Research: Fake “The Interview” app is really an Android banking trojan by Graham Cluley | December 27, 2014
Sample credit: Mario Bono
File: com.movieshow.down.apk
Size: 2236959
MD5: 0882C94E141B2B000B8805D51722F70D
Download. Email me if you need the password
https://www.virustotal.com/en/file/8d2cc94e2540442f6c7b33d6f941f8acfb6cc5a46141850e20e365eb0871dbf3/analysis/1419933526/
SHA256: 8d2cc94e2540442f6c7b33d6f941f8acfb6cc5a46141850e20e365eb0871dbf3
File name: vti-rescan
Detection ratio: 2 / 55
Analysis date: 2014-12-30 09:58:46 UTC
Ikarus Trojan-Downloader.AndroidOS.Badaccents 20141230
McAfee Artemis!0882C94E141B 2014123
http://f.cl.ly/items/132B2E2f0t46241d3s06/%EA%B2%B0%ED%98%BC%EC%B2%AD%EC%B2%A9.apk
http://f.cl.ly/items/1h1i2C2M1M2P1r0l2M3u/%EC%B2%AD%EC%B2%A9%EC%9E%A5.apk
Permissions that allow the application to access Internet
Other permissions that could be considered as dangerous in certain scenarios
Required permissions
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.INSTALL_PACKAGES (directly install applications)
android.permission.INTERNET (full Internet access)
Permission-related API calls
INTERNET
Ljava/net/URLConnection;->connect()V called from Lcom/movieshow/down/Badaccents$DownloadMusicfromInternet;->doInBackground([Ljava/lang/String;)Ljava/lang/String;
Ljava/net/URL;->openConnection()Ljava/net/URLConnection; called from Lcom/movieshow/down/Badaccents$DownloadMusicfromInternet;->doInBackground([Ljava/lang/String;)Ljava/lang/String;
Ljava/net/URL;->openStream()Ljava/io/InputStream; called from Lcom/movieshow/down/Badaccents$DownloadMusicfromInternet;->doInBackground([Ljava/lang/String;)Ljava/lang/String;
Main Activity
com.movieshow.down.Badaccents
Activities
com.movieshow.down.Badaccents
Activity-related intent filters
com.movieshow.down.Badaccents
actions: android.intent.action.MAIN
categories: android.intent.category.LAUNCHER
Code-related observations
The application does not load any code dynamically
The application does not contain reflection code
The application does not contain native code
The application does not contain cryptographic code
Application certificate information
Application bundle files
AndroidManifest.xml
Android's binary XML
META-INF/CERT.RSA
data
META-INF/CERT.SF
ASCII text, with CRLF line terminators
META-INF/MANIFEST.MF
ASCII text, with CRLF line terminators
classes.dex
Dalvik dex file version 035
res/drawable-hdpi-v4/ic_action_search.png
PNG image data, 48 x 48, 8-bit colormap, non-interlaced
res/drawable-hdpi-v4/ic_launcher.png
PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced
res/drawable-hdpi-v4/movie_image.jpg
JPEG image data, JFIF standard 1.01
res/drawable-ldpi-v4/ic_launcher.png
PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced
res/drawable-mdpi-v4/ic_action_search.png
PNG image data, 32 x 32, 8-bit colormap, non-interlaced
res/drawable-mdpi-v4/ic_launcher.png
PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced
res/drawable-xhdpi-v4/ic_action_search.png
PNG image data, 64 x 64, 8-bit colormap, non-interlaced
res/drawable-xhdpi-v4/ic_launcher.png
PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced
res/layout/main.xml
Android's binary XML
resources.arsc
data