2025-10-02: Android malware
This post describes an Android malware campaign identified on 2025-10-02, covering the download of the malicious app from a Telegram channel, its login screen, the server-location selection, and the associated traffic and TCP stream data. The attacker harvests user information through a disguised app and uses configuration and WebSocket traffic for control. 2025-10-7 02:31:0 Author: www.malware-traffic-analysis.net

2025-10-02 (THURSDAY): ANDROID MALWARE

NOTES:

  • Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

REFERENCES:

ASSOCIATED FILES:

NOTES:

  • This is a pcap of traffic and images from an Android malware infection based on information from late last month (see the above references for details).

IMAGES


Shown above:  Telegram channel where I downloaded the malware from.


Shown above:  Screenshot of the app icon on the device's home screen after I downloaded it.


Shown above:  Screenshot of the login screen that appears when you first open the app.


Shown above:  Screenshot of the app after I logged in.


Shown above:  I had the choice to change server locations.


Shown above:  Traffic from the Android device when I downloaded, opened, and logged into the malicious app.


Shown above:  TCP stream of configuration traffic after I'd logged into the malicious app.


Shown above:  TCP stream of websocket traffic generated by the app after logging in.



Source: https://www.malware-traffic-analysis.net/2025/10/02/index.html