Saturday, October 22, 2011

Collection of 96 mobile malware samples for Kmin, Basebridge, Geinimi, Root exploits, and PJApps


All files are sorted by type into folders and named by MD5. The list of files is below. I posted examples of what you will find in the previous 20 posts. Enjoy

Download Android-Malware_SortedTYPE-MD5.zip (password infected)
 
MALWARE TYPE (number of samples)
BASEBRIDGE (3)
YZHC (2)
ROOT EXPLOIT (7)
PJAPPS (16)
GEINIMI (28)
KMIN (40)


Sample credit: Thanks to anonymous, Oct. 22, 2011


Please send classification corrections and I will post them. Also, if you wish to analyse a sample and post your analysis, I will be happy to post that sample separately with a link to your explanation. Thanks - Mila

UPDATE OCT 26, 2011 - Anthony Desnos offered a better and more correct classification using Androguard

Download the file here



This is the original classification

BASEBRIDGE (3)

YZHC (2)

ROOT EXPLOIT (7)
Except the two below, which may be DroidDream variants (thanks to Vesselin Bontchev for the correction)

4B0A9F03E664C32143F57E4857F32E1B
A3F63AA22A9698C1F54D5A2C2695943F

PJAPPS (16)

GEINIMI (28)
Except the two below, which belong to the Adrd family (thanks to Vesselin Bontchev for the correction)

8947EAE5C65DF02D9C538B12DDAF636F
839C37F3A2C8D31561D28F619A2A712E

KMIN (40)

3 comments:

  1. Ahem, could you please provide some insight into Anthony Desnos' classification and why it is "better"? It looks more like a memory dump to me than as something sensible...

  2. Hi,

    you have the malware and the detected signature (full debug) in the database.

    Follow the link in the post to find more information about the signature.

  3. I did follow the link to Androguard - but I am no wiser because of it.

    So, there is this tool called Androguard, written in some difficult-to-understand language (Python?), which claims to have all kinds of magical "features", none of which is explained adequately. In addition, the few "signatures" listed on that site bear no resemblance to the "memory dump" above.

    In fact, I have trouble even differentiating between the different entries in the "memory dump". For instance, is the first entry this:

    GingerMaster (0 and 1)
    ---> METHSIM L:0 I:0 N:0 J:2 1045 [4.9593749046325684, 4.3729357719421387, 4.7183656692504883, 4.4228439331054688, 3.9754178524017334]
    ---> METHSIM L:0 I:1 N:1 J:2 1341 [4.9452362060546875, 4.7812762260437012, 4.7661762237548828, 4.5302424430847168, 3.9754178524017334]

    How does this relate to the "gingermaster signature" listed on the Androguard site as

    [ { "SAMPLE" : "apks/malwares/gingermaster/35bda16e09b2e789602f07c08e0ba2c45393a62c6e52aa081b5b45e2e766edcb" }, { "BASE" : "AndroidOS", "NAME" : "GingerMaster", "SIGNATURE" : [ { "TYPE" : "METHSIM", "CN" : "Lcom/igamepower/appmaster/GameService;", "MN" : "l", "D" : "()Lcom/igamepower/appmaster/aq;" }, { "TYPE" : "METHSIM", "CN" : "Lcom/igamepower/appmaster/GameService;", "MN" : "m", "D" : "()V" } ], "BF" : "0 and 1" } ]

    and what the blazes do both mean?

    Not to mention that Gingermaster is an exploit, not a particular piece of malware, and if you base malware classification on a "signature" extracted from the original proof-of-concept exploit app, you'll end up classifying in this "family" every single piece of malware that uses the same exploit. In fact, I suspect that this is exactly what you are doing with several things classified as "Ozotshielder" - I have no idea what that is, but the name implies that it might be some kind of code obfuscator.

    Or is the whole beginning of the "memory dump", until the first empty line, some kind of debug output and the first "real" classification line is this:

    B5444E6C3C8376F7D2ECCB974F31C7C3 : loading apk.. loading dex.. M S C:23 CC:11 CMP:9 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]

    And how is AECB7C76CB497401BE48459FF944F5FE an "invalid APK"? It seems perfectly valid to me - a ZIP file containing classes.dex with valid checksums and so on.

    ...

    OK, assuming the stuff before the first empty line is some debug output that is meaningless to me, I wrote a small script that stripped all the garbage from the "memory dump" and left only the MD5 of the sample and the name of the malware it was classified as, ending up with the following:

    33 samples classified as "Ozotshielder"
    7 samples classified as "Ozotshielder.C"
    25 samples classified as "Geinimi"
    2 samples classified as "Hongtoutou"
    2 samples classified as "DroidDream"
    2 samples classified as "RageagainstTheCage"
    4 samples classified as "Pjapps"
    10 samples classified as "Pjapps.B"
    2 samples classified as "Pjapps.C"
    2 samples classified as "YZHCSMS.B"
    6 samples not classified as anything

    In which case I am still left wondering how this classification is "better". It differs from Mila's only in the family names (Ozotshielder->Kmin, Hongtoutou->Adrd, RageagainstTheCage->Root Exploit), plus it doesn't classify as anything a few samples that Mila does.

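As an added example (not the commenter's script and not Androguard's own code), here is one way to do the stripping and tallying the comment above describes. It assumes report lines take the shape of the single line quoted in the comment, treats a line reading "invalid APK" as a load error and a line ending in a bare arrow as an unclassified sample (both assumed shapes), and every hash other than the two quoted in the comment is constructed.

```python
import re
from collections import Counter

# Constructed report modelled on the one line quoted in the comment above.
# The 0000...01/02/03 hashes and all scores are made up; the "invalid APK"
# and bare-arrow line shapes are assumptions, not verified Androguard output.
CONSTRUCTED_REPORT = """\
B5444E6C3C8376F7D2ECCB974F31C7C3 : loading apk.. loading dex.. M S C:23 CC:11 CMP:9 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
00000000000000000000000000000001 : loading apk.. loading dex.. M S C:10 CC:4 CMP:2 EL:120 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[12, 0.31]]
00000000000000000000000000000002 : loading apk.. loading dex.. M S C:8 CC:3 CMP:1 EL:90 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[7, 0.19]]
00000000000000000000000000000003 : loading apk.. loading dex.. M S C:5 CC:2 CMP:0 EL:40 C:0 CC:0 CMP:0 EL:0 ---->
AECB7C76CB497401BE48459FF944F5FE : invalid APK
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{32})\s*:\s*(.*)$")       # "<md5> : <rest>"
FAMILY_RE = re.compile(r"---->\s*([A-Za-z][\w.]*)")            # "----> Family[.Variant]"

def parse_report(text):
    """Map each MD5 to its family name, None if unclassified, 'INVALID' on load error."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # debug/header lines carry no MD5 prefix: drop them
        md5, rest = m.group(1).upper(), m.group(2)
        if "invalid APK" in rest:
            results[md5] = "INVALID"
            continue
        fam = FAMILY_RE.search(rest)
        results[md5] = fam.group(1) if fam else None
    return results

def tally(results, collapse_variants=False):
    """Count samples per family; collapse_variants folds 'Pjapps.B' into 'Pjapps'."""
    counts = Counter()
    for fam in results.values():
        if fam is None:
            counts["(unclassified)"] += 1
        elif collapse_variants and fam != "INVALID":
            counts[fam.split(".")[0]] += 1
        else:
            counts[fam] += 1
    return dict(counts)

if __name__ == "__main__":
    parsed = parse_report(CONSTRUCTED_REPORT)
    for name, n in sorted(tally(parsed).items(), key=lambda kv: -kv[1]):
        print(f"{n} samples classified as {name!r}")
```

Running it with the real report pasted into CONSTRUCTED_REPORT reproduces the per-family counts the commenter lists; the collapse_variants switch merges the .B/.C variants into their base family for a side-by-side comparison with the original classification.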