Wednesday, December 11, 2013

MouaBad.P - Android dialer SMS trojan

Research: Lookout: MouaBad.P : Pocket Dialing For Profit

Sample credit: Tim Strazzere

Size: 38505
MD5:  68DF97CD5FB2A54B135B5A5071AE11CF

Download. Email me if you need the password

Sunday, November 24, 2013

ZertSecurity - Android Bank infostealer

FakeNotify.B (2011) - Premium SMS Trojan

Roidsec / Sinpon - Android Infostealer

Roidsec D4A557EC086E52C443BDE1B8ACE51739


The Trojan collects the following information from the compromised computer:
Sends SMS messages
Forces the phone to stay on
Collect call log
Collect contacts
Collect installed apps
Collect GPS location
Collect memory size available on phone memory
Collect SD memory size available
List all files on SD with timestamps
Collect incoming SMS messages
Collect outgoing SMS messages
List of apps currently running
Collect total amount of RAM
Status of WiFi being on or off
List all files on phone memory with timestamps
Deletes files on SD card

Download. Email me if you need the password

Simhosy / Waps - Android infostealer

simhosy 6B2D0948A462431D93A2035A82AF6CB5
simhosy 533453B7F3A7F55816B2EDCD5326DD2D
simhosy D2151D102F8DCBCD03DA4B9F3070F4D3

The Trojan steals SMS messages and contacts from the compromised device

Download. Email me if you need the password

Phosty / Phospy - Android infostealer

Phospy 5F23671F67F0FBFC2529919DB56485A0
Phospy EED211032FF576F7FD590C22F142B877


The Trojan steals all .jpg and .mp4 files it finds on the device  

Download. Email me if you need the password

Fakedaum / vmvol - Android Infostealer

Fakedaum 0B6CDC9B9F778E0D8171DD279C5F690B


The Trojan then gathers the following information from the compromised device:
SMS messages
Phone number

Usbcleaver - Android infostealer (from Windows PC)

Usbcleaver 283D16309A5A35A13F8FA4C5E1AE01B1
Usbcleaver C22C068EAEE7AD7FD4FD015CD50045DB


When the device is connected to a Windows computer that does not have autorun disabled, the Trojan then gathers information from the computer, including:
Default gateway
Google Chrome password
Host name
IP address
Microsoft Internet Explorer password
Mozilla Firefox password
Physical address
Subnet mask
WiFi password

It then stores the above information in the following location, which a remote attacker can retrieve at a later stage:

Download. Email me if you need the password.

Fake Taobao - Android infostealer

MD5:  45DAE1EE4CA1980C140CB5C9DA2A7ED5


The Trojan sends the following information to a specific phone number:
Taobao user name
Taobao password
Zhifubao user name
Zhifubao password
The Trojan requires another .apk file to be downloaded so it can forward SMS messages to the specific phone number.

Download. Email me if you need the password. 

Skullkey - Android Infostealer

skullkey 2DC07DCA36487339F3935ACE890E42E0


Package names:, com.hk515.activity

Malicious code is inserted in the package in the following locations:

When the Trojan is being installed, it requests permissions to perform the following additional actions:
Clear the caches of all installed applications on the device.
Read user's contacts data.
Monitor incoming SMS messages.
Read SMS messages on the device.
Send SMS messages.
Start once the device has finished booting.
Change the background wallpaper.
Monitor incoming WAP push messages.


The Trojan hides using the Android 'Master Key' vulnerability to keep the legitimate app signature valid.

The Trojan allows attackers to perform the following actions:
Open a back door
Steal sensitive data (such as IMEI and phone number) and sends it to
Send premium SMS messages
Disable certain security apps by using any available root commands

Download. Email me if you need the password

Fakemart - Android infostealer

Fakemart D002F0581A862373AA6C6C0070EC3156
Fakemart 27CFDF25ECAE75342A21230D19151939
Fakemart 6A0E9CE340164AF6F37A946DF650B458


The Trojan may perform the following actions:
Clear the XMBPSP.xml contents in shared preference
Configure the XMBPSP.xml file to send SMS to 81211 or 81308
Set the device to silent mode
Delete SMS received from 81211
Open network connections
Block incoming SMS, encode the body of the message, and post them to the above URLs
Send SMS to 81211 or 81308 if the first ten incoming SMS contain the strings "BD MULTIMEDIA" or "code"

Download. Email me if you need the password.

Fakeupdate / Apkquq - Android

Jollyserv - Android Infostealer

Size: 438324
MD5:  2BE48FB3B8D89F64A18C459067AF3695


The Trojan may then perform the following actions on the compromised device:
Send SMS messages to a premium number
Send SMS messages to all contacts
Intercept SMS messages

Next, the Trojan gathers the following information from the compromised device:
Phone number
List of running applications
Stored messages
System logs

Download. Email me if you need the password

Repane - Android Infostealer

Repane 0D924A1D6754C5B326C1DA7D474EC7A5
Repane ADD031D774F67B030CE86718AD95040B


Trojan may gather the following information from the compromised device:
Phone number
Integrated circuit card identifier (ICCID)
Network operator
Device identification number

Download. Email me if you need the password.

Godwon - Android Infostealer

Godwon C11FC7207BFBDB91E35B6C285FE0934F
Godwon 79309179DB63D2B505398ABCB4DD1AE0
Godwon 1238F2387193330BC79E7A03E92C2038
Godwon 2C373AA90942FEDC21BB0B2D35E8E340


Download. Email me if you need the password

Fakedefender.B - Android Fake Antivirus

Size: 2081371
MD5:  E790C4295B8ADB23D090BAE5D6EB786A

Android.Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.


Fakeplay - Android Infostealer

Beita - Android Infostealer

Android.Beita 10953B741D166D9E22937FE00FBF1038

It gathers the following information from the user's list of contacts:

  • Name
  • Phone number
  • Address
  • Email

Download. Email me if you need the password

Backflash / Crosate - Android infostealer

File: Backflash_A3EB6B30E23146D9D44103ADDC71A41B
Size: 784255


Payload: Opens a back door.
Releases Confidential Info: Steals information from the compromised device.

Download. Email me if you need the password

Fakebank.A and Fakebank.B - Android Infostealer trojan

When executed, the Trojan displays a form asking the user to enter in banking details.

Android.Fakebank (A and B) is a Trojan horse that steals information from the compromised device.


Scipiex - Android Infostealer

Size: 329137
MD5:  6BD95C5BB0A99B29FF83D72DC578947B

Android.Scipiex is a Trojan horse for Android devices that steals information from the compromised device. 

Android package file 
The Trojan may arrive as a package with the following characteristics: 

Package name: com.yxx.jiejie 
APK: p2.apk 
Name: Love Chat (translated from Korean) 

Uten - Android SMS Trojan

Tuesday, September 17, 2013

Android FakeAV - Labelreader.apk

Research: Android Mobile: Following In the Windows Footsteps

fakeAV_1CA532F171A0B765A46AF995EBAAB1D2_LabelReader.apk 1ca532f171a0b765a46af995ebaab1d2
fakeAV_1E178E501B41659FFACE85153615DEA7_LabelReader.apk 1e178e501b41659fface85153615dea7
fakeAV_6F237D25472D9D09FC44ECE7DC9CED92_LabelReader.apk 6f237d25472d9d09fc44ece7dc9ced92
fakeAV_36B177910C99872B33E90DEA71B16617_LabelReader.apk 36b177910c99872b33e90dea71b16617
fakeAV_75B8F9DBB1CD79B7FC074F7F499150CF_LabelReader.apk 75b8f9dbb1cd79b7fc074f7f499150cf
fakeAV_77BB7F86FB0AC66C97B1AB3573ADFFC1_LabelReader.apk 77bb7f86fb0ac66c97b1ab3573adffc1
fakeAV_148B76C664F2854E2947AF01160FFA99_LabelReader.apk 148b76c664f2854e2947af01160ffa99
fakeAV_934527F8EBB5C1088009CC9329DC3DE6_LabelReader.apk 934527f8ebb5c1088009cc9329dc3de6
fakeAV_ED1E0689F93B0C57E403489BB5338F59_LabelReader.apk ed1e0689f93b0c57e403489bb5338f59

Thursday, September 12, 2013

Android Malapp

Size: 425809
MD5:  301F53CD5387CA1FE0DBBE47E40DFD8F

Size: 1933672
MD5:  73C2E204A9C11B7E03015954B86B7EA1

Download. Email me if you need the password

Android Lien.A / SMSAgent.C - SMTP malware

File: 20130802_031615.apk
Size: 322915
MD5:  C9B7BE2C1518933950B0284FC254C485

Saturday, July 13, 2013

TRracer - commercial spyware / PUA samples for Android, Blackberry, SymbOS, iOS


Commercial spyware.
Functionality inlcudes (judging by the files - see more

Schedule Days
Schedule Time
Data Setting
Report Call Logs
Report Contacts
Report SMS
Report Gmail
Report Web Browser
Report New Photos
Report New Videos
Call Record
Call Record Strategy
Record Format
Report Whatsapp Chats
Report Viber Chats
Report Skype Chats
Report Facebook Chats
Report Facebook Photos
Spy Call Number(s)
Do not record Spy Calls
Report GPS location
Recover via GMail
Enable GMail recovery

Download all files (Email me if you need the password)

Files included

File: TRa7.0.sis
MD5:  d55c0e339a2cbb91132f53c5ecaf4fd5
Size: 266200

File: Tracer-1.cod
MD5:  df01e4ea2433dc08bce21b7b44a604eb
Size: 43240

File: TRacer.apk.1
MD5:  1c37f184a707d2c7c6d79cabeda2df69
Size: 7938460

File: com.timecompiler.Tracer_0.0.1-958_iphoneos-arm.deb
MD5:  fbb4a02d9921cb303d70c147bd8e270c
Size: 2669126

Thursday, June 6, 2013


Update Sept 13, 2013 
Sandbox results from Andrototal:

Kaspersky: The most sophisticated Android Trojan
Droidnews: Самый сложный вредонос под Android 

Sample credit: Tim Strazzere (Lookout Security)

Size: 84306
MD5:  E1064BFD836E4C895B569B2DE4700284

Size: 85079
MD5:  F7BE25E4F19A3A82D2E206DE8AC979C8

Download. Email me if you need the password

The following analysis was shared by Gunther

If you simply use dex2jar+JD-GUI, you will realised that most of the methods can't be decompiled.
Furthermore, i've realised that the one which it managed to decompiled looked wrong too.
I've attached my manual approach as well

Basically for a start, i would recommend you to use apktool first.
apktool.bat d <filename>

You should see something like this after running the above command.

    C:\Users\Gunther\Desktop\apktool>apktool.bat d F7BE25E4F19A3A82D2E206DE8AC979C8
    I: Baksmaling...
    I: Loading resource table...
    I: Loaded.
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: C:\Users\Jacob\apktool\framework\1.apk
    I: Loaded.
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Done.
    I: Copying assets and libs...

Now let’s take a look at the AndroidManifest.xml file, you should see the the permissions requested by the APK file.
It's a huge list so i won't paste it here.

From the AndroidManifest.xml, we also know the following
1.) This malware have several "service" entries.
Furthermore, if we look up we can see that it indicates to have a high priority.
2.) There is an Activity entry and under the “intent” tag of this Activity entry. It indicates to start as the main entry point according to

According to the official diagram from Android, we should be looking at “OnCreate” function first.

3.) Earlier on, i've written that there are several "Service" being started by this app. According to We should be looking at “OnCreate” or “StartService” in that class file.
This “Service” is running in the background even when the user is not directly interacting with the application.

Analysis of Dalvik Code:
Let’s take a look at the onCreate function first. To have a better understanding of Dalvik byte code, it’s probably better to have either of the following 2 links:

Now before we go to "OnCreate", earlier on i've mentioned that Dex2Jar screwed it up right. Let's look at "cOIcOOo" in this smali file, "OclIIOlC"

Now look at the original smali code and this one with comments.
.method private static cOIcOOo(III)Ljava/lang/String;
// private static String cOIcOOo(Int paramInt1, Int paramInt2, Int paramInt3){
    .locals 6
    sget-object byteArray1, Lcom/android/system/admin/OclIIOlC;->cOIcOOo:[B
    // byte[] byteArray1 = OclIIOlC.cOIcOOo;
    add-int/lit8 p0, p0, 0x60
    // paramInt1 = paramInt1+0x60
    add-int/lit8 paramInt3, paramInt3, 0x21
    // paramInt3 = paramInt3+0x21;
    const/4 k, 0x0
    // int k = 0;
    new-instance v0, Ljava/lang/String;
    // String v0;
    new-array byteArray2, paramInt3, [B
    // byte[] byteArray2 = new byte[paramInt3];
    if-nez byteArray1, :cond_0
    // if( byteArray1==null ){
    move v2, paramInt3
    // v2 = paramInt3;
    // }
    move v3, paramInt2
    // v3 = paramInt2;
    add-int/lit8 paramInt2, paramInt2, 0x1
    // paramInt2 += 1;
    // or paramInt2++;
    add-int/2addr v2, v3
    // v2 += v3;
    add-int/lit8 paramInt1, v2, -0x2
    // paramInt1 = v2 + (-0x2);
    int-to-byte v2, paramInt1
    aput-byte v2, byteArray2, k
    // Puts the byte value in v2 into an element of a byte array. The element is indexed by k, the array object is referenced by byteArray2.
    // byteArray2[k] = v2;
    add-int/lit8 k, k, 0x1
    // k +=0x1;
    // or k++;
    if-lt k, paramInt3, :cond_1
    // if( k>=paramInt3 ){
    const/4 v2, 0x0
    // v2 = 0x0;
    invoke-direct {v0, byteArray2, v2}, Ljava/lang/String;-><init>([BI)V
    return-object v0
    // return new String(byteArray2, v2);
    move v2, paramInt1
    // v2 = paramInt1;
    aget-byte v3, byteArray1, paramInt2
    // Gets a byte value of a byte array into v3. The array is referenced by byteArray1 and is indexed by paramInt2.
    // v3 = byteArray1[paramInt2];
    goto :goto_0
.end method

Now compare it with "HelloWorld", which I've attached here. This should be the way to finally reverse it...i think.

Ok, i've also mentioned before on why AVs and some of the tools don't work.
Most of the better Android malware nowadays uses Reflection API.
Reflection can allow a program to create a "function pointer"  and invoke the target function by using it. You can see it's common usage in ExploitKits or those Java exploits.

You will see it when you start reversing "OnCreate" function.

Wednesday, May 29, 2013

Monday, May 13, 2013

Android Stels

Hello all, sorry for the long outage - been busy :) Here are are 3 posts for Stels, Perkele, and Korean SMSspy (see 2 posts after this one)

Android Stels

Size: 164210
MD5:  B226A66A2796E922302B96AE81540D5C

Research: Stels Android Trojan Malware Analysis - Secure Works Dell
Sample credit: Tim Strazzere Lookout Security

Download (Email me if you need the password)

Android Perkele / Fake Site

com-fake site source

Please see the list of included files below

Sample and screenshot credits: Anonymous
News: Mobile Malcoders Pay to (Google) Play - Brian Krebs

SMS malware bot for sale, created to look like a security certificate with logos of your company
1 app - $1000. Full kit -$15,000

Download. (Email me if you need the password scheme)

Android SMSSpy / SMSSender / Nopoc.A

Sample credit: Jihong Park

Size: 253578
MD5:  74E09C5F57D5A040C86A86CDAD7F04FA

Download:  (Email me if you need the pass scheme for the newer samples)

Friday, April 19, 2013

SMSSilense aka Fake Vertu

Size: 1689220
MD5:  2E88C747D1B96B6ED19D3B66F00C4D98

Size: 581473
MD5:  FD6437199664E097870723F31F81222B

Sample credit: Sanjay Gupta

Research: McAfee Fake Vertu App Infects Korean and Japanese Android Users
A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.

BadNews - Android adware/malware network samples

Size: 3354613
MD5:  98CFA989D78EB85B86C497AE5CE8CA19
sample credit: Tim Wyatt -Lookout

File: ru.blogspot.playsib.savageknife.apk
Size: 4124257
MD5:  5B08C96794AD5F95F9B42989F5E767B5
sample credit: Sanjay Gupta

Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times.

Download. Email me if you need the password

Saturday, April 6, 2013

Chuli.A - Targeted attack Android Trojan

Research: Kaspersky. Android Trojan Found in Targeted Attack

Sample credit: Arvind Kumar

File: c4c4077e9449147d754afd972e247efc
Size: 333583
MD5:  C4C4077E9449147D754AFD972E247EFC

File: 0b8806b38b52bebfe39ff585639e2ea2
Size: 334326
MD5:  0B8806B38B52BEBFE39FF585639E2EA2

Download (email me if you need the password)

Monday, March 18, 2013

Android.Uracto - fraud, SMS spam

Research: Symantec. Android.Uracto Used to Trick Mothers, Anime Fans, Gamers, and More
Sample credit: Sanjay Gupta

D09A1FF8A96A6633B3B285F530E2D430 NewsAndroidnocode.apk
4C937667CB23E857D42B664334E1142A NewsAndroidcode03.apk
BA73E96CAA95999321C1CDD766BDF58B NewsAndroidcode02.apk
CF45E1288B47D97326ED279F2EE41E4D NewsAndroidcode01.apk

Download. Email me if you need the password

Friday, March 8, 2013

Android - FakeJobOffer

Size: 973303
MD5:  9E8FA23DFC817BDCAD42B2F6ADA6E658
Sample credit:  Jimmy Shah

Research: Android Malware Goes Bollywood - McAfee

Download. Email me if you need the password

Tuesday, February 26, 2013

Saturday, February 16, 2013

Android Tetus - Infostealer

File: com.stephbriggs5.batteryimprove-2.apk
Size: 293777
MD5:  6408DF6ABA4C7F1803C2AAC8F17C4CA3

File: 85CE55DC130F214B0567987EDFF77DC0
Size: 274999
MD5:  85CE55DC130F214B0567987EDFF77DC0

File: com.droidmojo.awesomejokes.apk
Size: 268360
MD5:  01772AEFE0230C3669E21D79FC920D2E

File: 65C75AF5DE2628BD6215BB99DD76D3AC
MD5:  65c75af5de2628bd6215bb99dd76d3ac
Size: 277644

Research: Symantec. Android Tetus

When the Trojan is executed, it registers an SMS observer to record SMS messages and send them to the following command-and-control (C&C) server:

The Trojan may delete some SMS messages from the device.

It may also register an SMS receiver to send SMS messages without the user's consent.

The Trojan may send a list of all installed apps on the device to the following remote location:

Download. Email me if you need the password