Profile picture
Elliot Alderson @fs0c131y
, 13 tweets, 6 min read Read on Twitter
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
blog.alyac.co.kr/1587
Articles on the same subject by @PaloAltoNtwks and @TalosSecurity
researchcenter.paloaltonetworks.com/2018/04/unit42…
blog.talosintelligence.com/2018/04/fake-a…
The samples are available on @koodous_project and @virusbay_io
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
In the 1st downloader, in the OnCreate method of the MainActivity, they checked if the package called com.cool.pu is installed. If not, they display a message prompting the user to update the application
In the downloadapk method, they retrieves the payload from cgalim[.]com and saves it to the external device memory as AppName.apk
I like their log: Log.i("aaaaa", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”)
Interesting, the 2nd downloader is checking if the package com.aykuttasil.callrecorder is installed
Yeah, more samples to analyse!!!
2 more samples signed by the same “kevin”:
* b318ec859422cbb46322b036d5e276cf7a6afc459622e845461e40a328ca263e
* f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a
I uploaded them to @virusbay_io
Nothing shady here: the launcher activity of the payload is called MainTransparentActivity and start a RootingTask :D
To give you an idea of the payload capabilities, this screenshot is the list of all the available actions
This is the list of the command types, in this sample not everything is used
unroll
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#KevDroid #Android #malware #ESTSecurity

More from @fs0c131y see all

Profile picture
In 1981, the Primrose fails on a beach of the North Sentinel Island, pushed by a typhoon. You can still see the wreckage on Google Map, in a creek, in the northwest. The crew was saved only by a helicopter operated by the Indian Navy.
Exact coordinates on Google Maps. Open the link, this Island is wonderful! google.com/maps/place/Nor…
Awesome article in French about the North Sentinel Island from @lemondefr lemonde.fr/international/…
Read 3 tweets
Profile picture
I have a @Frida question: How to deal with a HashMap? I'm intercepting a Java method, "this" has a Hashmap in his attributes. I want to print the content of this HashMap cc @oleavr @enovella_
cc @NowSecureMobile 👋
cc @fridadotre
Read 3 tweets
Profile picture
.@Paytm, the most used banking app in #India, just sent a dummy notification to his users in the middle of the night. Imagine the reaction of the guy (hacker?) when he realised that he just sent a notification to millions of people
Paytm published a tweet regarding this notification
Read 3 tweets

Related threads

Profile picture
1. #qanon says watch Iran. Something incredible About to happen. Hasan Rouhani is at the mercy of the great people of Iran. This will be exciting ! Amazing times!
2. Foxnews confirming #qanon post last night about FBI leaking to get basis for FISA warrant. #qanon
3. Large swath of info posted by #qanon. Always seems to drop when I’m buried with work. Will take a stab at it when I get back to office. #wwg1wga
Read 76 tweets
Profile picture
A thread about INTRIGUE IN THE OFFICE OF NET ASSESSMENT, BARACK OBAMA’S BITTER EXIT AND THE ISRAELI ANGLE
On Sept 20 2016, an extraordinary meeting occurred between Peter Strzok, Glenn Fine and “Baker.”
By now, everyone is aware of FBI agent Peter Strzok and his many faces.
Read 77 tweets
Profile picture
Several days ago I went to an antique shop and I'm still thinking about this object. Why didn't I buy it? How could I be such a fool?
I went back and got it.
Here's a little video showing it in action. And yeah, the description was right: the FM doesn't seem to work. I haven't yet tested the 8-track.
I'll pop it open later and try to fix that.
Read 3 tweets
Profile picture
LONG THREAD:

On the subject of #PitbullDropOff and cognitive dissonance in American life and politics.
Whether you are new to this twitter account or a long-time follower, you are probably aware that I have recently found myself at the heart of a controversy over a viral hashtag: #PitbullDropOff
A few weeks ago, I tweeted that I had joined the ranks of those who were picking up unwanted pitbull terriers being advertised as free giveaways and delivering them to animal shelters which performed euthanasia. I did not come up this idea.
Read 87 tweets
Profile picture
Hello all. Sorry for the late hour, but I wanted to give you just some quick updates on #Italy’s political deadlock. As I had hinted here in the past, despite many discarded it in the 1st place, a sort of “populist” collaboration between LEGA and M5S is more likely
I tell you why
1. Today LEGA leader Salvini and M5S leader Di Maio had a phone call. It is the 1st actual, concrete contact between the two after #Italyelection2018, after pretending to ignore each other. It was “a frank and kind call”, they said. But what did they discuss on the phone?
2. Well, according to official statements, they primarily discussed the question of the two Parliaments speakers (House of reps + Senate, it is the first stel after elections), stressing the fact that the matter is “unrelated” to the formation of a potential government
#Italy
Read 23 tweets
Profile picture
Starting today, it will be a crime in Poland to say the country helped Nazi Germany during the Holocaust.
apnews.com/2a09f2c3d4ef49…
The measure, part of a strategy by Poland’s nationalist administration to “defend the country’s honor and pride,” is aimed to prevent younger generations from believing that Poland had any role in the Holocaust.
The legislation establishes fines or prison sentences of up to three years for anyone intentionally attributing Nazi crimes against humanity to Poland. Referring to “Polish death camps” is an example of what could put a person in jail now.
Read 16 tweets

Trending hashtags

#New #FAKENEWS #SNPP #ItsOnlySoftware #HomervLisaandThe8thCommandment #WeAreQ #skillz #ThoseYouTrustMost #rakes #LeonardNimoy #BowlingInstructor #SFGiants #D5 #OBeNice #NorthKoreaRemains #BartSimpson #Ronco #PutinPuppets #Trump #PrincessPenelope #UPFight #MusicMan #GreatAwakeningWorldwide #fails #SideshowBob

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!