report below. If you have any comments for the author, please email me and I will send him or get him to contact you.




Download. Email me if you need the password. 
Sample and Research credit: DarkK3y




DarkK3y / dark_k3y
Trojan.Rus.SMS."SystemSecurity"  

=== Summary of the analysis ===

This malware sample was received by SMS message with some web link inside. Malware seems to be Toll Fraud malware (according to Lookout Mobile Security classification). Middle-user interaction is required to infect the mobile device -- the user needs to click the link and install the apk file downloaded from it. The installation package requires many security permissions to run (see Characteristics section). After installation, "System Service" (com.android.systemsecurity) appears on the device. It loads on boot and makes hooks on the SMS receiver service (with the greatest priority). Also, it uses the alarm service to schedule periodic (3 mins and more) runs. On each run (except the first), an SMS to the paid service is sent. On the first run, information about the paid service (SMS number and code) and the SMS filter (which SMS should be dropped and not shown to the user) is downloaded from the CnC server; OS information, IMEI, IMSI and the user contact list are uploaded to the CnC server. Possibly, the user contact list phone numbers are used by the CnC server for further malware spread, by sending SMSes to them. Currently, the malware seems to be undetectable by Norton Mobile Antivirus and some other antimalware mobile tools. It is only detected by heuristic scan methods (possibly because of requiring too many security privileges).
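The behaviour DarkK3y describes (starts on boot, hooks the SMS receiver at the greatest priority, sends SMS to a paid number, uploads IMEI/IMSI and contacts) and the Symantec Tetus write-up further up (SMS observer plus an SMS receiver sending without consent) both rest on a predictable set of manifest declarations, which is exactly what the "heuristic scan methods" he mentions key on. The Python script below is an added example written for this post; it is not code from the page, from DarkK3y's report, or from any vendor. It parses a constructed AndroidManifest.xml (not the manifest of any sample on this page) and scores the same indicators. The permission names and intent actions are standard Android values; the priority threshold of 1000, the weights and the verdict cut-offs are my own assumptions for a triage heuristic.

```python
"""Static manifest triage for SMS-trojan indicators: boot persistence,
a top-priority SMS_RECEIVED receiver, SEND_SMS and identity/contact
permissions. Added example, not code from the page; the manifests
below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
HIGH_PRIORITY = 1000  # assumed threshold: >= this counts as "top priority"

# Standard Android permissions that, taken together, match the write-up.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.SEND_SMS": "can send SMS (toll fraud)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start on boot",
    "android.permission.READ_PHONE_STATE": "can read IMEI/IMSI",
    "android.permission.READ_CONTACTS": "can harvest contacts",
    "android.permission.INTERNET": "can reach a C&C server",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict with findings, score and verdict for one manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    declared = {_attr(p, "name") for p in root.findall("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in declared:
            findings.append("%s: %s" % (perm.rsplit(".", 1)[-1], why))
            score += 1  # assumed weight

    sms_receivers, boot_receiver = [], False
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_ACTION in actions:
                prio = int(_attr(flt, "priority") or 0)
                sms_receivers.append((_attr(recv, "name"), prio))
                if prio >= HIGH_PRIORITY:
                    findings.append("SMS receiver %s at priority %d: can see "
                                    "(and drop) SMS before the user" %
                                    (_attr(recv, "name"), prio))
                    score += 3  # assumed weight
            if BOOT_ACTION in actions:
                boot_receiver = True
    if boot_receiver:
        findings.append("BOOT_COMPLETED receiver: restarts after reboot")
        score += 2  # assumed weight

    verdict = "suspicious" if score >= 6 else "review" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "findings": findings,
            "sms_receivers": sms_receivers, "boot_receiver": boot_receiver}


# Constructed manifest mirroring the described behaviour (not a real sample).
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="%s"
    package="com.example.systemservice.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="System Service">
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="%s"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootHook">
      <intent-filter><action android:name="%s"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % (ANDROID_NS, SMS_ACTION, BOOT_ACTION)

# Constructed benign manifest: only INTERNET, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for name, text in (("constructed", CONSTRUCTED_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(name, result["verdict"], result["score"])
        for line in result["findings"]:
            print("  -", line)
```

Run against a real APK, the manifest is first decoded from binary XML (for example with apktool), then fed to `triage_manifest`; the script only reads declarations, so a permission-heavy but legitimate SMS app will also land in "review", which is the intended trade-off for a first-pass filter.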

Monday, December 24, 2012

Merry Christmas and Happy New Year!



More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum