Author Topic: trojan.android.agent.ddovzd outbreak from chinese fake pokemon games  (Read 7131 times)


REDACTED

  • Guest
Title reference: http://www.escapistmagazine.com/forums/read/7.351547-Counterfeit-Pokemon-Game-Tops-App-Charts
Luckily, that case is NOT a virus.
Unfortunately, we have three new ones which actually work (and are free) because these are just Chinese online-game-style Pokémon games (I wouldn't want to say it looks like they just created a game and put Pokémon characters in, because the Chinese who play these games don't like that) which are likely malware!!!
Here, I am not going to criticize that it is illegal (because they make a profit from in-game events using Nintendo property), but to show the malware activity of some samples.

1. Pokemon main edition (original name:宠物小精灵官方版)
downloaded from: h**p://t.cn/RhcDRSe
see: https://www.virustotal.com/en/file/0901f06e86ca19cf36c6ed343c0bd36c52c97ca47b161c69f02e1ac2515465dc/analysis/1411999420/

I still keep a clean copy for comparison: https://www.virustotal.com/zh-tw/file/9ad2e014389e32287c27ad71c6b20037eb6777a7b77f51b5025ad869342a5403/analysis/
but they decided to inject adware (I don't think you are interested because this is a free game) https://www.virustotal.com/zh-tw/file/3e782625fd099892b386d8fe106f5e097ec612a2f554a486ef287e3a3d05be2e/analysis/1412004019/ downloaded from h**p://sj.img4399.com/game_list/404/com.duole.koudai.m4399/koudai.m4399.v50765.apk

2. Go!Pikachu (original name:去吧!皮卡丘)
see: https://www.virustotal.com/zh-tw/file/cc602d8b6f03b5d0047b2e84bdabc8e7570e5b48a7779c651edca16e398202bf/analysis/
same source, updated? https://www.virustotal.com/zh-tw/file/fbf961ddf062d196f3ee068a313ca19602ca4f74416ff7d0634c144273afa86f/analysis/1412004647/

Different sample: h**p://api.m.duoku.com:8090/charged/charged/download?url=http%3A%2F%2Fdl.m.duoku.com%2Fgame%2F67000%2F67427%2F20140709111941_13005.apk via http://tieba.baidu.com/p/3209623544
different detection https://www.virustotal.com/zh-tw/file/34333883063012d4ad8ca13bc6881bdf5622978678fa276b487b2b55c085c1d0/analysis/1412005687/
These were injected into the game in an update. I still have the clean old version file, see https://www.virustotal.com/zh-tw/file/1db241f0ad35ce86b063a610cd357f78b6cb7bdd3fc8aa60ee28b690280ac392/analysis/

3. Pocket Monster: Pokemon 3D (original name: 口袋妖怪:神奇宝贝·3D)
downloaded from: h**p://sj.img4399.com/game_list/340/com.trenddna.sy4399/trenddna.sy4399.v51045.apk
see: https://www.virustotal.com/zh-tw/file/2fd6f978e84cf39a6aaef1e8786faba8d322073ae2d04e7d84cf272b0f41c259/analysis/1412006321/

I found another file of the same game without the trojan virus
source: h**p://www.appgame.com/archives/315073.html
see: https://www.virustotal.com/zh-tw/file/13cc9c4cba71898f80ca053d2c8389bfe330bbddb08142080cd8352c29660aad/analysis/1412007812/

No apk file mentioned above is currently detected by avast.

PS: looks like the 4399 Android market wants even more trojan viruses on their site because game #3 is a very new one. Luckily the whole of 4399 is blocked by avast!
« Last Edit: September 29, 2014, 07:02:04 PM by rickyyeung »
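Added example, not code from the post or from any of the games: one way a defender can compare a known-clean build of a game APK with the later "updated" build, as the clean/injected pairs above were compared, and list exactly which entries the update added, removed or changed. The two APKs here are constructed in memory and the file names inside them are placeholders.

```python
"""Compare two APK builds (zip files) and report entries that were added,
removed or modified, to spot code injected into an "update" as the post
describes. Added example; the APKs here are constructed in memory."""
import hashlib
import io
import zipfile


def _entry_digests(apk_bytes: bytes) -> dict:
    """Map every zip entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def diff_apks(clean_apk: bytes, suspect_apk: bytes) -> dict:
    """Return sorted lists of entries added, removed or modified in suspect_apk."""
    clean, suspect = _entry_digests(clean_apk), _entry_digests(suspect_apk)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(n for n in clean.keys() & suspect.keys()
                           if clean[n] != suspect[n]),
    }


def build_apk(entries: dict) -> bytes:
    """Build a minimal zip in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the "update" ships an extra dex and a changed manifest.
CLEAN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00game-code",
    "res/drawable/icon.png": b"\x89PNG fake icon",
})
SUSPECT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'>extra</manifest>",
    "classes.dex": b"dex\n035\x00game-code",
    "classes2.dex": b"dex\n035\x00injected",
    "res/drawable/icon.png": b"\x89PNG fake icon",
})

if __name__ == "__main__":
    print(diff_apks(CLEAN_APK, SUSPECT_APK))
```

Run it on the real clean and updated APKs by reading both files as bytes; an added dex or a manifest change is where to start looking when the update is the only thing that differs.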


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: trojan.android.agent.ddovzd outbreak from chinese fake pokemon games
« Reply #2 on: September 30, 2014, 12:00:40 AM »
Hi rickyyeung and other malcode analysts,

So be aware when on this site: the 4399 Android game rankings provide you with Android game downloads, free Android game downloads, fun Android games, Android game recommendations and Android mobile games; more Android games are all at 4399 mobile games.
aka 4399 Andrews Andrews game list to provide you with game downloads, android games free download, fun Android game, Android game recommendation, Android mobile phone games, and more games all in 4399 Duo Anzhuo mobile games.

See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.4399.com&useragent=Fetch+useragent&accept_encoding=
code going to //try{new Image().src = "htxp://adtrace.5054399.com/skin.js?from="+index4399skin;}catch(ex){}
 
Authenticode signature block
File version 1, 0, 2, 1031
Description 360????????????
Signature verification  The digital signature of the object did not verify.

Is there a link on the page to a trojan downloader, see: http://www.threatexpert.com/report.aspx?md5=da2c389b15b5e8439fad1285dc40bdb5 because htxp://w.cnzz.com/c.php?id=30039538 was blocked by an extension in my browser.

polonus
« Last Edit: September 30, 2014, 12:44:22 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: trojan.android.agent.ddovzd outbreak from chinese fake pokemon games
« Reply #3 on: September 30, 2014, 02:58:11 PM »
Quote
htxp://w.cnzz.com/c.php?id=30039538, was blocked by an extension in my browser.
flagged in zulu as adware/spyware. I scanned some URLs under hxxp://www.4399.com/ and that was the result.

I don't know why the cnzz website traffic plugin is so easily blocked by ad blockers, as reported in their own forum. Must be a bug in their code ???

Quote
So be aware when on this site: the 4399 Android game rankings provide you with Android game downloads, free Android game downloads, fun Android games, Android game recommendations and Android mobile games; more Android games are all at 4399 mobile games.
aka 4399 Andrews Andrews game list to provide you with game downloads, android games free download, fun Android game, Android game recommendation, Android mobile phone games, and more games all in 4399 Duo Anzhuo mobile games.
Not only the site components, but the game apk files too are not trustworthy. I already provided a few game files from 4399 in the first post.

I somewhat broke the "whitelist" on 4399 by qihoo360 in VirusTotal using a possible program bug. If you use one html file, they won't detect anything, but if you use a compressed file of 2 or more html files, they detect the script trojan (Win32/trojan.script.fa2). And I will still rely on this fact to judge whether a Chinese website contains malware or not.