I'm analysing #KevDroid samples, the new #Android #malware discovered several days ago by #ESTSecurity: http://blog.alyac.co.kr/1587
In the 1st downloader, in the onCreate method of the MainActivity, they check if the package called com.cool.pu is installed. If not, they display a message prompting the user to update the application.
In the downloadapk method, they retrieve the payload from cgalim[.]com and save it to the external device memory as AppName.apk.
I like their log: Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
Interesting, the 2nd downloader is checking if the package com.aykuttasil.callrecorder is installed.
2 more samples signed by the same "kevin":
* b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e
* f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a
I uploaded them to @virusbay_io
Nothing shady here: the launcher activity of the payload is called MainTransparentActivity and starts a RootingTask :D
To give you an idea of the payload capabilities, this screenshot is the list of all the available actions.
This is the list of the command types; not everything is used in this sample.
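The thread describes four behaviours of the downloaders and payload that are easy to look for statically: an installed-package check (com.cool.pu, com.aykuttasil.callrecorder), a hard-coded download host (cgalim[.]com), a payload written to external storage under an .apk name, and a class whose name advertises a rooting task. The following triage helper is an added example and is not code from the thread or from the ESTsecurity report: it scans strings pulled from a decompiled app (e.g. the output of a smali dump) for those indicators and groups the hits by type. The indicator patterns, the scoring and the smali-like sample lines are constructed for illustration; the path in the sample URL is a placeholder, not something observed in the samples.

```python
"""
Added example (not from the thread or the ESTsecurity report): a small static-triage
helper that scans strings from a decompiled Android app for the behaviours the thread
describes. All sample input below is constructed; the indicator set is an assumption.
"""
import re
from collections import defaultdict

# Indicator values taken from the thread; the API method names are standard Android SDK
# identifiers. Everything else here is an assumption made for the example.
PACKAGE_CHECKS = {"com.cool.pu", "com.aykuttasil.callrecorder"}
DOWNLOAD_HOSTS = {"cgalim.com"}
EXTERNAL_STORAGE_APIS = ("getExternalStorageDirectory", "getExternalFilesDir")
APK_WRITE_RE = re.compile(r'"[^"]*\.apk"')
ROOT_RE = re.compile(r"\b\w*Root(ing)?Task\w*\b")
URL_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)


def scan_strings(lines):
    """Return {indicator_type: [matching lines]} for an iterable of decompiled strings."""
    findings = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        # 1. Does the code look up whether a specific package is installed?
        if "getPackageInfo" in line or "getInstalledPackages" in line:
            findings["package_check_api"].append(line)
        for pkg in PACKAGE_CHECKS:
            if pkg in line:
                findings["known_package_name"].append(line)
        # 2. Hard-coded URL pointing at a known payload host (or a subdomain of it)
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if host in DOWNLOAD_HOSTS or any(host.endswith("." + h) for h in DOWNLOAD_HOSTS):
                findings["download_host"].append(line)
        # 3. Payload dropped to external storage under an .apk filename
        if any(api in line for api in EXTERNAL_STORAGE_APIS):
            findings["external_storage"].append(line)
        if APK_WRITE_RE.search(line):
            findings["apk_filename"].append(line)
        # 4. Class names advertising privilege escalation
        if ROOT_RE.search(line):
            findings["rooting_task"].append(line)
    return dict(findings)


def triage_score(findings):
    """Crude severity: one point per distinct indicator type seen."""
    return len(findings)


# Constructed sample: what a handful of smali-like lines from a downloader might look like.
# The URL path is a placeholder; only the host comes from the thread.
SAMPLE_STRINGS = [
    'Lcom/example/dl/MainActivity;->onCreate',
    'invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->getPackageInfo',
    'const-string v1, "com.cool.pu"',
    'const-string v2, "Please update the application"',
    'const-string v3, "http://cgalim.com/placeholder-path"',
    'invoke-static {}, Landroid/os/Environment;->getExternalStorageDirectory',
    'const-string v4, "AppName.apk"',
    'const-string v5, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
    'Lcom/example/payload/RootingTask;-><init>',
]

if __name__ == "__main__":
    result = scan_strings(SAMPLE_STRINGS)
    for kind, hits in sorted(result.items()):
        print(f"[{kind}]")
        for hit in hits:
            print("   ", hit)
    print("distinct indicator types:", triage_score(result))
```

Run it against the strings of a real decompiled APK by feeding the lines to scan_strings; a single hit (an app legitimately using getExternalFilesDir, say) means little, but several distinct indicator types together, as in the sample, is what makes a downloader like this stand out from benign update code.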