Pithus is a web front-end for several other tools: APKiD, MobSF, Quark, Androguard etc. I decided to try it against a random recent malware sample and see how useful it could be to me. I selected a sample of the day (July 13, 2021) on VirusTotal. Note that, initially, I had no idea what this malware was. It actually turned out to be from the same family as another sample I analyzed one year ago, but I didn’t know that when I picked it up.
This is an analysis of sample sha256 73fae61d9550186c9b68c0e3a0589f1faaa87f6a9dc8290f98aaf55db3a58350, which was uploaded to VirusTotal on July 1, 2021. It is detected as Android/Locker.CQ!tr. This malware appears as a test screen locker, with an explicit application icon “Virus”, and very few classes.
Most Quark rules match only with low confidence, so they are not relevant. With the custom set of rules, only one relevant crime shows up:
In this COVID-19 era, online/virtual conferences have flourished. It’s cool that we no longer have to waste time at airports or railway stations ✈️ . But I think most of you will agree it’s not “as cool” as “real conferences” (on site). I’ve wanted to blog about this for months, and now the time has come — I’m writing while eating my sandwich. Oh, and no, this is not targeting any particular conference I have participated in; if you are the organizer of a conference I’ve been (happy) to speak at, don’t take this personally!
👉 If you don’t want to read my…
MobSF is an open source framework for mobile application analysis. I’ve already used it from time to time, but never in depth, as the combination DroidLysis+JEB (+potentially Frida, or a Frida derivative like Dexcalibur) works out fine for me. However, we always need to learn new techniques, so I decided it was time to try MobSF for real. In this article, I intentionally use only MobSF, on a suspicious Android sample I have never analyzed before. Please note I am not an author of this tool, and the way I use it may not be optimal. I’ll walk you through my…
Update May 20, 2021. Added info on Pinterest URLs + kudos to @bl4ckh0l3z + the sample was actually discovered on May 12, not May 13.
On May 12, 2021 a new sample of the Android/MoqHao (aka XLoader, Wroba) banking trojan was detected. There are several changes compared to 2019: new commands, communicating the CnC URL through malicious Pinterest accounts etc. See below.
The Android worm Oji (2020) has recently re-surfaced with a fake app to register for COVID-19 vaccine.
The behavior of this family is well detailed here. This article only focuses on the new sample of late April 2021. This new sample begins a new campaign: it claims to register users for COVID-19 vaccination. If you are in doubt: this is totally fake. The app does not contact any vaccination center; its goal is merely to display ads and spread to the victim’s contacts via SMS.
Like prior Oji campaigns, this one also targets end-users in India:
Around April 1st 2021 (no joke), a new malware surfaced posing as “Localize Já!” [ref]. Its SHA256:
As usual, it is difficult to classify this sample into a given malware family. Some tell you this is Banbra [ref], others that this is BasBanke ([ref1], [ref2] and [ref3]), and yet others name it BrazKing [ref]. In each case, there are similarities, but enough differences to leave doubts (different organization of code, different communication with the CnC etc).
The remote CnC, atualservicenovo.hopto.org on port 5000, is no longer responding, but the malware used to communicate with that host using Socket.IO, …
Update March 29, 2021: a new campaign is confirmed, in Hungary. See this tweet. It looks like the version 3.7 I analyzed wasn’t totally finished, because in the one I analyze, neither the campaign number nor the DGA has been updated, while the tweet shows a version 3.7 where all modifications have been made.
March 29, 2nd update: this is moving rapidly, version 3.8 is already out: see here.
Since Friday (March 26, 2021), Android/Flubot has been propagating a new version, v3.7. As a reminder, Android/Flubot is an Android banking malware which surfaced in November 2020. In short, the malware abuses yet and…
Update Feb 11, 2020: I hadn’t correctly understood the confidence percentage. So, I updated the part regarding a False Positive… which is not actually a False Positive! + The Quark authors kindly invited me to join the Quark community.
Disclaimer: I am not an author of Quark. I am not a “Quark Expert” either, so I might have missed a few tricks. …
This article discusses a recent Android sample from January 2021. It was first scanned on the 11th, but according to its certificate it was probably released on the 7th. Similar samples were seen in December 2020. sha256:
It is immediately clear the sample is packed. When the sample is launched, a class com.android.StubApplication is called. This loads another DEX, which is decrypted from assets file
The name of class StubApplication reminds us of Tencent, Baidu or Qihoo packers, but not quite, because, in that case, the asset decryption is performed by a native library named
Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.