2017-01-13 - ANDROID MALWARE

ASSOCIATED FILES:

  • 2017-01-13-Android-malware-traffic.pcap   (931,376 bytes)
  • 1484347877_flash.apk   (805,529 bytes)

NOTES:

2017-01-14 UPDATE:

 


Shown above:  Tweet from @Pois0nEy3.

 

SCREENSHOTS FROM THE ANDROID PHONE


Shown above:  This Android app sure asks for a lot of permissions...

 


Shown above:  Activate device administrator?  Sure thing!

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 


Shown above:  The initial HTTP request redirects to an HTTPS URL.

 


Shown above:  Callback traffic (1 of 3).

 


Shown above:  Callback traffic (2 of 3).

 


Shown above:  Callback traffic (3 of 3).

 

FILE HASHES

THE APK FILE:

 

ALERTS


Shown above:  Using tcpreplay in Security Onion to view the alerts in Sguil, generated by Suricata with the Emerging Threats Pro (ETPRO) ruleset.

 

UPDATE

From @kevinperlow on 2017-01-14:

So this looks like a banking trojan targeting Korean banks.  The IP is the same as one that appears in a Trend Micro report from two years ago, but I can't make a solid connection beyond that.

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-south-korean-fake-banking-app-scam.pdf

There's some Chinese text (unescaped in unicode) in there as well, so possible Chinese authors (and of course a possible false flag).  The other notable thing is that the app also looks like it can upload files to the C2.

 



 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
