Clicky

Saturday, December 24, 2011

Arspam AlSalah - Android malware (Middle East Hactivism - spammer)


Name:                    Arspam AlSalah.apk
MD5:                     E7584031896CB9485D487C355BA5E545
Sample Credits:    with many thanks to Sanjay Gupta and his friends for sharing, December 24, 2011
Research:          
Symantec: Android.Arspam
Hactivism goes mobile with Android.Arspam by Stilgherrian



Download  - password infected






Russian Android malware - fake installer


Name:                    com.android.installer.full
MD5:                     F056EE7F8D4931C905157EBD2CC4A795
Sample Credits:     many thanks to Shane Hartman, December 22, 2011

  Download  - password infected



Tuesday, December 20, 2011

CarrerIQ


Name:   CarrierIQ
Sample credit with many thanks to S.Guerrero, Ryan Johnson, Jojo Edmonds and other kind folks from mobile malware google group for sharing
Information: Carrier IQ: What it is, what it isn't, and what you need to know By Zachary Lutz


List of files - see below


Download all samples  (pass infected)






Friday, November 11, 2011

FakeSMSInstaller_Geared_1.0.2 + Collection of Russian malware and links to malware resources


Name:                   FakeSMSInstaller_Geared_1.0.2
MD5:                   
1EFA9D22D9142D73596B17228F37998A
Sample Credits:     many thanks to William Hill, CPU Media, November 11, 2011
Research:            
AVG Mobilation Malware information: Android SMS Fake installer from 3rd party Russian app stores

Name:                   Russian Malware Collection
MD5:                   See the list of files below
Research           
Last month I uploaded a collection of the same as above and similar Russian mobile malware together with corresponding links to Russian alternative (often fake) Android markets where you can find more samples.  You can download it from here: RuMarketsMalwarefromMila.zip  See below for the list of malware included



Download FakeSMSInstaller_Geared_1.0.2- password infected
Download  RuMarketsMalwarefromMila.zip


Sunday, October 23, 2011

RogueSPPush - SMS-Trojan


Name:                 RogueSPPush
File Name:          1314935990854.apk
MD5:                  56CD8AC9ADFC0E38496939385AA510FA
Research:           New Rogue Android App -- RogueSPPush -- Found in Alternative Android Markets By Xuxian Jiang -Aug 2011
Sample Credits:    with  many thanks to MasterMRZ , October  23, 2011







Legacy Native (LeNa) - DroidKungFu variant


Name:                   Legacy Native (LeNa)
MD5:                     com.safesys.myvpn.apk 1F5628300EF2A477E39E226FEE73CE51
MD5:                     com.safesys.onekeyvpn.apk EC056818D38D18CB940A64BF89714DF2
Sample Credits:     many thanks to Armando, October 21, 2011
Research:               Lookout
Security Alert: Legacy Makes Another Appearance, Meet Legacy Native (LeNa)   By Tim Strazzere



Download both samples - password infected

Saturday, October 22, 2011

Collection of 96 mobile malware samples for Kmin, Basebridge, Geinimi, Root exploits, and PJApps


All files are sorted by types in folders and named by MD5. The list of files is below. I posted examples of what you will find in the previous 20 posts.  Enjoy

Download Android-Malware_SortedTYPE-MD5.zip (password infected)
 
MALWARE TYPE (number of samples)
BASEBRIDGE (3)
YZHC (2)
ROOT EXPLOIT (7)
PJAPPS (16)
GEINIMI (28)
KMIN (40)


Sample credit: Thank to anonymous, Oct. 22, 2011

Root Exploit - Z4Mod Root


Name:
               Z4mod
MD5:                 30587d7e5ac828f8b1eaf476d4b19bd2
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011



Geinimi - OPDA CacheMate v2.5.9


Name:
                Geinimi  - OPDA CacheMate v2.5.9
MD5:                 8b12ccdc8a69cf2d6a7e6c00f698aaa6
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011


Root Exploit - Universal Androot


File Name:            corner23.android.universal androot.apk

MD5:                    4e26a200ab149819dcdcf273f5ab171a
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011 
Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011

Geinimi - Android SPL meter


File Name:              com.splGUI.splMeter.apk

MD5:                      08e4a73f0f352c3accc03ea9d4e9467f
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011


Geinimi - com.feasy.jewels.Gel


File name:         
com.feasy.jewels.Bears

MD5:                543e9d86dd28005342a3313bdc588009
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011

Geinimi - Banking Trojan www.ipay.com.cn


MD5:                    3374d6322542d6aec9d319df335215e5
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011



Geinimi - Armored Strike


Name:                Armored Strike
File Name:         com.requiem.armoredStrike.apk
MD5:                 5d27c7d0c5630f4c7a8b7a8f45512f09
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011



Geinimi - MetroXing Chinese metro maps

 
Name:              com.etagmedia.metro.apk   Beijing, Guangzhou, Shanghai, Shenzhen  - metro maps
MD5:              54fad8426e03a05279223173ec7d2fe2
 Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011


PJApps.A - Mail/FTP app

    
MD5:                      de759e9fdb3ec577d753ff240fc91a13
 Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011




Geinimi - Kosenkov Protector


Name:
               com.kosenkov.protector.
MD5:                404fd6f9113870d1b6e63dcd23cfe206
 Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011

PJApps - Fingerprint Screensaver


Name:
               Fingerprint Screensaver 
MD5:                 722da6cdfa8bac482c9c6be105b0ff2a
File Name:        com.jiubang.screenguru.apk
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011

Geinimi - Shopper 's Paradise

 
Name:               com.sgg.sp.ShoppersParadise.apk
MD5:                ea80ae4c4a17e8608e0fc7d6e34bf37e
 Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011



Root Exploit - ITFUNZ Lotoor

 
Name:               ITFUNZ 
MD5:          951c8a2efbe2acafeb351525d5bd52e2
MD5:          81614d2c1175ee32a6967d13630be8a9
 Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download 951c8a2efbe2acafeb351525d5bd52e2 (password infected)
Download  81614d2c1175ee32a6967d13630be8a9 (password infected)

or Download an archive with all the files donated on Oct. 21. 2011




PJApps.A - Mediaplayer - SMS-Trojan

 
Name:                Mediaplayer (goes under different names)
MD5:                c05d4ff1a80f18ba9d8a86afd88bc05d
 Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011  
Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011



some other related apps might be here

http://www.webgameboy.com/HTC-T5252/xiazai-14864.html

Related research: Cryptography for mobile malware obfuscation Axelle Apvrille


Kmin - Wallpaper Changer- Infostealer


MD5:          
   231696ffdf8d00c9d09af7fb85b4991d
MD5:                 be63349846165811da4e3444c5d15dea
MD5:                  2289293578008531755462e4e88afc17

MD5:                  8a0c4006157c766a08c313fa2143f1fe
MD5:                  3284493FB26FFCE5A1C23AF6B2383B6D
MD5:                  b5444e6c3c8376f7d2eccb974f31c7c3
MD5:                 b1c866ff733a3cb89bc101878e41523e
MD5:                  0f182524c0fe8ff999bfa3d63c9a9e97



Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011 


  1. Download  231696ffdf8d00c9d09af7fb85b4991d (password infected)
  2. Download be63349846165811da4e3444c5d15dea (password infected) 
  3. Download 2289293578008531755462e4e88afc17 (password infected) 
  4. Download 8a0c4006157c766a08c313fa2143f1fe (password infected) 
  5. Download 3284493FB26FFCE5A1C23AF6B2383B6D (password infected) 
  6. Download b5444e6c3c8376f7d2eccb974f31c7c3 (password infected)
  7. Download  b1c866ff733a3cb89bc101878e41523e (password infected)
  8. Download 0f182524c0fe8ff999bfa3d63c9a9e97 (password infected)

or Download an archive with all the files donated on Oct. 21. 2011


It appears data is going to http://su.5k3g.com/portal/m/c5/0.ashx

Friday, October 21, 2011

Geinimi-A BS2010


Name:             BS2010  
File Name:        com.gamevil.bs2010.BS2010
MD5:             0da3484a20c85c0489fea8f53316b53c
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011



Geinimi-B - GoldenMiner

 
Name:                 GoldMiner   
File Name:         com.handcn.GoldMiner.free.GoldMiner
MD5:                025a55c1bcbd3be2ca03aa314ce9a4c2
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011


BaseBridge-C

 
Name:                    Basebridge - C
File Name:           
  com.sec.android.bridge
MD5:                   
b6847521b548b806cf5e4f71b687ec26



Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011

Android Local Root Exploit - Lotoor - App2card

 
Name:                    Lotoor
File Name:         com.aps.hainguyen273.app2card  
  
MD5:                  
AFD12639E21C1884D33737ABA0BC43EE
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011


PJApps.B - Girl Mahjong Android

 
Name:                    App2SD
File Name:           
  com.rainbow.FMaj
MD5:                     
8353cad68f4d2b443b33bb2f32f2412d
MD5:                      89BB300CC1BF0B27C582327588EA7377
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 

Download 8353cad68f4d2b443b33bb2f32f2412d (password infected)
Download 89BB300CC1BF0B27C582327588EA7377  (password infected)

or Download an archive with all the files donated on Oct. 21. 2011



Kmin-B - App2SD for Android

 
Name:                    App2SD
File Name:           
  com.aps.hainguyen273.app2card.apk
MD5:                    
9783aa70949043bb7aaa205a31b42022
Sample Credits:     many thanks to a very generous anonymous donation, October  21, 2011
 



Download  (password infected)


or Download an archive with all the files donated on Oct. 21. 2011


Wednesday, October 19, 2011

Battery Doctor Android scareware/infostealer

 
Name:                    Battery Doctor scareware/infostealer
File Name:            
BatteryDoctor.apk
MD5:                    
DF4595EE727706D2CFDB7C9A1FE9E079
Sample Credits:     many thanks to Sanjay, October 18, 2011
Research:             
Sleazy Ads on Android Devices Push Bogus 'Battery Upgrade' Warnings Tom Spring, PCWorld

Download  (pass infected)

Monday, October 17, 2011

Android anserverbot malware Anserver.apk + payload b.apk


Name:                   Payload of the Android anserverbot malware - b.apk and 002f537027830303e2205dd0a6106cb1b79fa704(AnserverBot).apk
File Name:            b.apk decoded from  from http://blog.sina.com.cn/s/blog_8440ab780100t0nf.html
MD5:                    
164A147B663248558E4B6A287A429139
Sample Credits:     many thanks to Madalina Baltatu October 17, 2011
Research:             
NetQuin A Technical Analysis of the AnserverBot Trojan

Download b.apk  (pass infected)

Download Anserverbot.apk  pass infected

Thursday, October 13, 2011

Fake Netxflix - Android trojan info stealer


Name:                    Fake NetFlix
File Name:            
com.netflix.mediaclient-1w.apk
MD5:                    
83C6414C9C7964F4FB88E0D2477C20E4
Sample Credits:     many thanks to Sanjay, October 13, 2011
Research:             
Symantec blog: Will Your Next TV Manual Ask You to Run a Scan Instead of Adjusting the Antenna?

Download  (password infected)




Friday, September 30, 2011

Jimm ICQ SMS-Trojan pushed by malicious QR codes


 Russian internet lanscape is fertile not only for windows malware but also for mobile.
There are plenty of SMS trojan variants lurking on sites offering their 'versions' of popular software. A quick search for phone freeware brought a bunch of java and apk sms senders and questionable apps.
Here is one for example http://www.virustotal.com/file-scan/report.html?id=c8263e24046f2902e9c8639a89c2f3da5bbdba4055028b5cc9291143994726e5-1317426885
 I will post all the harvested sms senders in one post after this


Name:                    Jimm ICQ for Android and other phones (jar)
File Name:   

         
File: jimm.apk
MD5:  37A46AEC9AA86831FAA3DDB6B05A05F8
 File: jimm2s.jar
MD5:  B409DB1963DE4287FEB542377B0FE3A1

Sample Credits:     many thanks to anonymous, Sept 30, 2011
Research:             
Malicious QR Codes Pushing Android Malware by Denis - Kaspersky Lab



Download  (pass infected)





Ikee iPhone worm


 Adding IkeeD to IkeeB sample we already had. See both below


Name:                   Ikee
File Name:            

Duh - iKeeB
poc-bbot - IkeeD
 
MD5:                    

2a73926229457a3ec9611ec53a2e2249 - IKeeB
24663299e69db8bfce2094c15dfd2325 - IkeeD
Sample Credits:     many thanks to Alberto Ortega, sept 30, 2011
Research:              

An Analysis of the iKee.B (Duh) iphone Botnet Phillip Porras, Hassen Saidi, and Vinod Yegneswaran - SRI
Microsoft June 2010 Backdoor:iPhoneOS/Ikee.D

Download iKeeB and iKeeD (pass infected)



Thursday, September 29, 2011

Gone in 60 seconds - Android spyware


Name:                    Gone in 60 seconds
File Name:             

com.gone60-1.apk
com.gone602-1.apk
com.gone603-1.apk
com.gone604-1.apk
com.gone605-1.apk
MD5:                     

859CC9082B8475FE6102CD03D1DF10E5
8D4018A73A35E079ABA1D0FD8A06E522
CB236442CF93A47BC15E3F312F097992
F259DEAAB9A14ECD4AA4107BE9BDA6FD
B99BA24A35C7A49E65D41FFC6B1282BE
Sample Credits:     many thanks to Jason Ross, Sept.29, 2011
Research:            

All data stored on your smartphone ….. gone in 60 seconds by Vlad Constantin ILIE, BitDefender Malware Researcher




Download  (pass infected)




Thursday, September 22, 2011

DroidDreamLight - new variant found in a China-based third-party app


Name:                    DroidDreamLight
File Name:            
com.button.phone_91595200_0.apk
MD5:                    
3D9472D792019E40605ABFA9CB22FBA5
Sample Credits:   many thanks to anonymous, Sept 22, 2011
Research:            
Sep16 Massive Code Change for New DroidDreamLight Variant Trend Micro
found in this Android store



Download (pass infected)





Wednesday, September 14, 2011

Spyeye for Android


Name:                    Spyeye for Android
File Name:             spitmo_cfa9edb8c9648ae2757a85e6066f6515_simseg.apk
MD5:                      cfa9edb8c9648ae2757a85e6066f6515
Sample Credits:     many thanks to evilcry, September 14, 2011
 First SpyEye Attack on Android Mobile


Research:


Download  (pass infected)





Saturday, September 3, 2011

See you soon


I will be away until Sept 17. If you would like to share a mobile
malware sample, please email it to me or if you can, use the upload  box
(this way it becomes accessible to others via this link)



DroidDeluxe - root exploit


Name:                    DroidDeluxe - root exploit
File Name:             DroidDeluxe.rar (apk components inside)
MD5:                     
bbb6f9a1aad8cc8c38d4441bac4852c0
Sample Credits:     Roberto Rogunix rogunix.com
Research:             
Security Alert: New Root-Capable DroidDeluxe Malware Found in Alternative Android Markets
Attribution note: Many German file names  :)


Download  (pass infected)




Monday, August 29, 2011

Wednesday, August 24, 2011

APKInspector

APKInspector is a powerful GUI tool for analysts to analyze the Android applications. Some modules of APKinspector on based on Androguard http://code.google.com/p/androguard/.

APKinspector Installation Guide

Friday, August 19, 2011

DogoWar / Dog Wars - SMS Trojan, courtesy of Animal Rights defenders


Name:                    AndroidDogowar.apk
File Name:            
AndroidDogowar.apk
MD5:                     
16521eee3e74a4186ffe731dfaa77a83
Sample Credits:     many thanks to anonymous, August 19, 2011
Research:             
Animal Rights protesters use mobile means for their message -  Symantec


Download  (pass infected)




Thursday, August 11, 2011

Wednesday, August 3, 2011

Lovetrap - SMS-Trojan


Name:                    Lovetrap-apk
File Name:            
Lovetrap-apk
MD5:                    
f3497516eab17c642c5ede5ad1e55a15
Sample Credits:     many thanks to anonymous, Aug 3, 2011
Research:             
Android.Lovetrap - Symantec Security


Download  (pass infected)




Wednesday, July 20, 2011

GGTracker - SMS Trojan


Name:                    GGTracker
File Name:             com.space.sexypic.apk
MD5:                     156fdce65eb6e4287aed687a1c9c2589
Sample Credits:   
thanks to Tim Strazzere Lookout Mobile Security, July 20, 2011

Name:
                    GGTracker
File Name:             batterysaver.apk / t4t.power.management.apk
MD5:                     41080c6169d3e5843c0c0e4abef80e7e

Sample Credits:   
thanks to Tim Strazzere Lookout Mobile Security, July 20, 2011
Research:               GGTracker Technical Tear Down - by Tim Strazzere Lookout Mobile Security
                               Security Alert: Android Trojan GGTracker Charges Premium Rate SMS Messages - Lookout Mobile Security


Download com.space.sexypic.apk (pass infected)
Download batterysaver.apk / t4t.power.management.apk (pass infected)



Wednesday, July 13, 2011

HippoSMS - SMS Trojan

Name:                    HippoSMS
File Name:             hippo.apk
MD5:                     f9bfec4403b573581c4d3807fb1bb3d2
Sample Credits:   
thanks to anonymous, July 13, 2011
Research:             
Security Alert: New Android Malware -- HippoSMS -- Found in Alternative Android Markets


Download  (pass infected)



Tuesday, July 12, 2011

HTC.apk - fake security patch


Name:                   HTC fake patch
File Name:             htc.apk
MD5:                    4c8f01db58987c2c3321cdbbb1a2e67a 
Sample Credits:    many thanks to William Hill CPU Media | Kinetoo.com: Android mobile malware scan July 12, 2011 
Research:              CPU Media | Kinetoo.com: Android mobile malware scan July 12, 2011
HTC.apk is a fake security patch found on circulating among Chinese users. It's a phishing attack disguised to appear as a security patch from China Mobile. The infected site is 1OO86.net (note that 10086.net is a legitimate China Mobile site).

Download  (pass infected)



Monday, July 11, 2011

New CONTAGIOminiDUMP

Please welcome the new section of Contagio - CONTAGIOminiDUMP.BLOGSPOT.COM
The old mobile malware Mini-dump (aka "Take a sample, leave a sample" ) grew too large and difficult to use. This section will allow better organization of all the mobile malware. There are not that many samples but it is steadily growing.

This is a work in progress and please send or post your comments regarding the design, hosting, organization and such.

Many thanks to Tim Strazzere for catalyzing the upgrade :)

 ~ Mila

Friday, July 8, 2011

Take a sample, leave a sample. Mobile malware mini-dump - July 8 Update

THE ORIGINAL POST  (I am in the process of breaking it out and organizing like you see in the posts below)


Download

Download files from the mobile malware mini-dump 
 use infected for the password

Current list (~50+ downloads = around 200 individual files as of June, 2011). Hyperlinks lead to Virustotal
Download from the dump link above or click on "download" link if present
  1. Zitmo Android Edition (Zeus for mobile) ecbbce17053d6eaf9bf9cb7c71d0af8d  Download (thanks to anonymous, July 8, 2011)  Zitmo hits Android Axelle Apvrille- Fortinet
  2. GoldDream.A  BloodvsZombie_com.gamelio.DrawSlasher_1_1.0.1.apk b87f2f3a927bf967736ed43ca2dbfb60 (many  thanks for the sample to oren@avg-mobilation July 6,2011) Download Read more:Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets  Xuxian Jiang
  3. GoldDream.B v1.0_com.GoldDream.pg_1_1.0.apk f66ee5b8625192d0c17c0736d208b0b (many  thanks for the sample to oren@avg-mobilation July 6,2011) Download Read more: Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets  Xuxian Jiang
  4. DroidKungFu2 -A _com.allen.txthej_1_1.0 F438ED38B59F772E03EB2CAB97FC7685 (many  thanks for the sample to oren@avg-mobilation July 3,2011) Download  Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets 

Zitmo Android Edition (Zeus for mobile)

MD5:        ecbbce17053d6eaf9bf9cb7c71d0af8d
Credits:     thanks to anonymous, July 8, 2011
Research links:



Download  (pass infected)