Thursday, September 13, 2012

Android Spyware samples


File: power_battery.apk
Size: 560429
MD5:  7ECB7A1FA96E18B85ED10D83537CFD3C


File: smartphone5-1.apk
Size: 285814
MD5:  6BAE149BC65576831AC635A23938BE36

Sample credit: Tushar Verma

Download
http://contagiomobile.deependresearch.org/files/6BAE149BC65576831AC635A23938BE36_smartphone5-1.zip
http://contagiomobile.deependresearch.org/files/7ECB7A1FA96E18B85ED10D83537CFD3C_power_battery.zip

(The archive password scheme is now the same as the contagiodump.blogspot.com scheme; email me if you need it, the address is in the profile.)


https://www.virustotal.com/file/1d0f1649216f06457f5ef5fdc8439cc34fec0041b2e27559e25b61b458c34951/analysis/
SHA256: 1d0f1649216f06457f5ef5fdc8439cc34fec0041b2e27559e25b61b458c34951
SHA1: c199bf7ea3906adeee0f02a43ef7e0bcabb8489c
MD5: 6bae149bc65576831ac635a23938be36
File size: 279.1 KB ( 285814 bytes )
File name: smartphone5-1.apk
File type: Android
Detection ratio: 9 / 42
Analysis date: 2012-09-14 05:28:47 UTC

Avast Android:MobileSpy-C [Trj] 20120914
AVG - 20120914
BitDefender Android.Spyware.Retinax.C 20120914
CAT-QuickHeal Android.MobileSpy.C 20120914
DrWeb Android.MobileSpy.13.origin 20120914
ESET-NOD32 a variant of Android/MobileSpy.C 20120914
F-Prot - 20120913
F-Secure Android.Spyware.Retinax.C 20120914
GData Android.Spyware.Retinax.C 20120914
Kaspersky not-a-virus:HEUR:Monitor.AndroidOS.Mobilespy.a 20120914
Sophos Andr/Spy-C 20120914

ssdeep
6144:JcFLlo5Zx8zC75AiIoAED/CDZDWZKXyCh3OXC7RVP8d:aE5n8zC75AiDoUMDUd
TrID
Android Package (63.3%)
Java Archive (28.7%)
ZIP compressed archive (7.9%)
ExifTool
MIMEType.................: application/zip
ZipRequiredVersion.......: 10
ZipCRC...................: 0x44f40fb6
FileType.................: ZIP
ZipCompression...........: None
ZipUncompressedSize......: 105240
ZipCompressedSize........: 105240
ZipFileName..............: assets/siren.wav
ZipBitFlag...............: 0
ZipModifyDate............: 2011:05:06 12:41:14
Androguard
activities...............:

com.retina21.ms41.ui.MainActivity, com.retina21.ms41.ui.LoginActivity, com.retina21.ms41.ui.EmailSettingsList, com.retina21.ms41.ui.ChangePinActivity, com.retina21.ms41.ui.About, com.retina21.ms41.ui.AntiTheftActivity, com.retina21.ms41.ui.LocationActivity, com.retina21.ms41.ui.VerifyRegistration, com.retina21.ms41.ui.LoggingActivity, com.retina21.ms41.ui.LoggingList, com.retina21.ms41.ui.AntiTheftList, com.retina21.ms41.ui.SearchContactList, com.retina21.ms41.ui.FriendList, com.retina21.ms41.ui.HelpActivity, com.retina21.ms41.lock.LockScreen, com.retina21.ms41.ui.FriendList

AndroidVersionCode.......: 5
Package..................: com.retina21.ms41

receivers................:

com.retina21.ms41.Receiver, com.retina21.ms41.logging.GPSHandler, com.retina21.ms41.helper.EmailSendReceiver, com.retina21.ms41.helper.XmlFileUploader

AndroidVersionName.......: 5.0
riskindicator............: 50.0
services.................: com.retina21.ms41.BackgroundService
MinSdkVersion............: 7
TargetSdkVersion.........: 7

permissions..............:

CHANGE_NETWORK_STATE, READ_CALENDAR, READ_LOGS, PROCESS_OUTGOING_CALLS, ACCESS_COARSE_LOCATION, INTERNET, ACCESS_FINE_LOCATION, SEND_SMS, WRITE_SMS, ACCESS_NETWORK_STATE, READ_HISTORY_BOOKMARKS, WRITE_EXTERNAL_STORAGE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, CALL_PHONE, WRITE_SETTINGS, READ_PHONE_STATE, READ_SMS, ACCESS_WIFI_STATE, RECEIVE_SMS, READ_CONTACTS, MODIFY_AUDIO_SETTINGS

First seen by VirusTotal
2012-09-14 05:28:47 UTC
Last seen by VirusTotal
2012-09-14 05:28:47 UTC
File names (max. 25)
smartphone5-1.apk

https://www.virustotal.com/file/8da11fc9a0f8dce9246c245429a88f58e16d203653a1ae8a13ac7f8cc1e48202/analysis/

SHA256: 8da11fc9a0f8dce9246c245429a88f58e16d203653a1ae8a13ac7f8cc1e48202
SHA1: f1f183cdd4f3ef95dc1436ea8a1d0117e1dfc955
MD5: 7ecb7a1fa96e18b85ed10d83537cfd3c
File size: 547.3 KB ( 560429 bytes )
File name: power_battery.apk
File type: Android
Tags: android
Detection ratio: 2 / 42
Analysis date: 2012-09-08 19:13:16 UTC
Avast Android:SmsControl-A [PUP] 20120908
Kaspersky not-a-virus:HEUR:Monitor.AndroidOS.AnSmCon.a 20120908
TrendMicro-HouseCall - 20120908

ssdeep
12288:+FxBX5H/7U5ykMUqoqkknPtNrXs7oXCFLHfCVc00y7nwzMHqZY4bkD:+BpfuQr0kPtFXEECl/M5Tww0YdD
TrID
Android Package (88.8%)
ZIP compressed archive (11.1%)
ExifTool
MIMEType.................: application/zip
ZipRequiredVersion.......: 20
ZipCRC...................: 0x0816e1bf
FileType.................: ZIP
ZipCompression...........: Deflated
ZipUncompressedSize......: 1029
ZipCompressedSize........: 548
ZipFileName..............: META-INF/MANIFEST.MF
ZipBitFlag...............: 0x0808
ZipModifyDate............: 2012:07:06 15:03:23
Androguard
activities...............: com.laucass.androsmscontrol.AndroSmsControl
AndroidVersionCode.......: 240
Package..................: com.laucass.androsmscontrol

receivers................:

com.laucass.androsmscontrol.AndroSmsControlReceiver, com.laucass.androsmscontrol.PhoneControlDeviceAdminReceiver

AndroidVersionName.......: 2.4.0
riskindicator............: 50.0
services.................: com.laucass.androsmscontrol.AndroSmsControlService
MinSdkVersion............: 4
TargetSdkVersion.........: None

permissions..............:

READ_SECURE_SETTINGS, PROCESS_OUTGOING_CALLS, ACCESS_COARSE_LOCATION, BLUETOOTH, INTERNET, ACCESS_FINE_LOCATION, SEND_SMS, WRITE_SMS, READ_HISTORY_BOOKMARKS, WRITE_SECURE_SETTINGS, WRITE_EXTERNAL_STORAGE, RECORD_AUDIO, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_SETTINGS, READ_PHONE_STATE, READ_SMS, ACCESS_WIFI_STATE, RECEIVE_MMS, CHANGE_WIFI_STATE, RECEIVE_SMS, READ_CONTACTS, MODIFY_AUDIO_SETTINGS

First seen by VirusTotal
2012-09-08 19:13:16 UTC
Last seen by VirusTotal
2012-09-08 19:13:16 UTC
File names (max. 25)
power_battery.apk
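The androguard summaries above list each sample's permissions, receivers and services, but the interesting signal is the combinations: SMS receive+read+send (an SMS command channel), BOOT_COMPLETED receiver plus a background service (persistence), a device-admin receiver (uninstall resistance), RECORD_AUDIO with INTERNET, and so on. The script below is an added example, not code from either sample or from this blog: it parses a decoded AndroidManifest.xml and raises a flag per capability cluster. The manifest it runs on is constructed from the power_battery.apk summary (package, components, the 23 permissions); the intent-filter actions, the BIND_DEVICE_ADMIN attribute on PhoneControlDeviceAdminReceiver and the cluster definitions are assumptions. The same clusters apply to the smartphone5-1.apk permission list further up.

```python
"""Capability triage of a decoded AndroidManifest.xml.

Added example for this post; it is neither the samples' code nor anything
from the blog. The manifest below is CONSTRUCTED from the androguard
summary for power_battery.apk shown above (package, components and the
23 permissions). The intent-filter actions, the BIND_DEVICE_ADMIN
attribute on the receiver and the cluster definitions are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Permission list copied from the androguard output for power_battery.apk.
PERMS = ("READ_SECURE_SETTINGS PROCESS_OUTGOING_CALLS ACCESS_COARSE_LOCATION BLUETOOTH "
         "INTERNET ACCESS_FINE_LOCATION SEND_SMS WRITE_SMS READ_HISTORY_BOOKMARKS "
         "WRITE_SECURE_SETTINGS WRITE_EXTERNAL_STORAGE RECORD_AUDIO RECEIVE_BOOT_COMPLETED "
         "MODIFY_PHONE_STATE WRITE_SETTINGS READ_PHONE_STATE READ_SMS ACCESS_WIFI_STATE "
         "RECEIVE_MMS CHANGE_WIFI_STATE RECEIVE_SMS READ_CONTACTS MODIFY_AUDIO_SETTINGS").split()


def _perm_fqn(short):
    # The browser history permission lives outside android.permission.*
    if short == "READ_HISTORY_BOOKMARKS":
        return "com.android.browser.permission." + short
    return "android.permission." + short


# Constructed manifest (intent filters and BIND_DEVICE_ADMIN are assumed).
MANIFEST = """<manifest xmlns:android="%s"
    package="com.laucass.androsmscontrol"
    android:versionCode="240" android:versionName="2.4.0">
  <uses-sdk android:minSdkVersion="4"/>
%s
  <application>
    <activity android:name=".AndroSmsControl"/>
    <service android:name=".AndroSmsControlService"/>
    <receiver android:name=".AndroSmsControlReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PhoneControlDeviceAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % (ANDROID_NS, "\n".join(
    '  <uses-permission android:name="%s"/>' % _perm_fqn(p) for p in PERMS))

# A cluster fires only when every permission in it is present, so a lone
# benign permission such as INTERNET never raises a flag by itself.
CLUSTERS = {
    "sms_interception_or_c2": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"},
    "call_monitoring": {"PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE"},
    "audio_surveillance": {"RECORD_AUDIO", "INTERNET"},
    "location_tracking": {"ACCESS_FINE_LOCATION", "INTERNET"},
    "contact_harvesting": {"READ_CONTACTS", "INTERNET"},
    "secure_settings_tampering": {"WRITE_SECURE_SETTINGS"},
}


def _qualify(pkg, name):
    """Expand the '.Foo' shorthand to 'pkg.Foo' as the package manager does."""
    return pkg + name if name.startswith(".") else name


def parse_manifest(xml_text):
    """Pull package, short permission names, services and receivers out of the XML."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    info = {"package": pkg, "permissions": set(), "services": [], "receivers": {}}
    for el in root.iter("uses-permission"):
        # Keep the short name so android.permission.* and vendor prefixes compare alike.
        info["permissions"].add(el.get(A_NAME, "").rsplit(".", 1)[-1])
    for el in root.iter("service"):
        info["services"].append(_qualify(pkg, el.get(A_NAME, "")))
    for el in root.iter("receiver"):
        info["receivers"][_qualify(pkg, el.get(A_NAME, ""))] = {
            "actions": {a.get(A_NAME) for a in el.iter("action")},
            "permission": el.get(A_PERMISSION),
        }
    return info


def triage(info):
    """Return the set of capability flags raised by the parsed manifest."""
    perms = info["permissions"]
    flags = {name for name, needed in CLUSTERS.items() if needed <= perms}
    boots = [n for n, r in info["receivers"].items()
             if "android.intent.action.BOOT_COMPLETED" in r["actions"]]
    # Persistence needs the permission, a receiver for the broadcast and something to start.
    if "RECEIVE_BOOT_COMPLETED" in perms and boots and info["services"]:
        flags.add("boot_persistence")
    # A device-admin receiver lets the app resist uninstall and lock or wipe the device.
    for r in info["receivers"].values():
        if (r["permission"] == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in r["actions"]):
            flags.add("device_admin")
    return flags


if __name__ == "__main__":
    parsed = parse_manifest(MANIFEST)
    print(parsed["package"], sorted(triage(parsed)))
```

On a real APK the manifest is binary AXML, so decode it first (for example `apktool d sample.apk`, which writes a plain-text AndroidManifest.xml) and feed that file to parse_manifest. The flags are triage hints, not verdicts: a legitimate anti-theft or parental-control app raises most of the same clusters, which is consistent with the Kaspersky "not-a-virus:HEUR:Monitor" and Avast "[PUP]" labels in the report above.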

5 comments:

  1. This URL cannot download the file:
    http://contagiomobile.deependresearch.org/files/6BAE149BC65576831AC635A23938BE36_smartphone5-1.zip

  2. You have to copy the text and not the link, something is messed up there...

  3. Hi,
    Does someone know where these samples have been published?