Saturday, September 24, 2016

New Mobile Malware Hits Google Play, Hundreds of Users Affected

We've recently intercepted a currently circulating malicious campaign affecting hundreds of Google Play users, potentially exposing their devices to a multitude of malicious software and, with it, the confidentiality, integrity and availability of their devices. Largely relying on a set of social engineering vectors, cybercriminals continue populating Google Play with hundreds of malicious releases, successfully bypassing Google Play's security mechanisms.

Thanks to a vibrant cybercrime ecosystem, stolen and compromised accounting data continues to represent an underground market commodity, successfully empowering novice cybercriminals with the necessary tools and know-how to continue launching malicious attacks. Largely relying on a set of social engineering vectors, cybercriminals continue to successfully compromise and take advantage of stolen publisher accounts, successfully bypassing Google Play's security mechanisms and potentially exposing hundreds of thousands of users to a multitude of malicious software.

In this post we'll profile the campaign, expose the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious MD5s known to have participated in the campaign:
MD5: 3c4f56ebf48a0b47bffec547804d94f4
MD5: 8a81ef6673321bddc557c486bce2a025
MD5: 789cb05effb586bda98e87e71e340c39
MD5: 505e4d58c53d47245aa89c0fd7cded83
MD5: c7bb64012126e7f75feb5d021e755903

Once executed, a sample malware (MD5: 3c4f56ebf48a0b47bffec547804d94f4) phones back to the following C&C server IPs:
hxxp://art.hornymilfporna.com/g/getasite/
hxxp://art.hornymilfporna.com/z/orap/
hxxp://art.hornymilfporna.com/z/z2/
hxxp://art.hornymilfporna.com/z/z5/

Related malicious MD5s known to have phoned back to the same C&C server IP (art.hornymilfporna.com):
MD5: ee329ffcd6fe835bfdc0ec1a7f033584

Related malicious MD5s known to have phoned back to the same C&C server IP (hornymilfporna.com - 54.72.9.51; 104.27.188.20; 104.24.124.113):
MD5: d990fe6ed56e5f087dfc4c1ad09e2591
MD5: d129b79a68dd362714a4d35f9901c661
MD5: d74aab1f688c670c172c3767a17c4953
MD5: 5f8a4de87409b399d262bd0ae0a908d7
MD5: 189803a93cde9e0c401ac386c154328f

Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://fullset.link
hxxp://allmodel-pro.com
hxxp://sso.anbtr.com
hxxp://xsso.allmodel-pro.com
hxxp://fullset.info
hxxp://groupmodel.biz

Once executed, a sample malware phones back to the following C&C server IPs:
212.61.180.100
195.22.28.222
212.61.180.100
54.72.9.51

Once executed, a sample malware (MD5: 8a81ef6673321bddc557c486bce2a025) phones back to the following C&C server IPs:
hxxp://cinar.pussyteenx.com/g/getasite/ - 8.5.1.44; 46.45.168.84
hxxp://cinar.pussyteenx.com/z/orap/
hxxp://cinar.pussyteenx.com/z/z2/
hxxp://cinar.pussyteenx.com/z/z5/

Related malicious MD5s known to have phoned back to the same C&C server IPs (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: b9a2447a5b292566b4998c5d996f488b

Related malicious MD5s known to have phoned back to the same C&C server IP (cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84):
MD5: f8205b4b9ae5d8ac8bf7b3996a6be408
MD5: a73138a8275b68296bfcf0ed39b2665c
MD5: ff06679eb18932e31f8b05d92a48b4eb
MD5: 107993dce5417356d40279feb2be0017
MD5: d5ed564fd2f4c10e3a26df9342a09545

Once executed, a sample malware (MD5: f8205b4b9ae5d8ac8bf7b3996a6be408) phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: a73138a8275b68296bfcf0ed39b2665c) phones back to the following C&C server IPs:

Once executed, a sample malware phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: ff06679eb18932e31f8b05d92a48b4eb) phones back to the following C&C server IPs:

Once executed, a sample malware phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: 107993dce5417356d40279feb2be0017) phones back to the following C&C server IPs:

Once executed, a sample malware phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: d5ed564fd2f4c10e3a26df9342a09545) phones back to the following C&C server IPs:

Once executed, a sample malware phones back to the following C&C server IPs:

Once executed, a sample malware (MD5: 789cb05effb586bda98e87e71e340c39) phones back to the following C&C server IPs:
hxxp://diyar.collegegirlteen.com/g/getasite/ - 46.45.168.84
hxxp://diyar.collegegirlteen.com/z/orap/
hxxp://diyar.collegegirlteen.com/z/z2/
hxxp://diyar.collegegirlteen.com/z/z5/

Related malicious MD5s known to have phoned back to the following C&C server IPs:
MD5: acd62483446c7ed057f312784bfddd61

Once executed, a sample malware (MD5: 505e4d58c53d47245aa89c0fd7cded83) phones back to the following C&C server IPs:
hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84
hxxp://van.cowteen.com/z/orap/
hxxp://van.cowteen.com/z/z2/
hxxp://van.cowteen.com/z/z5/

Related malicious MD5s known to have phoned back to the same C&C server IP:
MD5: 13f2e7b3141b84666e0209e140663ef2

Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://w.bestmobile.mobi/ - 104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226

Related malicious MD5s known to have phoned back to the same C&C server IPs:
MD5: 92bd8e7e58816bcb14f9dcbf839178ca
MD5: 1ee44596b174edb55c4bc497c1fe5f34
MD5: 443f732e406b3d96e53184917525e14a
MD5: a24fad894881b746c48420b019a225cf
MD5: 7c8a8f96c5b31e6ccae936ddc5226c91

Once executed, a sample malware (MD5: a24fad894881b746c48420b019a225cf) phones back to the following C&C server IPs:
hxxp://au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210
hxxp://au.umeng.com/api/check_app_update - 140.205.134.243; 140.205.170.6; 140.205.250.51; 140.205.230.45; 140.205.155.238; 110.173.196.195; 211.151.151.6; 211.151.139.210; 211.151.139.211

Related malicious MD5s known to have phoned back to the same C&C server IP (au.umeng.co - 140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 110.173.196.195; 211.151.139.211; 211.151.139.210):
MD5: 65a6f1e29b09ba7caa98a9763593aedb
MD5: 102111b9024b71f6ab584d22abdbc589
MD5: 9ad137e51a5b6b2288c774a74a7e80da
MD5: a70595e99b3471216404400b736eaf7c
MD5: 3d3360250c96dff33e177121113b5a3f

Once executed, a sample malware phones back to the same C&C server IPs:
hxxp://211.139.191.223
hxxp://221.179.35.113

Once executed, a sample malware phones back to the same C&C server IPs:
hxxp://115.28.174.189/hft/rq.php

Related malicious MD5s known to have phoned back to the same C&C server IPs:
MD5: c0464c5193dec0980a07fa2e50deffb1
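The indicators above are published in a defanged notation ("hxxp://" URLs, "MD5:" lines, and "host - ip; ip" resolution annotations). As an added example that is not part of the original post, the following Python turns a constructed excerpt of that notation into an indicator set and checks constructed proxy log lines against it, matching on hostname (so any path under a listed C&C host hits, not only the exact URLs published) and on IP; the log format and the sample lines are assumptions, the indicator values are taken from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the post's own notation (defanged "hxxp://" URLs,
# "MD5:" lines, "host - ip; ip" annotations); values are from the post.
IOC_TEXT = """
MD5: 505e4d58c53d47245aa89c0fd7cded83
hxxp://van.cowteen.com/g/getasite/ - 46.45.168.84
hxxp://van.cowteen.com/z/orap/
hxxp://w.bestmobile.mobi/ - 104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226
hxxp://115.28.174.189/hft/rq.php
212.61.180.100
MD5: 13f2e7b3141b84666e0209e140663ef2
"""

MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")
URL_RE = re.compile(r"^hxxps?://(\S+?)(?:\s+-\s+(.*))?$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_iocs(text):
    """Turn the post's indicator lines into sets keyed by indicator type."""
    iocs = {"md5": set(), "host": set(), "ip": set(), "url": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = MD5_RE.match(line)
        u = URL_RE.match(line)
        if m:
            iocs["md5"].add(m.group(1).lower())
        elif IPV4_RE.match(line):                 # bare IP line
            iocs["ip"].add(line)
        elif u:
            target, resolved = u.group(1), u.group(2)
            host = target.split("/", 1)[0].lower()
            iocs["url"].add("http://" + target)   # refanged only inside the set
            (iocs["ip"] if IPV4_RE.match(host) else iocs["host"]).add(host)
            for ip in (resolved or "").replace(";", " ").split():
                if IPV4_RE.match(ip):             # keep the resolution IPs too
                    iocs["ip"].add(ip)
        # anything else (prose, blank lines) is skipped, never guessed at
    return iocs


def match_log_line(line, iocs):
    """Check one constructed proxy log line ('ts client method url status');
    return (indicator_type, value) on a hit, else None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    host = (urlsplit(fields[3]).hostname or "").lower()
    for kind in ("host", "ip"):
        if host in iocs[kind]:
            return (kind, host)
    return None


def scan(lines, iocs):
    """Return [(line_no, hit)] for every log line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = match_log_line(line, iocs)
        if hit:
            hits.append((n, hit))
    return hits


# Constructed proxy log lines (not from the post); line 2 hits on hostname
# even though its path differs from the listed URLs, line 3 hits on the IP.
SAMPLE_LOG = [
    "2016-09-24T10:01:02Z 10.0.0.5 GET http://play.google.com/store 200",
    "2016-09-24T10:01:09Z 10.0.0.5 GET http://van.cowteen.com/z/z5/ 200",
    "2016-09-24T10:02:11Z 10.0.0.7 POST http://115.28.174.189/hft/rq.php 200",
    "2016-09-24T10:03:40Z 10.0.0.9 GET http://www.example.com/ 304",
]

if __name__ == "__main__":
    for n, (kind, value) in scan(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(f"line {n}: {kind} indicator {value}")
```

Match on hostnames before IPs: several of the addresses listed above (the 104.2x and 104.3x ones) fall inside a large CDN range shared with unrelated sites, so an IP-only block or alert on those produces false positives.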

We'll continue monitoring the market segment for mobile malware and post updates as soon as new developments take place.