
Saturday, February 11, 2012

Android Malware FakeTimer (via #OCJP)

ANALYSIS: #OCJP-010: 14243444.com bananaxxx.maido3.com (206.223.148.230)

hxxp://www.14243444.com/appli02.php
hxxp://14243444.com/appli02.php
hxxp://206.223.148.230/~pj629g01/appli02.php
hxxp://banana8310.maido3.com/~pj629g01/appli02.php
hxxp://banana3247.maido3.com/~pj629g01/appli02.php

File: sp_ntm.apk
Size: 80060
MD5:  44D31414A63A090E5A54670C33E0D1BC

Virustotal

File: sp_mtm.apk
Size: 79930
MD5:  C9C7AE465D712EB79976B34B0F76F1DB

Update Feb. 19.
File: sp_k_test.apk
Size: 80119
MD5:  079B92DF0DA0E57C3DFCD5B8D0D2C82C
Virustotal

Update Feb. 15. 
File: sp_k_test.apk
Size: 79973
MD5:  2B609E4ACFEBBEE57ECF6DDBFD8202D2
https://www.virustotal.com/file/8d9f6939db8f9b54e062403915174431008aa6c87a1803ff9faed072bb7620ee/analysis/

File: sp_btm.apk
Size: 79935
MD5:  CF9BA4996531D40402EFE268C7EFDA91

Virustotal
The scheme, as described by Hendrik, is as follows:
It poses as a timer application that connects to the adult site to download adult videos.
Once it starts, it collects system data, runs as an HTTP client process, syncs with the adult site and sends user data (Google account and smartphone information) to the adult site; each of these actions is triggered by timers.


SHA256:          2fbc32387f9b5c5a8678af3a76c0630ba4d04fd520b21782642a517794063f05
SHA1:            9adf38a8369ce9752e499011822d2e7b80d604c4
MD5:             44d31414a63a090e5a54670c33e0d1bc
File size:       78.2 KB (80060 bytes)
File name:       ntm.apk.txt
File type:       ZIP
Detection ratio: 12 / 43

Avast         Android:FakeTimer-A [Trj]             20120211
BitDefender   Android.Trojan.FakeTimer.B            20120211
ClamAV        Trojan.Android.FakeTimer              20120211
Comodo        UnclassifiedMalware                   20120211
DrWeb         Android.Bibean.origin                 20120211
Emsisoft      Android.FakeTimer!IK                  20120211
F-Secure      Android.Trojan.FakeTimer.B            20120211
GData         Android.Trojan.FakeTimer.B            20120211
Kaspersky     HEUR:Trojan.AndroidOS.FakeTimer.a     20120211
Microsoft     TrojanSpy:AndroidOS/FakeTimer.A       20120211
NOD32         Android/FakeTimer.C                   20120211

8 comments:

  1. Current file name is "mtm.apk".

    https://www.virustotal.com/url/4505afc8d4090db99b0cb65371d88a9947776a7ed93cf6437e929aab34ffbde7/analysis/1328876036/
    https://www.virustotal.com/file/748cfa75ba9a7b9d8fd9673e425d504054d71fb9ce7d732656d1ce8dbe5d6a3b/analysis/1328876037/
    https://www.virustotal.com/file/748cfa75ba9a7b9d8fd9673e425d504054d71fb9ce7d732656d1ce8dbe5d6a3b/analysis/
    SHA256: 748cfa75ba9a7b9d8fd9673e425d504054d71fb9ce7d732656d1ce8dbe5d6a3b
    SHA1: 52fb9c62f1d319d1cad700779301536e6993eecc
    MD5: c9c7ae465d712eb79976b34b0f76f1db
    File size: 78.1 KB ( 79930 bytes )
    Detection ratio: 12 / 43

    Thank You

  2. The APK downloader changed names at the first report.
    Both files have the same ELF binaries, same logic, same adult sites & same maker.
    You may see that both detections were mentioned on my site from the beginning.
    Just paste the Japanese words below:

    ■オンラインスキャン結果↓ at the site below, and you will see both samples:
    http://unixfreaxjp.blogspot.com/2012/02/ocjp-010.html

    rgds

  3. For your conveniences:

    File name: sp_ntm.apk
    MD5: 44d31414a63a090e5a54670c33e0d1bc
    File size: 78.2 KB ( 80060 bytes )
    File type: ZIP
    Detection ratio: 4 / 43
    VT Analysis date: 2012-02-10 06:20:41 UTC

    File name: sp_mtm.apk
    MD5: c9c7ae465d712eb79976b34b0f76f1db
    File size: 78.1 KB ( 79930 bytes )
    File type: ZIP
    Detection ratio: 12 / 43
    VT Analysis date: 2012-02-13 05:40:07 UTC

  4. The malware site was JUST changing the APK installer to fool/bypass the AV scanners:

    File name: sp_btm.apk
    File size: 78.1 KB ( 79935 bytes )
    MD5: cf9ba4996531d40402efe268c7efda91
    File type: ZIP
    Detection ratio: 8 / 43
    Analysis date: 2012-02-13 09:15:31 UTC
    https://www.virustotal.com/file/eaaadaf6d51487057fb2709cabfca742cf84b97dc5583d3c280175c8ee2d23a2/analysis/1329127575/

  5. Malware files in the "/sp" folder.

    "atm.apk"
    https://www.virustotal.com/url/5183a522fdcd5c8de1611c26e25229c83bd158aa80c79e4a209f39c18d9bfcad/analysis/1329132131/
    https://www.virustotal.com/file/ce32e65cb87af69ddcecc31d8bc9487168da4fa65f42e14526f79c6be72f07ee/analysis/1329132132/

    "btm.apk"
    https://www.virustotal.com/url/618d93244888d5cab661c1d3eb1586c0aedf9aa9a2e6e407c307f34277cba43a/analysis/1329134446/
    https://www.virustotal.com/file/eaaadaf6d51487057fb2709cabfca742cf84b97dc5583d3c280175c8ee2d23a2/analysis/1329134447/

    "mtm.apk"
    https://www.virustotal.com/url/e2e22c15b5a4c0235d0d49ed13891dda4b31bd29c9a1a43fa985396acbe21778/analysis/1329134540/
    https://www.virustotal.com/file/c362fd1150860364930a643993fa0e2c63ca0dd6892b13678937169812099776/analysis/1329134541/

    "ntm.apk"
    https://www.virustotal.com/url/c3f26e266756ea277aeda532b9e6b4b36ce6d8602fd26b943488c4f63091170c/analysis/1329134693/
    https://www.virustotal.com/file/2fbc32387f9b5c5a8678af3a76c0630ba4d04fd520b21782642a517794063f05/analysis/1329134694/

  6. The password on the third sample doesn't seem to be "infected". (However, I managed to get the sample from the original site.)

  7. Today the sample is CHANGING again..

    File name: sp_k_test.apk
    MD5: 2b609e4acfebbee57ecf6ddbfd8202d2
    File size: 78.1 KB ( 79973 bytes )
    File type: ZIP
    Detection ratio: 9 / 43
    Analysis date: 2012-02-14 09:02:41 UTC ( 0 minutes ago )
    https://www.virustotal.com/file/8d9f6939db8f9b54e062403915174431008aa6c87a1803ff9faed072bb7620ee/analysis/1329210161/

    Download Proof:
    Tue Feb 14 18:22:35 JST 2012

    ----------------------------------------
    http://www.14243444.com/appli02.php
    ----------------------------------------
    GET /appli02.php HTTP/1.1
    Host: www.14243444.com
    User-Agent: Mozilla/5.0 (FreeBSD 8.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ja,en-us;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Tue, 14 Feb 2012 08:59:44 GMT
    Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.3.8 mod_antiloris/0.4
    X-Powered-By: PHP/5.3.8
    Content-Disposition: attachment; filename=sp/k_test.apk
    Content-Length: 79973
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Content-Type: application/vnd.android.package-archive

    ----------------------------------------
    http://14243444.com/appli02.php
    ----------------------------------------
    GET /appli02.php HTTP/1.1
    Host: 14243444.com
    User-Agent: Mozilla/5.0 (FreeBSD 8.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ja,en-us;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cookie: PHPSESSID=a76c2607a7dd84d8764530ecc2c97c1a

    HTTP/1.1 200 OK
    Date: Tue, 14 Feb 2012 09:00:24 GMT
    Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.3.8 mod_antiloris/0.4
    X-Powered-By: PHP/5.3.8
    Content-Disposition: attachment; filename=sp/k_test.apk
    Content-Length: 79973
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Content-Type: application/vnd.android.package-archive

    It is the same malware, same works...
    It is up to ARIN now to shut down this IP connection.

    unixfreaxjp

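Added example, not code from the post or its commenters: a small Python check that flags the download behaviour the captured headers in the comment above show (an APK handed out as an attachment by a .php endpoint) and compares a sample's MD5 against the hashes listed on this page. It illustrates why hash matching alone lags a site that re-packs its APK every day while the serving pattern stays constant; the response text is copied from the transcript above, the benign response is constructed.

```python
import re

# Copy of the response headers captured in the comment above (from the page's transcript)
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.3.8 mod_antiloris/0.4
Content-Disposition: attachment; filename=sp/k_test.apk
Content-Length: 79973
Content-Type: application/vnd.android.package-archive
"""
# Constructed benign response, to show the checks do not fire on an ordinary page
BENIGN_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\nContent-Length: 512\n"
APK_MIME = "application/vnd.android.package-archive"

# MD5s of the samples listed in this post and its comments (lower-cased)
KNOWN_MD5 = {
    "44d31414a63a090e5a54670c33e0d1bc",  # sp_ntm.apk
    "c9c7ae465d712eb79976b34b0f76f1db",  # sp_mtm.apk
    "cf9ba4996531d40402efe268c7efda91",  # sp_btm.apk
    "2b609e4acfebbee57ecf6ddbfd8202d2",  # sp_k_test.apk, Feb 14
    "079b92df0da0e57c3dfcd5b8d0d2c82c",  # sp_k_test.apk, Feb 19
}

def parse_response(raw):
    # Split a raw HTTP response into (status line, {lower-cased header name: value})
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def apk_drop_indicators(url, raw_response):
    """Reasons a response looks like the APK drop seen above; an empty list means clean."""
    _, h = parse_response(raw_response)
    reasons = []
    mime = h.get("content-type", "").split(";")[0].strip().lower()
    if mime == APK_MIME:
        reasons.append("apk-mime")
    disp = h.get("content-disposition", "")
    fname = re.search(r'filename="?([^";]+)', disp)
    if disp.lower().startswith("attachment") and fname and fname.group(1).lower().endswith(".apk"):
        reasons.append("attachment-apk:" + fname.group(1))
    # A .php endpoint handing out an APK is the part of the pattern that survives re-packing
    if reasons and re.search(r"\.php(\?|$)", url):
        reasons.append("php-endpoint")
    return reasons

def md5_is_known(md5_hex):
    # Hash matching only catches samples already listed; the newest MD5 in comment 8 is not
    return md5_hex.lower() in KNOWN_MD5
```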
  8. Does it change more than once a day? I missed the sample with MD5 2b609e4acfebbee57ecf6ddbfd8202d2. Today the sample there has MD5 A26DCDD898D495D8BC8F71BD4FB6F29C.
