Android.Spyware.DroidWatcher

Threat

com.delemento

Rasmlar

Analyzed on 2022-09-04T17:59:37.457535

114

permissions

2

activities

4

services

7

receivers

2

domains

File sums

MD5 eeecfa2999aea400deb8029d27db125e
SHA1 22d020539962c741734abcadb06878d676fa25b9
SHA256 902c5f46ac101b6f30032d4c5c86ecec115add3605fb0d66057130b6e11c57e6
Size 1.16MB

APKiD

Information computed with APKiD.

/tmp/tmp5a7kssyt!classes.dex
anti_vm
  • Build.MODEL check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.BOARD check
  • possible Build.SERIAL check
  • device ID check
  • subscriber ID check
  • emulator file check
anti_debug
  • Debug.isDebuggerConnected() check
compiler
  • dexlib 2.x

SSdeep

Information computed with ssdeep.

APK file 24576:viC5kMKyhbvQVXSchxprJwqrcTE80nzj/l7:KEkMxvupdwqoTE80zjN7
Manifest 768:67gSBpL3PQPUTT0QZAhipMKBm5gExDfSlAzOMywOh3KD3gL72bc+bAVhN321Vj7q:…
classes.dex 12288:/XgDWKscr0VD/kxPIasVb0HNBGVF336rwoOuDaD+ZUIJLXFWVJPOHICH/j7vl9Y…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 768:5GSKeuzuZvXeMxiGrtcjbI1PD0/ZPVdt2IJpJpLsiIK0DIUNWxIVx4jUhivQ//7i:…
classes.dex 768:5GSKeuzuZvXeMxiGrtcjbI1PD0/ZPVdt2IJpJpLsiIK0DIUNWxIVx4jUhivQ//7i:…

APK details

Information computed with AndroGuard and Pithus.

Package com.delemento
App name Rasmlar
Version name 1.0
Version code 1
SDK 16 - 16
UAID ad792809b97e2e7fc5d375cb286ec2b9486ba2cf
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 e89b158e4bcf988ebd09eb83f5378e87
SHA1 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
SHA256 a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Issuer Email Address: android@android.com, Common Name: Android, Organizational Unit: Android, Organization: Android, Locality: Mountain View, State/Province: California, Country: US
Not before 2008-02-29T01:33:46+00:00
Not after 2035-07-17T01:33:46+00:00

Manifest analysis

Information computed with MobSF.

High Debug Enabled For App[android:debuggable=true]
Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.
Medium Application Data can be Backed up[android:allowBackup=true]
This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
High Broadcast Receiver (com.delemento.receivers.SMSReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.delemento.receivers.OutgoingCallReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.delemento.receivers.CallReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.delemento.receivers.ConnectionReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.delemento.receivers.ServiceStarter) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.delemento.receivers.UpdateBroadcastReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Service (com.delemento.WindModule.Shoter_.ScreenshotService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
Medium High Intent Priority (2147483647)[android:priority]
By setting an intent priority higher than another intent, the app effectively overrides other requests.
Medium High Intent Priority (2147483647)[android:priority]
By setting an intent priority higher than another intent, the app effectively overrides other requests.
Medium High Intent Priority (2147483647)[android:priority]
By setting an intent priority higher than another intent, the app effectively overrides other requests.
Medium High Intent Priority (2147483647)[android:priority]
By setting an intent priority higher than another intent, the app effectively overrides other requests.

Main Activity

Information computed with AndroGuard.

com.delemento.activity.AndroidSMS

Activities

Information computed with AndroGuard.

com.delemento.activity.AndroidSMS
com.delemento.WindModule.Shoter_.MainActivity_shoter

Receivers

Information computed with AndroGuard.

com.delemento.receivers.SMSReceiver
com.delemento.receivers.OutgoingCallReceiver
com.delemento.receivers.CallReceiver
com.delemento.receivers.ConnectionReceiver
com.delemento.receivers.ServiceStarter
com.delemento.receivers.UpdateBroadcastReceiver
com.delemento.modules.location.LocationTimerBroadcastReceiver

Services

Information computed with AndroGuard.

com.delemento.services.AppService
com.delemento.services.ClipboardMonitorService
com.delemento.WindModule.RoosterConnectionService
com.delemento.WindModule.Shoter_.ScreenshotService

Sample timeline

Certificate valid not before Feb. 29, 2008, 1:33 a.m.
First submission on VT Feb. 5, 2019, 6:45 a.m.
Oldest file found in APK Feb. 5, 2019, 11:42 a.m.
Latest file found in APK Feb. 5, 2019, 11:42 a.m.
Last submission on VT Aug. 7, 2022, 9:32 a.m.
Upload on Pithus Sept. 4, 2022, 5:59 p.m.
Certificate valid not after July 17, 2035, 1:33 a.m.

MalwareBazaar

First seen 2021-11-11 12:56:56
Last seen None
Report https://bazaar.abuse.ch/sample/902c5f46ac101b6f30032d4c5c86ecec115add3605fb0d66057130b6e11c57e6/
ReversingLabs
Threat name Android.Spyware.DroidWatcher
Status MALICIOUS
First seen 2019-02-05 07:48:36
Score 10/47
CERT-PL MWDB
Detection None
Report https://mwdb.cert.pl/sample/902c5f46ac101b6f30032d4c5c86ecec115add3605fb0d66057130b6e11c57e6/

VirusTotal

Score 31/62
Report https://www.virustotal.com/gui/file/902c5f46ac101b6f30032d4c5c86ecec115add3605fb0d66057130b6e11c57e6/detection

Most Popular AV Detections

Provided by VirusTotal

Threat name: droidwatcher Identified 5 times
Threat name: monitor Identified 4 times
Threat name: spyapp Identified 3 times

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application use no DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generate no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['microphone', 'location', 'NFC', 'camera', 'bluetooth', 'network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to ['call lists', 'system logs', 'address book', 'calendar'].
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_COP.1.1(1) The application perform encryption/decryption in accordance with a specified cryptographic algorithm AES-CBC (as defined in NIST SP 800-38A) mode or AES-GCM (as defined in NIST SP 800-38D) and cryptographic key sizes 256-bit/128-bit.
Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.1.1 The application invoked platform-provided functionality to validate certificates in accordance with the following rules: ['The certificate path must terminate with a trusted CA certificate'].
X.509 Certificate Validation
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication

Code analysis

Information computed with MobSF.

Medium
CVSS:5.9
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
M7: Client Code Quality
Files:
 com/delemento/modules/c/d.java
com/delemento/modules/c/a.java
com/delemento/a.java
com/delemento/modules/c/f.java
com/delemento/modules/c/b.java
com/delemento/modules/c/c.java
com/delemento/modules/c/g.java
com/delemento/modules/c/h.java
com/delemento/modules/c/e.java
com/delemento/modules/a/c.java
com/delemento/modules/c/i.java
Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 com/b/a/a.java
com/delemento/WindModule/Shoter_/ScreenshotService.java
com/delemento/services/ClipboardMonitorService.java
com/delemento/b.java
com/delemento/e.java
com/delemento/WindModule/k.java
com/a/c.java
com/delemento/modules/a/d.java
com/b/a/d/c.java
com/delemento/modules/i.java
com/delemento/WindModule/h.java
Low
CVSS:0
This app listens to Clipboard changes. Some malware also listen to Clipboard changes.
MASVS: MSTG-PLATFORM-4
Files:
 com/delemento/services/ClipboardMonitorService.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/delemento/c.java
com/delemento/i.java
com/delemento/modules/f.java
com/delemento/activity/AndroidSMS.java
com/delemento/e.java
com/delemento/services/AppService.java
com/delemento/a/f.java
com/delemento/modules/i.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
 com/delemento/WindModule/h.java
Info
CVSS:0
This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
MASVS: MSTG-NETWORK-4
Files:
 c/a/c.java
Info
CVSS:0
This App may have root detection capabilities.
MASVS: MSTG-RESILIENCE-1
Files:
 com/delemento/f.java
Medium
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 c/v.java
c/a/k/a.java
c/a/k/d.java
High
CVSS:7.4
The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
MASVS: MSTG-CRYPTO-3
CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
M5: Insufficient Cryptography
Files:
 com/delemento/i.java
Medium
CVSS:7.4
MD5 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/delemento/i.java
Pygal United States: 200

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

US ip-api.com 208.95.112.1
US api.ipify.org 3.220.57.224

URL analysis

Information computed with MobSF.

http://api.ipify.org/?format=txt
Defined in com/delemento/d.java
http://ip-api.com/json/
http://api.ipify.org/?format=txt
Defined in com/delemento/modules/e.java
http://ip-api.com/json/
http://api.ipify.org/?format=txt
Defined in com/delemento/modules/e.java

Permissions analysis

Information computed with MobSF.

High android.permission.SEND_SMS send SMS messages
Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.
High android.permission.RECEIVE_SMS receive SMS
Allows application to receive and process SMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
High android.permission.RECEIVE_MMS receive MMS
Allows application to receive and process MMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
High android.permission.READ_SMS read SMS or MMS
Allows application to read SMS messages stored on your phone or SIM card. Malicious applications may read your confidential messages.
High android.permission.WRITE_SMS edit SMS or MMS
Allows application to write to SMS messages stored on your phone or SIM card. Malicious applications may delete your messages.
High android.permission.RECEIVE_WAP_PUSH receive WAP
Allows application to receive and process WAP messages. Malicious applications may monitor your messages or delete them without showing them to you.
High android.permission.READ_CONTACTS read contact data
Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
High android.permission.WRITE_CONTACTS write contact data
Allows an application to modify the contact (address) data stored on your phone. Malicious applications can use this to erase or modify your contact data.
High android.permission.READ_CALL_LOG Allows an application to read the user's call log.
High android.permission.WRITE_CALL_LOG Allows an application to write (but not read) the user's call log data.
High android.permission.READ_SOCIAL_STREAM read from the user's social stream
Allows an application to read from the user's social stream.
High android.permission.WRITE_SOCIAL_STREAM write the user's social stream
Allows an application to write (but not read) the user's social stream data.
High android.permission.READ_PROFILE read the user's personal profile data
Allows an application to read the user's personal profile data.
High android.permission.WRITE_PROFILE write the user's personal profile data
Allows an application to write (but not read) the user's personal profile data.
High android.permission.READ_CALENDAR read calendar events
Allows an application to read all of the calendar events stored on your phone. Malicious applications can use this to send your calendar events to other people.
High android.permission.WRITE_CALENDAR add or modify calendar events and send emails to guests
Allows an application to add or change the events on your calendar, which may send emails to guests. Malicious applications can use this to erase or modify your calendar events or to send emails to guests.
High android.permission.READ_USER_DICTIONARY read user-defined dictionary
Allows an application to read any private words, names and phrases that the user may have stored in the user dictionary.
High android.permission.ACCESS_FINE_LOCATION fine (GPS) location
Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
High android.permission.ACCESS_COARSE_LOCATION coarse (network-based) location
Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
High android.permission.GET_ACCOUNTS list accounts
Allows access to the list of accounts in the Accounts Service.
High android.permission.AUTHENTICATE_ACCOUNTS act as an account authenticator
Allows an application to use the account authenticator capabilities of the Account Manager, including creating accounts as well as obtaining and setting their passwords.
High android.permission.USE_CREDENTIALS use the authentication credentials of an account
Allows an application to request authentication tokens.
High android.permission.MANAGE_ACCOUNTS manage the accounts list
Allows an application to perform operations like adding and removing accounts and deleting their password.
High android.permission.RECORD_AUDIO record audio
Allows application to access the audio record path.
High android.permission.CAMERA take pictures and videos
Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
High android.permission.PROCESS_OUTGOING_CALLS intercept outgoing calls
Allows application to process outgoing calls and change the number to be dialled. Malicious applications may monitor, redirect or prevent outgoing calls.
High android.permission.READ_PHONE_STATE read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
High android.permission.CALL_PHONE directly call phone numbers
Allows the application to call phone numbers without your intervention. Malicious applications may cause unexpected calls on your phone bill. Note that this does not allow the application to call emergency numbers.
High android.permission.USE_SIP make/receive Internet calls
Allows an application to use the SIP service to make/receive Internet calls.
High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.GET_TASKS retrieve running applications
Allows application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications.
High android.permission.SYSTEM_ALERT_WINDOW display system-level alerts
Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone.
High android.permission.WRITE_SETTINGS modify global system settings
Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration.
High android.permission.SET_ANIMATION_SCALE modify global animation speed
Allows an application to change the global animation speed (faster or slower animations) at any time.
High android.permission.PERSISTENT_ACTIVITY make application always run
Allows an application to make parts of itself persistent, so that the system can't use it for other applications.
High android.permission.MOUNT_UNMOUNT_FILESYSTEMS mount and unmount file systems
Allows the application to mount and unmount file systems for removable storage.
High android.permission.MOUNT_FORMAT_FILESYSTEMS format external storage
Allows the application to format removable storage.
High android.permission.SUBSCRIBED_FEEDS_WRITE write subscribed feeds
Allows an application to modify your currently synced feeds. This could allow a malicious application to change your synced feeds.
High android.permission.READ_LOGS read sensitive log data
Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information.
High android.permission.SET_DEBUG_APP enable application debugging
Allows an application to turn on debugging for another application. Malicious applications can use this to kill other applications.
High android.permission.SET_PROCESS_LIMIT limit number of running processes
Allows an application to control the maximum number of processes that will run. Never needed for common applications.
High android.permission.SET_ALWAYS_FINISH make all background applications close
Allows an application to control whether activities are always finished as soon as they go to the background. Never needed for common applications.
High android.permission.SIGNAL_PERSISTENT_PROCESSES send Linux signals to applications
Allows application to request that the supplied signal be sent to all persistent processes.
Low android.permission.WRITE_USER_DICTIONARY write to user-defined dictionary
Allows an application to write new words into the user dictionary.
Low android.permission.ACCESS_LOCATION_EXTRA_COMMANDS access extra location provider commands
Access extra location provider commands. Malicious applications could use this to interfere with the operation of the GPS or other location sources.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.CHANGE_WIFI_STATE change Wi-Fi status
Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.
Low android.permission.BLUETOOTH create Bluetooth connections
Allows applications to connect to paired bluetooth devices.
Low android.permission.BLUETOOTH_ADMIN bluetooth administration
Allows applications to discover and pair bluetooth devices.
Low android.permission.NFC control Near-Field Communication
Allows an application to communicate with Near-Field Communication (NFC) tags, cards and readers.
Low android.permission.CHANGE_WIFI_MULTICAST_STATE allow Wi-Fi Multicast reception
Allows an application to receive packets not directly addressed to your device. This can be useful when discovering services offered nearby. It uses more power than the non-multicast mode.
Low android.permission.VIBRATE control vibrator
Allows the application to control the vibrator.
Low android.permission.FLASHLIGHT control flashlight
Allows the application to control the flashlight.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.MODIFY_AUDIO_SETTINGS change your audio settings
Allows application to modify global audio settings, such as volume and routing.
Low android.permission.DISABLE_KEYGUARD Allows applications to disable the keyguard if it is not secure.
Low android.permission.REORDER_TASKS reorder applications running
Allows an application to move tasks to the foreground and background. Malicious applications can force themselves to the front without your control.
Low android.permission.RESTART_PACKAGES kill background processes
Allows an application to kill background processes of other applications, even if memory is not low.
Low android.permission.KILL_BACKGROUND_PROCESSES kill background processes
Allows an application to kill background processes of other applications, even if memory is not low.
Low android.permission.SET_WALLPAPER set wallpaper
Allows the application to set the system wallpaper.
Low android.permission.SET_WALLPAPER_HINTS set wallpaper size hints
Allows the application to set the system wallpaper size hints.
Low android.permission.EXPAND_STATUS_BAR expand/collapse status bar
Allows application to expand or collapse the status bar.
Low android.permission.READ_SYNC_SETTINGS read sync settings
Allows an application to read the sync settings, such as whether sync is enabled for Contacts.
Low android.permission.WRITE_SYNC_SETTINGS write sync settings
Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.
Low android.permission.READ_SYNC_STATS read sync statistics
Allows an application to read the sync stats; e.g. the history of syncs that have occurred.
Low android.permission.GET_PACKAGE_SIZE measure application storage space
Allows an application to find out the space used by any package.
Low android.permission.RECEIVE_BOOT_COMPLETED automatically start at boot
Allows an application to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running.
Low android.permission.BROADCAST_STICKY send sticky broadcast
Allows an application to send sticky broadcasts, which remain after the broadcast ends. Malicious applications can make the phone slow or unstable by causing it to use too much memory.
Low android.permission.SUBSCRIBED_FEEDS_READ read subscribed feeds
Allows an application to receive details about the currently synced feeds.
Low android.permission.CHANGE_NETWORK_STATE change network connectivity
Allows applications to change network connectivity state.
Medium android.permission.INJECT_EVENTS press keys and control buttons
Allows an application to deliver its own input events (key presses, etc.) to other applications. Malicious applications can use this to take over the phone.
Medium android.permission.BIND_ACCESSIBILITY_SERVICE Must be required by an AccessibilityService, to ensure that only the system can bind to it.
Medium android.permission.BATTERY_STATS modify battery statistics
Allows the modification of collected battery statistics. Not for use by common applications.
Medium android.permission.INSTALL_PACKAGES directly install applications
Allows an application to install new or updated Android packages. Malicious applications can use this to add new applications with arbitrarily powerful permissions.
Medium android.permission.SET_TIME_ZONE set time zone
Allows an application to change the phone's time zone.
Medium android.permission.CHANGE_CONFIGURATION change your UI settings
Allows an application to change the current configuration, such as the locale or overall font size.
Medium android.permission.CLEAR_APP_CACHE delete all application cache data
Allows an application to free phone storage by deleting files in application cache directory. Access is usually very restricted to system process.
android.permission.ACCESS_SUPERUSER Unknown permission
Unknown permission from android reference
android.permission.READ_CELL_BROADCASTS Unknown permission
Unknown permission from android reference
android.permission.BIND_DIRECTORY_SEARCH Unknown permission
Unknown permission from android reference
com.android.browser.permission.READ_HISTORY_BOOKMARKS Unknown permission
Unknown permission from android reference
com.android.browser.permission.WRITE_HISTORY_BOOKMARKS Unknown permission
Unknown permission from android reference
com.google.android.providers.gsf.permission.READ_GSERVICES Unknown permission
Unknown permission from android reference
com.android.alarm.permission.SET_ALARM Unknown permission
Unknown permission from android reference
com.android.voicemail.permission.ADD_VOICEMAIL Unknown permission
Unknown permission from android reference
android.permission.ACCESS_WIMAX_STATE Unknown permission
Unknown permission from android reference
android.permission.CHANGE_WIMAX_STATE Unknown permission
Unknown permission from android reference
android.permission.BLUETOOTH_STACK Unknown permission
Unknown permission from android reference
android.permission.RECEIVE_DATA_ACTIVITY_CHANGE Unknown permission
Unknown permission from android reference
android.permission.REMOTE_AUDIO_PLAYBACK Unknown permission
Unknown permission from android reference
android.permission.INTERACT_ACROSS_USERS Unknown permission
Unknown permission from android reference
android.permission.INTERACT_ACROSS_USERS_FULL Unknown permission
Unknown permission from android reference
android.permission.MANAGE_USERS Unknown permission
Unknown permission from android reference
android.permission.GET_DETAILED_TASKS Unknown permission
Unknown permission from android reference
android.permission.START_ANY_ACTIVITY Unknown permission
Unknown permission from android reference
android.permission.ACCESS_ALL_EXTERNAL_STORAGE Unknown permission
Unknown permission from android reference
android.permission.FREEZE_SCREEN Unknown permission
Unknown permission from android reference
android.permission.FILTER_EVENTS Unknown permission
Unknown permission from android reference
android.permission.RETRIEVE_WINDOW_INFO Unknown permission
Unknown permission from android reference
android.permission.TEMPORARY_ENABLE_ACCESSIBILITY Unknown permission
Unknown permission from android reference
android.permission.MAGNIFY_DISPLAY Unknown permission
Unknown permission from android reference
android.permission.GRANT_REVOKE_PERMISSIONS Unknown permission
Unknown permission from android reference
android.permission.CONFIGURE_WIFI_DISPLAY Unknown permission
Unknown permission from android reference
android.permission.CONTROL_WIFI_DISPLAY Unknown permission
Unknown permission from android reference
android.permission.BIND_KEYGUARD_APPWIDGET Unknown permission
Unknown permission from android reference
android.permission.MODIFY_APPWIDGET_BIND_PERMISSIONS Unknown permission
Unknown permission from android reference
android.permission.READ_DREAM_STATE Unknown permission
Unknown permission from android reference
android.permission.WRITE_DREAM_STATE Unknown permission
Unknown permission from android reference
android.permission.SERIAL_PORT Unknown permission
Unknown permission from android reference
android.permission.ACCESS_CONTENT_PROVIDERS_EXTERNALLY Unknown permission
Unknown permission from android reference
android.permission.UPDATE_LOCK Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Run shell script programmably
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.)
Confidence:
100%
Find a method from given class name, usually for reflection
Confidence:
100%
Method reflection
Confidence:
100%
Install other APKs from file
Confidence:
100%
Get the network operator name
Confidence:
100%
Load class from given class name
Confidence:
100%
Retrieve data from broadcast
Confidence:
100%
Use absolute path of directory for the output media file path
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Put data in cursor to JSON object
Confidence:
100%
Open the camera and take picture
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Monitor incoming call status
Confidence:
100%
Get absolute path of the file and store in string
Confidence:
100%
Query the IMSI number
Confidence:
100%
Read file from assets directory
Confidence:
100%
Get last known location of the device
Confidence:
100%
Query the ICCID number
Confidence:
100%
Deletes media specified by a content URI(SMS, CALL_LOG, File, etc.)
Confidence:
100%
Get location of the device
Confidence:
100%
Query the IMEI number
Confidence:
100%
Method reflection
Confidence:
100%
Send SMS
Confidence:
100%
Query data from URI (SMS, CALLLOGS)
Confidence:
100%
Read file into a stream and put it into a JSON object
Confidence:
100%
Query the phone number
Confidence:
100%
Initialize class object dynamically
Confidence:
100%
Get filename and put it to JSON object
Confidence:
100%
Query the SMS contents
Confidence:
80%
Read data and put it into a buffer stream
Confidence:
80%
Get location info of the device and put it to JSON object
Confidence:
80%
Connect to a URL and read data from it
Confidence:
80%
Monitor data identified by a given content URI changes(SMS, MMS, etc.)
Confidence:
80%
Read file and put it into a stream
Confidence:
80%
Open a file from given absolute path of the file
Confidence:
80%
Get Location of the device and append this info to a string
Confidence:
80%
Get calendar information
Confidence:
80%
Get the IMSI and network operator name
Confidence:
80%
Executes the specified string Linux command
Confidence:
80%
Get the time of current location
Confidence:
80%
Get resource file from res/raw directory

Behavior analysis

Information computed with MobSF.

Base64 decode
       com/delemento/WindModule/b.java
Base64 encode
       com/delemento/WindModule/b.java
com/delemento/modules/location/d.java
Certificate handling
       c/a.java
com/delemento/WindModule/g.java
c/a/c/j.java
com/delemento/WindModule/a.java
c/a/g/f.java
c/a/g/b.java
c/v.java
Crypto
       com/delemento/i.java
Execute os command
       com/delemento/f.java
Gps location
       com/delemento/modules/c/d.java
com/delemento/modules/c/a.java
com/delemento/a.java
com/delemento/a/g.java
com/delemento/modules/c/b.java
com/delemento/modules/c/g.java
com/delemento/modules/c/h.java
com/delemento/modules/location/f.java
com/delemento/modules/location/d.java
com/delemento/modules/location/e.java
com/delemento/modules/c/i.java
Get cell location
       com/delemento/modules/location/b.java
Get installed applications
       com/delemento/modules/d.java
Get network interface information
       com/delemento/WindModule/j.java
Get phone number
       com/delemento/WindModule/j.java
com/delemento/modules/e.java
Get sim serial number
       com/delemento/modules/e.java
Get subscriber id
       com/delemento/WindModule/j.java
com/delemento/modules/e.java
Get system service
       com/delemento/modules/c/d.java
com/delemento/modules/c/a.java
com/delemento/c.java
com/delemento/i.java
com/delemento/modules/c/g.java
com/delemento/services/ClipboardMonitorService.java
com/delemento/modules/d.java
com/delemento/modules/l.java
com/delemento/a/n.java
com/delemento/modules/location/d.java
com/delemento/modules/c/i.java
com/delemento/WindModule/Shoter_/ScreenshotService.java
com/delemento/modules/c/b.java
com/delemento/modules/c/c.java
com/delemento/modules/location/b.java
com/delemento/receivers/ConnectionReceiver.java
com/delemento/WindModule/j.java
com/delemento/modules/c/h.java
com/delemento/modules/j.java
com/delemento/receivers/CallReceiver.java
com/delemento/services/AppService.java
com/delemento/modules/location/e.java
com/delemento/WindModule/Shoter_/MainActivity_shoter.java
com/delemento/modules/e.java
Get wifi details
       com/delemento/modules/e.java
Http connection
       com/delemento/c.java
com/delemento/d.java
com/delemento/g.java
com/delemento/modules/l.java
com/delemento/modules/e.java
com/delemento/WindModule/h.java
Http requests, connections and sessions
       com/delemento/c.java
com/delemento/d.java
com/delemento/WindModule/a.java
Inter process communication
       com/delemento/i.java
com/delemento/modules/c.java
com/delemento/services/ClipboardMonitorService.java
com/delemento/activity/AndroidSMS.java
com/delemento/WindModule/i.java
com/delemento/modules/l.java
com/delemento/modules/location/d.java
com/delemento/receivers/OutgoingCallReceiver.java
com/delemento/modules/h.java
com/delemento/modules/k.java
com/delemento/services/AppService.java
com/delemento/WindModule/Shoter_/MainActivity_shoter.java
com/delemento/WindModule/h.java
com/delemento/modules/location/LocationTimerBroadcastReceiver.java
com/delemento/modules/d.java
com/delemento/g.java
com/delemento/receivers/UpdateBroadcastReceiver.java
com/delemento/WindModule/RoosterConnectionService.java
com/delemento/WindModule/Shoter_/ScreenshotService.java
com/delemento/receivers/SMSReceiver.java
com/delemento/d.java
com/delemento/receivers/a.java
com/delemento/receivers/ConnectionReceiver.java
com/delemento/receivers/b.java
com/delemento/h.java
com/delemento/receivers/CallReceiver.java
com/delemento/modules/location/e.java
com/delemento/receivers/ServiceStarter.java
Java reflection
       c/a/c.java
c/a/g/a.java
b/c/b/e.java
c/a/g/c.java
c/a/g/b.java
com/delemento/modules/c.java
c/a/g/e.java
com/delemento/modules/d.java
com/delemento/WindModule/i.java
com/b/a/c/c.java
com/delemento/a/n.java
c/a/g/d.java
Local file i/o operations
       com/delemento/modules/c/d.java
com/delemento/modules/c/a.java
com/delemento/modules/c/g.java
com/delemento/e.java
com/delemento/a/f.java
com/delemento/modules/c/i.java
com/delemento/modules/c/f.java
com/delemento/modules/c/b.java
com/delemento/modules/c/c.java
com/delemento/modules/c/h.java
com/delemento/modules/c/e.java
com/a/e.java
com/delemento/modules/e.java
Message digest
       com/delemento/i.java
d/u.java
d/h.java
Query database of sms, contacts etc
       com/delemento/modules/b/d.java
com/delemento/a.java
com/delemento/modules/b/b.java
com/delemento/modules/d.java
com/delemento/modules/b/c.java
com/delemento/g.java
com/delemento/modules/b/a.java
Send sms
       com/delemento/h.java
com/delemento/g.java
Sending broadcast
       com/delemento/services/AppService.java
Set or read clipboard data
       com/delemento/services/ClipboardMonitorService.java
Starting activity
       com/delemento/WindModule/Shoter_/ScreenshotService.java
com/delemento/modules/d.java
com/delemento/activity/AndroidSMS.java
com/delemento/g.java
com/delemento/services/AppService.java
com/delemento/WindModule/Shoter_/MainActivity_shoter.java
Starting service
       com/delemento/receivers/SMSReceiver.java
com/delemento/receivers/ConnectionReceiver.java
com/delemento/modules/d.java
com/delemento/activity/AndroidSMS.java
com/delemento/receivers/UpdateBroadcastReceiver.java
com/delemento/receivers/CallReceiver.java
com/delemento/services/AppService.java
com/delemento/receivers/ServiceStarter.java
com/delemento/receivers/OutgoingCallReceiver.java
Tcp socket
       d/w.java
c/a/g/a.java
c/a/b/c.java
c/a/e/g.java
c/a.java
c/a/h/a.java
c/a/c/j.java
c/a/a.java
c/a/b/f.java
c/j.java
c/v.java
c/a/c.java
d/o.java
com/delemento/WindModule/g.java
c/a/g/f.java
com/delemento/WindModule/j.java
c/a/b/g.java
c/a/k/a.java
c/a/e/i.java
Url connection to file/http/https/ftp/jar
       com/delemento/g.java

Control flow graphs analysis

Information computed by Pithus.

The application probably gets different information regarding the telephony capabilities

The application probably gets the IMEI of the phone

The application probably gets the serial number of the SIM card

The application probably gets the subscriber ID associated to the SIM card/ Should never be collected

The application probably determines the location based on cell towers

The application probably gets the phone number associated to the SIM card

The application probably gets network interfaces addresses (IP and/or MAC)

The application probably uses cryptography

The application probably plays sound