├── _config.yml
├── index.md
└── libandroid_runtime.so


/_config.yml:
--------------------------------------------------------------------------------
1 | remote_theme: pages-themes/hacker@v0.2.0
2 | plugins:
3 | - jekyll-remote-theme
4 | 
5 | theme: jekyll-theme-hacker


--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
 1 | # Not so boring Android malware
 2 | 
 3 | Welcome! The purpose of this website is to gather a diverse set of different Android malware samples. So often the Android malware datasets are boring. They have the same or very similar malware families and, if used to practice reverse engineering, may become very repetitive.
 4 | 
 5 | I've decided to create a list of samples which are different. Each one should give you a different, fun reverse engineering challenge. The samples are divded in three sections: easy, average and difficult. Each one contains a short description of what the malware does (but no spoilers!). All samples are sourced from publicly available websites and link to these websites.
 6 | 
 7 | My promise to you is that in this list there is only one banking phishing app and there will always be only one banking phishing app.
 8 | 
 9 | *Have fun!*
10 | 
11 | ## Easy samples
12 | * [`5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e`](https://bazaar.abuse.ch/sample/5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e/#intel) - a very simple screen locker (ransomware) with a clear text password.
13 | * [`355cd2b71db971dfb0fac1fc391eb4079e2b090025ca2cdc83d4a22a0ed8f082`](https://bazaar.abuse.ch/download/355cd2b71db971dfb0fac1fc391eb4079e2b090025ca2cdc83d4a22a0ed8f082/) - very simple SMS stealer
14 | * [`86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d`](https://bazaar.abuse.ch/download/86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d/) - stalkerware / commercial spyware used to monitor devices to which the attacker has physical access
15 | * [`00b8a464947aab72651801844d303c15481af26506028cc483eb00297b39bc95`](https://bazaar.abuse.ch/sample/00b8a464947aab72651801844d303c15481af26506028cc483eb00297b39bc95/) - fairly basic app dropper
16 | * [`5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5`](https://bazaar.abuse.ch/sample/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/) - a very comprehensive spyware sample with almost no obfuscation
17 | 
18 | ## Average samples
19 | * [`058a26ed7cbd3970edeccd39c03383bf48974be8b755e48961eca15837b61e3c`](https://github.com/Ch0pin/AndroidMalware_2021/blob/main/hydra.apk) - Hydra banking trojan (a bit of obfuscation and native code)
20 | * [`c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2`](https://bazaar.abuse.ch/download/c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2/) - infostealer from a targeted attack
21 | * [`960a508a362cd881f91182409f39643e2a923dd2b676227e690bb34b1985635a`](https://bazaar.abuse.ch/download/960a508a362cd881f91182409f39643e2a923dd2b676227e690bb34b1985635a/) - app which makes unwanted calls and has some clever obfuscation techniques
22 | * [`0e30948b3327a093bd7b35a10f65bc1f03a9b8d1d3e242dd6b5726e9136aaff0`](https://bazaar.abuse.ch/download/0e30948b3327a093bd7b35a10f65bc1f03a9b8d1d3e242dd6b5726e9136aaff0/) - backdoored legitimate apkpure application with a component responsible for additional downloads and adware
23 | * [`200cf6e828ceecf44add627d97c0a893a517d8e318047b760c339b1572a0b303`](https://bazaar.abuse.ch/sample/200cf6e828ceecf44add627d97c0a893a517d8e318047b760c339b1572a0b303/) - fairly obfuscated stalkerware sample, with some code flow obfuscation
24 | 
25 | ## Difficult samples
26 | * [`854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3`](https://bazaar.abuse.ch/sample/854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3/) - fairly complex spyware called FinSpy, obfuscated with lots of advanced features and proprietary protocols
27 | * [`ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5`](https://samples.vx-underground.org/samples/Families/Pegasus/7c3ad8fec33465fed6563bbfabb5b13d.7z) - Old Android Chrysaor (Pegasus) sample, I highly recommend going through the native code section
28 | * [`4406fb8e027a03c570b43778fe5d6bc38ea285f36221eee03f2e1abaa2d20651`](https://bazaar.abuse.ch/download/4406fb8e027a03c570b43778fe5d6bc38ea285f36221eee03f2e1abaa2d20651/) - Joker sample packed with an annoying packer
29 | * [`124228375f48e29f237d9a3256d0634d0b7fd5351a6a858a934ba29bed4632f4`](libandroid_runtime.so) - Triada sample, a library from [the system image](https://www.mediafire.com/file/x3sqa117eryt8gb/Tecno_W2_AW600B1_M_MT6580_161103V15_6.0.zip/file) (hint: look for encrypted strings)
30 | 
31 | 
32 | ----
33 | *The list was put together by me, [@maldr0id](https://twitter.com/maldr0id)*
34 | 


--------------------------------------------------------------------------------
/libandroid_runtime.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/maldroid/android-malware-samples/ff71c1bb3ab9c6a973faabb78defd253911c5736/libandroid_runtime.so


--------------------------------------------------------------------------------