com-fake site source
Please see the list of included files below
Sample and screenshot credits: Anonymous
News: Mobile Malcoders Pay to (Google) Play - Brian Krebs
SMS malware bot for sale, created to look like a security certificate with logos of your company
1 app - $1000. Full kit - $15,000
Download. (Email me if you need the password scheme)
List of included files:
│   .classpath
│   .project
│   AndroidManifest.xml
│   ic_launcher-web.png
│   proguard-project.txt
│   project.properties
│
├───.settings
│       org.eclipse.core.resources.prefs
│       org.eclipse.jdt.core.prefs
│
├───assets
├───bin
│   │   AndroidManifest.xml
│   │   classes.dex
│   │   ing.nl.apk   b597850b04140e0e28749e0a11cc0118   https://www.virustotal.com/en/file/B597850B04140E0E28749E0A11CC0118/analysis/1368445857/
│   │   resources.ap_
│   │
│   ├───classes
│   │   └───com
│   │       └───fake
│   │           └───site
│   │               │   BuildConfig.class
│   │               │   MessageReceiver.class
│   │               │   R$attr.class
│   │               │   R$drawable.class
│   │               │   R$id.class
│   │               │   R$layout.class
│   │               │   R$menu.class
│   │               │   R$string.class
│   │               │   R$style.class
│   │               │   R.class
│   │               │   StartActivity.class
│   │               │
│   │               └───sms
│   │                       Sms.class
│   │
│   ├───dexedLibs
│   │       android-support-v4-d31c39caea3f9fffa90e5e04017ae9cb.jar
│   │
│   └───res
│       ├───drawable
│       │       background.png
│       │       bank.png
│       │       bank1.png
│       │       button.png
│       │       emblem.png
│       │       security.png
│       │
│       ├───drawable-hdpi
│       │       bank.png
│       │
│       ├───drawable-ldpi
│       │       bank.png
│       │
│       ├───drawable-mdpi
│       │       bank.png
│       │
│       └───drawable-xhdpi
│               bank.png
│
├───gen
│   └───com
│       └───fake
│           └───site
│                   BuildConfig.java
│                   R.java
│
├───libs
│       android-support-v4.jar
│
├───res
│   ├───drawable
│   │       background.png
│   │       bank.png
│   │       bank1.png
│   │       button.png
│   │       emblem.png
│   │       security.png
│   │
│   ├───drawable-hdpi
│   │       bank.png
│   │
│   ├───drawable-ldpi
│   │       bank.png
│   │
│   ├───drawable-mdpi
│   │       bank.png
│   │
│   ├───drawable-xhdpi
│   │       bank.png
│   │
│   ├───layout
│   │       activity_main.xml
│   │       message_content.xml
│   │
│   ├───menu
│   │       activity_main.xml
│   │
│   └───values
│           strings.xml
│           styles.xml
│
└───src
    └───com
        └───fake
            └───site
                │   MessageReceiver.java
                │   StartActivity.java
                │
                └───sms
                        Sms.java
Virustotal results:

Antivirus             Result                                     Update
Comodo                UnclassifiedMalware                        20130508
F-Secure              Trojan:Android/SmsSend.O                   20130508
VIPRE                 Trojan.AndroidOS.Generic.A                 20130508
Ikarus                Trojan.AndroidOS.FakeSite                  20130508
TrendMicro-HouseCall  TROJ_GEN.F47V0505                          20130508
Kaspersky             HEUR:Trojan-Spy.AndroidOS.Perkel.a         20130508
F-Prot                AndroidOS/Perkel.A                         20130508
Commtouch             AndroidOS/Perkel.A                         20130508
Avast                 Android:FkSite-A [Trj]                     20130508
Fortinet              Android/Agent.KU!tr                        20130508
Emsisoft              Android.Trojan.FakeSite.A (B)              20130508
MicroWorld-eScan      Android.Trojan.FakeSite.A                  20130508
BitDefender           Android.Trojan.FakeSite.A                  20130508
GData                 Android.Trojan.FakeSite.A                  20130508
DrWeb                 Android.SmsSpy.20.origin                   20130508
Sophos                Andr/FkSite-A                              20130508
ESET-NOD32            a variant of Android/TrojanSMS.Agent.KU    20130507
The studied DEX file makes use of API reflection
Required permissions
android.permission.SEND_SMS (send SMS messages)
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.RECEIVE_SMS (receive SMS)
Permission-related API calls
ACCESS_NETWORK_STATE
Landroid/net/ConnectivityManager;->getNetworkInfo(I)Landroid/net/NetworkInfo; called from Landroid/support/v4/net/ConnectivityManagerCompat;->getNetworkInfoFromBroadcast(Landroid/net/ConnectivityManager; Landroid/content/Intent;)Landroid/net/NetworkInfo;
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; called from Landroid/support/v4/net/ConnectivityManagerCompatGingerbread;->isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; called from Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2;->isActiveNetworkMetered(Landroid/net/ConnectivityManager;)Z
SEND_SMS
Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager; called from Lcom/fake/site/StartActivity;->onCreate(Landroid/os/Bundle;)V
Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V called from Lcom/fake/site/StartActivity;->onCreate(Landroid/os/Bundle;)V
Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager; called from Lcom/fake/site/sms/Sms;->sendSms(Ljava/lang/String;)V
VIBRATE
Main Activity
com.fake.site.StartActivity
Activities
com.fake.site.StartActivity
Receivers
com.fake.site.MessageReceiver
Activity-related intent filters
com.fake.site.StartActivity
actions: android.intent.action.MAIN
categories: android.intent.category.LAUNCHER
Receiver-related intent filters
com.fake.site.MessageReceiver
actions: android.provider.Telephony.SMS_RECEIVED
Code-related observations
The application does not load any code dynamically
The application contains reflection code
The application does not contain native code
The application does not contain cryptographic code
Application certificate information
Application bundle files
AndroidManifest.xml
Android's binary XML
META-INF/CERT.RSA
data
META-INF/CERT.SF
ASCII text, with CRLF line terminators
META-INF/MANIFEST.MF
ASCII text, with CRLF line terminators
Interesting calls
Calls APIs that manage SMS operations such as sending data, text, and pdu SMS messages.
SMS sent
Destination number: +3
Ya TuT :) ---- this translates as "I am here" (mila)