Skip to main content

ยท 7 min read
Ian French
File Information

File name: com.bigos.androdumpper.apk
Size: 11MiB
Type: android
Mime: application/zip
SHA256: d2490fc5fc5a5f6fd9f58a8e3c488601367638d4dd9f3a5f892131dc50df9031
Last VirusTotal Scan: 11/17/2023 23:23:14
Last Sandbox Report: 11/17/2023 23:23:13
Malware Family: Luminati (not currently classified as malware)

0x1 Introโ€‹

Not all malicious (or at least dishonest) code can rightfully be called malware, even if the tactics used by the software in question are similar or even undistinguishable from actual malware. The difference is in how they are used. And sometimes - as in this case - you can grant developers permission to turn your Android device into a hidden SOCKS proxy for paying customers.

One of my favorite methods of poking around on Android devices is to install a Linux chroot image on a rooted device so that I can make use of my favorite command-line tools. This gives me access to a full Linux distro on my device.

I recently discovered an Android app called AndroDumpper that seemed innocent enough. However, when first starting the application you see this message asking you to agree to sharing some of your device's wifi and cellular data:

ยท 5 min read
Ian French

0x01 Initโ€‹

Note

This is a repost of an old blog post I made on another site.

Sometimes it's fun to turn the tables on the bad guys. A hobby of mine is hijacking botnets to see what all the fuss is about. The goal for today is to gain a shell on the malware host server.

danger

Don't actually do any of this. Someone once sent me threatening pictures of my children after I poked around the wrong botnet

Anyway. C&C web panels are commonly included with malware, and act as a central dashboard providing statistics, command functionality, and access to stolen information such as passwords. As they are essentially the heart and brain of a malware campaign and can be used to control thousands of infected hosts they tend to be hidden on obscure domains, deep from the prying eyes of Google and other search indexers, making them difficult to discover. The panels themselves are usually secured with long and complicated passwords and sometimes require specific URL parameters to be present before access is granted.

They also tend to be poorly coded and subject to exploitation, which we will leverage to our advantage ๐Ÿ˜.