Wednesday, April 2, 2014

Oldboot.B - Android bootkit



Research (Chinese version): Oldboot.B:与Bootkit技术结合的木马隐藏手段的运用 (Oldboot.B: using Trojan-hiding techniques combined with bootkit technology)
Research (English version): Oldboot.B: Bootkit technology combined with the use of a means to hide Trojans
Author: iRiqium, Zhaorun Ze, Jiang Xuxian

Sample credit: Qing Dong

phone1
sbin/adb_server  a4c89abc46bbb34c6dd2c23caad99d61
sbin/meta_chk 6976d12388939d6cb93e28236212c8c7
init.rc 51b52552baf91d00e8f34ec052339f13

phone2
sbin/meta_chk cea6dd8a13cbce59097ad87fafb91fcd
init.rc f8f8e0b089bedbd58bea8a262229a234

phone3
sbin/agentsysline e5d27b3e64ed5e2ae6d6c063e3ddf08a
sbin/boot_tst 04c6dfa8457f1dd88258d427be089e00
init.rc eec3292341177d9e39530d0ab481ead0


Download. Email me if you need the password

Image by 360.cn

Wednesday, March 26, 2014

Android CoinKrypt - bitcoin miner malware


Research: Lookout. CoinKrypt: How criminals use your phone to mine digital currency
https://github.com/strazzere/android-scripts/blob/master/Decoders/MuchSad/dogekrypt.java
Sample credit: Tim Strazzere


File: com.melodis.midomiMusicIdentifier.apk
Size: 8248809
MD5:  61253FAAC66F34BCF35B80FE767F136E

File: com.ventel.android.radardroid2.apk
Size: 6026091
MD5:  738A0109AB5C37F9EFA7729EACDBE314

File: mikado.bizcalpro.apk
Size: 3330167
MD5:  BCCC62AE0129D484F0407FEDD701D211

Download. Email me if you need the password

Tuesday, March 25, 2014

iOS adware using Cydia


Research: New iOS malware use Cydia Substrate to steal advertisement promotion fee by Claud Xiao
Chinese version: http://bbs.pediy.com/showthread.php?p=1270415

1)
File: spad.plist
Size: 302
MD5:  D90A9E9DD3C95E9C12CAFE48F5362781

File: spad.dylib
Size: 166976
MD5:  8099C75F8F3A7BE16A8246FD5B90185A

2) Additional binaries downloaded by the adware to the victim's device

File: libgad.dylib
Size: 1070048
MD5:  CE0A6550E51F3C1B1F49C39A297077E0

File: sad
Size: 31952
MD5:  E890CF2B1F9ADC4364B9A38FFFA14ABC


Download. Email me if you need the password
Download additional binaries

Thursday, March 6, 2014

Dendroid - Android spyware

Research: Lookout - Dendroid malware can take over your camera, record audio, and sneak into Google Play

Sample credit: Tim Strazzere

File: com.parental.control.v4.apk
Size: 942846
MD5:  DB01F96D5E66D82F7EB61B85EB96EF6E

File: com.parental.control.v4-dexguarded.apk
Size: 833648
MD5:  52A30B58257D338617A39643E2216D0C

Download: Email me if you need the password




Friday, February 28, 2014

Android iBanking

Research: iBanking Mobile Bot Source Code Leaked

apk files
1F68ADDF38F63FE821B237BC7BAABB3D Chase.apk
009E60205B8FBC780A2DD3083CDD61CB
D1059B52B6127B758581EB86247BC34F
E1B86054468D6AC1274188C0C579CCAF_
F1BC8520754D2AC4A920B3EF5C732380 bot.apk_
F06AF629D33F17938849F822930AE428 ING.apk_


Download. Email me if you need the password





Droidpak - Windows malware targeting Android

Research: Kaspersky -


df4045aa9cb62699bd2ae12f860f2ed1.exe_
577a8c571e2dd610247ecfa0fb3c6cb3_install.exe_
04e8ff68ead683e52b53e174d08eddf4_Voip.dll_

Thursday, February 27, 2014

Android Tor Trojan


Research:  Kaspersky: The first Tor Trojan for Android
File: video.mp4.apk
Size: 4885996
MD5:  58FED8B5B549BE7ECBFBC6C63B84A728

apk URL
http:// sexnine .ru /download/video.mp4.apk






Wednesday, January 29, 2014

Android AVPass


Research: Baidu Security Labs http://blog.csdn.net/androidsecurity/article/details/18816557

Sample Credit: Tom:Pan

Size: 203000
MD5:  CCC01FD6D875B95E2AF5F270AAF8E842



Download. Email me if you need the password.




Android Airpush / StopSMS.B / Minimob


  Sample credit Tachion


08061663E638B5AC1D780CAACBE9FAD8 GlamorousSmoke.apk
2C3B92FFE8123611AE9D9BED000C99F7 3dtimeclockticks.apk
4FD1194F8127439609319CDBE244C0A7 _BlueArt.apk
58E73A03025BA95337C952223F18F479 _lordssacredheavenlycross.apk
8F7A41A921FC15F4FD47A33E476D7B3B SkullLighter.apk
B0E22A785041229A644F015472E738BA _ghostiderfireflamessremixFAMOUS3DAPPS.apk
CE7B9B2242A71BBEAC0B2839B1063013 NoiseDetectorNonG.apk
D67A07E3DE88C0130420588FD158B967 eyeseeyouSAMSUNG.apk
DE5BFA8715DAC2E29E206C19CA98F2F4 JingleBellNonG.apk
FB9FEFFB1FEF13C4A5E42ACE20183912 SaveTenDollar.apk


 Download all. Email me if you need the password.







Tuesday, January 28, 2014

Windows Droidpak and Android Fakebank.B / Gepew.A


Research: Symantec: Windows Malware Attempts to Infect Android Devices

Droidpak
Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

Fakebank.B/ Gepew.A
0D28FA54F9C0D41801E8FB5A7B0433DD
792BBB3DDC46E3D0E640D32977434ACA
4021A1E00B3ABEE730994F1EE17219B4
Size: 230785



Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A



Droidpak - Windows malware that downloads Fakebank

The iconfig.txt file is not present on the C2 server so the information is limited

Dropper
A398322586356ADD2CE43E3580CA272F sbayAYG51.exe

Dropped DLL
295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

Files observed on the infected Windows host:
C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\DWORD.sn
C:\WINDOWS\system32\flashmx32.xtl
C:\WINDOWS\CrainingApkConfig\down.log
C:\WINDOWS\CrainingApkConfig\iconfig.txt
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。 (the file name translates to: "The page you are looking for might have been removed, renamed or is temporarily unavailable.")

Traffic (404 on c2) - Download pcap with the Windows droidpak binaries above

iconfig.txt (not available, sorry)

GET /iconfig.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: xia2.dyndns-web.com
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 28 Jan 2014 12:55:25 GMT

xia2.dyndns-web.com
WHOIS Source: APNIC
IP Address:   103.242.134.136
Country:      Hong Kong
Network Name: HJEATC-CN
Owner Name:   No.9-F, CaiFuDaSha, No.396 Heping Road
From IP:      103.242.132.0
To IP:        103.242.135.255
Allocated:    Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address:      No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Email:        abuse@hostshare.cn
Abuse Email:  abuse@hostshare.cn
Phone:        +86 18973306525
Fax:          +86 18973306525
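The capture above gives a small but specific signature for the Droidpak config fetch: a GET for /iconfig.txt to xia2.dyndns-web.com (103.242.134.136) with the bare User-Agent "Mozilla/4.0 (compatible)", plus the file paths and the two MD5s listed above. The script below is an added example written for this page, not code from the Droidpak analysis or from any vendor tool; it parses raw HTTP request heads, flags the Droidpak beacon, and matches a Windows file listing against the host indicators. The benign request and the file listing in the demo are constructed; the Droidpak request is the page's own capture reassembled with CRLF line endings.

```python
# Network indicators from the Droidpak capture on this page.
DROIDPAK_C2_HOST = "xia2.dyndns-web.com"
DROIDPAK_C2_IP = "103.242.134.136"
DROIDPAK_CONFIG_URI = "/iconfig.txt"
DROIDPAK_UA = "Mozilla/4.0 (compatible)"  # bare UA: nothing after "(compatible)"

# Host indicators listed above (compared case-insensitively).
DROIDPAK_PATHS = {
    r"c:\windows\system32\flashmx32.xtl",
    r"c:\windows\crainingapkconfig\down.log",
    r"c:\windows\crainingapkconfig\iconfig.txt",
}
DROIDPAK_HASHES = {
    "a398322586356add2ce43e3580ca272f": "sbayAYG51.exe (dropper)",
    "295bc2cd4a144e53229ef477bf2f0b59": "flashmx32.xtl (dropped DLL)",
}

# The request as captured on this page, reassembled with CRLF line endings.
SAMPLE_DROIDPAK_REQUEST = (
    "GET /iconfig.txt HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible)\r\n"
    "Host: xia2.dyndns-web.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed benign request for comparison (not from the capture).
SAMPLE_BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0\r\n\r\n"
)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, uri, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify_request(raw: str) -> list:
    """Reasons a request matches the Droidpak config fetch; [] if none."""
    method, uri, headers = parse_http_request(raw)
    host = headers.get("host", "").split(":", 1)[0].lower()
    reasons = []
    if host in (DROIDPAK_C2_HOST, DROIDPAK_C2_IP):
        reasons.append("Host is the Droidpak C2 (" + host + ")")
    if method == "GET" and uri == DROIDPAK_CONFIG_URI:
        reasons.append("GET for /iconfig.txt, the bot's config file")
    if headers.get("user-agent") == DROIDPAK_UA:
        reasons.append("bare 'Mozilla/4.0 (compatible)' User-Agent")
    return reasons


def find_host_artifacts(file_listing: dict) -> list:
    """file_listing maps a Windows path to its MD5 hex digest (or None).
    Returns (path, reason) for every path or hash matching the host IOCs."""
    hits = []
    for path, digest in file_listing.items():
        if path.lower() in DROIDPAK_PATHS:
            hits.append((path, "known Droidpak file path"))
        if digest and digest.lower() in DROIDPAK_HASHES:
            hits.append((path, "MD5 matches " + DROIDPAK_HASHES[digest.lower()]))
    return hits


if __name__ == "__main__":
    for req in (SAMPLE_DROIDPAK_REQUEST, SAMPLE_BENIGN_REQUEST):
        print(req.split("\r\n")[0], "->", classify_request(req) or "clean")
    # Constructed listing: the dropped DLL at its documented path, plus a stock file.
    listing = {r"C:\WINDOWS\system32\flashmx32.xtl": "295BC2CD4A144E53229EF477BF2F0B59",
               r"C:\WINDOWS\notepad.exe": "f" * 32}
    print(find_host_artifacts(listing))
```

Match on the request, not on the response: the 404 in this capture only means iconfig.txt was not being served at the time, and the bot's config fetch is the behaviour worth alerting on whether or not the server answers.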


Android Airpush - monetization, ads


Size: 5972931
MD5:  2EED7318CA564A909E75AD616CAD5CDF




Friday, January 17, 2014

Android Oldboot / Mouabad.s


MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 (com.android.googledalvik.apk) = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 (libgooglekernel.so) = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:
“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk’s running;
“GoogleKernel.apk" and “libgooglekernel.so” are two files dropped by the imei_chk;
“com.qq.assistant.apk” is the first variant, while “com.android.googledalvik.apk” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in the boot partition and modifying init.rc, an analyst could restore the whole attack.

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang


Also See: Mouabad.p - Pocket Dialing For Profit  (Lookout security) 


Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)


Download all the listed samples
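Both Oldboot posts on this page describe the same persistence pattern: a binary and a hidden config dropped into /sbin inside the boot partition's ramdisk, and an init.rc edit that starts it. The script below is an added example written for this page, not code from 360 Mobile or Lookout; it parses Android init.rc service stanzas, checks an unpacked ramdisk against the MD5s listed in the Oldboot and Oldboot.B entries above, and flags /sbin binaries, dotfiles and services that a clean image would not have. The init.rc excerpt is constructed: the imei_chk stanza follows the page's description, but its exact form is an assumption, as is the placeholder baseline of stock /sbin binaries (build that from a clean factory image of the same device).

```python
import hashlib
import re

# IOC MD5s copied from the Oldboot and Oldboot.B entries on this page.
OLDBOOT_IOCS = {
    "41d8d39217ca3fe40a4722e544b33024": "sbin/imei_chk (Oldboot)",
    "826493bca9ad7d33521001d1a74ce06f": "sbin/.bootinfo (Oldboot)",
    "a4c89abc46bbb34c6dd2c23caad99d61": "sbin/adb_server (Oldboot.B, phone1)",
    "6976d12388939d6cb93e28236212c8c7": "sbin/meta_chk (Oldboot.B, phone1)",
    "51b52552baf91d00e8f34ec052339f13": "init.rc (Oldboot.B, phone1)",
    "cea6dd8a13cbce59097ad87fafb91fcd": "sbin/meta_chk (Oldboot.B, phone2)",
    "f8f8e0b089bedbd58bea8a262229a234": "init.rc (Oldboot.B, phone2)",
    "e5d27b3e64ed5e2ae6d6c063e3ddf08a": "sbin/agentsysline (Oldboot.B, phone3)",
    "04c6dfa8457f1dd88258d427be089e00": "sbin/boot_tst (Oldboot.B, phone3)",
    "eec3292341177d9e39530d0ab481ead0": "init.rc (Oldboot.B, phone3)",
}

# ASSUMPTION: known-good /sbin binaries. Build this from a clean factory
# image of the same device and firmware; these names are placeholders.
STOCK_SBIN_BASELINE = {"adbd", "ueventd", "healthd", "watchdogd"}

# Constructed init.rc excerpt. The imei_chk stanza is modelled on the page's
# description (bootkit adds imei_chk to /sbin and edits init.rc); the exact
# stanza Oldboot writes is an assumption, not copied from a sample.
SAMPLE_INIT_RC = """\
on init
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin

service ueventd /sbin/ueventd
    class core
    critical

service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled

service imei_chk /sbin/imei_chk
    class core
    user root
    oneshot
"""

_SECTION_KEYWORD = re.compile(r"^(on|service|import)\b")


def parse_init_services(init_rc: str) -> dict:
    """Map service name -> (executable path, option lines) for every
    'service <name> <path> [args]' stanza in Android init.rc syntax."""
    services, current = {}, None
    for raw in init_rc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _SECTION_KEYWORD.match(line):      # new 'on', 'service' or 'import' section
            current = None
            parts = line.split()
            if parts[0] == "service" and len(parts) >= 3:
                current = parts[1]
                services[current] = (parts[2], [])
        elif current is not None:             # indented option inside a service
            services[current][1].append(line)
    return services


def md5_files(files: dict) -> dict:
    """MD5 each ramdisk file ({relative path: bytes}) -> {path: hex digest}."""
    return {path: hashlib.md5(data).hexdigest() for path, data in files.items()}


def triage_ramdisk(init_rc: str, file_hashes: dict, baseline=STOCK_SBIN_BASELINE) -> list:
    """Return (kind, subject, detail) findings for an unpacked boot ramdisk."""
    findings = []
    for path, digest in file_hashes.items():
        if digest.lower() in OLDBOOT_IOCS:
            findings.append(("ioc-match", path, OLDBOOT_IOCS[digest.lower()]))
        if path.startswith("sbin/"):
            name = path[len("sbin/"):]
            if name.startswith("."):          # e.g. /sbin/.bootinfo
                findings.append(("hidden-sbin-file", path, "dotfile in /sbin"))
            elif name not in baseline:
                findings.append(("sbin-not-in-baseline", path, "absent from clean image"))
    for name, (exe, opts) in parse_init_services(init_rc).items():
        if exe.startswith("/sbin/") and exe[len("/sbin/"):] not in baseline:
            findings.append(("unknown-sbin-service", name, f"{exe} [{' '.join(opts)}]"))
    return findings


if __name__ == "__main__":
    # Constructed file contents; real triage hashes the unpacked ramdisk instead.
    hashes = md5_files({"sbin/adbd": b"stock adbd", "sbin/.bootinfo": b"config"})
    hashes["sbin/imei_chk"] = "41d8d39217ca3fe40a4722e544b33024"  # page IOC, for illustration
    for finding in triage_ramdisk(SAMPLE_INIT_RC, hashes):
        print(finding)
```

Run it against the ramdisk you unpack from the phone's boot partition (not from /system, which these samples never touch); the baseline check matters more than the hash list, since the Oldboot.B entries above show the binary names change between phones while the mechanism does not.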


Wednesday, December 11, 2013

MouaBad.P - Android dialer SMS trojan



Research: Lookout: MouaBad.P : Pocket Dialing For Profit

Sample credit: Tim Strazzere

File: com.android.service.apk_mouabad_p_infected
Size: 38505
MD5:  68DF97CD5FB2A54B135B5A5071AE11CF

Download. Email me if you need the password


Sunday, November 24, 2013

ZertSecurity - Android Bank infostealer

FakeNotify.B (2011) - Premium SMS Trojan

Roidsec / Sinpon - Android Infostealer


Roidsec D4A557EC086E52C443BDE1B8ACE51739

Research http://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99&tabid=2


Functionality
The Trojan performs the following actions and collects the following information from the compromised device:
Sends SMS messages
Forces the phone to stay on
Collect call log
Collect contacts
Collect installed apps
Collect GPS location
Collect memory size available on phone memory
Collect SD memory size available
List all files on SD with timestamps
Collect incoming SMS messages
Collect outgoing SMS messages
List of apps currently running
Collect total amount of RAM
Status of WiFi being on or off
List all files on phone memory with timestamps
Deletes files on SD card


Download. Email me if you need the password





Simhosy / Waps - Android infostealer


simhosy 6B2D0948A462431D93A2035A82AF6CB5
simhosy 533453B7F3A7F55816B2EDCD5326DD2D
simhosy D2151D102F8DCBCD03DA4B9F3070F4D3


The Trojan steals SMS messages and contacts from the compromised device



Download. Email me if you need the password











Phosty / Phospy - Android infostealer

Phospy 5F23671F67F0FBFC2529919DB56485A0
Phospy EED211032FF576F7FD590C22F142B877


Research http://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99&tabid=2

The Trojan steals all .jpg and .mp4 files it finds on the device  


Download. Email me if you need the password