Wednesday, April 2, 2014

Oldboot.B - Android bootkit

Research (Chinese version): Oldboot.B:与Bootkit技术结合的木马隐藏手段的运用 (Oldboot.B: using Trojan-hiding techniques combined with bootkit technology)
Research (English version): Oldboot.B: Bootkit technology combined with the use of a means to hide Trojans
Authors: iRiqium, Zhaorun Ze, Jiang Xuxian

Sample credit: Qing Dong

sbin/adb_server  a4c89abc46bbb34c6dd2c23caad99d61
sbin/meta_chk 6976d12388939d6cb93e28236212c8c7
init.rc 51b52552baf91d00e8f34ec052339f13

sbin/meta_chk cea6dd8a13cbce59097ad87fafb91fcd
init.rc f8f8e0b089bedbd58bea8a262229a234

sbin/agentsysline e5d27b3e64ed5e2ae6d6c063e3ddf08a
sbin/boot_tst 04c6dfa8457f1dd88258d427be089e00
init.rc eec3292341177d9e39530d0ab481ead0

Download. Email me if you need the password


Wednesday, March 26, 2014

Android CoinKrypt - bitcoin miner malware

Research: Lookout. CoinKrypt: How criminals use your phone to mine digital currency
Sample credit: Tim Strazzere

File: com.melodis.midomiMusicIdentifier.apk
Size: 8248809
MD5:  61253FAAC66F34BCF35B80FE767F136E

Size: 6026091
MD5:  738A0109AB5C37F9EFA7729EACDBE314

File: mikado.bizcalpro.apk
Size: 3330167
MD5:  BCCC62AE0129D484F0407FEDD701D211

Download. Email me if you need the password

Tuesday, March 25, 2014

iOS adware using Cydia

Research: New iOS malware use Cydia Substrate to steal advertisement promotion fee, by Claud Xiao (also available in Chinese)

File: spad.plist
Size: 302
MD5:  D90A9E9DD3C95E9C12CAFE48F5362781

File: spad.dylib
Size: 166976
MD5:  8099C75F8F3A7BE16A8246FD5B90185A

Additional binaries downloaded by the adware to the victim's device

File: libgad.dylib
Size: 1070048
MD5:  CE0A6550E51F3C1B1F49C39A297077E0

File: sad
Size: 31952
MD5:  E890CF2B1F9ADC4364B9A38FFFA14ABC

Download. Email me if you need the password
Download additional binaries

Thursday, March 6, 2014

Dendroid - Android spyware

Research: Lookout - Dendroid malware can take over your camera, record audio, and sneak into Google Play

Sample credit: Tim Strazzere

File: com.parental.control.v4.apk
Size: 942846
MD5:  DB01F96D5E66D82F7EB61B85EB96EF6E

File: com.parental.control.v4-dexguarded.apk
Size: 833648
MD5:  52A30B58257D338617A39643E2216D0C

Download. Email me if you need the password

Friday, February 28, 2014

Android iBanking

Research: iBanking Mobile Bot Source Code Leaked

APK files
1F68ADDF38F63FE821B237BC7BAABB3D Chase.apk
F1BC8520754D2AC4A920B3EF5C732380 bot.apk_
F06AF629D33F17938849F822930AE428 ING.apk_

Download. Email me if you need the password

Droidpak - Android targeting Windows malware

Research: Kaspersky -


Thursday, February 27, 2014

Android Tor Trojan

Research: Kaspersky: The first Tor Trojan for Android
File: video.mp4.apk
Size: 4885996

apk URL
http:// sexnine .ru /download/video.mp4.apk

Wednesday, January 29, 2014

Android AVPass

Research: Baidu Security Labs

Sample Credit: Tom:Pan

Size: 203000
MD5:  CCC01FD6D875B95E2AF5F270AAF8E842

Download. Email me if you need the password.

Android Airpush / StopSMS.B / Minimob

Sample credit: Tachion


Download all. Email me if you need the password.

Tuesday, January 28, 2014

Windows Droidpak and Android Fakebank.B / Gepew.A

Research: Symantec: Windows Malware Attempts to Infect Android Devices

Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

Fakebank.B / Gepew.A
Size: 230785

Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A

Droidpak - Windows malware that downloads Fakebank

The iconfig.txt file is no longer present on the C2 server, so the available information is limited.

Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe

Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。(translates: The page you are looking for might have been removed, renamed or is temporarily unavailable.)

Traffic (404 from the C2) - download the pcap together with the Windows Droidpak binaries above

iconfig.txt (not available, sorry)

GET /iconfig.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: xia2.dyndns-web.com
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 28 Jan 2014 12:55:25 GMT

IP Address:   Hong Kong
Network Name: HJEATC-CN
Owner Name:   No.9-F, CaiFuDaSha, No.396 Heping Road
Allocated:    Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address:      No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Phone:        +86 18973306525
Fax:          +86 18973306525

Android Airpush - monetization, ads

Size: 5972931
MD5:  2EED7318CA564A909E75AD616CAD5CDF

Friday, January 17, 2014

Android Oldboot / Mouabad.s

MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 ( = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 ( = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:
“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk to run;
“GoogleKernel.apk” and “” are two files dropped by imei_chk;
“com.qq.assistant.apk” is the first variant, while “” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in the boot partition and modifying init.rc, an analyst could restore the whole attack.

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang

Also see: Mouabad.p - Pocket Dialing For Profit (Lookout Security)

Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)

Download all the listed samples

Wednesday, December 11, 2013

MouaBad.P - Android dialer SMS trojan

Research: Lookout: MouaBad.P : Pocket Dialing For Profit

Sample credit: Tim Strazzere

Size: 38505
MD5:  68DF97CD5FB2A54B135B5A5071AE11CF

Download. Email me if you need the password

Sunday, November 24, 2013

ZertSecurity - Android Bank infostealer

FakeNotify.B (2011) - Premium SMS Trojan

Roidsec / Sinpon - Android Infostealer

Roidsec D4A557EC086E52C443BDE1B8ACE51739

The Trojan performs the following actions and collects the following information from the compromised device:
Sends SMS messages
Forces the phone to stay on
Collects the call log
Collects contacts
Collects the list of installed apps
Collects the GPS location
Collects the memory size available in phone memory
Collects the SD card memory size available
Lists all files on the SD card with timestamps
Collects incoming SMS messages
Collects outgoing SMS messages
Lists the apps currently running
Collects the total amount of RAM
Reports whether WiFi is on or off
Lists all files in phone memory with timestamps
Deletes files on the SD card

Download. Email me if you need the password

Simhosy / Waps - Android infostealer

simhosy 6B2D0948A462431D93A2035A82AF6CB5
simhosy 533453B7F3A7F55816B2EDCD5326DD2D
simhosy D2151D102F8DCBCD03DA4B9F3070F4D3

The Trojan steals SMS messages and contacts from the compromised device.

Download. Email me if you need the password

Phosty / Phospy - Android infostealer

Phospy 5F23671F67F0FBFC2529919DB56485A0
Phospy EED211032FF576F7FD590C22F142B877

The Trojan steals all .jpg and .mp4 files it finds on the device.

Download. Email me if you need the password