The sample "simseg.apk" was not really hard to find.
I'm not really good at Android reversing (and I don't even have a mobile phone in real life :þ),
so I've read some posts about how this malware works :)
I retained two important things about how it returns information:
- Data are sent with GET requests.
- The C&C has no login form.
Now, more recently, when SpyEye 1.3.48 was released, EP_X0FF found a sample.
By brute forcing folders on the SpyEye 1.3.48 server I found the same C&C described by Trusteer.
Exactly the same C&C; there are even the 'call tests' made by the Trusteer guys:
There is nothing to do to exploit the C&C; the PHP code is really poor.
But due to the presence of the SpyEye C&C, it was possible to dump the stuff
(once again found by brute force and a little common sense).
The guy seems to use a legit version of SpyEye, OK cool, but he doesn't know shit about panels.
The server times out a lot: 815 bots call the gate and that already hangs like hell ^_-
Folder /sms/:
gate.php:
SQL dump (made by me):
Even found the same "simseg.apk" sample on the server, accompanied with SpyEye stuff: gates, Twitter/mail spammers...
Contrary to Ayelet Heyman, I don't think Spitmo will have a future (more probably variants written by other guys, based on simseg.apk).
Spitmo is weak and the guy who uses it is clearly not a professional.
Improved... well.