Pithus is a web front-end for several other tools: APKiD, MobSF, Quark, Androguard etc. I decided to try it against a random recent malware, and see how useful it could be to me. I selected a sample of the day (July 13, 2021) on VirusTotal. Note that, initially, I had…

This is an analysis of sample sha256 73fae61d9550186c9b68c0e3a0589f1faaa87f6a9dc8290f98aaf55db3a58350, which was uploaded to VirusTotal on July 1, 2021. It is detected as Android/Locker.CQ!tr. This malware appears as a test screen locker, with an explicit application icon “Virus”, and very few classes.

Overview

The sample’s name is explicit: “Virus”. The package name evokes a test malware written by a student or wannabe malware author. MobSF says the sample is “secure”. Beware: this means the sample’s implementation does not have obvious vulnerabilities in it, not that the sample is “safe to use” (it is malicious!).

Most of Quark’s rules match with only low confidence. They…

In this COVID19 era, online/virtual conferences have flourished. It’s cool we no longer have to waste time at airports or railway stations ✈️ . But I think most of you will agree it’s not “as cool” as “real conferences” (on site). I’ve wanted to blog about this for months, now…

MobSF is an open source framework for mobile application analysis. I’ve already used it from time to time, but never in-depth, as the combination DroidLysis+JEB(+potentially Frida, or a Frida derivative like Dexcalibur) works out fine for me. However, hey, we always need to learn new techniques, so I decided it…

Update May 20, 2021. Added info on Pinterest URLs + Kudos to @bl4ckh0l3z + actually was discovered on May 12 not May 13.

On May 12, 2021 a new sample of Android/MoqHao (aka XLoader, Wroba) banking trojan was detected. There are several changes compared to 2019: new commands, communicating CnC…

The Android worm Oji (2020) has recently re-surfaced with a fake app to register for COVID-19 vaccine.

Splash screen for Android/Oji.G!worm (April 29, 2021)

The behavior of this family is well detailed here. This article only focuses on the new sample of late April 2021. This new sample begins a new campaign: it claims to register users…

Around April 1st 2021 (no joke), a new malware surfaced posing as “Localize Já!” [ref]. Its SHA256: be3d8500df167b9aaf21c5f76df61c466808b8fdf60e4a7da8d6057d476282b6

“Find it now” in English — to find your misplaced smartphone.

Banbra, BasBanke, or BrazKing?

As usual, it is difficult to classify this sample in a given malware family. Some tell you this is Banbra [ref], others that this is BasBanke ([ref1], [ref2] and [ref3]), and yet…

Update March 29, 2021: a new campaign is confirmed, in Hungary. See this tweet. It looks like the version 3.7 I analyzed wasn’t totally finished, because in the one I analyzed, neither the campaign number nor the DGA had been updated, while the tweet shows a version 3.7 …

Quark is a recent Android reverse engineering tool I discovered through Pithus. It defines itself as a “malware scoring system”, although I personally prefer to use it for an overview of the sample.

Update Feb 11, 2020: I hadn’t correctly understood the confidence percentage. So, I updated the part regarding a False…

This article discusses a recent Android sample from January 2021. It was first scanned on the 11th, but according to its certificate it was probably released on the 7th. Similar samples were seen in December 2020. sha256: f699f9e50e8401943321d757a9c1bab367473f102c0abfb57367e9252aae7fde

Packer

It is immediately clear the sample is packed. When the sample is launched, a class…

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.
