Android AVPass

Research: Baidu Security Labs http://blog.csdn.net/androidsecurity/article/details/18816557

Sample Credit: Tom:Pan

Size: 203000
MD5:  CCC01FD6D875B95E2AF5F270AAF8E842



Download. Email me if you need the password.

Android Airpush, /StopSMS.B, Minimob

  Sample credit Tachion


  08061663E638B5AC1D780CAACBE9FAD8 GlamorousSmoke.apk
    2C3B92FFE8123611AE9D9BED000C99F7 3dtimeclockticks.apk
    4FD1194F8127439609319CDBE244C0A7 _BlueArt.apk
    58E73A03025BA95337C952223F18F479 _lordssacredheavenlycross.apk
    8F7A41A921FC15F4FD47A33E476D7B3B SkullLighter.apk
    B0E22A785041229A644F015472E738BA_ghostiderfireflamessremixFAMOUS3DAPPS.apk
    CE7B9B2242A71BBEAC0B2839B1063013 NoiseDetectorNonG.apk
    D67A07E3DE88C0130420588FD158B967 eyeseeyouSAMSUNG.apk
    DE5BFA8715DAC2E29E206C19CA98F2F4 JingleBellNonG.apk
    FB9FEFFB1FEF13C4A5E42ACE20183912 SaveTenDollar.apk

 Download all. Email me if you need the password.

Windows Droidpak and Android Fakebank.B / Gepew.A

Research: Symantec: Windows Malware Attempts to Infect Android Devices

Droidpak
Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

Fakebank.B/ Gepew.A
0D28FA54F9C0D41801E8FB5A7B0433DD
792BBB3DDC46E3D0E640D32977434ACA
4021A1E00B3ABEE730994F1EE17219B4
Size: 230785



Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A



Droidpak - Windows malware that downloads Fakebank

The iconfig.txt file is not present on the C2 server so the information is limited

Dropper
A398322586356ADD2CE43E3580CA272F sbayAYG51.exe

Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\DWORD.sn
C:\WINDOWS\system32\flashmx32.xtl
C:\WINDOWS\CrainingApkConfig\down.log
C:\WINDOWS\CrainingApkConfig\iconfig.txt
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。(translates: The page you are looking for might have been removed, renamed or is temporarily unavailable.)

Traffic (404 on c2) - Download pcap with the Windows droidpak binaries above

iconfig.txt (not available, sorry)

GET /iconfig.txt HTTP/1.1User-Agent: Mozilla/4.0 (compatible)Host: xia2.dyndns-web.comCache-Control: no-cache
HTTP/1.1 404 Not FoundContent-Length: 1308Content-Type: text/htmlServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETDate: Tue, 28 Jan 2014 12:55:25 GMT
 xia2.dyndns-web.com
WHOIS Source: APNIC
IP Address:   103.242.134.136Country:      Hong Kong
Network Name: HJEATC-CN
Owner Name:   No.9-F, CaiFuDaSha, No.396 Heping Road
From IP:      103.242.132.0
To IP:        103.242.135.255
Allocated:    Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address:      No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Email:        abuse@hostshare.cn
Abuse Email:  abuse@hostshare.cn
Phone:        +86 18973306525
Fax:          +86 18973306525

Android Airpush - monetization, ads

Size: 5972931

MD5:  2EED7318CA564A909E75AD616CAD5CDF

Download (Email me if you need the password)

Android FakeMarket - Google Play

Research: TGSoft 13/01/2014 18.49.39 - How safe is really Google Play Store?
Research: Android FakeMarket analysis by AndroTotal

Still available on Google Play
https://play.google.com/store/apps/details?id=com.bktballelite.com

Sample credit: Paolo Rovelli

Download. Email me if you need the password

Android Oldboot / Mouabad.s

MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 (com.android.googledalvik.apk) = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 (libgooglekernel.so) = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:

“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk’s running;
“GoogleKernel.apk" and “libgooglekernel.so” are two files dropped by the imei_chk;
“com.qq.assistant.apk” is the first variant, while “com.android.googledalvik.apk” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in boot partition and modify init.rc, analyst could restore the whole attack.

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang


Also See: Mouabad.p - Pocket Dialing For Profit  (Lookout security) 


Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)


Download all the listed samples (new link)