New Malware Alert: Parasites Android Malware

A new Android malware, Parasites Android Malware, has been reported by my friend Rick's malware team. After I got the sample last night, I did a quick analysis using Trustlook's malware analysis platform. Here is the detailed report.

Note: here is Zhi Xu’s original report

General information about the malware application:

[Screenshot: general information about the malware application]

Here are the permissions the malware requests:

[Screenshot: permissions requested by the malware]

Here are the two Android packages embedded in the application itself:

[Screenshot: the two Android packages embedded in the APK]



When the application is loaded, it loads a dynamic JAR library included in its package and also tries to get a root shell by running the "su" command.

[Screenshot: the dynamic JAR load and the "su" execution]



It reads your device information:

[Screenshot: device information read by the malware]


Some of its DNS-related traffic:

[Screenshots: DNS-related traffic generated by the malware]


It steals the user's IMEI number using an HTTP POST:

[Screenshot: HTTP POST request carrying the IMEI]


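The behaviours listed above (a JAR loaded at runtime, a nested package inside the APK, an "su" call, a device identifier read and an HTTP POST) are exactly the strings a first static triage pass looks for. The script below is an added example written for this post, not code from Trustlook's platform or from the sample: it treats the APK as a zip, scans the raw bytes of classes.dex for those indicators, and flags code shipped outside classes.dex. The indicator list, the weights, the 7-point "high" threshold and the constructed sample APK are my own assumptions.

```python
import io
import re
import zipfile

# Each indicator is a regex over the raw bytes of classes.dex plus a weight.
# Dalvik writes every string-table entry as a uleb128 length, the MUTF-8 bytes,
# then a NUL byte, so short literals such as "su" and method names such as
# "exec" are matched together with their length prefix and terminator; that
# avoids hits inside unrelated longer strings. The weights are my own choice.
INDICATORS = {
    "dynamic_code_loading": (rb"Ldalvik/system/DexClassLoader;", 3),
    "root_shell":           (rb"\x02su\x00|/system/x?bin/su\x00", 3),
    "runtime_exec":         (rb"\x04exec\x00", 1),
    "reads_imei":           (rb"\x0bgetDeviceId\x00", 2),  # TelephonyManager.getDeviceId()
    "http_post":            (rb"Lorg/apache/http/client/methods/HttpPost;", 1),
}

# Code shipped outside classes.dex can only run through dynamic loading.
NESTED_PACKAGE = re.compile(r"\.(?:apk|jar|dex)$", re.IGNORECASE)


def scan_apk(apk_bytes):
    """Static triage of one APK (a zip). Returns the matched indicators, any
    nested package entries, a numeric score and a coarse verdict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        nested = [n for n in names if n != "classes.dex" and NESTED_PACKAGE.search(n)]
        dex = zf.read("classes.dex") if "classes.dex" in names else b""
    matched = {label: weight for label, (pattern, weight) in INDICATORS.items()
               if re.search(pattern, dex)}
    score = sum(matched.values()) + (2 if nested else 0)
    verdict = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"indicators": matched, "nested_packages": nested,
            "score": score, "verdict": verdict}


def dex_string_table(strings):
    """Encode ASCII strings the way a dex string table does (length, data, NUL)."""
    return b"".join(bytes([len(s)]) + s + b"\x00" for s in strings)


def build_apk(dex_strings, extra_entries=()):
    """Constructed test input: a zip with a fake classes.dex whose string table
    holds `dex_strings`, plus any extra (empty) entries such as a nested JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML stub
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_string_table(dex_strings))
        for name in extra_entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Strings mirroring the behaviours described above: dynamic JAR loading, "su",
# device identifier read, HTTP POST. Constructed, not extracted from the sample.
PARASITES_LIKE_STRINGS = [
    b"Ldalvik/system/DexClassLoader;", b"Ljava/lang/Runtime;", b"exec", b"su",
    b"Landroid/telephony/TelephonyManager;", b"getDeviceId",
    b"Lorg/apache/http/client/methods/HttpPost;",
]

if __name__ == "__main__":
    print(scan_apk(build_apk(PARASITES_LIKE_STRINGS, ["assets/payload.jar"])))
```

A byte-level scan like this is cheap enough to run over a whole app store feed, but it only says what an APK can do, not what it does; treat a "high" verdict as a reason to send the sample to a sandbox, not as a final answer.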

Dumbest Mobile Application Wall

It is hard to raise security awareness among many mobile application developers. In this blog post, I will share some dumb developers who included the private key used to sign their published applications inside the application itself, which means anyone can act as that developer and release a newer version without being detected.

According to the Android developer portal, the private key is critical to every developer and should be kept in a safe place. Here is the guidance from the Android Developer site:

Securing Your Private Key

Maintaining the security of your private key is of critical importance, both to you and to the user. If you allow someone to use your key, or if you leave your keystore and passwords in an unsecured location such that a third-party could find and use them, your authoring identity and the trust of the user are compromised.





Here is the dumb application wall; please make sure your application name is not on the list.

For enterprise users, including MDM/MAM vendors, I suggest adding all of them to your suspicious list, because their private keys have been leaked and there is no way to distinguish the original application from a hacked, patched or wrapped one.

If you are an application market vendor, please add applications signed with those leaked private keys to your blacklist. There is no way to prove that such an application came from the original developer rather than from a hacker.


 Application Name  MD5 Hash
 (application name missing)  3E823A7A4EE335AB4398A39BBAAE0ED2
 com.canofsleep.wwdiary  7083EC983B7B9FFC85F1816D7EE50D43
 com.bubblebreaker  416DB17ED251186838857E958C692D0A
 com.infinitedreamfactory.bikinigamehd  06BA1F4B8E26D1195131EB0E65BB2E3F
 com.qxue2000.bubblebreaker  10017FA87DC4CB8D5B602DD89B64D99E
 com.infinitedreamfactory.animalgame  14D51EDC16044FFBB844ED20B027E3FD
 com.dskelly.heartsfree  1C33CE65781BAE0F6F63B0FB5D88AC4D  2BA210A9DA19A70B1160129ACAC54D31
 com.soribadagames.TurnNDrop  2CB7D30CEB6EE6F1A8185E0557618692  3E643D246DA08164C44CA0A24CC5B456
 com.treeline.spt  3E25D2E67801D4305D04CCB088728D07
 com.fasthatchapps.carpuzzleforkids  524965728AB62B5E531D42F855CB5E63
 net.metabirds.botbird  573E9FB1E8606F7B85147AF195502334
 com.hummingbirdpos  54120FB8C1026271CA983C6BECAE01A4
 com.nofouls.footballninja  6B0AA33C79A506CDB8D892275C75CD04
 com.metaswitch.cp.Accession  74FE817BA605B059C34EDB7201D3AB64  7C7B6CC2C9BCDABE6D583071D4C15421  81F5323D90AB383E2557ACF78CBFBB9B
 com.metaswitch.cp.PCS1  7A9DEEF500C508A78B132FB6051A10CA
 com.geowok.chickrush  B4E4DFC873D8A50535951748C16BDBD9
 com.tencent.meishi  D0A3B0C24128C60870F00629F94B7140
 com.infinitedreamfactory.bikinigame  E6AC8EFB0FEC40F84E8C8CE96EC3759B  327F508D03F26B08C1F94676A345D300  843E837E0180FBA25E01CDBEA37F0566
 com.tx.fate  2798A3739A6FBB1C93FAEE2E76A13D77
 com.dskelly.galacticconquestdemo  E7F5909035C86075D6157F99D4E92AFA  2E3093D3C4E2944CD02FC90546B06B99  22B355482D5F3EDF49DBE82816759058  EFEA4FA2A10571E9605B883012432E4F  5B13F6C8E28D172E7E53F1DF5340A38D
 com.anmo  D54462839EF2BE638349F7D6610DF790
 com.tx.look  4C6E8FCE998C72AB15ED2FF6D36E01AA
 com.tx.fate  38727F3FA2D0AF36C0DF262F95CAD50E  AEB7F5FCE77A940B2BB06187BBB6F6D6
 com.tx.twitter  57D69E65812DA5B933F4E3BC1AA9B92D  95C58C487486FFB5D242C99E75901C6A  03F1B94F5FE334E7402B96484072F2FD
 com.tx.huangdao  39F6FA5658909D112745FCA39E8834F5  2D1901B89B47C8201DDE87183785F596
 com.Accountabillity  3C64757304E78C46F5465C8CCB45978B
 com.standalone.CrosswordLight  5EC469052EC393F7B246A91A308C1CB6  B107C8CC7C64D6D2ADF8F49D3A0D8C8C  1847BD16AD97073B34D47CA29DC314F3  5C188728E927DBAE6F1E3BE0F980B829  CB25A32D842E487530FDD4637959C50C  63BEF35BEAF928A26CE270A47989C3B0  F7B184D2BBA3E5189F137F49A526B4E7  145EBFC36BF2F2BCC9C8222AD045F972  85DDD590F55FEB3682082C4361FC919E
 com.thrutu.client  F7AF9F29B23ECC30D613E9B4A765D878
 com.tx.fate  917A1AA8FAFB97CDB91475709CA15CDB  51F82C9540248DFA28F6313CF9369595  34F302CDA4CD05E7099BE0FC8D8FFA4F  7E93CFEF66A940FD90E96CFC5DC5DEE9  2E20120AFBEB65A743B48C3CFBA94F93  E5383DE0F33DAE332070CF5F1D8F8FF7
 com.tx.huangdao  452A8543E4BAAD6F601DCC2301D9B315  631442DDE6A7AC73D39EC84B4F9EE175  DD6AE8B9E6497A6E539CBC7FB06A7BD6
 com.tx.fate  B6695C6E334E66419C216439A9110DDB  E3BF03BDA9C338613A4E605D497EE92F  DA3D105A6EE12D4CF9996ACECB9AD5CC
 com.tx.twitter  9CB32D837D1105E9FBF3AF75DBAD7C79
 com.jifenka.lottery  5FE3A43B5FACF686D8BFA762F7F3FDFD  E36BAFBBBB15EBB7A573BC015DE201C0
 com.geewiztech.mcadmin4android  57ED60FF7F86EB5FB9CCADFC235D33BE  5FADC09335C2458FBEFCC27674A1E8C1
 com.tx.huangdao  0599DEEA339807218DE78E57FCA7EC12
 com.threejacks.tenthousandlite  45DACDE30AC25B0DD2A8B5542BB6A517  498681EAFB625ABA710134F826B51B13
 cn.itkt.travelsky  6AEDCB5C4BD6CAE5218A4337222CF8DC  2CC0C8BE04950642F8EC0C1A10770359
 com.tx.huangdao  2A138F538874891C22D8B96778F5C899  1ECBF860FEB0ADB5B5F388E87DA73170
 com.tx.twitter  EB8F7F1214BEE57F3EBC1632BF9CBED5  E3BC5183FFF19EC7E69D03ED6E9FE3C1  C229D2211982BE6CAF195E8E4777F1E3  B238628FF1263C0CD3F0C03E7BE53BFD  BB15DBB81EEC07C65AFD41244C6A958E
 game.xjgw  0B5FB4468CAC4B315646F3BF3DED9C6B  5022328FE80FC5217AD4E6089FA12DD7
 com.mzpai  EDE936373F61070610895F3E661860B7
 com.sbeq.ibox  3B749189E95DD0D03B937A4479E8BDF0  3E3EB3C061641637D7DDB65A99EC82CD
 app.sxol.sxolapp  32F6F9119013906BA89F659F50481A6F
 com.tx.huangdao  80D276DC1ABBEA319AA8D782A8C2BF7F
 com.UCMobile  252FA0297A2383F94BE21D29B39BA087
 com.UCMobile  9B1EE3CEE23C6286A63AF8C02238FC99
 com.aa_app.ui  F79643BFF2A58B5B87D59BDBA0B092D6  B5BFA59F47B64B94438656820CCCF919
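Two checks follow from the wall above: an app store or MDM can refuse any APK whose MD5 is on the list, and it can look inside every new upload for the key material that put those apps there in the first place. The script below is an added example for this post, not Trustlook's code: it hashes the APK, compares it against a few entries copied from the table (a real deployment would load the whole list), and scans each zip entry for a JKS keystore magic (0xFEEDFEED), a PEM private-key header, or a file name that suggests a key container. The signature selection, the file-name list and the constructed leaky APK are my own assumptions.

```python
import hashlib
import io
import re
import zipfile

# Byte signatures of key containers that should never ship inside an APK.
# JKS files start with the magic 0xFEEDFEED; PEM private keys carry a text header.
# The selection is my own; other formats (BKS, PKCS#12) need their own checks.
KEY_MATERIAL_SIGNATURES = [
    ("JKS keystore", re.compile(rb"\A\xfe\xed\xfe\xed")),
    ("PEM private key",
     re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")),
]
# File names that warrant a look even when the content matches no signature.
SUSPECT_NAME = re.compile(r"\.(?:keystore|jks|bks|pk8|p12|pfx|pem|key)$", re.IGNORECASE)

# A few MD5s copied from the wall above; in practice load the whole table.
WALL_MD5S = {
    "7083EC983B7B9FFC85F1816D7EE50D43",  # com.canofsleep.wwdiary
    "416DB17ED251186838857E958C692D0A",  # com.bubblebreaker
    "252FA0297A2383F94BE21D29B39BA087",  # com.UCMobile
}


def on_wall(md5_hex):
    """True if this APK hash is one of the known key-leaking builds."""
    return md5_hex.upper() in WALL_MD5S


def find_key_material(apk_bytes):
    """Return [(entry_name, reason)] for zip entries that look like signing keys."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(4096)  # both signatures sit at the start of the file
            matched = [label for label, sig in KEY_MATERIAL_SIGNATURES if sig.search(head)]
            if matched:
                hits.append((info.filename, ", ".join(matched)))
            elif SUSPECT_NAME.search(info.filename):
                hits.append((info.filename, "suspicious file name"))
    return hits


def audit_apk(apk_bytes):
    """Combine the hash check and the content scan into one verdict record."""
    md5_hex = hashlib.md5(apk_bytes).hexdigest().upper()
    return {"md5": md5_hex, "on_wall": on_wall(md5_hex),
            "key_material": find_key_material(apk_bytes)}


def build_leaky_apk():
    """Constructed APK that ships its signing keystore and a PEM key (stand-in bytes,
    not real key material)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("res/raw/release.keystore",
                    b"\xfe\xed\xfe\xed\x00\x00\x00\x02" + b"\x00" * 32)
        zf.writestr("assets/signing.pem",
                    b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder\n"
                    b"-----END RSA PRIVATE KEY-----\n")
        zf.writestr("assets/notes.key", b"not really a key")
        zf.writestr("assets/data.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_apk(build_leaky_apk()))
```

A keystore found this way is a finding even when it is password-protected: the password is usually in the same APK or is guessable, and once the key is out the developer's only fix is to sign future releases with a new key, which Android treats as a different app.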







Craig Young's POC malware bypassed all security detection

These days mobile malware has become much harder to detect than it was two years ago, and everyone is noticing. The latest example comes from Craig Young of nCircle's VERT team (read his blog post DEFCON SNEAK PEEK: HOW RISKY IS GOOGLE APPS FOR YOUR BUSINESS and, if you missed it, check out his talk at DEFCON 21, Android WebLogin: Google's Skeleton Key).

Note: Craig Young is from the nCircle VERT team (now the Tripwire VERT team) and has reported many vulnerabilities over the years. Full disclosure: Mike Murray created the VERT team in 2004, and I used to work on the team, where we discovered many vulnerabilities and did a bunch of hacking together.

The short version of the story is that Craig created a POC malicious Android application and uploaded it to the Google Play market. He priced the app at $150.00 (to discourage people from actually purchasing it). The funny thing is that the app description clearly said the application would be "completely compromising your privacy" and discouraged everyone from downloading it. Here is the screenshot, if you missed it:



The long and short of the story is that Google not only accepted the app into the Android app store, but it took them a MONTH to block it.

The interesting thing is that this simple application (you can find the binary here) is as simple as my BSides Las Vegas demo APK file. The program has just one activity, and it is not recognized as malicious by any of the APK analyzers that Craig tried. Before he wrote to me and requested to join our BETA program, he had already tried Lookout, AVG, Trend, Sophos, Avast and Anubis, which are the most popular antivirus and analysis platforms.





This morning, I received another email from him because he really wanted to know the detection result from Trustlook's platform before heading to another security conference. Here is the detection result from Craig's DEFCON presentation.

To be honest, when I loaded his application on our platform it crashed. I reversed the app's binary and found that it needs Google Apps, because it reads your device account and then tries to authenticate to  Based on Google's policy, we cannot load those apps in our virtualized cloud sandbox environment. I had to hack a real phone, load Trustlook's ROM and then load Google Apps to make it legal. So, that's what I did.

To make a long story short, here is the detection result we got for the binary: High Risk (7/10), which is the threshold at which Trustlook recommends that an application is too risky for anyone to use. Below are some screenshots:

[Screenshot: Trustlook detection result, High Risk (7/10)]


Here is the risk summary. In the list of risky behaviors, you can see that the application steals user account information, reads the device browser's private data, and manipulates browser settings. (WTF, a spelling error, s/provoider/provider/? Our dev team just fixed it.)

[Screenshot: risk summary and list of risky behaviors]


Here is one of the most suspicious behaviors, which looks strange to me: Craig's application steals the user's account information and sends it to an external server over SSL.

[Screenshot: account information sent to an external server over SSL]

If any of the users who installed this (or Google, before approving it) had been using Trustlook, they would have detected Craig's malicious application instantly.

Note: The detection result we got is not perfect, as we are still in a private BETA and there are a lot of features that need to be implemented and many bugs that need to be fixed. If you find anything wrong, please feel free to write us an email ( or write on our Facebook wall.



BSides Las Vegas: Your Droid Has No Clothes

Update: Here is the presentation Allan and I gave at the BSides conference last week.


If you're going to be at BSides Las Vegas, come see Allan Zhang (Trustlook founder and CEO) and Mike Murray (Trustlook advisor and managing partner of the Hacker Academy). We talk on Wednesday, July 31 at 5:30 PM.

When Allan started talking to me about potentially doing this talk with him, we were going to do it as a completely "Underground" session at BSides because of the demonstration we wanted to do. We're going to get up on stage and show precisely how easy it is to create malware for Android devices that will go undetected by the major app stores, as well as by the security products on the market today.

It’s always fun to be able to do a talk at a security conference that has a really cool demo.

Rather than stay underground, though, we decided to put our names on it. It's going to be a fascinating talk where we show the ins and outs of what advanced Android malware and Android-based APTs are using to gather and exfiltrate data from phones.


More updates:

Here is an app store risk report we released during the BSides talk, based on the applications analyzed since we released our beta version one week ago. From the chart below you can see that Google Play is the safest store: 3.15% of the applications in the Google Play market leak user privacy data or have a malicious purpose. The 91 app store, which is the largest app store in China, is the most risky: 19.70% of the applications from the 91 app store leak user privacy data or have a malicious purpose.





Note: As the Trustlook platform is still in beta testing, there may be some bugs in our software which could cause false alerts during analysis.


Malware Demo


For the malware demo, I wrote five demo malware samples on the flight to Las Vegas, and here they are:


1. Steal the user's phone number and send it to an external server ( without user confirmation. Here the user's cell phone number is just an example of the privacy data, which could be your pictures, SMS, files, videos or account information. This demo has already bypassed all vendors' detection, including the major antivirus vendors and the Google Play market. Here is the detection result from the Trustlook platform:

[Screenshot: Trustlook detection result for demo 1]


2. The second demo case has been changed a little bit to steal only part of the user's phone number ("727"). The malware itself may split your phone number into several chunks and steal one at a time. For sure it bypasses all vendors' detection except Trustlook. Here is our detection result:

[Screenshot: Trustlook detection result for demo 2]

3. In the 3rd demo case, I changed it to steal one digit at a time; I do not expect any vendor can detect this. Here is Trustlook's detection result:

[Screenshot: Trustlook detection result for demo 3]

4. If you think this is still not crazy, let's try the 4th demo case: steal the AES-encrypted phone number and send it to an external server directly when you start the application. It is impossible for existing antivirus vendors to detect the data leak, but once again the Trustlook platform catches the risk.

[Screenshot: Trustlook detection result for demo 4]


5. The last demo case is to steal a multiple-round AES-encrypted phone number, which we did not expect any vendor could detect. We just wanted to challenge our platform itself. Here is the detection result from

[Screenshot: Trustlook detection result for demo 5]
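The reason the five variants above defeat the other vendors but not a behaviour-based platform is the difference between inspecting outgoing content and tracking where outgoing data came from. The script below is an added example written for this post, not Trustlook's detection code or the demo APKs: it models the five payloads (full number, the "727" chunk, one digit, encrypted once, encrypted several rounds) and runs two detectors over each, a content filter that looks for the number itself and a taint check that asks whether the value at the network sink was derived from a privacy source. The phone number and key are constructed, nothing is sent anywhere, and because the standard library has no AES, an HMAC-SHA256 keystream stands in for the AES step (an assumption, not what the demos used).

```python
import hashlib
import hmac

PHONE = "7275550123"             # constructed sample number; the post's demo chunk was "727"
KEY = b"demo-key-not-a-secret"   # constructed key for the stand-in cipher


class Tainted:
    """A byte string that remembers which privacy source it came from. Every
    transformation below returns a new Tainted carrying the same sources; that
    propagation is what lets a behaviour-based analysis keep following the data
    after it has been sliced or encrypted."""
    def __init__(self, data, sources):
        self.data = data
        self.sources = frozenset(sources)


def read_phone_number():
    """Source: the device's line-1 number (simulated, not read from a device)."""
    return Tainted(PHONE.encode(), {"phone_number"})


def take(t, start, stop):
    """Substring of a tainted value; the taint follows the piece."""
    return Tainted(t.data[start:stop], t.sources)


def keystream_encrypt(t, key, rounds=1):
    """Stand-in for the post's AES step: an HMAC-SHA256 counter-mode keystream
    is XORed in, `rounds` times with a per-round keystream. Ciphertext is still tainted."""
    data = t.data
    for r in range(rounds):
        stream = b""
        block = 0
        while len(stream) < len(data):
            stream += hmac.new(key, bytes([r, block]), hashlib.sha256).digest()
            block += 1
        data = bytes(a ^ b for a, b in zip(data, stream))
    return Tainted(data, t.sources)


def content_inspection(payload):
    """What a signature/DLP-style egress filter does: look for the number itself."""
    return PHONE.encode() in payload


def taint_check(t):
    """What a taint-tracking sandbox does at the network sink: report every
    privacy source the outgoing value carries, whatever its current shape."""
    return sorted(t.sources)


def demo_payloads():
    """The five variants described above, as the values that would reach the send call."""
    p = read_phone_number()
    return {
        1: p,                                     # full number
        2: take(p, 0, 3),                         # "727"
        3: take(p, 0, 1),                         # one digit
        4: keystream_encrypt(p, KEY),             # encrypted once
        5: keystream_encrypt(p, KEY, rounds=3),   # encrypted several rounds
    }


def compare_detectors():
    """{variant: (content_inspection_flagged, taint_check_flagged)} for all five."""
    return {n: (content_inspection(t.data), bool(taint_check(t)))
            for n, t in demo_payloads().items()}


if __name__ == "__main__":
    for n, (content, taint) in compare_detectors().items():
        print(f"demo {n}: content inspection={content}, taint tracking={taint}")
```

Only variant 1 trips the content filter; all five trip the taint check, because the check never looks at the bytes, only at their provenance. The same logic is why a sandbox verdict should be read as "sensitive data reached the network", and why a chunked or encrypted send deserves the same severity as a plaintext one.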