One of the malicious apps posing as a skin app for Minecraft PE
Source: https://www.symantec.com/connect/fr/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks
【Overview】
- Sockbot
【News】
◆Malware disguised as a Minecraft PE skin app found on the Google Play store (ITmedia, 2017/10/20 09:04)
The apps in question claimed to let users change the appearance of Minecraft PE characters, while implementing sophisticated attack functionality in the background.
http://www.itmedia.co.jp/news/articles/1710/20/news060.html
【Blogs】
◆Android malware on Google Play adds devices to botnet (Symantec, 2017/10/18)
https://www.symantec.com/connect/fr/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks
◆Sockbot Android malware discovered in eight popular apps on Google Play (BGR, 2017/10/19 16:42)
http://bgr.com/2017/10/19/android-sockbot-malware-google-play-minecraft-apps/
◆More trouble in Google Play land (MalwareBytes, 2017/10/20)
https://blog.malwarebytes.com/cybercrime/2017/10/more-trouble-in-google-play-land/
【Indicator Information】
■Malware information (c9ca73de0f766607c9c499af2ecf98fb3cbb17b99380a976739f8459d9102f68)

| Item | Value |
|---|---|
| MD5 | d72ba66106842b141d8f0a929a061259 |
| SHA1 | be72c4880a01cb02f85158d3d9aa9aea1457b477 |
| SHA256 | c9ca73de0f766607c9c499af2ecf98fb3cbb17b99380a976739f8459d9102f68 |
| SHA512 | |
| SSDEEP | 98304:wCEJmmY1n3ls1caSZeu0FR6h4kdsxe04E:wdI93lmRSQJ043n4E |
| authentihash | |
| imphash | |
| File Size | 8.45 MB |
| File Type | Android |
| Compile time | |
| Debug Path | |
| File Name | |
| File Path | |
| Generated files | |
| Characteristics | |
| References | https://www.virustotal.com/#/file/c9ca73de0f766607c9c499af2ecf98fb3cbb17b99380a976739f8459d9102f68/detection |

This malware contains the following strings (defanged: convert hxxp back to http to obtain the original URL)
- hxxp://
- hxxp://adeco.adecosystems.com:1628/appwall?type=app
- hxxp://adeco.adecosystems.com:1628/dialog
- hxxp://adeco.adecosystems.com:1628/install
- hxxp://api.vungle.com/api/v4/
- hxxp://avr2.smaato.net/report2?
- hxxp://data.flurry.com/aap.do
- hxxp://dd.adecosystems.com:2000/dd/counter
- hxxp://i.xx.openx.com/ef3/ef31c13c898edcdfc73feb3c0193b64bcfa70082/754/7544eb4e2c8cb99b125559b8846ce948_2.jpeg
- hxxp://market.android.com/
- hxxp://market.android.com/details
- hxxp://mediation.adnxs.com
- hxxp://mediation.adnxs.com/mob?
- hxxp://play.google.com/store/apps/details?id=
- hxxp://smaato-android-sdk.s3.amazonaws.com/x.png
- hxxp://soma.smaato.net/oapi/reqAd.jsp?
- hxxp://www.example.com
- hxxp://www.google.com
- hxxp://www.multiappmc.com/promo/cros.json
- hxxp://www.smaato.com
- hxxp://xmlpull.org/v1/doc/features.html#process-namespaces
- hxxps://
- hxxps://ad6.%s.liverail.com/
- hxxps://ad6.liverail.com/
- hxxps://ads.nexage.com
- hxxps://analytics.mopub.com/i/jot/exchange_client_event
- hxxps://androidads23.adcolony.com/configure
- hxxps://androidquery.appspot.com
- hxxps://app.getsentry.com:443
- hxxps://app.getsentry.com:443/api/43633/store/
- hxxps://config.unityads.unity3d.com/webview/
- hxxps://csi.gstatic.com/csi
- hxxps://data.flurry.com/aap.do
- hxxps://data.flurry.com/pcr.do
- hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/mraid/v2/mraid_app_banner.js
- hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/mraid/v2/mraid_app_expanded_banner.js
- hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/mraid/v2/mraid_app_interstitial.js
- hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/native_ads.html
- hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/native_video_ads.html
- hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/sdk-core-v40.html
- hxxps://graph.%s.facebook.com/network_ads_common/
- hxxps://graph.facebook.com/network_ads_common/
- hxxps://ingest.vungle.com/
- hxxps://live.chartboost.com
- hxxps://pagead2.googlesyndication.com/pagead/gen_204
- hxxps://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps
- hxxps://play.google.com/
- hxxps://play.google.com/store/apps/details?id=
- hxxps://plus.google.com/
- hxxps://proton.flurry.com/sdk/v1/config
- hxxps://sdk01.adecosystems.net:8890/beacon
- hxxps://sdk02.adecosystems.net:8890/beacon
- hxxps://support.google.com/dfp_premium/answer/7160685#push
- hxxps://twitter.com/%s/status/%s
- hxxps://www.%s.facebook.com
- hxxps://www.facebook.com/
- hxxps://www.google.com/dfp/debugSignals
- hxxps://www.google.com/dfp/inAppPreview
- hxxps://www.google.com/dfp/linkDevice
- hxxps://www.google.com/dfp/sendDebugData
- hxxps://www.googleapis.com/auth/appstate
- hxxps://www.googleapis.com/auth/datastoremobile
- hxxps://www.googleapis.com/auth/drive.appdata
- hxxps://www.googleapis.com/auth/drive.file
- hxxps://www.googleapis.com/auth/fitness.activity.read
- hxxps://www.googleapis.com/auth/fitness.activity.write
- hxxps://www.googleapis.com/auth/fitness.body.read
- hxxps://www.googleapis.com/auth/fitness.body.write
- hxxps://www.googleapis.com/auth/fitness.location.read
- hxxps://www.googleapis.com/auth/fitness.location.write
- hxxps://www.googleapis.com/auth/fitness.nutrition.read
- hxxps://www.googleapis.com/auth/fitness.nutrition.write
- hxxps://www.googleapis.com/auth/games
- hxxps://www.googleapis.com/auth/plus.login
- hxxps://www.googleapis.com/auth/plus.me
- hxxps://www.mopub.com/optout
- hxxps://www.mopub.com/optout/
- hxxps://www.vungle.com/privacy/
■Malware information (https://www.virustotal.com/#/file/5793be5a524dce808bac8259fd484146aad71f691e0760185f009b8b54d5691e/detection)

| Item | Value |
|---|---|
| MD5 | 9880ed8adfbab106dad83562a9c410a8 |
| SHA1 | e281826b4e0b1bdd94309a9d561da4187babad02 |
| SHA256 | 5793be5a524dce808bac8259fd484146aad71f691e0760185f009b8b54d5691e |
| SHA512 | |
| SSDEEP | 196608:EHRQ7fLbzmsKUsgkhgJXw7mJwKxSgZRZnJbP4sQdgEw:yQ7fLbRKzfy60ZxSYnJTnQqp |
| authentihash | |
| imphash | |
| File Size | 8.5 MB |
| File Type | |
| Compile time | |
| Debug Path | |
| File Name | Assassins skins for Minecraft_v1.2_apkpure.com.apk |
| File Path | |
| Generated files | |
| Characteristics | |
| References | https://www.virustotal.com/#/file/5793be5a524dce808bac8259fd484146aad71f691e0760185f009b8b54d5691e/details |