Research/Sample credit: Lukas Stefanko
https://twitter.com/LukasStefanko/status/607823196562276352
qqkj.qqmagic.apk
735b4e78b334f6b9eb19e700a4c30966
Download. Email me if you need the password
https://www.virustotal.com/en/file/b914c0dd57ffcb1c96cf37d61a3ae052a5372f01c5fac3ea0535bbdb0da862dd/analysis/
SHA256: b914c0dd57ffcb1c96cf37d61a3ae052a5372f01c5fac3ea0535bbdb0da862dd
File name: myfile.exe
Detection ratio: 10 / 57
Analysis date: 2015-06-09 09:22:50 UTC ( 2 hours, 38 minutes ago )
AhnLab-V3 Android-Trojan/SmsSpy.ddc0 20150608
Baidu-International Trojan.Android.Jisut.N 20150609
Cyren AndroidOS/RANSOM.SLcoker.S.gen!Eldorado 20150609
DrWeb Android.SmsSend.3003 20150609
ESET-NOD32 Android/LockScreen.Jisut.N 20150609
Fortinet Android/LockScreen_Jisut.N!tr 20150609
Ikarus Trojan.AndroidOS.LockScreen 20150609
McAfee Artemis!735B4E78B334 20150609
McAfee-GW-Edition Artemis 20150609
Tencent a.rogue.pornplayer 20150609
The file being studied is Android related! APK Android file more specifically. The application's main package name is qqkj.qqmagic. The internal version number of the application is 1. The displayed version string of the application is 1.0. The minimum Android API level for the application to run (MinSDKVersion) is 8. The target Android API level for the application to run (TargetSDKVersion) is 21.
Risk summary
The studied DEX file makes use of API reflection
The studied DEX file makes use of cryptographic functions
Permissions that allow the application to manipulate SMS
Permissions that allow the application to perform payments
Permissions that allow the application to access Internet
Permissions that allow the application to access private information
Other permissions that could be considered as dangerous in certain scenarios
Required permissions
android.permission.SEND_SMS (send SMS messages)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.SYSTEM_ALERT_WINDOW (display system-level alerts)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.INTERNET (full Internet access)
Permission-related API calls
FACTORY_TEST
ACCESS_NETWORK_STATE
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; called from Lcom/qqmagic/s;->isNetworkConnected(Landroid/content/Context;)Z
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; called from Lqqkj/qqmagic/s;->isNetworkConnected(Landroid/content/Context;)Z
SEND_SMS
Landroid/telephony/gsm/SmsManager;->getDefault()Landroid/telephony/gsm/SmsManager; called from Lcom/qqmagic/b;->onCreate()V
Landroid/telephony/gsm/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V called from Lcom/qqmagic/b;->onStartCommand(Landroid/content/Intent; I I)I
Landroid/telephony/gsm/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V called from Lcom/qqmagic/s$100000000;->run()V
Show all
READ_LOGS
Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process; called from LLogCatBroadcaster;->run()V
Main Activity
qqkj.qqmagic.MainActivity
Activities
qqkj.qqmagic.MainActivity
Services
qqkj.qqmagic.s
qqkj.qqmagic.b
Receivers
qqkj.qqmagic.r
qqkj.qqmagic.Fr
Activity-related intent filters
qqkj.qqmagic.MainActivity
actions: android.intent.action.MAIN
categories: android.intent.category.LAUNCHER
Receiver-related intent filters
qqkj.qqmagic.r
actions: android.intent.action.BOOT_COMPLETED
qqkj.qqmagic.Fr
actions: android.provider.Telephony.SMS_RECEIVED
Code-related observations
The application does not load any code dynamically
The application contains reflection code
The application does not contain native code
The application contains cryptographic code
Application certificate information
Application bundle files
AndroidManifest.xml
Android's binary XML
META-INF/CERT.RSA
data
META-INF/CERT.SF
ASCII text, with CRLF line terminators
META-INF/MANIFEST.MF
ASCII text, with CRLF line terminators
classes.dex
Dalvik dex file version 035
No comments:
Post a Comment