Wednesday, October 19, 2022


As always, IOCs at the end. 


  • Uses IRC to send data to the attacker and FTP.

  • Get the victim's IP address via external services, uses ip2location until it is able to connect to the external service.

  • Get list of applications

  • Send SMS using the device.

  • Requests several permissions:

    • android.permission.INTERNET

    • android.permission.READ_EXTERNAL_STORAGE

    • android.permission.RECEIVE_BOOT_COMPLETED

    • android.permission.REBOOT

    • android.permission.CALL_PHONE

    • android.permission.READ_SMS

    • android.permission.READ_CONTACTS

    • android.permission.SEND_SMS

    • android.permission.WRITE_EXTERNAL_STORAGE

    • android.permission.READ_CALL_LOG

    • android.permission.SYSTEM_ALERT_WINDOW

  • Includes Spanish strings in the code, suggesting the actor is from a Spanish speaking country. 

  • The IP the duckdns serves the APK from is from Spain.

  • Useful links:

  • Virustotal Graph: 

  • Virustotal Collection:

This sample seems like work in progress. There is functionality implemented that is not called during execution. 

The channel and ids and credentials used to send data via IRC or via FTP. 

When connecting to the remote IRC server it answers from `irc.prodigybot[.]net`:

The random ID is generated by choosing a random number which is hardcoded:

It iterates in a loop to ensure that the BOT_IP is always the latest one:

There is functionality to get the list of applications installed in the device but it is not called, the same goes for sending SMS and getting the contacts list. 

The owner or owners point to maybe two different actors, SharK and G0ku, as seen in the code:


On the other side, this duckdns dynDNS url has been used in the past for other payloads and has hosted other unrelated malicious files:

Also, the serving IP address 95.60.57[.]103 is from Spain:

Similar samples were seen in the wild previously the 12th of August of 2022 and points to a work in progress. In previous samples, it contains similar functionality with slight differences. For example, data is stored in resources and the credentials stay the same. The resource owner might point to two actors.

Some functions not present in the current sample such as fetching mails via accountmanager are present in these old samples:


  • Sample SHA256: a0715a88e289763cac6ca6ce5b5b24575c6d966591c7949eb88d0024dcace2bc

  • IRC port

  • Owners: {"G0KU", "SharK"}

  • Resolving IP address of the dyndns: 95.60.57[.]103

  • Other SHA256:

    • ca0f0b0f2175ad5a982c6a135fb833e0d0f6093fdbd8004483804e5177c89671

    • 496590c57e3c3cc1cebbfb5135667a00ff11678ca0a3c913c5532ce8169221f4

    • c3fa7ac9db35a7d28468b25429a8334d22c6819b12df923e6dd65e2d0f9c8aa3

    • 7e339c8bac29595a26185bdda3242919e0c0ab64fa54ce454ede738c983c306d

    • 33c9320da28b5d1bd7b1a3ef1ac2b16f2977dfb6cd5e03f2868d956fa1d6ab45

    • 2855011ea35cb91642ca75bd3d027273b83cb4511f5a4da50c41b15df9490793


Every year I start writing about a wrap-up of my year but I never end up finishing it. Hope this year is different. I'm starting with th...