
Tuesday, December 25, 2012

Trojan.Rus.SMS."SystemSecurity" - Toll Fraud / ConnectSMS


Santa, aka DarkK3y, brought a new present.
Please read the malware report below. If you have any comments for the author, please email me and I will send him or get him to contact you.




Download. Email me if you need the password. 
Sample and Research credit: DarkK3y




DarkK3y / dark_k3y
Trojan.Rus.SMS."SystemSecurity"  

=== Summary of the analysis ===

This malware sample was received by SMS message with a web link inside. The malware seems to be toll-fraud malware (according to Lookout Mobile Security classification). Moderate user interaction is required to infect the mobile device: the user needs to click the link and install the apk file downloaded from it. The installation package requires many security permissions to run (see Characteristics section).

After installation, "System Service" (com.android.systemsecurity) appears on the device. It loads on boot and hooks the SMS receiver service (with the greatest priority). It also uses the alarm service to schedule periodic (3 minutes and more) runs. On each run except the first, an SMS is sent to the paid service. On the first run, information about the paid service (SMS number and code) and an SMS filter (which SMS should be dropped and not shown to the user) is downloaded from the CnC server; OS information, IMEI, IMSI and the user's contact list are uploaded to the CnC server. Possibly, the phone numbers from the user's contact list are used by the CnC server for further malware spread, by sending SMSes to them.

Currently, the malware seems to be undetectable by Norton Mobile Antivirus and some other anti-malware mobile tools. It is only detected by heuristic scan methods (possibly because it requires too many security privileges).
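The manifest pattern described above (a receiver for SMS_RECEIVED registered with the highest priority, SEND_SMS alongside it, boot persistence, and contacts plus network access) is exactly what a heuristic scanner keys on. The following triage check is an added example, not part of the original post or of DarkK3y's report: it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for example with apktool), and the embedded manifest, package name and class names are constructed placeholders rather than values from the sample.

```python
# Added example: defender-side triage of a decoded AndroidManifest.xml for the
# SMS-interception / toll-fraud permission pattern described in the report.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def _a(elem, attr, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr), default)


def _priority(intent_filter):
    """android:priority as an int; accepts decimal or 0x-hex (both occur in
    decoded manifests) and treats anything unparsable as 0."""
    raw = _a(intent_filter, "priority", "0")
    try:
        return int(raw, 0)
    except ValueError:
        return 0


def analyze_manifest(manifest_xml, high_priority=1000):
    """Summarise the SMS-related capabilities a manifest declares.

    Filters at or above high_priority are flagged. 1000 is Android's
    SYSTEM_HIGH_PRIORITY; abusive apps commonly declare the int32 maximum
    (2147483647) so they receive SMS_RECEIVED before the stock SMS app and
    can abort the broadcast, which is how incoming messages get hidden.
    """
    root = ET.fromstring(manifest_xml)
    perms = {_a(e, "name") for e in root.iter("uses-permission")}
    sms_receivers, boot_receivers = [], []
    for recv in root.iter("receiver"):
        name = _a(recv, "name")
        for flt in recv.findall("intent-filter"):
            actions = {_a(act, "name") for act in flt.findall("action")}
            if SMS_RECEIVED in actions and _priority(flt) >= high_priority:
                sms_receivers.append((name, _priority(flt)))
            if BOOT_COMPLETED in actions:
                boot_receivers.append(name)

    findings = []
    if sms_receivers:
        findings.append("high-priority SMS_RECEIVED receiver (can drop incoming SMS before the user sees it)")
    if sms_receivers and "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS combined with SMS interception: toll-fraud capable")
    if boot_receivers and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("starts on boot")
    if {"android.permission.READ_CONTACTS", "android.permission.INTERNET"} <= perms:
        findings.append("can read contacts and send them over the network")
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "high_priority_sms_receivers": sms_receivers,
        "boot_receivers": boot_receivers,
        "findings": findings,
    }


# Constructed manifest for demonstration only; the package and class names
# are placeholders and are not taken from the analysed sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.systemservice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="System Service">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".MainService"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for finding in report["findings"]:
        print(" -", finding)
```

The check is deliberately permission-and-manifest only, so it runs without executing the APK; a high-priority SMS receiver on its own is also used by legitimate SMS apps, which is why the findings are reported as a combination rather than as a single verdict.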

Monday, December 24, 2012

Merry Christmas and Happy New Year!



More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum

Sunday, December 23, 2012

Android.Tascudap - DDoS trojan


File: apk.apk
Size: 124568
MD5:  3CC7597A183B9A2C91127D18A04A2B26

Research: Symantec - Android.Tascudap

Symantec - Android.Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

Email me if you need the password



Monday, December 17, 2012

Sunday, December 16, 2012

Android Carberp


December 2012

File: alfasafe.apk
Size: 270797
MD5:  07D2EE88083F41482A859CD222EC7B76


File: sber.apk
Size: 225905
MD5:  F27D43DFEEDFFAC2EC7E4A069B3C9516




File: vksafe.apk
Size: 226368
MD5:  117D41E18CB3813E48DB8289A40E5350


Sample credit: Pau Oliva Fora

Download. Email me if you need the password scheme


Tuesday, November 13, 2012

Android Uranico - infostealer

Android Enesoluty - Fake Antivirus, Spyware

September 2012

5DD6C326114BAB3A1D253200C2F897A1
SafeSearchActivity


FCA3D59B8F4A982E66DDD585737E3C48
SecureVirusScan




Research: Fake Antivirus App Steals Contact Data on Mobile Devices. Symantec

Download. Password as on contagio. Email me if you need the password

Android Sun Charger - Sumzand, spam sender

September 2012

Research: Sun Charger, the Latest Android.Sumzand Variant, Continues the Massive Spam Campaign, Symantec
Sample credit: Anonymous

File: schgg.apk
Size: 100930
MD5:  60673A78686A6D0FAF2DC9545EB841CC




Android Fakeguard

October 2012

Research: Android FakeGuard - Symantec
Sample credit: Sanjay

The Trojan may arrive as a package with the following characteristics: 

Package name: com.stech.stopphishing 
APK: 
  • com.stech.stopphishing.apk
  • com.stech.spamguard.apk
  • com.stech.stopphishing.apk

File: com.stech.spamguard-6.apk
Size: 210418
MD5:  74089D836A3D6768F766A85422819D21



Download. Same password scheme as contagio. Email me if you need the password.



File: com.cn.smsclient-8.apk
Size: 210430
MD5:  12CBEDC185D82C61150D8C9EE38A9FCB



Download. Same password scheme as contagio. Email me if you need the password.




Friday, October 19, 2012

Thursday, October 18, 2012

Android FinFisher / FinSpy



Size: 144688
MD5:  F59087BFA5A0211AA75C4BE2AF9DEE10


Size: 142822
MD5:  08CFFA8F55BE4BBED2704395876B618F

News:
http://en.wikipedia.org/wiki/FinFisher
http://www.ic3.gov/media/2012/121012.aspx

These are not really new; they date back to September. Why they chose this + Loozfon (which is not spread in the USA) but not more common types is beyond me.



Download (email me if you need the password) (new link)





Wednesday, October 17, 2012

Android Rogue Bad Piggies Versions -ANDROIDOS_FAKEINST.A

Research:  Malicious Developers Release Rogue Bad Piggies Versions
Files


  1. File: bad_piggies_android_0_installer.apk Size: 304822 MD5: 05DF6D050B84C090E4FCA42791B3BE37 << same is in the article
  2. File: bad_piggies_install (1).apk Size: 3415303 MD5:  83BF06A3CC73D395042A8743C74CB7BF
  3. File: Bad_Piggies_install.apk Size: 201591 MD5:  650D101AC283747DE25B8B32A089EFA6
  4. File: badpiggies_install.apk Size: 297118 MD5:  B16E47F11A0D980DD5F5EB4C32CC6C82





Download the files above (email me if you need the password)
http://contagio.deependresearch.org/files/Mobile/badpiggies-fakeapp_ANDROIDOS_FAKEINSTa.zip



Thursday, September 27, 2012

10 samples of SMSZombie Android SMS Trojan




SHA256 (file name)                                                                   MD5
45099416acd51a4517bd8f6fb994ee0bb9408bdd80dd906183a3cdb4b39c4791.apk            098c9874ca14b2544846b24ab8cea204
5f0dbf2b42bf9f400ea4cc81030de3eacd676e54b671a524259a5ceff938e210.apk            4084939a0864b645f6c6a915586fb1ab
576639b9c12143e558a4ff8866d6b0e1370c0705cf8701dfc296b497a4de20c7.apk            40f3f16742cd8ac8598bf859a23ac290
c9bb707b78a714771ade4c1b4adb1cab8e4e16915f0a022e3f742eba93c3334c.apk            4d13d1bc63026b9c26c7cd4946b1bae0
741684cfcbc861b076bd7561be29f8bd3f1814b9049034a0412601f786f0f0f0.apk            9f972dbe36d4ce709aa21c291d632d31
72f9752c809d8cd12da34b20f202cdf578c338ec956491cb7b5f18c6d4cbc250.apk            a31245022c60fc50b81f7ffc4f4967b2
f391cc4ea5961d649bc62a0466560dc76eaebcf26f0c8452c671c2d2b34361b8.apk            a354baf35efcc57752db8bd6ee7f6115
b48be6fec1c25afcf274c9f8c6ac038015f2b04c87a9b8da6519ee3510ef30a2.apk            b6cacc0cf7bad179d6bde68f5c013e6e
319a962f486080b4a7dbe1896a4f1a345d86c5644ebedb8f28ab2b737cf9deeb.apk            c71740ee94467ae70a71265116d54186
eb84256836a99417b13159ad285430bc879eb52fd755d90caec766b17793a265.apk            cafffdee7479a8816f4551ac8c3a0178

Sample credit Pau Oliva Fora

Download (email me if you need the password / use the contagio password scheme)


Fakelash - Android SMS trojan




Research: Android malware distributed by malicious SMS in France


File: FlashPlayer.apk
Size: 2620250
MD5:  BE615D9730C1BBEBF73B2205F7B7D51B


File: flashnew.apk
Size: 2744902
MD5:  7DEC1C9174D0F688667F6C34C0FA66C2

Download (email me if you need the password / use the contagio password scheme)


Thursday, September 13, 2012

Android SimpleTemai - Fraud | Downloader Trojan


Research: Lookout: Security Alert: SimpleTemai
Sample credit: Tim Strazzere


File: com.polarbit.rthunderliteok-SiMPLETEMAi.apk
Size: 3386440
MD5:  DF4403B78CFFA505FDCB309CCF0D0E21


Download
https://contagiomobile.deependresearch.org/files/com.polarbit.rthunderliteok-SiMPLETEMAi.zip
(the password scheme is now the same as contagiodump.blogspot.com scheme, email me if you need, email address is in the profile)


Android Spyware samples


File: power_battery.apk
Size: 560429
MD5:  7ECB7A1FA96E18B85ED10D83537CFD3C


File: smartphone5-1.apk
Size: 285814
MD5:  6BAE149BC65576831AC635A23938BE36

Sample credit: Tushar Verma

Download
http://contagiomobile.deependresearch.org/files/6BAE149BC65576831AC635A23938BE36_smartphone5-1.zip
http://contagiomobile.deependresearch.org/files/7ECB7A1FA96E18B85ED10D83537CFD3C_power_battery.zip

 (the password scheme is now the same as contagiodump.blogspot.com scheme, email me if you need, email address is in the profile)


Thursday, September 6, 2012

Contagio mobile file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

Things are better now
See the last and final update on the main page.
http://contagiodump.blogspot.com/2012/09/contagio-file-downloads-are-not.html

I want to thank everyone who offered support, offered help with legal and hosting, and made public posts about it. I truly appreciate, it helped me sort it out.

Wednesday, September 5, 2012

Plankton related adware samples / Airpush


 
Research: Trend Micro - More Adware and PLANKTON Variants Seen in App Stores

    0503B2F6C1349F7E1CD7E8B6BF17AC46
    11A7767BFE4926458EC84385214B82C9
    1485F498084F963801ED76013749C9FA
    4A300481411AB1992467959491DF412C
    4B7450406A38B522E69DE1426604BF7F
    5A1FD697C3ECD3D050B3D88D8A8649A1
    66C6A88DF66F0C2CF9194C13809FE05A
    67D85DFE26CDA45402CDAC3456D8A863
    7220C948659F9990040C9C20D5FD04EF
    8C7C8231DF0D799B12274B8B39C882B8
    8D52070201F2A81FB1298E133D74057C
    99E42DFA2C847FF0511F7C442999FFAA
    A4D6033F66DA3BE83CBF80724CA013D1
    AA6655B409B647065E19758AE5D242EA
    B5BCAB6FE08C9B6229F5D053705DEE9B
    B8B434AB21D394DAA0A9A78A515BD517
    BC2EEE6F861843EA6FE5A4A14CB44372
    CFB7E66B2FB605CC94DEBD01238B4995
    DF473E3D789C63BAE99828044DA74500
    E4BE39E5955FD3BD7AC97F58E66EF3E5
    E7F0656486EEBFD9AB236451FD980BD4
    E8063DE12976D371441F15F2C5715627
    F134FC245E50F031ED8B4FAE3F1D4EB0
    F1AA24C1641471F5FBEF08AE56A53FB4
    FEE6F3AB17688600E0E15AED1489D9AE

Download (pass infected) 





Tuesday, September 4, 2012

Loozfon - Japanese Android infostealer


File: AndroidLoozfon
Size: 544646
MD5:  157985FF7FCF1CA30F5B026D1B897F1F

File: Loozfon.apk
Size: 42913
MD5:  04C9E05D0F626CC3F47DC0BC9B65A8CF

Research: Loozfon Malware Targets Female Android Users by Symantec
Sample Credit: Sanjay

Download (password infected)






Monday, August 20, 2012

SMSZombie.A - Chinese SMS trojan


Research: New Virus SMSZombie.A Discovered by TrustGo Security Labs
Sample credits: Pr0Zel and Tim Strazzere (Lookout security)
Files
  • 4D13D1BC63026B9C26C7CD4946B1BAE0 com.bntsxdn.pic.apk
  • A31245022C60FC50B81F7FFC4F4967B2 com.hxmv696.pic.apk 
  • cafffdee7479a8816f4551ac8c3a0178 com.lzll.pic
  • c71740ee94467ae70a71265116d54186 com.zqbb1221.pic
  • 4084939a0864b645f6c6a915586fb1ab com.gmdcd.pic
  • b6cacc0cf7bad179d6bde68f5c013e6e com.xqxmn18.pic
  • 40f3f16742cd8ac8598bf859a23ac290 com.ldh.no1  
dropped:
  • 9F972DBE36D4CE709AA21C291D632D31 a33.jpg.apk

Download (password infected)

Monday, August 13, 2012

LuckyCat.A Android APT malware


File: testService.apk
Size: 17810
MD5:  41B0C54AB4EF1A0983061B6F1354E562

Research: Adding Android and Mac OS X Malware to the APT Toolbox by Trend Micro

Sample Credit: Tim Strazzere Lookout Security

Download (password infected)




VDloader Android



1. File: zj_NinjaChicken_other.apk
Size: 5131151
MD5:  4BC1C8A05B8505662BE778B6DAD23B55




2. File: waterfall3dLive.boa.liveWPcube.apk
Size: 723022
MD5:  6AF90ADD478E4D27B4170FA791E635EE

Sample Credit: Tim Strazzere Lookout Security

Research: Symantec New Android Malware Spotted on Third Party App Markets

Download files (password infected)



Tuesday, August 7, 2012

New ZitMo for Android and Blackberry



MD5: e98791dffcc0a8579ae875149e3c8e5e
File zitmo.apk

MD5: 7d09ce7ff636c308b0bf43c0d1662652
File name:  zitmo.jar

MD5: 2451bd595bbc830ea76adb96a7f319f3
File name: zitmo1.cod

MD5: 6fe08b174c92fe439af0f84bd9643545
File name: zitmo2.cod

MD5: 763083a8627837b55316bf93c625c200
File name: zitmo3.cod


MD5: 2a63801d60c900c10ee13d42dc5fc4ab
File size: 549 bytes
File name: seguridad.jad


Sample credits - Anonymous
Research:  New ZitMo for Android and Blackberry by Kaspersky


Download all files (password infected)  


Friday, July 13, 2012

DropDialer.A and DropDialer.B - Android SMS trojan

Research: Symantec Android.Dropdialer Identified on Google Play


DOWNLOADER DropDialer.a
File: com.nnew.GTAHDBackground.apk
Size: 3442089
MD5:  B7D33549AE6B438DF0A42838CACE4209

DOWNLOADED DropDialer.b

File: Activator.apk
Size: 15794
MD5:  1E0D68C2CA22471E83CC385E559A0A0D

Download - pass infected

Sample credit - Tim Strazzere, Lookout Security

MMarketPay - Android application-buying trojan

 File: com.mediawoz.gotq.apk

Size: 4839186
MD5:  CD6F0C2FB0A5A9B2793F0BD9AED8E922

Research: MMarketPay.A, New Android Malware Found in the Wild by TrustGo Security Labs, July 6, 2012
Sample credit: Tim Strazzere - Lookout Security

 Download (password infected)


Tuesday, July 10, 2012

Android FindAndCall spyware


File: il.co.egv-3.apk
Size: 518611
MD5:  024E47BB9252C5537B94225C0E7D7932

Research: Find and Call: Leak and Spam by Denis (Kaspersky)
Sample credit: thanks to anonymous, July 10, 2012


Download (password infected)





Apple iPhoneOS FindAndCall spyware

File  iPhoneOS/FindCall.A!tr.spy

File: FindAndCall 1.1.ipa
Size: 2940485
MD5:  4D99379EC9F2CA9A33BFE9841A931A80


Research: Find and Call: Leak and Spam by Denis (Kaspersky)
Sample credit: thanks to anonymous, July 10, 2012

Download (password infected)


Monday, July 9, 2012

Android KungFu variant


File: _pl.byq.new_19_1.2.5.apk
Size: 81995
MD5:  079455DE5891F7E1BB19017C77F1BEC0


File: _com.tebs3.cuttherope_6_1.1.5.apk
Size: 90311
MD5:  45F86E5027495DC33D168F4F4704779C

Credit: thanks to anonymous, July 9, 2012


Download (password infected)




April 2012 - Dougalek.A - Android spyware

File

00e74c118fa3902e5c85fd8e37f3d084.apk
9d1625aa79b55a79064dac7a0ecc2f91.apk
857ee29d88796e1f1b7b440dc9eadc77.apk
b9622e587ae28cfff8ffc5645221e422.apk
c2dfe44d9f130033ecd89ba33f8a2e0a.apk
e8237a583fe7b2362b4addf01518600b.apk

Research McAfee: Android Malware Promises Video While Stealing Contacts - April 2012
Credit Thomas Wang

Download (password infected)






Thursday, June 21, 2012

Friday, May 18, 2012

See you in two weeks


Greetings,
I will be traveling and will not have time for posts until June. If you sent any files to me recently and I did not post / did not reply, please accept my sincere apologies, it has been a busy period.

Please continue to share and upload files to  Contagio Community and Contagio Mobile dump where it will be available immediately to others via the main download link posted there.
I hope you all have a great end of spring and glorious summer.
Thank you
Mila

Tuesday, May 1, 2012

Android Gamex Trojan


File: de.mehrmannd.sdbooster-GAMEX.apk
Size: 256139
MD5:  50836808A5FE7FEBB6CE8B2109D6C93A
Sample Credits:   with many thanks to Tim Strazzere, April 30, 2012
Research:  
   Security Alert: Gamex Trojan Hides in Root-Required Apps – Tricking Users into Downloads - Lookout

Download (password infected)



Android PJApps - 2011 - Liveprints wallpaper



File: Newfpwap_com_liveprintslivewallpaper.apk
Size: 1316981
MD5:  A84997B0D220E6A63E2943DA64FFA38C
Sample Credits:   with many thanks to anonymous April 28, 2012
 


Download  - password infected





Friday, April 20, 2012

Android Copy9 - commercial spy app - Potentially Unwanted (PUP app)


File:       Copy9 - commercial product (http://copy9.com - "The Number 1 solution for Spy")
MD5:    
69B9691A8274A17CDC22E9681B3E1C74
Sample Credits:   with many thanks to Harsh, April 20, 2012
CleanMX report: http://support.clean-mx.de/clean-mx/viruses?id=1448570
Original location: http://copy9.com/download/copy9_23.apk


Download  - password infected

Wednesday, April 18, 2012

Fake Instagram - Fake App Toll Fraud - Android Malware


File:       Fake Instagram
MD5:    
69B9691A8274A17CDC22E9681B3E1C74
Sample Credits:   with many thanks to Tim Strazzere, April 18, 2012
Research:  
The Continuing Saga of Fake App Toll Fraud  - Lookout






Download  - password infected




Android.Qicsomos - Fake CarrierIQ detector-SMS Trojan


File:             Android.Qicsomos.apk
MD5:    
69B9691A8274A17CDC22E9681B3E1C74
Sample Credits:   with many thanks to Anonymous, April 17, 2012
Research:  
Symantec: The Day After the Year in Mobile Malware?
Symantec: Android.Qicsomos


Download  - password infected

Wednesday, April 11, 2012

Spyera (Android commercial App) - aka Tigerbot

Looks like  Tigerbot is a commercial spy app developed by Spyera



File: spyera.apk aka Tigerbot
MD5:  9D0B1B6BBC1568A8A0C7F186B8944905
Sample Credits:   with many thanks to Tim Strazzere for the sample and information, Lookout Security, April 11, 2012
Research:   NQ: Security Alert: New Android Malware — TigerBot — Identified in Alternative Markets






Download  - password infected



Saturday, March 31, 2012

Android DKFBootKit (aka LeNa.b and LeNa.c, DroidKungFu variant) - new samples



File: com.rovio.new.ads-LeNa.c.apk
MD5:  3B524DD4A7BBD2DE633EBFCFF167FED2


Research: Security Alert: New Variants of Legacy Native (LeNa) Identified By Tim Wyatt
Sample Credits:   with many thanks to Tim Strazzere, April 3, 2012


File:        com.atools.cuttherope-LeNa.b.apk
MD5:      7503128D14FA8FC6B9B64CE6E9CD90E3
SHA1      64013d749086e90bdcfccb86146ad6e62b214cfa

Sample Credits:   with many thanks to Tim Strazzere, March 31, 2012

which is the same as LeNa featured below

Monday, March 26, 2012

Android.Stiniter / TGLoader (malware utilizing Root exploit)

File:                 android.dds.com-STiNiTER.apk
MD5:    
E9AA097C6E87690F938BE8C75EF91C27
Sample Credits:   with many thanks to Tim Strazzere, March 27, 2012
Research:  
Original Detection Symantec Android.Stiniter
Research:  Security Alert: New TGLoader Android Malware Utilizes the Exploid Root Exploit


Download  - password infected