
Sunday, November 24, 2013

ZertSecurity - Android Bank infostealer

FakeNotify.B (2011) - Premium SMS Trojan

Roidsec / Sinpon - Android Infostealer


Roidsec D4A557EC086E52C443BDE1B8ACE51739

Research http://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99&tabid=2


Functionality
The Trojan performs the following actions on the compromised device:
Sends SMS messages
Forces the phone to stay on
Collects the call log
Collects contacts
Collects the list of installed apps
Collects GPS location
Collects the free space on phone storage
Collects the free space on the SD card
Lists all files on the SD card with timestamps
Collects incoming SMS messages
Collects outgoing SMS messages
Lists the apps currently running
Collects the total amount of RAM
Reports whether WiFi is on or off
Lists all files on phone storage with timestamps
Deletes files on the SD card


Download. Email me if you need the password





Simhosy / Waps - Android infostealer


simhosy 6B2D0948A462431D93A2035A82AF6CB5
simhosy 533453B7F3A7F55816B2EDCD5326DD2D
simhosy D2151D102F8DCBCD03DA4B9F3070F4D3


The Trojan steals SMS messages and contacts from the compromised device



Download. Email me if you need the password




Phosty / Phospy - Android infostealer

Phospy 5F23671F67F0FBFC2529919DB56485A0
Phospy EED211032FF576F7FD590C22F142B877


Research http://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99&tabid=2

The Trojan steals all .jpg and .mp4 files it finds on the device  


Download. Email me if you need the password





Fakedaum / vmvol - Android Infostealer

Fakedaum 0B6CDC9B9F778E0D8171DD279C5F690B

Research  http://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99&tabid=2

The Trojan gathers the following information from the compromised device:
SMS messages
Phone number
IMEI


Usbcleaver - Android infostealer (from Windows PC)

Usbcleaver 283D16309A5A35A13F8FA4C5E1AE01B1
Usbcleaver C22C068EAEE7AD7FD4FD015CD50045DB

Research http://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Functionality
When the device is connected to a Windows computer that still has AutoRun enabled for removable drives (it is off by default on Windows 7 and later, and on Windows XP and Vista once the February 2011 AutoRun update is installed), the Trojan gathers the following information from the computer:
Default gateway
DNS
Google Chrome password
Host name
IP address
Microsoft Internet Explorer password
Mozilla Firefox password
Physical (MAC) address
Subnet mask
WiFi password

It stores this information in the following directory on the SD card, where a remote attacker can retrieve it later:
/sdcard/usbcleaver/logs/

Download. Email me if you need the password.





Fake Taobao - Android infostealer

MD5:  45DAE1EE4CA1980C140CB5C9DA2A7ED5

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

The Trojan sends the following information to a specific phone number:
Taobao user name
Taobao password
Zhifubao user name
Zhifubao password
The Trojan requires another .apk file to be downloaded so it can forward SMS messages to the specific phone number.


Download. Email me if you need the password. 



Skullkey - Android Infostealer


skullkey 2DC07DCA36487339F3935ACE890E42E0

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99&tabid=2


Package names: com.hk515.doctor, com.hk515.activity

Malicious code is inserted in the package in the following locations:
com.google.safemain
com.google.service

Permissions
When the Trojan is being installed, it requests permissions to perform the following additional actions:
Clear the caches of all installed applications on the device.
Read user's contacts data.
Monitor incoming SMS messages.
Read SMS messages on the device.
Send SMS messages.
Start once the device has finished booting.
Change the background wallpaper.
Monitor incoming WAP push messages.

Functionality

The Trojan is hidden inside the legitimate app using the Android 'Master Key' vulnerability (CVE-2013-4787): the package carries duplicate ZIP entries, the signature verifier checks one copy while the installer loads the other, so the repackaged app still passes with the original developer's valid signature.

The Trojan allows attackers to perform the following actions:
Open a back door
Steal sensitive data (such as the IMEI and phone number) and send it to apkshopping.com
Send premium SMS messages
Disable certain security apps using any root commands available on the device
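The Master Key trick above is visible in the package itself: a ZIP (APK) is not supposed to contain two entries with the same name, so a duplicate classes.dex is the tell-tale, and the injected code locations listed for this sample (com.google.safemain, com.google.service) can be searched for as type descriptors inside each dex copy. The script below is an added triage example, not code from the sample or from Symantec's write-up; the in-memory "APK" it builds is constructed test data, and the marker strings are assumed descriptors derived from the package names above, not byte sequences taken from the real file.

```python
import io
import warnings
import zipfile
from collections import Counter

# Assumed type-descriptor prefixes for the injected packages named in the
# write-up. DEX files store class names as "Lcom/example/Foo;", so a prefix
# search on the raw bytes is enough for triage (this is not a DEX parser).
INJECTED_MARKERS = (b"Lcom/google/safemain/", b"Lcom/google/service/")


def build_sample_apk() -> bytes:
    """Constructed sample: a tiny ZIP laid out like a CVE-2013-4787 repackaging,
    with two entries both named classes.dex. Not the Skullkey sample."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns "Duplicate name" on the second classes.dex; producing
        # exactly that duplicate is the point of the sample.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            # First copy: the original, signed dex (the one the verifier hashes).
            zf.writestr("classes.dex", b"dex\n035\x00 original code")
            # Second copy, same name: the injected dex (the one that gets loaded).
            zf.writestr("classes.dex", b"dex\n035\x00 Lcom/google/safemain/Main; injected")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map every entry name that occurs more than once in the central directory
    to its count. infolist() keeps all central-directory records, including
    duplicates, whereas namelist()/read(name) collapse them to the last one."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_payloads(apk_bytes: bytes, name: str) -> list:
    """Return the data of every entry called `name`, in central-directory order.
    Opening by ZipInfo (not by name) is what reaches the shadowed copies; each
    ZipInfo carries its own local-header offset."""
    payloads = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as fh:
                    payloads.append(fh.read())
    return payloads


def find_injected_markers(apk_bytes: bytes, markers=INJECTED_MARKERS) -> dict:
    """For each classes.dex copy (by position), list which marker strings it contains."""
    hits = {}
    for idx, data in enumerate(entry_payloads(apk_bytes, "classes.dex")):
        hits[idx] = [m.decode() for m in markers if m in data]
    return hits


def triage(apk_bytes: bytes) -> dict:
    """Combine both checks into one verdict: duplicate names plus marker hits per copy."""
    dups = duplicate_entries(apk_bytes)
    return {
        "duplicate_entries": dups,
        "master_key_suspect": "classes.dex" in dups,
        "marker_hits": find_injected_markers(apk_bytes),
    }


if __name__ == "__main__":
    # Expected: classes.dex appears twice, and only the second copy carries the marker.
    print(triage(build_sample_apk()))
```

Run it against a real APK by passing the file's bytes to triage(). Keep in mind that the marker search is a byte-level heuristic that flags candidates for manual review, and that patched Android builds reject packages with duplicate entry names at install time, so a hit on a device that still installs the app also tells you the device is unpatched.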


Download. Email me if you need the password






Fakemart - Android infostealer

Fakemart D002F0581A862373AA6C6C0070EC3156
Fakemart 27CFDF25ECAE75342A21230D19151939
Fakemart 6A0E9CE340164AF6F37A946DF650B458


Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99&tabid=2

The Trojan may perform the following actions:
Clear the contents of XMBPSP.xml in shared preferences
Configure XMBPSP.xml so that SMS messages are sent to 81211 or 81308
Set the device to silent mode
Delete SMS messages received from 81211
Open network connections
Block incoming SMS messages, encode the message body, and post it to the above URLs
Send SMS messages to 81211 or 81308 if the first ten incoming SMS messages contain the strings "BD MULTIMEDIA" or "code"

Download. Email me if you need the password.




Fakeupdate / Apkquq - Android

Jollyserv - Android Infostealer

Size: 438324
MD5:  2BE48FB3B8D89F64A18C459067AF3695

Research https://www.virustotal.com/en/file/31cb4d111c754077fcffaf44b5cdb220d2c12ab3e5d297e829072a79bb4cb44c/analysis/

The Trojan may then perform the following actions on the compromised device:
Send SMS messages to a premium number
Send SMS messages to all contacts
Intercept SMS messages

Next, the Trojan gathers the following information from the compromised device:
Phone number
List of running applications
Stored messages
System logs



Download. Email me if you need the password




Repane - Android Infostealer


Repane 0D924A1D6754C5B326C1DA7D474EC7A5
Repane ADD031D774F67B030CE86718AD95040B

Research http://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99

The Trojan may gather the following information from the compromised device:
Phone number
Integrated circuit card identifier (ICCID)
Network operator
Device identification number


Download. Email me if you need the password.





Godwon - Android Infostealer

Godwon C11FC7207BFBDB91E35B6C285FE0934F
Godwon 79309179DB63D2B505398ABCB4DD1AE0
Godwon 1238F2387193330BC79E7A03E92C2038
Godwon 2C373AA90942FEDC21BB0B2D35E8E340


Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99





Download. Email me if you need the password





Fakedefender.B - Android Fake Antivirus


Size: 2081371
MD5:  E790C4295B8ADB23D090BAE5D6EB786A

Android.Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99


Fakeplay - Android Infostealer

Beita - Android Infostealer


Android.Beita 10953B741D166D9E22937FE00FBF1038
com.beita.contact

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99
It gathers the following information from the user's list of contacts:

  • Name
  • Phone number
  • Address
  • Email



Download. Email me if you need the password






Backflash / Crosate - Android infostealer

File: Backflash_A3EB6B30E23146D9D44103ADDC71A41B
Size: 784255

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99

Payload: Opens a back door.
Releases Confidential Info: Steals information from the compromised device.



Download. Email me if you need the password



Fakebank.A and Fakebank.B - Android Infostealer trojan


Android.Fakebank (A and B) is a Trojan horse that steals information from the compromised device.

Functionality
When executed, the Trojan displays a form asking the user to enter banking details.

FakebankB_8BF10991F292EC7D165086506E8F0EDA
FakebankB_98EEA1D94A479E022E46D69B0FBE2453
FakebankB_A0721023EC39948251818306A15D3268
Fakebanker_37DFF309CC911A1DC16CCE4E51F9827B
Fakebanker_67E7BB573EAA1F25772809A471CDA327


Scipiex - Android Infostealer


Size: 329137
MD5:  6BD95C5BB0A99B29FF83D72DC578947B


Android.Scipiex is a Trojan horse for Android devices that steals information from the compromised device. 

Android package file 
The Trojan may arrive as a package with the following characteristics: 

Package name: com.yxx.jiejie 
APK: p2.apk 
Name: Love Chat (translated from Korean) 

Uten - Android SMS Trojan