Friday, February 28, 2014

Android iBanking

Research: iBanking Mobile Bot Source Code Leaked

APK files:
1F68ADDF38F63FE821B237BC7BAABB3D Chase.apk
009E60205B8FBC780A2DD3083CDD61CB
D1059B52B6127B758581EB86247BC34F
E1B86054468D6AC1274188C0C579CCAF_
F1BC8520754D2AC4A920B3EF5C732380 bot.apk_
F06AF629D33F17938849F822930AE428 ING.apk_

Download. Email me if you need the password.

Droidpak - Windows malware targeting Android

Research: Kaspersky -


df4045aa9cb62699bd2ae12f860f2ed1.exe_
577a8c571e2dd610247ecfa0fb3c6cb3_install.exe_
04e8ff68ead683e52b53e174d08eddf4_Voip.dll_

Thursday, February 27, 2014

Android Tor Trojan


Research: Kaspersky: The first Tor Trojan for Android
File: video.mp4.apk
Size: 4885996
MD5:
58FED8B5B549BE7ECBFBC6C63B84A728

APK URL (defanged):
http:// sexnine .ru /download/video.mp4.apk

Wednesday, January 29, 2014

Android AVPass


Research: Baidu Security Labs http://blog.csdn.net/androidsecurity/article/details/18816557

Sample Credit: Tom:Pan

Size: 203000
MD5:  CCC01FD6D875B95E2AF5F270AAF8E842



Download. Email me if you need the password.

Android Airpush, /StopSMS.B, Minimob


Sample credit: Tachion

08061663E638B5AC1D780CAACBE9FAD8 GlamorousSmoke.apk
2C3B92FFE8123611AE9D9BED000C99F7 3dtimeclockticks.apk
4FD1194F8127439609319CDBE244C0A7 _BlueArt.apk
58E73A03025BA95337C952223F18F479 _lordssacredheavenlycross.apk
8F7A41A921FC15F4FD47A33E476D7B3B SkullLighter.apk
B0E22A785041229A644F015472E738BA_ghostiderfireflamessremixFAMOUS3DAPPS.apk
CE7B9B2242A71BBEAC0B2839B1063013 NoiseDetectorNonG.apk
D67A07E3DE88C0130420588FD158B967 eyeseeyouSAMSUNG.apk
DE5BFA8715DAC2E29E206C19CA98F2F4 JingleBellNonG.apk
FB9FEFFB1FEF13C4A5E42ACE20183912 SaveTenDollar.apk

Download all. Email me if you need the password.

Tuesday, January 28, 2014

Windows Droidpak and Android Fakebank.B / Gepew.A


Research: Symantec: Windows Malware Attempts to Infect Android Devices

Droidpak
Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

Fakebank.B/ Gepew.A
0D28FA54F9C0D41801E8FB5A7B0433DD
792BBB3DDC46E3D0E640D32977434ACA
4021A1E00B3ABEE730994F1EE17219B4
Size: 230785

Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A

Droidpak - Windows malware that downloads Fakebank

The iconfig.txt file is not present on the C2 server, so the available information is limited.

Dropper
A398322586356ADD2CE43E3580CA272F sbayAYG51.exe


Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\DWORD.sn
C:\WINDOWS\system32\flashmx32.xtl
C:\WINDOWS\CrainingApkConfig\down.log
C:\WINDOWS\CrainingApkConfig\iconfig.txt
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。(translates: The page you are looking for might have been removed, renamed or is temporarily unavailable.)

Traffic (404 from the C2) - download the pcap together with the Windows Droidpak binaries above.

iconfig.txt (not available, sorry)

GET /iconfig.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: xia2.dyndns-web.com
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 28 Jan 2014 12:55:25 GMT

xia2.dyndns-web.com
WHOIS Source: APNIC
IP Address:   103.242.134.136
Country:      Hong Kong
Network Name: HJEATC-CN
Owner Name:   No.9-F, CaiFuDaSha, No.396 Heping Road
From IP:      103.242.132.0
To IP:        103.242.135.255
Allocated:    Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address:      No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Email:        abuse@hostshare.cn
Abuse Email:  abuse@hostshare.cn
Phone:        +86 18973306525
Fax:          +86 18973306525


Android Airpush - monetization, ads


Size: 5972931
MD5:  2EED7318CA564A909E75AD616CAD5CDF

Friday, January 17, 2014

Android Oldboot / Mouabad.s


MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 (com.android.googledalvik.apk) = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 (libgooglekernel.so) = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:
“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk’s running;
“GoogleKernel.apk” and “libgooglekernel.so” are two files dropped by the imei_chk;
“com.qq.assistant.apk” is the first variant, while “com.android.googledalvik.apk” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in the boot partition and modifying init.rc, an analyst could restore the whole attack.

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang


Also See: Mouabad.p - Pocket Dialing For Profit (Lookout Security)


Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)


Download all the listed samples (new link)


Wednesday, December 11, 2013

MouaBad.P - Android dialer SMS trojan



Research: Lookout: MouaBad.P: Pocket Dialing For Profit

Sample credit: Tim Strazzere

File: com.android.service.apk_mouabad_p_infected
Size: 38505
MD5:  68DF97CD5FB2A54B135B5A5071AE11CF

Download. Email me if you need the password.


Sunday, November 24, 2013

ZertSecurity - Android Bank infostealer

FakeNotify.B (2011) - Premium SMS Trojan

Roidsec / Sinpon - Android Infostealer


Roidsec D4A557EC086E52C443BDE1B8ACE51739

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99&tabid=2


Functionality
The Trojan performs the following actions and collects the following information from the compromised device:
Sends SMS messages
Forces the phone to stay on
Collects the call log
Collects contacts
Collects installed apps
Collects GPS location
Collects the available space in phone memory
Collects the available space on the SD card
Lists all files on the SD card with timestamps
Collects incoming SMS messages
Collects outgoing SMS messages
Lists the apps currently running
Collects the total amount of RAM
Reports whether WiFi is on or off
Lists all files in phone memory with timestamps
Deletes files on the SD card

Download. Email me if you need the password.

Simhosy / Waps - Android infostealer


simhosy 6B2D0948A462431D93A2035A82AF6CB5
simhosy 533453B7F3A7F55816B2EDCD5326DD2D
simhosy D2151D102F8DCBCD03DA4B9F3070F4D3


The Trojan steals SMS messages and contacts from the compromised device.

Download. Email me if you need the password.

Phosty / Phospy - Android infostealer

Phospy 5F23671F67F0FBFC2529919DB56485A0
Phospy EED211032FF576F7FD590C22F142B877


Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99&tabid=2

The Trojan steals all .jpg and .mp4 files it finds on the device.

Download. Email me if you need the password.

Fakedaum / vmvol - Android Infostealer

Fakedaum 0B6CDC9B9F778E0D8171DD279C5F690B

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99&tabid=2

The Trojan gathers the following information from the compromised device:
SMS messages
Phone number
IMEI

Usbcleaver - Android infostealer (from Windows PC)

Usbcleaver 283D16309A5A35A13F8FA4C5E1AE01B1
Usbcleaver C22C068EAEE7AD7FD4FD015CD50045DB

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Functionality
When the device is connected to a Windows computer that does not have autorun disabled, the Trojan gathers information from the computer, including:
Default gateway
DNS
Google Chrome password
Host name
IP address
Microsoft Internet Explorer password
Mozilla Firefox password
Physical address
Subnet mask
WiFi password

It then stores the above information in the following location, from which a remote attacker can retrieve it at a later stage:
/sdcard/usbcleaver/logs/

Download. Email me if you need the password.

Fake Taobao - Android infostealer

MD5:  45DAE1EE4CA1980C140CB5C9DA2A7ED5

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

The Trojan sends the following information to a specific phone number:
Taobao user name
Taobao password
Zhifubao user name
Zhifubao password
The Trojan requires another .apk file to be downloaded so it can forward SMS messages to the specific phone number.


Download. Email me if you need the password.

Skullkey - Android Infostealer


skullkey 2DC07DCA36487339F3935ACE890E42E0

Research: http://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99&tabid=2


Package names: com.hk515.doctor, com.hk515.activity

Malicious code is inserted in the package in the following locations:
com.google.safemain
com.google.service

Permissions
When the Trojan is being installed, it requests permissions to perform the following additional actions:
Clear the caches of all installed applications on the device.
Read user's contacts data.
Monitor incoming SMS messages.
Read SMS messages on the device.
Send SMS messages.
Start once the device has finished booting.
Change the background wallpaper.
Monitor incoming WAP push messages.

Functionality

The Trojan hides inside a legitimately signed app by using the Android 'Master Key' vulnerability, which lets it add code while the app's original signature stays valid.

The Trojan allows attackers to perform the following actions:
Open a back door
Steal sensitive data (such as IMEI and phone number) and send it to apkshopping.com
Send premium SMS messages
Disable certain security apps by using any available root commands


Download. Email me if you need the password.