SMU::EE Adware or official state spyware going under the detection radar?

See: http://www.avgthreatlabs.com/en-ww/android-app-reports/app/com.example.dzsjga
See: https://virustotal.com/en/file/306ccab13ca5ba76c9213169599c549a432c97e7332b87db8ed5afb32d0d7749/analysis/1501143452/

Detected: https://www.maldun.com/analysis/YXNkZmRzZmFkc2YxMDQ0Njhkc2Zhc2RmYXNkZg==/

Is Verizon in on this mainland China surveillance spyware? Re: the file being studied is Android related! APK Android file more specifically. The application’s main package name is com.example.dzsjga. The internal version number of the application is 1. The displayed version string of the application is 1.1.1. The minimum Android API level for the application to run (MinSDKVersion) is 14. The target Android API level for the application to run (TargetSDKVersion) is 21. non-public on htxs://landamobilesystems.com/company/news/cn/

On backgrounds read: https://nextjs-hn.chrisdwheatley.com/item/14826977 (Is this a spyware-nuker?)

Required permissions
android.permission.READ_EXTERNAL_STORAGE (read from external storage)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.INTERNET (full Internet access)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.MOUNT_UNMOUNT_FILESYSTEMS (mount and unmount file systems)
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)

A broadcast receiver could be used to disguise spyware in the form of a regular update, hidden inside the app’s code, for example in a service, a location service, etc.

polonus (volunteer website security analyst and website error-hunter)
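One way to triage the permission set listed above is to parse the decoded AndroidManifest.xml and flag the combinations that matter for persistence and exfiltration (boot start plus network, phone identity plus network, external storage plus network), and to check whether a receiver actually listens for BOOT_COMPLETED. The script below is an added example and is not code from the thread or from the app under discussion; the sample manifest is constructed: its permissions mirror the list in the post, while the receiver class name ".BootReceiver" and the label are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (not the real app's manifest). The permission
# list mirrors the post; the receiver and label are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dzsjga" android:versionCode="1" android:versionName="1.1.1">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="21"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Sample">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Permission combinations worth a closer look during triage. Each pattern
# fires only when every permission in the set is declared.
RISK_PATTERNS = {
    "persistence_beacon": {"android.permission.RECEIVE_BOOT_COMPLETED",
                           "android.permission.INTERNET"},
    "identity_exfil": {"android.permission.READ_PHONE_STATE",
                       "android.permission.INTERNET"},
    "storage_harvest": {"android.permission.READ_EXTERNAL_STORAGE",
                        "android.permission.INTERNET"},
}


def parse_manifest(xml_text):
    """Return package name, declared permissions and receivers bound to BOOT_COMPLETED."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    boot_receivers = []
    for recv in root.iter("receiver"):
        # Any <action> under the receiver's intent-filters naming BOOT_COMPLETED
        # means the component is wired to run at boot.
        if any(a.get(NAME_ATTR) == BOOT_ACTION for a in recv.iter("action")):
            boot_receivers.append(recv.get(NAME_ATTR))
    return {"package": root.get("package"),
            "permissions": perms,
            "boot_receivers": boot_receivers}


def assess(info):
    """List the triggered risk patterns, plus a flag when a boot receiver is effective."""
    triggered = sorted(name for name, needed in RISK_PATTERNS.items()
                       if needed <= info["permissions"])
    # A BOOT_COMPLETED receiver only works if the permission is also declared.
    if info["boot_receivers"] and \
            "android.permission.RECEIVE_BOOT_COMPLETED" in info["permissions"]:
        triggered.append("boot_receiver_declared")
    return triggered


if __name__ == "__main__":
    result = parse_manifest(SAMPLE_MANIFEST)
    print(result["package"], sorted(result["permissions"]))
    print("boot receivers:", result["boot_receivers"])
    print("flags:", assess(result))
```

Run it against the XML produced by apktool or aapt for a real sample. The flags are triage hints, not a verdict: plenty of legitimate apps declare the same set, and since Android 3.1 a freshly installed app in the stopped state does not receive BOOT_COMPLETED until the user has launched it once, so a boot receiver alone proves nothing about what runs on the device.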

The only sensible thing to do when Magic Quadrant AV vendors do not offer detection for this kind of state-spyware,
is to turn on Google Play Protect to monitor the behaviour of apps.

AV promised to flag governmental spyware without delay and exemption, but as now tested did not keep to their word.

polonus

Update of detection situation as we have now (info credits go to Bitwiper):

Detection for 46/63 https://www.virustotal.com/en/file/320008650befd4d89bae59eb57029064b7695e2ad56278ef583b61d9b8d0438d/analysis/1502130023/

Certificate still has not been revoked, but still was being used to sign malware (at 06:36:01 CMT) - re: “20170807043601Z” in htxps://www.hybrid-analysis.com/sample/76282e7506de8f2d97eaa0957873ac55741768783b6062e07de952eeeddfbb73?environmentId=100.

File downloaded from uri (hxxp://foolerpolwer.info/admin.php?f=3) mentioned on the hybrid-analysis page and there also has a new file being launched, not digitally signed. That particular file now has 10/64, see: https://www.virustotal.com/en/file/3f172b181e579b4d7d4cb8f2b55c7424d1e7a85eb649f4845625a2a58962ec46/analysis/1502130786/

polonus (volunteer website security analyst and website error-hunter)

Update, thanks to Bitwiper, file downloaded from hxxp://foolerpolwer.info/admin.php?f=3 seems to have changed again, and still the Media Lid Authenticode has not been revoked. Avast soon to detect this now as “Win32:Malware-gen”.

So certification anomalies & validation issues should be reported to avast. It is a sure way to get the bad apples from the basket.
Symantec’s versus Google issues certainly opened some eyes to such problems. As requests here cannot be resolved: https://certificate.revocationcheck.com/

Damian

Update concerning https://www.virustotal.com/en/ip-address/91.214.114.215/information/

Most responses for queries on that IP with various domains now resolve to 0.0.0.
like a request for GET /3 HTTP/1.1
Host: -grooveterrace.win

Also all are blacklisted at Fortinet’s.

What once was detected there (malware is not active for very long, few here persistent for more than 92.7 hrs! overdue!)
see: https://malwr.com/analysis/ZmRlOGJmNWFlYjZjNDE5Yzk5ZGQ1YzU0ZjRmZmM2OGU/

All spamvertised & trackback detections: http://support.clean-mx.de/clean-mx/portals.php?descr=europlanet%20network53%20Irene%20Pefki&sort=url%20ASC&response=alive

Domains now blacklisted at SURBL Multi.

polonus (volunteer website security analyst and website error-hunter)

update:

See: http://toolbar.netcraft.com/site_report?url=http://119.28.78.96
Via a scanbot scan we arrived for that IP at:

| /attachments/ /help/ /xentrade/ /unanswered/ /ReadPC/
| /search/ /register/ /lost-password/ /recent-activity/
|_/account/ /admin.php /conversations/ /find-new/ /goto/ /login/
|_http-server-header: nginx
|_http-title: ProCrd - ILLEGAL SPYING IS ILLEGAL
| ssl-cert: Subject: commonName=procrd.co
| Subject Alternative Name: DNS:procrd.co, DNS:www.procrd.co

This is the name of the game: ‘carding’ outside CIS countries terrain: -https://procrd.co/threads/en-carding-class.5568/
credit card abuse going on from there. Certs. should be revoked.

polonus