[Community-sigs] new sig Android.Trojan.SpyAgent;

andreisaygo at live.ie andreisaygo at live.ie
Thu Apr 2 13:46:17 EDT 2015


Hi,

Yeah, I've decompiled the file and based on a quick search, I suspect that the wifi credentials are related to: http://www.globalsources.com/si/AS/Fujian-LongLong/6008843271142/pdtl/Security-Wifi-Cctv-Ip-Camera-cctv-Camera/1068159221.htm

Also, another interesting thing in the APK is the /res/raw/number.txt. It's a phone number encrypted with xor 0x12. Apparently it's still valid :)

Btw, I think this would have been a good blog material, as there are a lot of "features" implemented in this threat. Too bad there is no ClamAV-Community-Blog-Submission-List. ( yet :) )

Regards,
Andrei Saygo
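As an added illustration of the number.txt observation above (example code, not from the thread or the sample): a small triage helper that recovers a single-byte XOR key from an obfuscated resource. The thread only states the key is 0x12; this generalises by trying all 256 keys and keeping those whose plaintext is shaped like a phone number. The input bytes are constructed here from a fictional number, not taken from the real APK, and the `PHONE_RE` pattern and 7-digit minimum are this example's own choices.

```python
import re

# Constructed sample: the fictional number "+1-555-0100" XORed with 0x12
# (NOT the bytes from the real /res/raw/number.txt).
NUMBER_TXT = bytes([0x39, 0x23, 0x3F, 0x27, 0x27, 0x27, 0x3F, 0x22, 0x23, 0x22, 0x22])

# Loose "phone number" shape: optional leading '+', digit groups separated
# by single spaces or dashes. Chosen for this example; tune for your data.
PHONE_RE = re.compile(r'^\+?\d+(?:[ -]\d+)*$')


def xor_decode(data, key):
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_phone_number(text, min_digits=7):
    """True if text matches PHONE_RE and carries at least min_digits digits."""
    return bool(PHONE_RE.match(text)) and sum(c.isdigit() for c in text) >= min_digits


def candidate_keys(data, min_digits=7):
    """All single-byte keys whose decoding of data is a plausible phone number.

    Digits XORed with 0x12 land in 0x20-0x2B (punctuation), so the raw
    resource does not look like a number; brute-forcing the key and filtering
    on the expected plaintext shape recovers it without reversing the code.
    """
    found = []
    for key in range(256):
        try:
            text = xor_decode(data, key).decode('ascii')
        except UnicodeDecodeError:
            continue  # non-ASCII plaintext cannot be a dialable number
        if looks_like_phone_number(text, min_digits):
            found.append(key)
    return found


def recover_number(data):
    """Decoded text for the unique candidate key, or None if ambiguous/absent."""
    keys = candidate_keys(data)
    if len(keys) != 1:
        return None
    return xor_decode(data, keys[0]).decode('ascii')


if __name__ == '__main__':
    print('candidate keys:', [hex(k) for k in candidate_keys(NUMBER_TXT)])
    print('recovered:', recover_number(NUMBER_TXT))
```

Keeping the shape test strict matters: with a looser pattern (for instance allowing a leading dash) a second key, 0x14, also survives on this sample, which is the usual false-positive trap with short XOR-obfuscated strings.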

> Date: Thu, 2 Apr 2015 13:25:59 -0400
> From: dgoddard at sourcefire.com
> To: community-sigs at lists.clamav.net
> Subject: Re: [Community-sigs] new sig Android.Trojan.SpyAgent;
> 
> For DEX files, since we do not have a target type, we add the magic as a
> subsignature with offset zero.
> 
> I'll add the signature as:
> 
> Android.Trojan.SpyAgent;Target:0;4&(0|1|2|3)>2,3;22343030313430303122;224c6f6e674c6f6e6722;2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572;0:646578
> 
> I've confirmed this still alerts:
> 
> /tmp/119725b6b9a6f69667ce9e9bd7b7a7a2ccb1bd5a6c7ebc01fd36202b4cf30dba:
> Android.Trojan.SpyAgent.UNOFFICIAL FOUND
> 
> I was able to find the source here:
> 
> http://akana.mobiseclab.org/index.jsp?type=result&md5=HW14d9f1a92dd984d6040cc41ed06e273ebe0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88
> 
> The LongLong:40014001 creds are used in
> src/com/google/progress/WifiCheckTask.checkNetworkWithPwd().
> 
> Thank you for the signature!
> 
> On Thu, Apr 2, 2015 at 11:30 AM, <andreisaygo at live.ie> wrote:
> 
> > Signature:
> >
> > Android.Trojan.SpyAgent;Target:0;(0|1|2|3)>2,3;22343030313430303122;224c6f6e674c6f6e6722;2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572
> >
> > Hashes:
> > MD5: f7ea5fa2f1a4febbb281beaf1d6a933f
> > SHA1: 874e7c3b47a16872e44296a2fb65d4e8bb8706ef
> > SHA256: 119725b6b9a6f69667ce9e9bd7b7a7a2ccb1bd5a6c7ebc01fd36202b4cf30dba
> >
> >
> > Sig0:
> > "40014001"
> >
> > Sig1:
> > "LongLong"
> >
> > Sig2:
> > -----sms-----
> >
> > Sig3:
> > monitorPhoneNumber
> >
> >
> > Sig 0 & 1 I suspect that they are related to a cctv wireless camera (Sig1:
> > SSID, Sig0: default pass).
> >
> > Regards,
> > Andrei Saygo
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >
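To make the difference between the two signature lines in the thread concrete, here is an added example (not ClamAV code, and not from either poster): a minimal reader and evaluator for `.ldb` logical signatures, run against constructed byte strings standing in for a DEX file and for a plain text file that happens to contain the same strings. It handles only literal hex subsignatures with an optional `offset:` prefix and the operators `&`, `|`, parentheses and `=`/`<`/`>` with a `,Y` total-count modifier; wildcards are not supported. The reading of the `,Y` modifier (same comparison applied to the total hit count) is this example's assumption about the ClamAV semantics, so check libclamav before relying on it.

```python
# Two signature lines quoted in the thread: the original, and the revised one
# that additionally requires the "dex" magic at offset 0 (subsignature 4).
SIG_ORIGINAL = ("Android.Trojan.SpyAgent;Target:0;(0|1|2|3)>2,3;"
                "22343030313430303122;224c6f6e674c6f6e6722;"
                "2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572")
SIG_WITH_DEX_MAGIC = ("Android.Trojan.SpyAgent;Target:0;4&(0|1|2|3)>2,3;"
                      "22343030313430303122;224c6f6e674c6f6e6722;"
                      "2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572;"
                      "0:646578")


def parse_ldb(line):
    """Split one .ldb line into (name, target, logic, [(offset, pattern)])."""
    fields = line.strip().split(';')
    name, target, logic = fields[0], fields[1], fields[2]
    subsigs = []
    for field in fields[3:]:
        offset = None
        if ':' in field:                       # "offset:hex" form, e.g. 0:646578
            off, field = field.split(':', 1)
            offset = int(off)
        subsigs.append((offset, bytes.fromhex(field)))
    return name, target, logic, subsigs


def count_hits(data, offset, pattern):
    """Occurrences of pattern in data (exactly at offset, when one is given)."""
    if offset is not None:
        return 1 if data[offset:offset + len(pattern)] == pattern else 0
    return sum(1 for i in range(len(data) - len(pattern) + 1)
               if data[i:i + len(pattern)] == pattern)


def _compare(op, value, wanted):
    return {'=': value == wanted, '<': value < wanted, '>': value > wanted}[op]


def evaluate(logic, hits):
    """Evaluate a logical expression against per-subsignature hit counts.

    Returns (matched, distinct, total): distinct = subsignatures in the
    expression that hit at least once, total = sum of their hit counts.
    "(...)>X,Y" compares distinct with X and, if Y is given, total with Y
    using the same operator (assumption about ClamAV's rule, see lead-in).
    """
    pos = 0

    def peek():
        return logic[pos] if pos < len(logic) else ''

    def number():
        nonlocal pos
        start = pos
        while peek().isdigit():
            pos += 1
        return int(logic[start:pos])

    def term():
        nonlocal pos
        if peek() == '(':
            pos += 1
            matched, distinct, total = expression()
            if peek() != ')':
                raise ValueError('unbalanced parentheses in ' + logic)
            pos += 1
        else:
            count = hits[number()]
            matched, distinct, total = count > 0, int(count > 0), count
        if peek() in ('=', '<', '>'):
            op = peek()
            pos += 1
            wanted_distinct = number()
            wanted_total = None
            if peek() == ',':
                pos += 1
                wanted_total = number()
            matched = _compare(op, distinct, wanted_distinct) and (
                wanted_total is None or _compare(op, total, wanted_total))
        return matched, distinct, total

    def expression():
        nonlocal pos
        matched, distinct, total = term()
        while peek() in ('&', '|'):        # left-to-right, no precedence
            op = peek()
            pos += 1
            m2, d2, t2 = term()
            matched = (matched and m2) if op == '&' else (matched or m2)
            distinct, total = distinct + d2, total + t2
        return matched, distinct, total

    result = expression()
    if pos != len(logic):
        raise ValueError('trailing characters in ' + logic)
    return result


def scan(ldb_line, data):
    """Return the signature name if data matches the .ldb line, else None."""
    name, _target, logic, subsigs = parse_ldb(ldb_line)
    hits = [count_hits(data, off, pat) for off, pat in subsigs]
    matched, _, _ = evaluate(logic, hits)
    return name if matched else None


# Constructed stand-ins for file contents (not the real sample's bytes).
DEX_LIKE = (b'dex\n035\x00' + b'"40014001"' + b'"LongLong"'
            + b'-----sms-----' + b'monitorPhoneNumber')
TEXT_LIKE = b'ssid="LongLong" pass="40014001" -----sms----- monitorPhoneNumber'

if __name__ == '__main__':
    for label, blob in (('dex-like', DEX_LIKE), ('text-like', TEXT_LIKE)):
        print(label, 'original:', scan(SIG_ORIGINAL, blob),
              '| with dex magic:', scan(SIG_WITH_DEX_MAGIC, blob))
```

With `Target:0` the original line fires on any file type carrying three of the four strings, so a config dump or a report containing them would alert too; anchoring the `dex` magic at offset 0 as an extra subsignature is the cheap way to get a file-type constraint where ClamAV has no DEX target type.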