Clicky

Friday, July 13, 2012

DropDialer. A and DropDialer.B - Android SMS trojan

Research: Symantec Android.Dropdialer Identified on Google Play


DOWNLOADER DropDialer.a
File: com.nnew.GTAHDBackground.apk
Size: 3442089
MD5:  B7D33549AE6B438DF0A42838CACE4209

DOWNLOADED DropDialer.b

File: Activator.apk
Size: 15794
MD5:  1E0D68C2CA22471E83CC385E559A0A0D

Download - pass infected

Sample credit - Tim Strazzerre Lookout Security

https://www.virustotal.com/file/d247fd61d064e3d2fb4dd060b52b2ca039eecdb295d4ecba4055e7c679a71eba/analysis/
SHA256: d247fd61d064e3d2fb4dd060b52b2ca039eecdb295d4ecba4055e7c679a71eba
SHA1: e8182a5121b579c207afba108ca17764ae5b5783
MD5: b7d33549ae6b438df0a42838cace4209
File size: 3.3 MB ( 3442089 bytes )
File name: com.nnew.GTAHDBackground_1.apk
File type: Android
Tags: android
Detection ratio: 2 / 41
Analysis date: 2012-07-11 15:48:33 UTC ( 2 days, 11 hours ago )

DrWeb Android.SmsSend.405.origin 20120711
F-Secure Trojan:Android/DropDialer.A 20120711
Additional information


https://www.virustotal.com/file/de2b1757f1d73958fe639b6301870ab4e1704b3bc81927d5fad9f087c54958d2/analysis/1342236136/

SHA256: de2b1757f1d73958fe639b6301870ab4e1704b3bc81927d5fad9f087c54958d2
SHA1: 15e54cc76751ad2fc7068ea06663e708c6ec05c2
MD5: 1e0d68c2ca22471e83cc385e559a0a0d
File size: 15.4 KB ( 15794 bytes )
File name: Activator.apk
File type: Android
Detection ratio: 8 / 42
Analysis date: 2012-07-14 03:22:16 UTC ( 0 minutes ago )

Comodo UnclassifiedMalware 20120714
DrWeb Android.SmsSend.696.origin 20120714
F-Secure Trojan:Android/DropDialer.A 20120714
Jiangmin Trojan/AndroidOS.cgy 20120714
Kaspersky HEUR:Trojan-SMS.AndroidOS.FakeInst.a 20120714
Norman payload DropDialer.C 20120713
PCTools Dialer.Generic 20120714
Symantec Android.Dropdialer 20120714
TrendMicro-HouseCall - 20120713

Additional information
No comments


7 comments:

  1. Ah, the download links are missing. :-)

    Also, from the description, these could be FakeSMSInstaller variants. My dexid tool is likely to detect that, although it's not guaranteed.

    ReplyDelete
  2. Thanks for fixing the link. Let's see...

    Ah, that can't be right. What you have as DropDialer.A is exactly the same sample you posted as MMMarketPlay - and it is fundamentally different from the DropDialer.B sample; the two can't be in the same family. Could there be a mistake and could you have posted the wrong file as the .A variant?

    Also, the .B variant indeed doesn't belong to the FakeSMSInstaller family.

    P.S. I'm Bontchev; for some reason the logging in via OpenID fails.

    ReplyDelete
    Replies
    1. you are right. i corrected that too, sorry

      Delete
  3. Thanks.

    I am still not convinced that the two should be in the same family - the .A variant is much more complex than the .B variant; just look at the class structure - but nevermind.

    ReplyDelete
  4. Hi,
    Is there anything I can do to get the password for the downloaded zipped apks?

    Thank you,
    curious

    ReplyDelete
  5. I found it :) Thank You!

    curious

    ReplyDelete