Our automated crawling and analysis system, SherlockDroid / Alligator, has just discovered a new Android malware family on a third-party marketplace (Figure 1: part of the SherlockDroid report showing the Android/BadMirror sample flagged as suspicious). The malware is an application whose name translates to "Phone Mirror". Because it is malicious, we have dubbed it 'BadMirror'. The malware sends loads of information to its remote CnC (phone number, MAC address, list of installed applications...) - see Figure 2 - but it also has...
by Axelle Apvrille  |  Mar 07, 2016  |  Filed in: Security Research
The main issue with Hack.Lu this year was that there were too many interesting things in parallel: interesting talks, workshops, CTF... :) Talks: 19-year-old Filippo Valsorda talked about the setup of a Heartbleed testing website and his surprise at how many requests the website got. Several end-users also misunderstood the site and thought he would fix the issue, not just tell them whether they were vulnerable. Attila Marosi presented his reverse engineering of some leaked Android FinSpy spyware. His tools to run a fake FinFisher server...
by Axelle Apvrille  |  Nov 10, 2014  |  Filed in: Security Research
Yet another discovery from our SherlockDroid/Alligator, while we were scanning an 'alternative' marketplace for Android: Android/Odpa.A!tr.spy. This sample consists of a smartphone cleaner, giving the end-user the opportunity to clean up obsolete or unused data from the device. In theory, this looks like a good idea. Unfortunately, the HTTP requests the sample posts are far from clean. As soon as you click on the icon, the malware posts over 25 system properties (yes, that many!) along with other private information such as your phone number, IMEI,...
by Axelle Apvrille  |  Jul 07, 2014  |  Filed in: Security Research
A few months ago, we reported that Alligator helped us detect an unknown GPS-leaking adware no vendor had yet spotted: Adware/Geyser!Android. The number has now increased with the discovery of Riskware/Zdchical!Android and Riskware/SmsCred!Android. The former leaks the IMEI and IMSI to a remote server; the latter leaks login/password credentials in cleartext. While those samples are not of the most malignant form - they pose security threats but not with a clear malicious intent - we are happy to improve our surveillance techniques on Android marketplaces...
by Axelle Apvrille  |  Nov 14, 2013  |  Filed in: Security Research