Tuesday, December 25, 2012

Trojan.Rus.SMS."SystemSecurity" - Toll Fraud / ConnectSMS

Santa, aka DarkK3y, brought a new present.
Please read the malware report below. If you have any comments for the author, please email me and I will pass them on to him or get him to contact you.

Download. Email me if you need the password. 
Sample and Research credit: DarkK3y

DarkK3y / dark_k3y

=== Summary of the analysis ===

This malware sample was received by SMS message with a web link inside. The malware seems to be Toll Fraud malware (according to the Lookout Mobile Security classification). Medium user interaction is required to infect the mobile device -- the user needs to click the link and install the apk file downloaded from it. The installation package requires many security permissions to run (see the Characteristics section).

After installation, "System Service" (com.android.systemsecurity) appears on the device. It loads on boot and makes hooks on the SMS receiver service (with the highest priority). Also, it uses the alarm service to schedule periodic (3 mins and more) runs. On each run (except the first) an SMS to the paid service is sent. On the first run, information about the paid service (SMS number and code) and the SMS filter (which SMS should be dropped and not shown to the user) is downloaded from the CnC server; OS information, IMEI, IMSI and the user's contact list are uploaded to the CnC server. Possibly, the phone numbers from the user's contact list are used by the CnC server for further malware spread, by sending SMSes to them.

Currently, the malware seems to be undetectable by Norton Mobile Antivirus and some other antimalware mobile tools. It is only detected by heuristic scan methods (possibly because it requires too many security privileges).
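The summary notes that the sample is caught only by heuristic scanners, and it describes exactly the manifest-level traits such a heuristic can key on: a high-priority SMS_RECEIVED receiver, a boot receiver, SMS send plus receive, and the permissions needed to read IMEI/IMSI and contacts and talk to a CnC. The script below is an added example written for this post, not code from DarkK3y's report or from the blog. The manifest it scans is constructed here to mirror the behaviour described above; the permission list is inferred from that description, not taken from the Characteristics section (which is not reproduced on this page). The threshold of 1000 is Android's documented SYSTEM_HIGH_PRIORITY ceiling for app intent filters; the Integer.MAX_VALUE priority in the sample manifest is an assumption about how such a receiver is typically declared.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree key prefix for android:* attributes
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
SYSTEM_HIGH_PRIORITY = 1000      # documented ceiling for app intent-filter priority

# Constructed manifest modelled on the behaviour in the summary (not the real sample's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.systemsecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Service">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: a plain networked app.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def parse_manifest(xml_text):
    """Extract the package, permissions and receiver facts the heuristic needs."""
    root = ET.fromstring(xml_text)
    info = {
        "package": root.get("package", ""),
        "permissions": set(),
        "sms_priority": None,    # highest priority of any SMS_RECEIVED filter
        "boot_receiver": False,
    }
    for perm in root.iter("uses-permission"):
        info["permissions"].add(perm.get(A + "name", ""))
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {act.get(A + "name") for act in flt.iter("action")}
            if BOOT_COMPLETED in actions:
                info["boot_receiver"] = True
            if SMS_RECEIVED in actions:
                try:
                    prio = int(flt.get(A + "priority", "0"))
                except ValueError:
                    prio = 0
                if info["sms_priority"] is None or prio > info["sms_priority"]:
                    info["sms_priority"] = prio
    return info


def toll_fraud_findings(info):
    """Return one finding string per toll-fraud trait present in the manifest."""
    perms = info["permissions"]
    findings = []
    if info["sms_priority"] is not None and info["sms_priority"] >= SYSTEM_HIGH_PRIORITY:
        findings.append("sms_intercept: SMS_RECEIVED receiver with priority %d "
                        "(can consume incoming SMS before the messaging app)"
                        % info["sms_priority"])
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append("premium_sms: SEND_SMS and RECEIVE_SMS together "
                        "(send to a paid number and hide the reply)")
    if info["boot_receiver"] and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("persistence: receiver registered for BOOT_COMPLETED")
    exfil = {"android.permission.READ_CONTACTS",
             "android.permission.READ_PHONE_STATE",
             "android.permission.INTERNET"}
    if exfil <= perms:
        findings.append("exfiltration: can read IMEI/IMSI and contacts and has network access")
    if info["package"].startswith("com.android."):
        findings.append("masquerade: package name imitates a system component (%s)"
                        % info["package"])
    return findings


def verdict(xml_text):
    """Flag a manifest when three or more toll-fraud traits occur together."""
    findings = toll_fraud_findings(parse_manifest(xml_text))
    return ("suspicious" if len(findings) >= 3 else "clean"), findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        label, hits = verdict(text)
        print(name, label)
        for hit in hits:
            print("  -", hit)
```

The check deliberately scores the combination rather than any single permission: SEND_SMS or a boot receiver alone is common in legitimate apps, but an SMS receiver above the documented priority ceiling alongside send, contacts and network access is the pattern the summary describes. To run it against a real apk, feed the decoded AndroidManifest.xml (e.g. after apktool) into verdict().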

Monday, December 24, 2012

Merry Christmas and Happy New Year!

More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum

Sunday, December 23, 2012

Android.Tascudap - DDoS trojan

File: apk.apk
Size: 124568
MD5:  3CC7597A183B9A2C91127D18A04A2B26

Research Symantec : Android.Tascudap

Symantec - Android.Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

Email me if you need the password

Monday, December 17, 2012

Sunday, December 16, 2012

Android Carberp

December 2012

File: alfasafe.apk
Size: 270797
MD5:  07D2EE88083F41482A859CD222EC7B76

File: sber.apk
Size: 225905
MD5:  F27D43DFEEDFFAC2EC7E4A069B3C9516

File: vksafe.apk
Size: 226368
MD5:  117D41E18CB3813E48DB8289A40E5350

Sample credit: Pau Oliva Fora

Download. Email me if you need the password scheme