Fake AV Investigation Unearths KevDroid, New Android Malware
This blog post is authored by Warren Mercer, Paul Rascagneres, Vitor Ventura and with contributions from Jungsoo An.
Summary
Several days ago, EST Security published a post concerning a fake antivirus malware targeting the Android mobile platform. Korean media reported that there could be a link between this Android malware and Group 123. Talos decided to investigate this malware, and because of our prior reporting on and history of tracking Group 123, we discovered some interesting elements.
Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim's phone calls. One variant uses a known Android exploit (CVE-2015-3636) in order to get root access on the compromised Android device. The data of both variants was sent using an HTTP POST to a unique command …
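The capability set described above (reading contacts, SMS and call history, recording calls, and posting data out over HTTP) maps onto a recognisable group of Android permissions. The following is an added triage example, not code from the Talos post or from the malware: it parses a manifest and reports which of those capability groups an app declares. The permission-to-capability mapping and the sample manifest are assumptions constructed for illustration.

```python
# Added example (not from the Talos post): flag a manifest that declares the
# data-theft, call-recording and network capabilities described for KevDroid.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities in the post to the permissions needed.
CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_history": {"android.permission.READ_CALL_LOG"},
    "call_recording": {"android.permission.RECORD_AUDIO",
                       "android.permission.READ_PHONE_STATE"},
    "network_exfil": {"android.permission.INTERNET"},
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def capability_profile(permissions: set) -> dict:
    """Map declared permissions onto the capability groups above."""
    profile = {}
    for cap, needed in CAPABILITIES.items():
        if cap == "call_recording":
            # Recording calls needs both audio capture and call-state access.
            profile[cap] = needed <= permissions
        else:
            profile[cap] = bool(needed & permissions)
    return profile

def looks_like_kevdroid_profile(manifest_xml: str) -> bool:
    """True when every capability group described in the post is declared."""
    return all(capability_profile(manifest_permissions(manifest_xml)).values())

# Constructed sample manifest for demonstration; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
```

A hit on every group is only a triage signal; legitimate dialer or backup apps declare similar sets, so the result should be combined with the network behaviour (the HTTP POST exfiltration) before drawing conclusions.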
IoC