
Sunday, November 24, 2013

Fakemart - Android infostealer

Fakemart D002F0581A862373AA6C6C0070EC3156
Fakemart 27CFDF25ECAE75342A21230D19151939
Fakemart 6A0E9CE340164AF6F37A946DF650B458


Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99&tabid=2

The Trojan may perform the following actions:
Clear the XMBPSP.xml contents in shared preference
Configure the XMBPSP.xml file to send SMS to 81211 or 81308
Set the device to silent mode
Delete SMS received from 81211
Open network connections
Block incoming SMS, encode the body of the message, and post them to the above URLs
Send SMS to 81211 or 81308 if the first ten incoming SMS contain the strings "BD MULTIMEDIA" or "code"
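A static triage check built from the behaviour list above, added here as an example (it is not code from the original post or from Symantec). It assumes the short codes, the XMBPSP preference name and the "BD MULTIMEDIA" string are stored as plain string literals in classes.dex, which the page does not confirm; the function names and the two-indicator threshold are hypothetical choices.

```python
import io
import zipfile

# Indicators taken from the behaviour list above. Assumption: they appear as
# plain string literals inside the APK (the page does not say how they are stored).
INDICATORS = ["XMBPSP", "81211", "81308", "BD MULTIMEDIA"]
# Standard Android permissions that the listed SMS behaviour would require.
SMS_PERMISSIONS = ["android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"]
MAX_MEMBER_SIZE = 64 * 1024 * 1024  # refuse to inflate oversized archive members


def _contains(blob: bytes, text: str) -> bool:
    """Match text as ASCII (dex string data) or UTF-16LE (binary XML string pool)."""
    return text.encode("ascii") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk) -> dict:
    """Return indicators and SMS permissions found in an APK (path or file object)."""
    hits = {"indicators": set(), "permissions": set()}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            is_dex = name.startswith("classes") and name.endswith(".dex")
            if not (is_dex or name == "AndroidManifest.xml"):
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                continue
            blob = zf.read(info)
            if is_dex:
                hits["indicators"].update(i for i in INDICATORS if _contains(blob, i))
            else:
                hits["permissions"].update(p for p in SMS_PERMISSIONS if _contains(blob, p))
    # A lone five-digit match can occur by chance, so require two indicators
    # plus at least one SMS permission before flagging the file for review.
    hits["suspicious"] = len(hits["indicators"]) >= 2 and bool(hits["permissions"])
    return hits


def build_constructed_apk(dex: bytes, manifest: bytes) -> io.BytesIO:
    """Build an in-memory ZIP standing in for an APK (constructed data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", manifest)
    buf.seek(0)
    return buf
```

A hit only marks a file for closer analysis; the hashes listed at the top of the post remain the way to confirm a sample.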

Download. Email me if you need the password.






https://www.virustotal.com/en/file/0e27c4fd8cfd230c0c37acf9fcd2f0aa07319ff365fa3331a9951065dcbeab48/analysis/
SHA256: 0e27c4fd8cfd230c0c37acf9fcd2f0aa07319ff365fa3331a9951065dcbeab48
File name: 27cfdf25ecae75342a21230d19151939.log
Detection ratio: 24 / 48
Analysis date: 2013-10-22 19:45:02 UTC ( 1 month ago )
Antivirus             Result                                            Update
Comodo                UnclassifiedMalware                               20131022
F-Secure              Trojan:Android/Fakeinst.CZ                        20131022
NANO-Antivirus        Trojan.FakeMart.cbmcgr                            20131022
VIPRE                 Trojan.AndroidOS.Generic.A                        20131022
Baidu-International   Trojan.AndroidOS.FakeMart.Aa                      20131022
Ikarus                Trojan-SMS.AndroidOS.Agent                        20131022
TrendMicro-HouseCall  TROJ_GEN.F47V0802                                 20131022
ESET-NOD32            probably a variant of Android/TrojanSMS.Agent.QN  20131022
Kaspersky             HEUR:Trojan-SMS.AndroidOS.FakeMart.a              20131022
McAfee                Artemis!27CFDF25ECAE                              20131022
McAfee-GW-Edition     Artemis!27CFDF25ECAE                              20131022
F-Prot                AndroidOS/FakeMart.A                              20131022
Commtouch             AndroidOS/FakeMart.A                              20131022
Avast                 Android:FakeInst-CJ [Trj]                         20131022
Fortinet              Android/FakeIns.AH                                20131022
AVG                   Android/Fakeins                                   20131022
AntiVir               Android/Agent.QN.6                                20131022
MicroWorld-eScan      Android.Trojan.FakeInst.AV                        20131022
BitDefender           Android.Trojan.FakeInst.AV                        20131012
GData                 Android.Trojan.FakeInst.AV                        20131022
Kingsoft              Android.Troj.generic.a.(kcloud)                   20130829
DrWeb                 Android.SmsSend.215.origin                        20131022
CAT-QuickHeal         Android.FakeMart.A                                20131022
Sophos                Andr/FakeIns-AH                                   20131022
