Articles on the same subject by @PaloAltoNtwks and @TalosSecurity:
* https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/
* http://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html
The samples are available on @koodous_project and @virusbay_io:
* 28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
* 679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
* 990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
In the 1st downloader, in the OnCreate method of the MainActivity, they checked if the package called com.cool.pu is installed. If not, they display a message prompting the user to update the application.
In the downloadapk method, they retrieve the payload from cgalim[.]com and save it to the external device memory as AppName.apk.
I like their log: Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
Interesting, the 2nd downloader is checking if the package com.aykuttasil.callrecorder is installed.
2 more samples signed by the same “kevin”:
* b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e
* f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a
I uploaded them to @virusbay_io
Nothing shady here: the launcher activity of the payload is called MainTransparentActivity and starts a RootingTask :D
To give you an idea of the payload capabilities, this screenshot is the list of all the available actions.
This is the list of the command types; in this sample not everything is used.
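A defender-side triage helper, added here as an example and not code from the thread's author or from the malware. It scans decompiled source text for the traits the tweets describe (the "aaaaa" log tag, the com.cool.pu and com.aykuttasil.callrecorder package checks, the cgalim[.]com download host, the AppName.apk drop on external storage, the RootingTask started by the launcher activity) and compares file hashes against the five SHA-256 values listed above. The decompiled snippets inside the script are constructed for illustration, and the regular expressions are my assumptions about how those strings look after decompilation, not something the thread states.

```python
"""Triage helper for the KevDroid downloader/payload traits described in the thread.

Added example (not the thread author's code, not malware code). Scans decompiled
Java-style text for the described indicators and matches SHA-256 hashes against
the values listed in the thread. The sample sources below are constructed.
"""
import hashlib
import re
from typing import Dict, List

# SHA-256 values listed in the thread: the three on Koodous/VirusBay and the
# two extra samples signed by "kevin".
THREAD_HASHES = {
    "28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca",
    "679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e",
    "990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209",
    "b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e",
    "f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a",
}

# Indicator name -> regex over decompiled source text. The patterns are
# assumptions about how the thread's observations appear after decompilation.
INDICATORS = {
    # Log.i("aaaaa", "aaaa...") - the noisy log tag the thread points out
    "noisy_log_tag": re.compile(r'Log\.[a-z]\(\s*"a{5,}"'),
    # 1st downloader: checks whether com.cool.pu is installed
    "checks_com_cool_pu": re.compile(r'"com\.cool\.pu"'),
    # 2nd downloader: checks for the call-recorder package
    "checks_callrecorder": re.compile(r'"com\.aykuttasil\.callrecorder"'),
    # payload fetched from cgalim[.]com
    "contacts_cgalim": re.compile(r"cgalim\.com", re.IGNORECASE),
    # payload written to external storage as AppName.apk
    "drops_apk_external": re.compile(r'"AppName\.apk"'),
    # payload launcher activity starts a RootingTask
    "rooting_task": re.compile(r"\bRootingTask\b"),
}


def scan_source(text: str) -> List[str]:
    """Return the names of all indicators that match the given source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, in the form the thread lists."""
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to one of the SHA-256 values from the thread."""
    return sha256_hex(data) in THREAD_HASHES


def triage(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each source file name to its matched indicators; clean files are omitted."""
    findings = {}
    for filename, text in sources.items():
        hits = scan_source(text)
        if hits:
            findings[filename] = hits
    return findings


# Constructed decompiled snippets mimicking what the thread describes (not real samples).
CONSTRUCTED_SOURCES = {
    "MainActivity.java": """
        protected void onCreate(Bundle b) {
            Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
            if (!isInstalled("com.cool.pu")) { showUpdateDialog(); }
        }
        void downloadapk() {
            String host = "cgalim.com";
            File out = new File(Environment.getExternalStorageDirectory(), "AppName.apk");
        }
    """,
    "MainTransparentActivity.java": """
        protected void onCreate(Bundle b) { new RootingTask().execute(); }
    """,
    "HelloWorld.java": 'protected void onCreate(Bundle b) { Log.d("Main", "hi"); }',
}

if __name__ == "__main__":
    for filename, hits in triage(CONSTRUCTED_SOURCES).items():
        print(f"{filename}: {', '.join(hits)}")
    print("known sample:", is_known_sample(b"not a real sample"))
```

Run it on a directory of decompiled classes by reading each file into the `sources` dict; any file with two or more hits is worth a manual look, and a hash hit against `THREAD_HASHES` is an exact match to one of the samples the thread shared.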