Monday, March 19, 2012

Faketoken or Opfake?

Faketoken is a banking trojan on the Android platform. You can find a few analysis links for this malware in my open source database of Android malware.

But I was working on my Android similarity tool in order to improve it, and I found an interesting thing about the Faketoken sample (10/43) and the opfake.d/fakeinst sample (16/41):

desnos@t0t0:~/androguard$ ./androsim.py -i apks/plagiarism/opfake/santander.apk apks/plagiarism/opfake/61da462a03d8651a6088958b438b44527973601e604e3ca18cb7aa0b3952d2ac -s 100 -d -e "Lorg/simpleframework/"

Elements:
         IDENTICAL:     9
         SIMILAR:       3
         NEW:           14
         DELETED:       11
         SKIPPED:       5260
        --> methods: 44.998713% of similarities
SIMILAR methods:
        Ltoken/bot/MainApplication; loadStartSettings (Ljava/lang/String;)Ltoken/bot/StartSettings; 230
                --> Lcom/load/wap/MainApplication; loadStartSettings (Ljava/lang/String;)Lcom/load/wap/StartSettings; 190 0.375
        Ltoken/bot/MainService; threadOperationRun (I Ljava/lang/Object;)V 197
                --> Lcom/load/wap/MainService; threadOperationRun (I Ljava/lang/Object;)V 122 0.319999992847
        Ltoken/bot/ServerResponse; <init> ()V 133
                --> Lcom/load/wap/ServerResponse; <init> ()V 125 0.214285716414
IDENTICAL methods:
        Ltoken/bot/MainApplication; DownloadApk (Ljava/lang/String; Ljava/lang/String;)Z 106
                --> Lcom/load/wap/MainApplication; DownloadApk (Ljava/lang/String; Ljava/lang/String;)Z 106
        Ltoken/bot/Settings; isCatchMessage (Ljava/lang/String; Ljava/lang/String;)Ltoken/bot/CatchResult; 165
                --> Lcom/load/wap/Settings; isCatchMessage (Ljava/lang/String; Ljava/lang/String;)Lcom/load/wap/CatchResult; 165
        Ltoken/bot/MainApplication; getContacts (Landroid/content/Context;)Ljava/util/Vector; 230
                --> Lcom/load/wap/MainApplication; getContacts (Landroid/content/Context;)Ljava/util/Vector; 230
        Ltoken/bot/MainApplication; dateFromString (Ljava/lang/String;)Ljava/util/Date; 103
                --> Lcom/load/wap/MainApplication; dateFromString (Ljava/lang/String;)Ljava/util/Date; 103
        Ltoken/bot/Settings; isDeleteMessage (Ljava/lang/String; Ljava/lang/String;)Z 132
                --> Lcom/load/wap/Settings; isDeleteMessage (Ljava/lang/String; Ljava/lang/String;)Z 132
        Ltoken/bot/UpdateActivity; setMainScreen ()V 107
                --> Lcom/load/wap/UpdateActivity; setMainScreen ()V 107
        Ltoken/bot/MainApplication; sendGetRequest (Ljava/lang/String; Ljava/util/List;)V 132
                --> Lcom/load/wap/MainApplication; sendGetRequest (Ljava/lang/String; Ljava/util/List;)V 132
        Ltoken/bot/MainService; onStart (Landroid/content/Intent; I)V 106
                --> Lcom/load/wap/MainService; onStart (Landroid/content/Intent; I)V 106
        Ltoken/bot/MainApplication; sendPostRequest (Ljava/lang/String; Ljava/util/List;)V 197
                --> Lcom/load/wap/MainApplication; sendPostRequest (Ljava/lang/String; Ljava/util/List;)V 197

As you can see, there are a lot of similarities between these two samples, and only DrWeb has the same signature for both (Android.SmsSend.350.origin).
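To show what the report above is measuring, here is an added example (my own script, not androsim's code): it strips package paths from method signatures so that repackaged methods (token/bot against com/load/wap) pair up with their originals, then buckets each pair as IDENTICAL, SIMILAR, NEW or DELETED. The method bodies are constructed token lists standing in for Dalvik instructions, the extra class names (TokenUi, Installer) are invented, and the distance is difflib's sequence ratio rather than androsim's own metric.

```python
import re
from difflib import SequenceMatcher

# Constructed sample input: method signatures in androsim's display form mapped to
# token lists that stand in for Dalvik instructions (not the samples' real bytecode).
FAKETOKEN = {
    "Ltoken/bot/MainApplication; DownloadApk (Ljava/lang/String; Ljava/lang/String;)Z":
        ["new-instance", "invoke-direct", "invoke-virtual", "move-result", "if-eqz", "return"],
    "Ltoken/bot/MainService; threadOperationRun (I Ljava/lang/Object;)V":
        ["const/4", "packed-switch", "invoke-virtual", "move-result", "if-nez",
         "invoke-static", "goto", "return-void"],
    "Ltoken/bot/TokenUi; showToken ()V":  # constructed name, present only here
        ["invoke-super", "const/high16", "invoke-virtual", "return-void"],
}
OPFAKE = {
    "Lcom/load/wap/MainApplication; DownloadApk (Ljava/lang/String; Ljava/lang/String;)Z":
        ["new-instance", "invoke-direct", "invoke-virtual", "move-result", "if-eqz", "return"],
    "Lcom/load/wap/MainService; threadOperationRun (I Ljava/lang/Object;)V":
        ["const/4", "packed-switch", "invoke-virtual", "move-result", "if-eqz",
         "invoke-static", "goto", "return-void"],
    "Lcom/load/wap/Installer; showWap ()V":  # constructed name, present only here
        ["invoke-super", "invoke-virtual", "return-void"],
}

# A class reference such as Ltoken/bot/StartSettings; is reduced to LStartSettings;
# so a repackaged method (token/bot -> com/load/wap) pairs with its original.
CLASS_REF = re.compile(r"\bL(?:[^;/\s()]+/)+([^;/\s()]+);")

def normalize(signature):
    return CLASS_REF.sub(r"L\1;", signature)

def distance(a, b):
    """0.0 for the same token sequence, 1.0 for nothing in common."""
    return 1.0 - SequenceMatcher(None, a, b).ratio()

def compare(left, right, threshold=0.5):
    """Bucket methods as IDENTICAL, SIMILAR, NEW or DELETED, in androsim's vocabulary."""
    l = {normalize(s): (s, b) for s, b in left.items()}
    r = {normalize(s): (s, b) for s, b in right.items()}
    rep = {"identical": [], "similar": [], "new": [], "deleted": []}
    for key, (lsig, lbody) in l.items():
        if key not in r:
            rep["deleted"].append(lsig)
        elif lbody == r[key][1]:
            rep["identical"].append((lsig, r[key][0]))
        elif (d := distance(lbody, r[key][1])) < threshold:
            rep["similar"].append((lsig, r[key][0], round(d, 3)))
        else:  # same name but a rewritten body: one removal plus one addition
            rep["deleted"].append(lsig)
            rep["new"].append(r[key][0])
    rep["new"] += [s for key, (s, _) in r.items() if key not in l]
    # Share of the first sample's methods found again (identical or similar) in the second.
    rep["percent"] = 100.0 * (len(rep["identical"]) + len(rep["similar"])) / len(left)
    return rep
```

Running `compare(FAKETOKEN, OPFAKE)` pairs the two DownloadApk methods as identical and the two threadOperationRun methods as similar (one opcode differs), leaving one deleted and one new method.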

Do you think the same author wrote both pieces of malware?
