Baptiste Robert

Apr 8, 2018, 13 tweets

I’m analysing #KevDroid samples, the new #Android #malware discovered several days ago by #ESTSecurity

The samples are available on @koodous_project and @virusbay_io

In the 1st downloader, in the OnCreate method of the MainActivity, they check whether the called package is installed. If not, they display a message prompting the user to update the application

In the downloadapk method, they retrieve the payload from cgalim[.]com and save it to the external device memory as AppName.apk

I like their log: Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")

Interesting, the 2nd downloader is checking if the package com.aykuttasil.callrecorder is installed

Yeah, more samples to analyse!!!

2 more samples signed by the same “kevin”:
* b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e
* f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a
I uploaded them to @virusbay_io

Nothing shady here: the launcher activity of the payload is called MainTransparentActivity and starts a RootingTask :D

To give you an idea of the payload capabilities, this screenshot is the list of all the available actions

This is the list of the command types; in this sample, not everything is used
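As an added triage example (not part of the thread, and not ESTsecurity's or the author's tooling), the script below turns the observations from the tweets into a small rule set that scans decompiled source for the downloader behaviours described (package-presence check, the cgalim[.]com fetch, AppName.apk dropped to external storage, the "aaaaa" log tag, the callrecorder check, MainTransparentActivity/RootingTask) and compares a file's SHA-256 against the two hashes listed above. The decompiled snippet and the APK bytes are constructed for the demo; rule weights and the threshold are assumptions.

```python
import hashlib
import re

# The two hashes the thread lists (copied from the tweets above).
KNOWN_SHA256 = {
    "b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e",
    "f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a",
}

# rule name -> (regex over decompiled Java/smali text, weight). Weights are assumptions.
RULES = {
    "package_presence_check": (r"getPackageInfo\s*\(|getInstalledPackages\s*\(", 1),
    "c2_domain_cgalim": (r"cgalim\.com", 3),
    "apk_dropped_as_AppName": (r"AppName\.apk", 2),
    "junk_log_tag_aaaaa": (r'Log\.i\s*\(\s*"aaaaa"', 2),
    "callrecorder_package_check": (r"com\.aykuttasil\.callrecorder", 2),
    "rooting_task_launcher": (r"MainTransparentActivity|RootingTask", 3),
}

# Constructed decompiled fragment mimicking the behaviour described in the thread.
SAMPLE_DECOMPILED = '''
public void onCreate(Bundle b) {
    getPackageManager().getPackageInfo("com.aykuttasil.callrecorder", 0);
    Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaa");
}
void downloadapk() {
    URL u = new URL("http://cgalim.com/payload");  // constructed path
    File f = new File(Environment.getExternalStorageDirectory(), "AppName.apk");
}
'''

def scan_source(text):
    """Return {rule_name: hit_count} for every rule that matches the text."""
    hits = {}
    for name, (pattern, _weight) in RULES.items():
        n = len(re.findall(pattern, text))
        if n:
            hits[name] = n
    return hits

def score(hits):
    """Sum the weights of the rules that fired (each rule counted once)."""
    return sum(RULES[name][1] for name in hits)

def triage(apk_bytes, decompiled_text, threshold=5):
    """Flag a sample by known hash or by behavioural score over its decompiled source."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    hits = scan_source(decompiled_text)
    total = score(hits)
    return {"sha256": digest, "known_sample": digest in KNOWN_SHA256,
            "hits": hits, "score": total,
            "suspicious": digest in KNOWN_SHA256 or total >= threshold}
```

Run `triage(open(path, "rb").read(), decompiled_text)` on a real decompilation to get the hit breakdown; the hash match is exact while the rule score is only a triage hint.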

