├── _config.yml
├── index.md
└── libandroid_runtime.so

/_config.yml:

```yaml
remote_theme: pages-themes/hacker@v0.2.0
plugins:
  - jekyll-remote-theme

theme: jekyll-theme-hacker
```

/index.md:

# Not so boring Android malware

Welcome! The purpose of this website is to gather a diverse set of different Android malware samples. Android malware datasets are so often boring: they contain the same or very similar malware families and, if used to practice reverse engineering, quickly become repetitive.

I've decided to create a list of samples which are different. Each one should give you a different, fun reverse engineering challenge. The samples are divided into three sections: easy, average and difficult. Each sample comes with a short description of what the malware does (but no spoilers!). All samples are sourced from publicly available websites, and each entry links to its source.

My promise to you is that in this list there is only one banking phishing app, and there will always be only one banking phishing app.

*Have fun!*

## Easy samples
* [`5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e`](https://bazaar.abuse.ch/sample/5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e/#intel) - a very simple screen locker (ransomware) with a cleartext password
* [`355cd2b71db971dfb0fac1fc391eb4079e2b090025ca2cdc83d4a22a0ed8f082`](https://bazaar.abuse.ch/download/355cd2b71db971dfb0fac1fc391eb4079e2b090025ca2cdc83d4a22a0ed8f082/) - a very simple SMS stealer
* [`86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d`](https://bazaar.abuse.ch/download/86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d/) - stalkerware / commercial spyware used to monitor devices to which the attacker has physical access
* [`00b8a464947aab72651801844d303c15481af26506028cc483eb00297b39bc95`](https://bazaar.abuse.ch/sample/00b8a464947aab72651801844d303c15481af26506028cc483eb00297b39bc95/) - a fairly basic app dropper
* [`5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5`](https://bazaar.abuse.ch/sample/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/) - a very comprehensive spyware sample with almost no obfuscation

## Average samples
* [`058a26ed7cbd3970edeccd39c03383bf48974be8b755e48961eca15837b61e3c`](https://github.com/Ch0pin/AndroidMalware_2021/blob/main/hydra.apk) - Hydra banking trojan (a bit of obfuscation and native code)
* [`c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2`](https://bazaar.abuse.ch/download/c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2/) - an infostealer from a targeted attack
* [`960a508a362cd881f91182409f39643e2a923dd2b676227e690bb34b1985635a`](https://bazaar.abuse.ch/download/960a508a362cd881f91182409f39643e2a923dd2b676227e690bb34b1985635a/) - an app which makes unwanted calls and uses some clever obfuscation techniques
* [`0e30948b3327a093bd7b35a10f65bc1f03a9b8d1d3e242dd6b5726e9136aaff0`](https://bazaar.abuse.ch/download/0e30948b3327a093bd7b35a10f65bc1f03a9b8d1d3e242dd6b5726e9136aaff0/) - a backdoored legitimate APKPure application with a component responsible for additional downloads and adware
* [`200cf6e828ceecf44add627d97c0a893a517d8e318047b760c339b1572a0b303`](https://bazaar.abuse.ch/sample/200cf6e828ceecf44add627d97c0a893a517d8e318047b760c339b1572a0b303/) - a fairly obfuscated stalkerware sample, with some control-flow obfuscation

## Difficult samples
* [`854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3`](https://bazaar.abuse.ch/sample/854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3/) - fairly complex spyware called FinSpy, obfuscated, with lots of advanced features and proprietary protocols
* [`ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5`](https://samples.vx-underground.org/samples/Families/Pegasus/7c3ad8fec33465fed6563bbfabb5b13d.7z) - an old Android Chrysaor (Pegasus) sample; I highly recommend going through the native code section
* [`4406fb8e027a03c570b43778fe5d6bc38ea285f36221eee03f2e1abaa2d20651`](https://bazaar.abuse.ch/download/4406fb8e027a03c570b43778fe5d6bc38ea285f36221eee03f2e1abaa2d20651/) - a Joker sample packed with an annoying packer
* [`124228375f48e29f237d9a3256d0634d0b7fd5351a6a858a934ba29bed4632f4`](libandroid_runtime.so) - a Triada sample, a library from [the system image](https://www.mediafire.com/file/x3sqa117eryt8gb/Tecno_W2_AW600B1_M_MT6580_161103V15_6.0.zip/file) (hint: look for encrypted strings)

----
*The list was put together by me, [@maldr0id](https://twitter.com/maldr0id)*

/libandroid_runtime.so: binary file, available at https://raw.githubusercontent.com/maldroid/android-malware-samples/ff71c1bb3ab9c6a973faabb78defd253911c5736/libandroid_runtime.so