GroDDViewer: BadNews

Sample name: ru.blogspot.playsib.savageknife

Malware Family

Undesired applications installation

Sample description:

The graph shows the download of two applications, their installation, and the execution of one of them. The SFG shows the android.browser process sending data to two remote servers and the creation of two APKs in the download directory by the ider.downloads process. One of the servers is the one from which the two applications are downloaded. The downloaded APKs are doodle.jump.apk and adobe.flash.apk. The malware uses the default browser to download these files, and the browser delegates the download task to ider.downloads; that is why we observe these information flows. The middle part of the SFG shows part of the installation of the two applications and the execution of one of them. For instance, the id.defcontainer process creates a new APK file, com.realarcade.DOJ.apk, in the /data/app/ directory. This directory contains the APK of every application installed on the device. From this new APK, the dexopt process extracts optimized bytecode that is later read by a new process named realarcade.DOJ. These flows indicate that a new application has been installed and started.
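The chain described above (remote server, browser, download provider, APK in the download directory, id.defcontainer writing under /data/app/, dexopt producing a .dex, a new process reading it) is a pattern a defender can search for in any information-flow graph of this kind. The following is an added example, not GroDDViewer's own code or data: the flow edges are constructed from the description on this page, and the node names, the download directory path and the dalvik-cache path are assumptions. The check walks every path from a socket to a process and reports those that pass through the three stages in order; the second downloaded APK, which the description does not show being executed, is correctly left out.

```python
from collections import defaultdict

# Constructed flow edges (source -> destination), modelled on the SFG
# described above. Node names and file paths are assumptions, not values
# taken from the viewer.
FLOWS = [
    ("socket:remote-server-1", "android.browser"),
    ("android.browser", "socket:remote-server-1"),
    ("android.browser", "socket:remote-server-2"),
    ("android.browser", "ider.downloads"),            # browser delegates the download
    ("ider.downloads", "/sdcard/Download/doodle.jump.apk"),
    ("ider.downloads", "/sdcard/Download/adobe.flash.apk"),
    ("/sdcard/Download/doodle.jump.apk", "id.defcontainer"),   # assumed mapping to DOJ
    ("id.defcontainer", "/data/app/com.realarcade.DOJ.apk"),
    ("/data/app/com.realarcade.DOJ.apk", "dexopt"),
    ("dexopt", "/data/dalvik-cache/data@app@com.realarcade.DOJ.apk@classes.dex"),
    ("/data/dalvik-cache/data@app@com.realarcade.DOJ.apk@classes.dex", "realarcade.DOJ"),
]


def node_kind(name):
    """Classify a node the way the SFG legend does: socket, file or process."""
    if name.startswith("socket:"):
        return "socket"
    if name.startswith("/"):
        return "file"
    return "process"


# Ordered waypoints that characterise "downloaded APK installed and executed".
STAGES = [
    ("downloaded_apk", lambda n: node_kind(n) == "file" and n.endswith(".apk")
                                 and not n.startswith("/data/app/")),
    ("installed_apk", lambda n: n.startswith("/data/app/") and n.endswith(".apk")),
    ("optimized_dex", lambda n: n.endswith(".dex")),
]


def _stage_hits(path):
    """Return the node matched by each stage, in order, or fewer if the path is incomplete."""
    hits, i = {}, 0
    for n in path:
        if i < len(STAGES) and STAGES[i][1](n):
            hits[STAGES[i][0]] = n
            i += 1
    return hits


def find_install_chains(flows):
    """Return every socket -> ... -> process path that visits all STAGES in order."""
    graph = defaultdict(list)
    nodes = set()
    for src, dst in flows:
        graph[src].append(dst)
        nodes.update((src, dst))
    chains = []

    def dfs(node, path):
        if node_kind(node) == "process" and len(_stage_hits(path)) == len(STAGES):
            chains.append(list(path))
        for nxt in graph[node]:
            if nxt not in path:          # simple paths only; the SFG has cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for start in sorted(n for n in nodes if node_kind(n) == "socket"):
        dfs(start, [start])
    return chains


def summarize(chain):
    """Condense a matching chain into the facts an analyst reports."""
    return {"source": chain[0], "started_process": chain[-1], **_stage_hits(chain)}


if __name__ == "__main__":
    for chain in find_install_chains(FLOWS):
        print(summarize(chain))
```

Running the block prints one summary: the chain from socket:remote-server-1 through doodle.jump.apk to the realarcade.DOJ process. Extending STAGES (for example, requiring that the final process name not appear in a baseline of processes present before the sample ran) is the natural next refinement.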

File details:

  • MD5: 474e37797d3106df25c87151876222f4
  • SHA256: 2ee72413370c543347a0847d71882373c1a78a1561ac4faa39a73e4215bb2c3b
  • Size: 4.0 MB