The Android worm Oji (2020) has recently re-surfaced with a fake app to register for COVID-19 vaccine.

Splash screen for Android/Oji.G!worm (April 29, 2021)

The behavior of this family is well detailed here. This article only focuses on the new sample of late April 2021. This new sample begins a new campaign: it claims to register users for COVID-19 vaccination. If you are in doubt: this is totally fake, the app does not contact any vaccination center, its goal is merely to display ads and spread to the victims contacts via SMS.

Targeting end-users in India

As prior Oji campaigns, this one also targets end-users in India:

Around April 1st 2021 (no joke), a new malware surfaced posing as “Localize Já!” [ref]. Its SHA256: be3d8500df167b9aaf21c5f76df61c466808b8fdf60e4a7da8d6057d476282b6

“Find it now” in English — to find your misplaced smartphone.

Banbra, BasBanke, or BrazKing?

As usual, it is difficult to classify this sample in a given malware family. Some tell you this is Banbra [ref], others that this is BasBanke ([ref1], [ref2] and [ref3]), and yet others naming it BrazKing [ref]. In each case, there are similarities, but enough differences to leave doubts (different organization of code, different communication with CnC etc).

Communication with CnC

The remote CnC, on port 5000, is no longer responding, but the malware used to communicate with that host using Socket.IO, …

Update March 29, 2021: a new campaign is confirmed, in Hungary. See this tweet. It looks like the version 3.7 I analyzed wasn’t totally finished, because in the one I analyze, the campaign number nor the DGA haven’t been updated, while the tweet shows a version 3.7 where all modifications have been made.

March 29, 2nd update: this is moving rapidly, version 3.8 is already out: see here.

Since Friday (March 26, 2021), Android/Flubot is propagating a new version, v3.7. For reminder, Android/Flubot is an Android banking malware, which surfaced in November 2020. In short, the malware abuses yet and…

Quark is a recent Android reverse engineering tool I discovered through Pithus. It defines itself as a “malware scoring system”, although I personally rather use it for an overview of the sample.

Update Feb 11, 2020: I hadn’t understood correctly confidence percentage. So, I updated the part regarding a False Positive… which is not a False Positive actually! + Quark authors kindly invited me to join the Quark community.

Disclaimer: I am not an author of Quark. I am not a “Quark Expert” either, so I might have missed a few tricks. …

This articles discusses a recent Android sample from January 2021. It was first scanned on the 11th, but according to its certificate probably released on the 7th. Similar samples were seen in December 2020. sha256:f699f9e50e8401943321d757a9c1bab367473f102c0abfb57367e9252aae7fde


It is immediately clear the sample is packed. When the sample is launched, a class is called. This loads another DEX, which is decrypted from assets file qoh.

Loads a DEX, and instantiates an object of class “”, then invokes method “ywraafdeerq”. Strangely, I was unable to locate that method in the dynamic DEX.

The name of class StubApplication reminds us of Tencent, Baidu or Qihoo packers, but not quite, because, in that case, the asset decryption is performed by a native library named

In this article, we unpacked a malicious version of the “Tous Anti Covid” application. We know the main entry point of the payload DEX is dad.calm.invest.qusalkrlkyy.

the main entry point is located in the payload DEX (decrypted and dynamically loaded by the malware)

Encrypted strings

Using the decrypted payload DEX we unpacked in the previous article, we quickly notice in that class there are several encrypted strings. In this article, we’ll see how to create a JEB script to decrypt the strings.

A few days ago, @H_Miser retweeted about a smishing attempt where malware authors were sending a link to a malicious app faking the official French Android app “Tous Anti Covid”.

This is the Android malware we are going to analyze. A phishing SMS is known as “smishing”. Dec 4, 2020

I downloaded the malicious sample (c1dd9c26671fddc83c9923493236d210d7461b29dd066f743bd4794c1d647549) and we are going to unpack it using JEB and Dexcalibur. There are many other ways to do this: pure static analysis (with JEB or another decompiler), with Frida etc.

The sample is packed

Quickly, we notice the sample is packed. Indeed, the package’s namespace is, but the Android manifest references numerous activities and services with namespace dad.calm.invest, which does not exist in the sample.

<application android:allowBackup=”true”…

Future logo for Cowrie? :)

Cowrie is an open source SSH/Telnet honeypot. It is particularly suited for IoT (possibility to mimic various architectures + Mirai-like malware target SSH/Telnet). The project is documented here and you can find lots of articles on Internet which explain how to install it and quickly set it up (e.g here). But if you are after information to help you customize Cowrie to your needs, apart from the project’s documentation and GitHub issues/history, you are (mostly) going to be on your own. Let’s try and remedy — at least a bit — the situation 😉.

Update Nov 5, 2020 from feedback…

This is a part 2 of “Locating the Trojan inside an infected COVID-19 contact tracing app”. We are going to explain how the malware works.

Connecting to attacker’s server

In part 1, we explained a genuine COVID-19 contact tracing app was trojanized with a Java-based Meterpreter. The sources of what gets injected in the app can be found on GitHub. The most important part is located in (details: the main entry point is MainActivity, which starts a MainService, which instantiates Payload). The Payload class does the following:

Update Sept 25, 2020: part 2 is available here.

An italian company, SoftMining, developed an Android COVID-19 contact tracing application “SM-COVID-19”. Unfortunately, malware authors repackaged the application to include a Java-based Meterpreter backdoor from Metasploit.

The samples were discovered in March 2020, and you can find several blog posts on them (here, here). For instance, this one mentions the samples are “repackaged application injected with metasploit”. Interesting! But where is that “metasploit” in the samples? That’s what we are going to discuss in this article.

A remote shell for the attacker

When the victim launches the infected app on the smartphone, the legitimate COVID-19 application begins…


Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store