Joe Sandbox Android Analysis Report

com.skycure.skycure_(4.12.0).apk

Overview

General Information

Sample Name: com.skycure.skycure_(4.12.0).apk
Analysis ID: 725289
MD5: 6b7085b76a503ca431c1f25ed99972ce
SHA1: ec0d67f37b91d4f6560d0d085943754e2999512d
SHA256: 3cb8459635ada20215cfa8afb21eb279c323754c9168c371586fcfa1f72ecd63

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Removes its application launcher (likely to stay hidden)
Tries to disable the administrator user
Requests to ignore battery optimizations
Might try to detect if ADB is running
Found potential keylogger
Kills background processes
May wipe phone data
Tries to detect XPosed instrumentation framework
Scans for WIFI networks
Checks if a SIM card is installed
Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Queries list of running processes/tasks
Queries SMS data
Starts/registers a service/receiver on phone boot (autostart)
Checks if phone is rooted (checks for Superuser.apk)
Obfuscates method names
Has permission to read the SMS storage
Installs a new wake lock (to keep the phone screen on)
Found suspicious command strings (may be related to BOT commands)
Monitors incoming SMS
Checks an internet connection is available
Queries list of installed packages
Found very long method strings
Queries package code path (often used for patching other applications)
Requests potentially dangerous permissions
Requests root access
Checks if phone is rooted (checks for test-keys build tags)
Potential date aware sample found
Registers a clipboard change listener (to get access to clipboard data)
Queries the phone's location (GPS)
Opens an internet connection
Queries the network operator name
May access the Android keyguard (lock screen)
Checks if debugger is running
Has permissions to create, read or change account settings (including account password settings)
Has permission to receive SMS in the background
Lists and deletes files in the same context
Queries a list of installed applications
Detected TCP or UDP traffic on non-standard ports
Has functionality to send UDP packets
Has functionality to add an overlay to other apps
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Queries the unique device ID (IMEI, MEID or ESN)
Accesses /proc
Removes or disables configured WIFI access points
Has permission to read the phone's state (phone number, device IDs, active call etc.)
Queries the SIM provider ISO country code
Tries to add a new device administrator
Accesses android OS build fields
Executes native commands
Queries the list of configured WIFI access points
Checks partitions
May dial phone number
Reads boot loader settings of the device
Queries the network MAC address
Queries MMS data
Checks if the device administrator is active
Has permission to change the WIFI configuration including connecting and disconnecting
Performs DNS lookups (Java API)
Queries the network operator numeric MCC+MNC (mobile country code + mobile network code)
Queries several pieces of sensitive phone information
Queries the unique operating system id (ANDROID_ID)
Has permission to terminate background processes of other applications
Sets an intent to the APK data type (used to install other APKs)
Queries the WIFI MAC address
Has permission to execute code after phone reboot
Uses reflection

Classification

No yara matches
No Snort rule has matched

There are no malicious signatures.

MITRE ATT&CK matrix (matched techniques per tactic; the number in brackets is the match count shown in the matrix)

Initial Access: no matches
Execution: no matches
Persistence: no matches
Privilege Escalation: no matches
Defense Evasion: Application Discovery (1); Obfuscated Files or Information (1)
Credential Access: Input Capture (1); Capture Clipboard Data (1); Capture SMS Messages (2); Access Stored Application Data (1)
Discovery: System Network Connections Discovery (1); System Network Configuration Discovery (2); Location Tracking (11); Application Discovery (1); System Information Discovery (2); Process Discovery (1)
Lateral Movement: no matches
Collection: Location Tracking (11); Network Information Discovery (3); Input Capture (1); Capture Clipboard Data (1); Capture SMS Messages (2); Access Stored Application Data (1)
Exfiltration: no matches
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3)
Network Effects: Eavesdrop on Insecure Network Communication (1)
Remote Service Effects: no matches
Impact: Generate Fraudulent Advertising Revenue (1); Delete Device Data (1)
