
Tuesday, December 30, 2014

The Interview movie app - Android banking trojan sample


Research: Fake “The Interview” app is really an Android banking trojan by Graham Cluley | December 27, 2014

Sample credit: Mario Bono

File: com.movieshow.down.apk
Size: 2236959
MD5:  0882C94E141B2B000B8805D51722F70D

Download. Email me if you need the password
https://www.virustotal.com/en/file/8d2cc94e2540442f6c7b33d6f941f8acfb6cc5a46141850e20e365eb0871dbf3/analysis/1419933526/


SHA256: 8d2cc94e2540442f6c7b33d6f941f8acfb6cc5a46141850e20e365eb0871dbf3
File name: vti-rescan
Detection ratio: 2 / 55
Analysis date: 2014-12-30 09:58:46 UTC
Ikarus: Trojan-Downloader.AndroidOS.Badaccents (20141230)
McAfee: Artemis!0882C94E141B (2014123)

http://f.cl.ly/items/132B2E2f0t46241d3s06/%EA%B2%B0%ED%98%BC%EC%B2%AD%EC%B2%A9.apk
http://f.cl.ly/items/1h1i2C2M1M2P1r0l2M3u/%EC%B2%AD%EC%B2%A9%EC%9E%A5.apk

Required permissions (icon legend from the VirusTotal report: one icon marks permissions that allow the application to access the Internet, the other marks permissions that could be considered dangerous in certain scenarios):
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.INSTALL_PACKAGES (directly install applications)
android.permission.INTERNET (full Internet access)
Note that INSTALL_PACKAGES is a signature-level permission that is never granted to a sideloaded third-party app. Requesting it is a red flag in a manifest, but on an unrooted device a downloader like this still depends on the user accepting the normal package-install prompt (and having unknown sources enabled) for any APK it fetches.
Permission-related API calls
INTERNET, all called from Lcom/movieshow/down/Badaccents$DownloadMusicfromInternet;->doInBackground([Ljava/lang/String;)Ljava/lang/String;:
Ljava/net/URLConnection;->connect()V
Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
Ljava/net/URL;->openStream()Ljava/io/InputStream;
Main Activity: com.movieshow.down.Badaccents
Activities: com.movieshow.down.Badaccents
Activity-related intent filters: com.movieshow.down.Badaccents
actions: android.intent.action.MAIN
categories: android.intent.category.LAUNCHER
 Code-related observations
The application does not load any code dynamically
The application does not contain reflection code
The application does not contain native code
The application does not contain cryptographic code
 Application certificate information

Application bundle files
AndroidManifest.xml (Android's binary XML)
META-INF/CERT.RSA (data)
META-INF/CERT.SF (ASCII text, with CRLF line terminators)
META-INF/MANIFEST.MF (ASCII text, with CRLF line terminators)
classes.dex (Dalvik dex file version 035)
res/drawable-hdpi-v4/ic_action_search.png (PNG image data, 48 x 48, 8-bit colormap, non-interlaced)
res/drawable-hdpi-v4/ic_launcher.png (PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced)
res/drawable-hdpi-v4/movie_image.jpg (JPEG image data, JFIF standard 1.01)
res/drawable-ldpi-v4/ic_launcher.png (PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced)
res/drawable-mdpi-v4/ic_action_search.png (PNG image data, 32 x 32, 8-bit colormap, non-interlaced)
res/drawable-mdpi-v4/ic_launcher.png (PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced)
res/drawable-xhdpi-v4/ic_action_search.png (PNG image data, 64 x 64, 8-bit colormap, non-interlaced)
res/drawable-xhdpi-v4/ic_launcher.png (PNG image data, 602 x 407, 8-bit/color RGB, non-interlaced)
res/layout/main.xml (Android's binary XML)
resources.arsc (data)
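The listing above gives a few facts you can check offline before running anything: the published MD5/SHA256, the presence of a v1 signature (CERT.RSA, CERT.SF, MANIFEST.MF), a classes.dex at format version 035, and an ic_launcher.png of 602 x 407 at every density, i.e. a poster-sized, non-square image where a launcher icon belongs. The script below is an added example, not code from the original post, from Graham Cluley's research, or from the sample. It parses the PNG IHDR and dex magic directly and compares digests; the archive it builds for its own demonstration is a constructed stand-in that only mirrors the file list, not the real com.movieshow.down.apk.

```python
# Added example (not code from the original post or the sample): offline triage
# of an APK against the facts published above. build_fake_apk() returns a
# constructed stand-in mirroring the bundle listing; it is NOT the real file.
import hashlib
import io
import struct
import zipfile

# A v1 (JAR) signature is these three files; if any is missing the archive
# was never signed or was modified after signing.
SIGNING_FILES = {"META-INF/CERT.RSA", "META-INF/CERT.SF", "META-INF/MANIFEST.MF"}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def hashes(data: bytes) -> tuple:
    """MD5 and SHA-256 hex digests, the two values the post publishes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def verify_hashes(data: bytes, md5_hex: str, sha256_hex: str) -> bool:
    """True only if BOTH digests match; MD5 on its own is not collision resistant."""
    md5, sha256 = hashes(data)
    return md5 == md5_hex.lower() and sha256 == sha256_hex.lower()


def png_dimensions(data: bytes):
    """(width, height) read from the IHDR chunk, or None if not a PNG."""
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def dex_version(data: bytes):
    """Dex format version string ('035' in the listing) or None if the magic is wrong."""
    if len(data) >= 8 and data[:4] == b"dex\n" and data[7:8] == b"\x00":
        return data[4:7].decode("ascii")
    return None


def triage_apk(apk_bytes: bytes) -> dict:
    """Run the structural checks on an APK held in memory and return findings."""
    findings = {"entries": 0, "signed": False, "dex_version": None, "odd_launcher_icons": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        findings["entries"] = len(names)
        findings["signed"] = SIGNING_FILES <= names
        if "classes.dex" in names:
            findings["dex_version"] = dex_version(z.read("classes.dex"))
        # Launcher icons are square. A non-square, poster-sized ic_launcher.png
        # (602 x 407 above) is a repackaging tell worth surfacing.
        for name in sorted(names):
            if name.startswith("res/drawable") and name.endswith("/ic_launcher.png"):
                dims = png_dimensions(z.read(name))
                if dims is None or dims[0] != dims[1]:
                    findings["odd_launcher_icons"].append((name, dims))
    return findings


def _png(width: int, height: int) -> bytes:
    """Minimal PNG header with a valid IHDR chunk for the given size (CRC not computed)."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"


def build_fake_apk() -> bytes:
    """Constructed archive mirroring the file list above. NOT the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header only
        for name in SIGNING_FILES:
            z.writestr(name, b"")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        for density in ("hdpi", "ldpi", "mdpi", "xhdpi"):
            z.writestr(f"res/drawable-{density}-v4/ic_launcher.png", _png(602, 407))
        z.writestr("res/drawable-hdpi-v4/ic_action_search.png", _png(48, 48))
        z.writestr("res/drawable-hdpi-v4/movie_image.jpg", b"\xff\xd8\xff\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_fake_apk()
    print(triage_apk(apk))
    # The constructed file must NOT match the digests published for the sample.
    print(verify_hashes(apk, "0882C94E141B2B000B8805D51722F70D",
                        "8d2cc94e2540442f6c7b33d6f941f8acfb6cc5a46141850e20e365eb0871dbf3"))
```

Run stand-alone it reports on the constructed archive; once the real sample is downloaded, read its bytes and pass them to triage_apk() and verify_hashes() with the MD5 and SHA256 from this post before doing anything else with it.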
