Baptiste Robert
🇫🇷 Good Faith Hacker. Fight disinformation at @PredictaLabOff. #OSINT for good. For business inquiries my email is below👇

Apr 8, 2018, 13 tweets

I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
blog.alyac.co.kr/1587

The samples are available on @koodous_project and @virusbay_io
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209

In the 1st downloader, in the OnCreate method of the MainActivity, they check whether the package called com.cool.pu is installed. If not, they display a message prompting the user to update the application.

In the downloadapk method, they retrieve the payload from cgalim[.]com and save it to the external device memory as AppName.apk.

I like their log: Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")

Interesting: the 2nd downloader checks whether the package com.aykuttasil.callrecorder is installed.

Yeah, more samples to analyse!!!

2 more samples signed by the same “kevin”:
* b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e
* f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a
I uploaded them to @virusbay_io

Nothing shady here: the launcher activity of the payload is called MainTransparentActivity and starts a RootingTask :D

To give you an idea of the payload's capabilities, this screenshot is the list of all the available actions.

This is the list of the command types; in this sample not everything is used.
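As an added triage helper (not part of the thread, and not the samples' code): a small Python check that walks decompiled smali method by method and flags only where one of the indicators named above (the com.cool.pu / com.aykuttasil.callrecorder package check, the cgalim[.]com host, the AppName.apk drop to external storage, the "aaaaa" log tag) sits next to the Android API call it needs. The smali excerpt is constructed to mirror the described behaviour, and the rule names are my own.

```python
import re

# Indicators the thread reports (constructed rule set, not from the samples' code).
WATCHED_PACKAGES = {"com.cool.pu", "com.aykuttasil.callrecorder"}
PAYLOAD_HOST, DROPPED_NAME, ODD_LOG_TAG = "cgalim.com", "AppName.apk", "aaaaa"
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[\w/$]+;->[\w<>$]+)")

# Constructed smali excerpt mirroring the behaviour described above; not real sample code.
SAMPLE_SMALI = """.method protected onCreate(Landroid/os/Bundle;)V
    const-string v1, "com.cool.pu"
    invoke-virtual {v0, v1, v2}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
.end method
.method private downloadapk()V
    const-string v0, "cgalim.com"
    invoke-static {}, Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
    const-string v4, "AppName.apk"
    const-string v5, "aaaaa"
    invoke-static {v5, v6}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
.end method"""

def split_methods(smali):
    """Map method name -> body for a minimal smali subset (.method ... .end method)."""
    methods, current, body = {}, None, []
    for line in smali.splitlines():
        line = line.strip()
        if line.startswith(".method"):
            current, body = line.split("(")[0].split()[-1], []
        elif line.startswith(".end method") and current:
            methods[current], current = "\n".join(body), None
        elif current:
            body.append(line)
    return methods

def triage(smali):
    """Return sorted (method, rule) pairs where an indicator string meets the API call it needs."""
    findings = set()
    for name, body in split_methods(smali).items():
        strings, calls = set(CONST_STR_RE.findall(body)), " ".join(INVOKE_RE.findall(body))
        if strings & WATCHED_PACKAGES and "PackageManager;->getPackageInfo" in calls:
            findings.add((name, "package-presence-check"))
        if any(PAYLOAD_HOST in s for s in strings):
            findings.add((name, "payload-host"))
        if DROPPED_NAME in strings and "Environment;->getExternalStorageDirectory" in calls:
            findings.add((name, "apk-dropped-to-external-storage"))
        if ODD_LOG_TAG in strings and "Log;->i" in calls:
            findings.add((name, "odd-log-tag"))
    return sorted(findings)
```

Requiring the string and the call in the same method keeps a lone package name in a resource table from firing the rule.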

