Validating machine


We recently announced an extension of the framework that detects previously unknown mobile malware. This extension is known as "z9 for Mobile Malware" and was officially announced in September 2017. So we decided to go further and understand whether other infected applications had been uploaded and published.

After decoding, we can see that is equal to and the content is just a single file. At first sight, the two applications appear to be uploaded by different developers, with different email addresses and different privacy links. A proper investigation of the read.physical.trian package revealed code designed to trick the Facebook Ads SDK and generate fake clicks on the advertisements spawned by the application. After a quick check of the privacy links of the two applications, some things were clear: Other than the previously listed files, there are other inaccessible files and folders related to logs (e.g. After a quick inspection of the file, it was clear that part of it was encoded in some way; in fact, it was not a valid APK file. Comparing the and files byte by byte, it is easy to see that only the first 2048 bytes of the file are encoded.
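The two checks described above, "is this a valid APK?" and "which bytes differ between the clean and the encoded copy?", are easy to automate. The following is an added example, not code from the original post or from the z9 project. It constructs its own sample APK (a stored ZIP with a single entry named classes.dex, a name chosen for the example) and obfuscates the first 2048 bytes with a simple XOR; the post does not describe the real encoding scheme, so the XOR is purely a stand-in so that there is something to compare. The APK validity check relies only on the ZIP container format: a local file header signature at offset 0 and an end-of-central-directory record near the end.

```python
import io
import zipfile

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"   # start of the first local file header
ZIP_EOCD_MAGIC = b"PK\x05\x06"           # end-of-central-directory record
EOCD_MAX_DISTANCE = 22 + 65535           # EOCD is at most this far from the end (comment field max)


def is_valid_apk(data: bytes) -> bool:
    """An APK is a ZIP archive: it must begin with a local file header and
    carry an end-of-central-directory record near the end. A file whose
    prefix has been encoded fails the first check while still passing the
    second, which is the signature of the partial encoding discussed above."""
    return data.startswith(ZIP_LOCAL_HEADER_MAGIC) and ZIP_EOCD_MAGIC in data[-EOCD_MAX_DISTANCE:]


def diff_region(reference: bytes, suspect: bytes):
    """Byte-by-byte comparison. Returns (first, last + 1) offsets of the span
    in which the two buffers differ, or None if they are identical."""
    if len(reference) != len(suspect):
        raise ValueError("buffers differ in length; not a byte-for-byte comparison")
    diffs = [i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]
    if not diffs:
        return None
    return diffs[0], diffs[-1] + 1


def build_sample_apk() -> bytes:
    """Constructed stand-in for the clean APK: a stored ZIP with one 4 KiB
    entry. The timestamp is pinned so the output is deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("classes.dex", date_time=(2017, 9, 1, 0, 0, 0))
        zf.writestr(info, bytes(i % 251 for i in range(4096)))
    return buf.getvalue()


def encode_prefix(data: bytes, length: int = 2048, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the obfuscation: XOR only the first `length`
    bytes and leave the rest untouched. This is an assumption for the example,
    not the encoding used by the sample in the post."""
    head = bytes(b ^ key for b in data[:length])
    return head + data[length:]


def analyse(reference: bytes, suspect: bytes) -> dict:
    """Report whether each file parses as an APK, where the encoded span is,
    how long it is, and whether everything after it matches the reference."""
    region = diff_region(reference, suspect)
    return {
        "reference_is_valid_apk": is_valid_apk(reference),
        "suspect_is_valid_apk": is_valid_apk(suspect),
        "encoded_region": region,
        "encoded_bytes": 0 if region is None else region[1] - region[0],
        "suffix_intact": region is not None and suspect[region[1]:] == reference[region[1]:],
    }


def run_demo() -> dict:
    """Build the clean sample, encode its prefix, and analyse the pair."""
    clean = build_sample_apk()
    return analyse(clean, encode_prefix(clean))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the constructed pair this reports that the reference parses as an APK, the suspect does not, the differing span is exactly bytes 0 through 2047, and the remainder is byte-for-byte identical. Against real files, replace `build_sample_apk()` and `encode_prefix()` with the clean and suspicious files read from disk; `diff_region()` and `is_valid_apk()` need no changes.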
