Malicious
VirusTotal score 17/63

Threat

com.android.tester

Bloflender Hack Tool

Analyzed on 2021-07-13T06:54:02.439926

51 permissions
2 activities
4 services
7 receivers
0 domains

File sums

MD5 2fd9d3fe6ba2a5827adc53262b89c8f3
SHA1 a89e098222c31ac3bb3e20fe8d47830af3ea7294
SHA256 6af959da4e5188801ecc41f14372c30501f157e51f6decb72919bd41e3105fc8
Size 0.76MB

APKiD

Information computed with APKiD.

/tmp/tmpwalquv6j!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MANUFACTURER check
  • Build.BOARD check
  • possible Build.SERIAL check
compiler
  • dexlib 2.x

SSdeep

Information computed with ssdeep.

APK file 12288:dzU7Vawwot/UZ7VuLSFswQmEYERKTqtEBmQzZAhCCSoeNECSLx:dzU7Qwwot/U/uGOTmELsLmQzZAxeNyV
Manifest 384:bVgSilXDjojLVY6BousXBuk8LVWnI0D2+wbh3HIyU7Po8CROmozo/5oroSWiKTR6:…
classes.dex 12288:7lN4xna9A3OTrkS/2JiVlV7VuHwIaWiIahUJRw4NC0pbv:7unaKOTgSCnN9pL

Dexofuzzy

Information computed with Dexofuzzy.

APK file 96:Arn4hmWoLm2BXfKlsZUDLDRfmaS9rvP0BRsN5mhAirNei8l/:6n4hBoL3klsZU1fBS…
classes.dex 96:Arn4hmWoLm2BXfKlsZUDLDRfmaS9rvP0BRsN5mhAirNei8l/:6n4hBoL3klsZU1fBS…

APK details

Information computed with AndroGuard and Pithus.

Package com.android.tester
App name Bloflender Hack Tool
Version name 6.4.4
Version code 1
SDK 10 - 22
UAID dee4a617dbbe8239fa154b670efe66482017ecb7
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 e89b158e4bcf988ebd09eb83f5378e87
SHA1 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
SHA256 a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Issuer Email Address: android@android.com, Common Name: Android, Organizational Unit: Android, Organization: Android, Locality: Mountain View, State/Province: California, Country: US
Not before 2008-02-29T01:33:46+00:00
Not after 2035-07-17T01:33:46+00:00

File Analysis

Information computed with MobSF.

Finding / Files
Certificate/Key files hardcoded inside the app: META-INF/com/android/otacert

Manifest analysis

Information computed with MobSF.

Medium: Application data can be backed up [android:allowBackup=true]
This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
High: Broadcast Receiver (com.android.tester.C10) is not protected. An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.
High: Broadcast Receiver (com.android.tester.C9) is not protected. An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.
High: Broadcast Receiver (com.android.tester.C13) is not protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
High: Broadcast Receiver (com.android.tester.C4) is not protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.
High: Service (com.android.tester.C1) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_ACCESSIBILITY_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High: Broadcast Receiver (com.android.tester.C2) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_DEVICE_ADMIN [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High: Broadcast Receiver (com.android.tester.C3) is not protected. An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.
High: Broadcast Receiver (com.android.tester.C8) is not protected. An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported.

Main Activity

Information computed with AndroGuard.

com.android.tester.C7
com.android.tester.C6

Activities

Information computed with AndroGuard.

com.android.tester.C7
com.android.tester.C6

Receivers

Information computed with AndroGuard.

com.android.tester.C10
com.android.tester.C9
com.android.tester.C13
com.android.tester.C4
com.android.tester.C2
com.android.tester.C3
com.android.tester.C8

Services

Information computed with AndroGuard.

com.android.tester.C11
com.android.tester.C5
com.android.tester.C15
com.android.tester.C1

Sample timeline

Certificate valid not before Feb. 29, 2008, 1:33 a.m.
Oldest file found in APK Feb. 29, 2008, 9:33 a.m.
Latest file found in APK Feb. 29, 2008, 9:33 a.m.
First submission on VT July 13, 2021, 4:45 a.m.
Last submission on VT July 13, 2021, 4:45 a.m.
Upload on Pithus July 13, 2021, 6:54 a.m.
Certificate valid not after July 17, 2035, 1:33 a.m.

VirusTotal

Score 17/63
Report https://www.virustotal.com/gui/file/6af959da4e5188801ecc41f14372c30501f157e51f6decb72919bd41e3105fc8/detection

Most Popular AV Detections

Provided by VirusTotal

Threat name: spynote (identified 5 times)

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 (Random Bit Generation Services): The application uses no DRBG functionality for its cryptographic operations.
FCS_STO_EXT.1.1 (Storage of Credentials): The application does not store any credentials to non-volatile memory.
FCS_CKM_EXT.1.1 (Cryptographic Key Generation Services): The application generates no asymmetric cryptographic keys.
FDP_DEC_EXT.1.1 (Access to Platform Resources): The application has access to the microphone, Bluetooth, location, network connectivity and camera.
FDP_DEC_EXT.1.2 (Access to Platform Resources): The application has access to call lists and the address book.
FDP_NET_EXT.1.1 (Network Communications): The application has user/application-initiated network communications.
FDP_DAR_EXT.1.1 (Encryption of Sensitive Application Data): The application does not encrypt files in non-volatile memory.
FMT_MEC_EXT.1.1 (Supported Configuration Mechanism): The application invokes the mechanisms recommended by the platform vendor for storing and setting configuration options.
FTP_DIT_EXT.1.1 (Protection of Data in Transit): The application encrypts some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.

Permissions analysis

Information computed with MobSF.

High android.permission.CAMERA take pictures and videos
Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
High android.permission.WRITE_CALL_LOG Allows an application to write (but not read) the user's call log data.
High android.permission.SYSTEM_ALERT_WINDOW display system-level alerts
Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone.
High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.GET_ACCOUNTS list accounts
Allows access to the list of accounts in the Accounts Service.
High android.permission.WRITE_CONTACTS write contact data
Allows an application to modify the contact (address) data stored on your phone. Malicious applications can use this to erase or modify your contact data.
High android.permission.READ_CONTACTS read contact data
Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
High android.permission.RECORD_AUDIO record audio
Allows application to access the audio record path.
High android.permission.READ_SMS read SMS or MMS
Allows application to read SMS messages stored on your phone or SIM card. Malicious applications may read your confidential messages.
High android.permission.READ_CALL_LOG Allows an application to read the user's call log.
High android.permission.READ_PHONE_STATE read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
High android.permission.CALL_PHONE directly call phone numbers
Allows the application to call phone numbers without your intervention. Malicious applications may cause unexpected calls on your phone bill. Note that this does not allow the application to call emergency numbers.
High android.permission.ACCESS_COARSE_LOCATION coarse (network-based) location
Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
High android.permission.ACCESS_FINE_LOCATION fine (GPS) location
Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
High android.permission.RECEIVE_SMS receive SMS
Allows application to receive and process SMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
High android.permission.GET_TASKS retrieve running applications
Allows application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications.
High android.permission.PROCESS_OUTGOING_CALLS intercept outgoing calls
Allows application to process outgoing calls and change the number to be dialled. Malicious applications may monitor, redirect or prevent outgoing calls.
Low android.permission.FLASHLIGHT control flashlight
Allows the application to control the flashlight.
Low android.permission.BLUETOOTH create Bluetooth connections
Allows applications to connect to paired Bluetooth devices.
Low android.permission.SET_WALLPAPER set wallpaper
Allows the application to set the system wallpaper.
Low android.permission.SET_WALLPAPER_HINTS set wallpaper size hints
Allows the application to set the system wallpaper size hints.
Low android.permission.RECEIVE_BOOT_COMPLETED automatically start at boot
Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
Low android.permission.KILL_BACKGROUND_PROCESSES kill background processes
Allows an application to kill background processes of other applications, even if memory is not low.
Low android.permission.VIBRATE control vibrator
Allows the application to control the vibrator.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.CHANGE_WIFI_STATE change Wi-Fi status
Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Unknown permissions (not found in the Android reference):
com.android.browser.permission.READ_HISTORY_BOOKMARKS
android.permission.BROADCAST_PACKAGE_ADDED
android.permission.BROADCAST_PACKAGE_CHANGED
android.permission.BROADCAST_PACKAGE_INSTALL
android.permission.BROADCAST_PACKAGE_REPLACED
com.sec.android.provider.badge.permission.READ
com.sec.android.provider.badge.permission.WRITE
com.htc.launcher.permission.READ_SETTINGS
com.htc.launcher.permission.UPDATE_SHORTCUT
com.sonyericsson.home.permission.BROADCAST_BADGE
com.sonymobile.home.permission.PROVIDER_INSERT_BADGE
com.anddoes.launcher.permission.UPDATE_COUNT
com.majeur.launcher.permission.UPDATE_BADGE
com.huawei.android.launcher.permission.CHANGE_BADGE
com.huawei.android.launcher.permission.READ_SETTINGS
com.huawei.android.launcher.permission.WRITE_SETTINGS
android.permission.READ_APP_BADGE
com.oppo.launcher.permission.READ_SETTINGS
com.oppo.launcher.permission.WRITE_SETTINGS
me.everything.badger.permission.BADGE_COUNT_READ
me.everything.badger.permission.BADGE_COUNT_WRITE

Threat analysis

Information computed with Quark-Engine.

Confidence 100%: Start another application from current application
Confidence 100%: Query the current data network type
Confidence 100%: Run shell script programmatically
Confidence 100%: Find a method from given class name, usually for reflection
Confidence 100%: Query the phone number from SMS sender
Confidence 100%: Method reflection
Confidence 100%: Install other APKs from file
Confidence 100%: Retrieve data from broadcast
Confidence 100%: Read sensitive data (SMS, call log, etc.)
Confidence 100%: Implicit intent (view a web page, make a phone call, etc.) via setData
Confidence 100%: Query user account information
Confidence 100%: Monitor the broadcast action events (BOOT_COMPLETED)
Confidence 100%: Get location of the device and append this info to a string
Confidence 100%: Get last known location of the device
Confidence 100%: Get the current WiFi information
Confidence 100%: Query the IMEI number
Confidence 100%: Method reflection
Confidence 100%: Hide the current app's icon
Confidence 100%: Query WiFi information and WiFi MAC address
Confidence 100%: Calculate WiFi signal strength
Confidence 100%: Get the current WiFi MAC address
Confidence 80%: Implicit intent (view a web page, make a phone call, etc.)
Confidence 80%: Read file and put it into a stream
Confidence 80%: Open a file from given absolute path of the file
Confidence 80%: Get absolute path of the file and store in string
Confidence 80%: Get location of the device
Confidence 80%: Query data from URI (SMS, call logs)
Confidence 80%: Execute the specified string as a Linux command
Confidence 80%: Get resource file from res/raw directory

Control flow graphs analysis

Information computed by Pithus.

The application probably dynamically loads code

The application probably gets the IMEI of the phone

The application probably gets the serial number of the SIM card

The application probably gets the subscriber ID associated with the SIM card (should never be collected)

The application probably determines the location based on cell towers

The application probably gets the phone number associated with the SIM card

The application probably gets the Wi-Fi connection information

The application probably gets the network connections information

The application probably gets network interfaces addresses (IP and/or MAC)

The application probably reads SMS/MMS messages

The application probably lists all installed applications

The application probably creates an accessibility service