Android Analysis Report
Sample: com.skycure.skycure_(4.12.0).apk
Overview
General Information
Detection
| Field | Value |
|---|---|
| Score | 72 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Removes its application launcher (likely to stay hidden)
Tries to disable the administrator user
Requests to ignore battery optimizations
Might try to detect if ADB is running
Found potential keylogger
Kills background processes
May wipe phone data
Tries to detect the Xposed instrumentation framework
Scans for WIFI networks
Checks if a SIM card is installed
Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Queries list of running processes/tasks
Queries SMS data
Starts/registers a service/receiver on phone boot (autostart)
Checks if phone is rooted (checks for Superuser.apk)
Obfuscates method names
Has permission to read the SMS storage
Acquires a wake lock (to keep the device or screen awake)
Found suspicious command strings (may be related to BOT commands)
Monitors incoming SMS
Checks an internet connection is available
Queries list of installed packages
Found very long method strings
Queries package code path (often used for patching other applications)
Requests potentially dangerous permissions
Requests root access
Checks if phone is rooted (checks for test-keys build tags)
Potential date aware sample found
Registers a clipboard change listener (to get access to clipboard data)
Queries the phones location (GPS)
Opens an internet connection
Queries the network operator name
May access the Android keyguard (lock screen)
Checks if debugger is running
Has permissions to create, read or change account settings (including account password settings)
Has permission to receive SMS in the background
Lists and deletes files in the same context
Queries a list of installed applications
Detected TCP or UDP traffic on non-standard ports
Has functionality to send UDP packets
Has functionality to add an overlay to other apps
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Queries the unique device ID (IMEI, MEID or ESN)
Accesses /proc
Removes or disables configured WIFI access points
Has permission to read the phone's state (phone number, device IDs, active call etc.)
Queries the SIM provider ISO country code
Tries to add a new device administrator
Accesses android OS build fields
Executes native commands
Queries the list of configured WIFI access points
Checks partitions
May dial phone number
Reads boot loader settings of the device
Queries the network MAC address
Queries MMS data
Checks if the device administrator is active
Has permission to change the WIFI configuration including connecting and disconnecting
Performs DNS lookups (Java API)
Queries the network operator numeric MCC+MNC (mobile country code + mobile network code)
Queries several pieces of sensitive phone information
Queries the unique operating system id (ANDROID_ID)
Has permission to terminate background processes of other applications
Sets an intent to the APK data type (used to install other APKs)
Queries the WIFI MAC address
Has permission to execute code after phone reboot
Uses reflection
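Several of the signatures above (the Superuser.apk and test-keys root checks, the Xposed check, the SMS and device-admin permissions) are the kind a static pass derives from string constants in classes.dex and the binary AndroidManifest.xml. The script below is an added illustration of that derivation; it is not the sandbox's rule set and not Skycure's code. The indicator table, the signature labels it emits and the in-memory "APK" it scans are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Indicator table: substring -> report-style signature label. Modeled on the
# behaviours this report flags; an illustrative subset, not the sandbox's rule set.
INDICATORS = {
    "Superuser.apk": "Checks if phone is rooted (checks for Superuser.apk)",
    "test-keys": "Checks if phone is rooted (checks for test-keys build tags)",
    "de.robv.android.xposed": "Tries to detect Xposed instrumentation framework",
    "android.permission.READ_SMS": "Has permission to read the SMS storage",
    "android.permission.RECEIVE_SMS": "Has permission to receive SMS in the background",
    "android.app.action.ADD_DEVICE_ADMIN": "Tries to add a new device administrator",
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests to ignore battery optimizations",
}

# Printable runs of at least 6 characters, for raw bytes and for decoded text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
TEXT_RUN = re.compile(r"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes) -> set:
    """Pull printable strings out of a binary blob in the two layouts that
    matter for an APK: the (M)UTF-8 string table of classes.dex and the
    UTF-16LE string pool of the binary AndroidManifest.xml. UTF-16 decoding is
    attempted at both byte offsets so an odd-aligned pool is not missed."""
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        found.update(TEXT_RUN.findall(text))
    return found


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {signature label: [archive entries it was found in]}.
    Static string matching only: it reports what the code contains, not what
    it does at runtime, so a security agent that looks for Superuser.apk and
    Xposed trips the same indicators as malware that does."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            strings = extract_strings(zf.read(name))
            for needle, label in INDICATORS.items():
                if any(needle in s for s in strings):
                    hits.setdefault(label, []).append(name)
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip holding a fake classes.dex and a
    fake binary manifest that carry a few indicator strings. Not a real APK
    and not derived from the analysed sample."""
    dex = (
        b"dex\n035\x00" + b"\x00" * 16
        + b"\x00Superuser.apk\x00"
        + b"\x00test-keys\x00"
        + b"\x00de.robv.android.xposed.XposedBridge\x00"
        + b"\x00Lcom/example/Agent;\x00"
    )
    manifest = (
        b"\x03\x00\x08\x00"
        + "android.permission.READ_SMS".encode("utf-16-le") + b"\x00\x00"
        + "android.app.action.ADD_DEVICE_ADMIN".encode("utf-16-le")
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for label, entries in sorted(scan_apk(build_sample_apk()).items()):
        print(f"{label}  <-  {', '.join(entries)}")
```

Run stand-alone it prints the five labels the constructed archive triggers, each with the entry it came from. The caveat in the docstring is the one that matters for a sample like this: a string indicator establishes that the code contains root detection, Xposed detection or SMS handling, not that it abuses them, which is why behaviour signatures and a malicious verdict are reported separately.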
Classification
No YARA matches
No Snort rule has matched
There are no malicious signatures.
MITRE ATT&CK techniques matched by the signatures above, grouped by tactic as the report places them. The number before each technique is the count of matched signatures; tactics with no matched technique (Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement, Exfiltration, Remote Service Effects) are omitted.

| Tactic | Matched techniques (signature count) |
|---|---|
| Defense Evasion | 1 Application Discovery; 1 Obfuscated Files or Information |
| Credential Access | 1 Input Capture; 1 Capture Clipboard Data; 2 Capture SMS Messages; 1 Access Stored Application Data |
| Discovery | 1 System Network Connections Discovery; 2 System Network Configuration Discovery; 11 Location Tracking; 1 Application Discovery; 2 System Information Discovery; 1 Process Discovery |
| Collection | 11 Location Tracking; 3 Network Information Discovery; 1 Input Capture; 1 Capture Clipboard Data; 2 Capture SMS Messages; 1 Access Stored Application Data |
| Command and Control | 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol |
| Network Effects | 1 Eavesdrop on Insecure Network Communication |
| Impact | 1 Generate Fraudulent Advertising Revenue; 1 Delete Device Data |