spyhide.apk
This report is generated from a file or URL submitted to this webservice on April 29th 2024 05:16:42 (UTC)
Report generated by Falcon Sandbox v6.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Has the ability to record audio or other media
  - Has the ability to send SMS
- Fingerprint
  - Has the ability to read the device ID (e.g. IMEI or ESN)
Additional Context
Related Sandbox Artifacts
- Associated URLs
  - spyhide.com/download/spyhide.apk
Indicators
Malicious Indicators (11)
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 34/61 Antivirus vendors marked sample as malicious (55% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 34/61 Antivirus vendors marked sample as malicious (55% detection rate)
  - source: External System
  - relevance: 8/10
General
- Has the ability to dial a phone number
  - details: Permission request for "android.permission.CALL_PHONE"
  - source: Static Parser
  - relevance: 3/10
- Has the ability to read the device ID (e.g. IMEI or ESN)
  - details:
    - Found invoke in "com.virsys.system.common.Utility.smali" to "android.telephony.TelephonyManager.getDeviceId"
    - Found invoke in "com.virsys.system.common.Utility.smali" to "android.telephony.TelephonyManager.getLine1Number"
  - source: Static Parser
  - relevance: 3/10
Installation/Persistence
- Has the ability to execute code after reboot
  - details: Permission request for "android.permission.RECEIVE_BOOT_COMPLETED"
  - source: Static Parser
  - relevance: 10/10
Spyware/Information Retrieval
- Has the ability to record audio or other media
  - details:
    - Found invoke in "com.virsys.system.common.lame.RecMicToMp3$1.smali" to "android.media.AudioRecord.startRecording"
    - Found invoke in "com.camundo.AudioCall.smali" to "android.media.MediaRecorder.start"
  - source: Static Parser
  - relevance: 3/10
Unusual Characteristics
- Has the ability to send SMS
  - details: Found invoke in "com.wifisettings.service.IncomingSms.smali" to "android.telephony.SmsManager.sendTextMessage"
  - source: Static Parser
  - relevance: 3/10
Hiding 4 Malicious Indicators
Suspicious Indicators (9)
General
- Has the ability to invoke native commands
  - details:
    - Found invoke in "com.stericson.RootTools.execution.Shell.smali" to "java.lang.Runtime.exec"
    - Found invoke in "com.stericson.RootTools.containers.RootClass$AnnotationsFinder.smali" to "java.lang.ProcessBuilder.start"
    - Found invoke in "com.camundo.util.FFMPEGWrapper.smali" to "java.lang.Runtime.exec"
    - Found invoke in "com.camundo.media.pipe.FFMPEGAudioInputPipe.smali" to "java.lang.Runtime.exec"
    - Found invoke in "com.camundo.media.pipe.FFMPEGAudioOutputPipe.smali" to "java.lang.Runtime.exec"
  - source: Static Parser
  - relevance: 3/10
- Uses java reflection classes
  - details:
    - Found invoke in "com.sun.mail.util.SocketFetcher.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "com.google.gson.internal.UnsafeAllocator$1.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "com.google.gson.internal.UnsafeAllocator$3.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "com.google.gson.internal.UnsafeAllocator$2.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "com.google.gson.internal.UnsafeAllocator.smali" to "java.lang.reflect.Field.get"
    - Found invoke in "com.google.gson.internal.UnsafeAllocator.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.smali" to "java.lang.reflect.Field.get"
    - Found invoke in "com.google.gson.FieldAttributes.smali" to "java.lang.reflect.Field.get"
    - Found invoke in "com.stericson.RootTools.execution.Shell$Worker.smali" to "java.lang.reflect.Field.get"
    - Found invoke in "org.apache.http.impl.client.CloseableHttpResponseProxy.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.http.impl.client.cache.ResponseProxyHandler.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.http.util.ExceptionUtils.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.http.client.utils.JdkIdn.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.http.client.utils.CloneUtils.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.commons.logging.impl.LogFactoryImpl.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.commons.logging.impl.SimpleLog.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.commons.logging.impl.Log4JLogger.smali" to "java.lang.reflect.Field.get"
    - Found invoke in "org.apache.commons.logging.impl.ServletContextCleaner.smali" to "java.lang.reflect.Method.invoke"
    - Found invoke in "org.apache.commons.logging.LogFactory.smali" to "java.lang.reflect.Method.invoke"
  - source: Static Parser
  - relevance: 3/10
Installation/Persistence
- Has the ability to access external storage
  - details:
    - Found invoke in "com.virsys.system.common.whatsapp.UtilsWhatsapp.smali" to "android.os.Environment.getExternalStorageDirectory"
    - Found invoke in "com.stericson.RootTools.internal.RootToolsInternalMethods.smali" to "android.os.Environment.getExternalStorageDirectory"
    - Found invoke in "com.stericson.RootTools.internal.RootToolsInternalMethods.smali" to "android.os.Environment.getExternalStorageState"
  - source: Static Parser
  - relevance: 3/10
Network Related
- Found potential IP address in binary/memory
  - details:
    - Heuristic match: "1.3.6.1.5.5.2"
    - "127.0.0.255"
  - source: File/Memory
  - relevance: 3/10
- Has the ability to open an internet connection
  - details:
    - Found invoke in "javax.activation.URLDataSource.smali" to "java.net.URL.openConnection"
    - Found invoke in "com.sun.mail.util.SocketFetcher.smali" to "java.net.Socket.connect"
    - Found invoke in "com.virsys.system.ServerUtilities.smali" to "java.net.URL.openConnection"
    - Found invoke in "com.virsys.system.common.protocols.serverprotocol.network.Http.smali" to "java.net.URL.openConnection"
    - Found invoke in "com.virsys.system.common.appmanager.Downloader.smali" to "java.net.URL.openConnection"
    - Found invoke in "org.apache.http.impl.pool.BasicConnFactory.smali" to "java.net.Socket.connect"
    - Found invoke in "org.apache.http.conn.ssl.SSLConnectionSocketFactory.smali" to "java.net.Socket.connect"
    - Found invoke in "org.apache.http.conn.ssl.SSLSocketFactory.smali" to "java.net.Socket.connect"
    - Found invoke in "org.apache.http.conn.socket.PlainConnectionSocketFactory.smali" to "java.net.Socket.connect"
    - Found invoke in "org.apache.http.conn.scheme.PlainSocketFactory.smali" to "java.net.Socket.connect"
    - Found invoke in "org.apache.http.conn.MultihomePlainSocketFactory.smali" to "java.net.Socket.connect"
    - Found invoke in "org.apache.commons.logging.LogFactory$5.smali" to "java.net.URL.openConnection"
  - source: Static Parser
  - relevance: 3/10
Spyware/Information Retrieval
- Has the ability to record audio
  - details: Permission request for "android.permission.RECORD_AUDIO"
  - source: Static Parser
  - relevance: 10/10
Hiding 3 Suspicious Indicators
Informative (5)
General
- Requires permissions only available to signed APKs part of the system
  - details: Found permission request for "android.permission.WRITE_SECURE_SETTINGS"
  - source: Static Parser
  - relevance: 7/10
- Tests the internet connectivity
  - details:
    - Found invoke in "com.virsys.system.common.Utility.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
    - Found invoke in "com.virsys.system.common.Utility.smali" to "android.net.NetworkInfo.isConnected"
    - Found invoke in "com.virsys.system.common.protocols.serverprotocol.ServerProtocol.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
    - Found invoke in "com.virsys.system.common.protocols.serverprotocol.network.Http.smali" to "android.net.NetworkInfo.isConnected"
    - Found invoke in "com.virsys.system.common.protocols.serverprotocol.network.Http.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
    - Found invoke in "com.virsys.system.common.Connectivity.smali" to "android.net.NetworkInfo.isConnected"
    - Found invoke in "com.virsys.system.common.Connectivity.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
    - Found invoke in "com.camundo.util.NetworkUtils.smali" to "android.net.NetworkInfo.isConnected"
    - Found invoke in "com.camundo.util.NetworkUtils.smali" to "android.net.ConnectivityManager.getActiveNetworkInfo"
  - source: Static Parser
  - relevance: 3/10
Installation/Persistence
- Dropped files
  - details:
    - "dsn.mf" has type "ASCII text"
    - "javamail.charset.map" has type "ASCII text"
    - "javamail.default.address.map" has type "ASCII text"
    - "javamail.default.providers" has type "ASCII text"
    - "javamail.imap.provider" has type "ASCII text"
    - "javamail.pop3.provider" has type "ASCII text"
    - "javamail.smtp.address.map" has type "ASCII text"
    - "javamail.smtp.provider" has type "ASCII text"
    - "libmp3lame.so" has type "ELF 32-bit LSB shared object ARM EABI5 version 1 (SYSV) dynamically linked stripped"
    - "mailcap" has type "ASCII text"
    - "mailcap.default" has type "ASCII text"
    - "mimetypes.default" has type "ASCII text"
  - source: Binary File
  - relevance: 3/10
Network Related
- Found potential URL in binary/memory
  - details:
    - Pattern match: "http://client.spyhide.com"
    - Pattern match: "www.SpyHide.com"
    - Heuristic match: "lib/armeabi/libmp3lame.so"
    - Heuristic match: "user.name"
    - Heuristic match: "CONTACT javamail@sun.com"
    - Pattern match: "vnd.android.cursor.item/name"
    - Pattern match: "vnd.android.cursor.item/phone_v2"
    - Pattern match: "vnd.android.cursor.item/postal-address_v2"
    - Pattern match: "vnd.android.cursor.item/email_v2"
    - Pattern match: "vnd.android.cursor.item/photo"
    - Heuristic match: "mojmadah@gmail.com"
    - Heuristic match: "smtp.gmail.com"
    - Pattern match: "http://virsis.net/client:8080/gcm-demo/register"
    - Pattern match: "http://virsis.net/client:8080/gcm-demo/unregister"
    - Heuristic match: "flushdata3.hellospy.com"
    - Pattern match: "virsis.net/client"
    - Heuristic match: "flushdata3.virsys.com"
    - Pattern match: "com.bbm/files/bbmcore/"
    - Pattern match: "com.facebook.orca/databases/"
    - Pattern match: "com.google.android.gm/databases/"
    - Pattern match: "com.viber.voip/databases/"
    - Pattern match: "com.yahoo.mobile.client.android.im/databases/"
    - Heuristic match: "@facebook.com"
    - Pattern match: "http://virsis.net"
    - Heuristic match: "com.yahoo.mobile.client.android.im"
    - Pattern match: "http://hellospy.com/downloads/ffmpeg"
    - Pattern match: "http://virsis.net/client:8080/gcm-demo"
    - Pattern match: "http://example.com/"
    - Pattern match: "http://commons.apache.org/logging/tech.html"
    - Pattern match: "http://commons.apache.org/logging/troubleshooting.html"
  - source: File/Memory
  - relevance: 10/10
Spyware/Information Retrieval
- Found a reference to a known community page
  - details: "@facebook.com" (Indicator: "facebook.com")
  - source: File/Memory
  - relevance: 7/10
File Details
spyhide.apk
- Filename: spyhide.apk
- Size: 4.2MiB (4380361 bytes)
- Type: java compressed jar
- Description: Java Jar file data (zip)
- Architecture: -
- SHA256: 1d6d2394e3cbff757197f1826c86a12a348cdb877d144fe959745f9e0f451118
- MD5: 63cf2421a71e7a0f941fe58ecc2a9b55
- SHA1: dc71d6f548778c2d6b6bd5bb9f9dbc9b8f7fb98e
Version Info
- Minimum SDK: 9 (Gingerbread)
- Target SDK: 21 (Lollipop)
- Version Code: 4
- Version Name: 1.4
- Package Name: com.wifiset.service
- Entrypoint: com.wifiset.servicecom.android.system.EntranceActivity
Classification (TrID)
- 73.9% (.APK) Android Package
- 20.4% (.JAR) Java Archive
- 5.6% (.ZIP) ZIP compressed archive
File Permissions
Permission | Description |
---|---|
android.permission.READ_PHONE_STATE | Allows read only access to phone state. |
android.permission.READ_CALL_LOG | Allows an application to read the user's call log. |
com.android.browser.permission.READ_HISTORY_BOOKMARKS | - |
android.permission.INTERNET | Allows applications to open network sockets. |
android.permission.WRITE_SMS | - |
android.permission.READ_SMS | Allows an application to read SMS messages. |
android.permission.PROCESS_OUTGOING_CALLS | Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. |
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. |
android.permission.SEND_SMS | Allows an application to send SMS messages. |
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages. |
android.permission.READ_LOGS | Allows an application to read the low-level system log files. |
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. |
android.permission.ACCESS_FINE_LOCATION | Allows an app to access precise location. |
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. |
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. |
android.permission.WRITE_CONTACTS | Allows an application to write the user's contacts data. |
android.permission.RECEIVE_BOOT_COMPLETED | Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting. |
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. |
android.permission.WAKE_LOCK | Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming. |
android.permission.GET_TASKS | This constant was deprecated in API level 21. No longer enforced. |
android.permission.WRITE_SETTINGS | Allows an application to read or write the system settings. |
android.permission.WRITE_SECURE_SETTINGS | Allows an application to read or write the secure system settings. |
android.permission.CHANGE_WIFI_STATE | Allows applications to change Wi-Fi connectivity state. |
android.permission.CHANGE_NETWORK_STATE | Allows applications to change network connectivity state. |
android.permission.ACCESS_WIFI_STATE | Allows applications to access information about Wi-Fi networks. |
android.permission.ACCESS_NETWORK_STATE | Allows applications to access information about networks. |
android.permission.CAMERA | Required to be able to access the camera device. |
android.permission.RECORD_AUDIO | Allows an application to record audio. |
android.permission.STORAGE | - |
com.android.email.permission.ACCESS_PROVIDER | - |
com.virsys.system.permission.C2D_MESSAGE | - |
com.google.android.c2dm.permission.RECEIVE | - |
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. |
File Activities
Activity | Description |
---|---|
com.wifiset.servicecom.android.system.EntranceActivity | Entrypoint |
com.wifiset.servicecom.android.system.FirstActivityCheck | - |
com.wifiset.servicecom.android.system.MainActivity | - |
com.wifiset.servicecom.android.system.Splash | - |
com.wifiset.servicecom.android.system.TermActivity | - |
File Receivers
Receiver | Intents |
---|---|
com.android.system.BatteryLevelReceiver | android.intent.action.ACTION_BATTERY_LOW, android.intent.action.ACTION_BATTERY_OKAY |
com.android.system.BootBroadcast | android.intent.action.BOOT_COMPLETED, android.intent.action.QUICKBOOT_POWERON |
com.android.system.IncomingCallsReceiver | android.intent.action.PHONE_STATE (Priority: 1000) |
com.android.system.IncomingSMSReceiver | android.provider.Telephony.SMS_RECEIVED (Priority: 1000) |
com.android.system.LocationReceiver | - |
com.android.system.MyDeviceAdminReceiver | android.app.action.DEVICE_ADMIN_ENABLED |
com.android.system.NetworkChangeReceiver | android.net.conn.CONNECTIVITY_CHANGE |
com.android.system.OutgoingCallsReceiver | android.intent.action.NEW_OUTGOING_CALL (Priority: 1000) |
com.android.system.PowerConnectionReceiver | android.intent.action.ACTION_POWER_CONNECTED, android.intent.action.ACTION_POWER_DISCONNECTED |
com.android.system.ProxyChangeReceiver | android.intent.action.PROXY_CHANGE |
com.android.system.SyncAndFlushReceiver | - |
com.google.android.gcm.GCMBroadcastReceiver | com.google.android.c2dm.intent.RECEIVE, com.google.android.c2dm.intent.REGISTRATION |
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Android Debug, O=Android, C=US | CN=Android Debug, O=Android, C=US (Serial: 4cdc0163) | 01/13/2017 15:43:55 to 01/06/2047 15:43:55 | 58:97:4A:44:2C:B4:7A:67:64:7F:D4:5E:8A:2D:A5:41, 6E:B4:9E:72:D6:13:8B:42:10:D1:CA:60:24:7D:41:9E:56:60:31:5C |
Extracted Strings
Extracted Files
Informative (12)
File | Size | Type | Description | MD5 | SHA1 | SHA256 |
---|---|---|---|---|---|---|
dsn.mf | 357B (357 bytes) | text | ASCII text | 9d61230f3455256d22351dbc6c342dc1 | 65c9d44e94d80b84fb8370d0f0599e0b5d1a9a42 | 6da3c8af22d0e97b5bbcd3e85371941f7693a405fbb12b5c010e2c8fc7f783ce |
javamail.charset.map | 1.3KiB (1296 bytes) | text | ASCII text | ab2e19ec7ebd8b50e4715e5bfe0c7410 | e019d4d4740806426f88ee37b32d2e1a110cf15f | 149ac3fbf3505bfbe1c46aacef85eaa0a55c55ba80ab8737b457efa85e7f1495 |
javamail.default.address.map | 12B (12 bytes) | text | ASCII text | fbe316c00a93e82d16a04fa30ef2e108 | 38301f4b7e2e46e4c1758cd828f069fb57aa1199 | d68603de588e040e34a32650320fe1eedb6c79abd731b486ee072d7017890c41 |
javamail.default.providers | 721B (721 bytes) | text | ASCII text | c569bccc1908a349f400339ac12549b4 | 6e4923dedf37e8e6490453bffeeb114424e36785 | 6d498025b02c1b62ab815a1e23052d70f134d7faceb85802df50d654ed3eb0b5 |
javamail.imap.provider | 235B (235 bytes) | text | ASCII text | db2ef6cf54f2498ba3b38e9a26314f03 | cf91f9fe1a9d9d9ab353d42ecea6e9442371a7bc | 4e3c5662e0db687d5e3376c472c6c28fcd152acf26717f7c49824245aaf48f55 |
javamail.pop3.provider | 236B (236 bytes) | text | ASCII text | 9a8770ed87879a5e34301a37b0cad16d | 5b315106aadfa457514d87f50c992a25bd8cec1b | dd22cf25f70128198072a41d7616b9a502c156c1840563c3f5d85c3a0b37a49d |
javamail.smtp.address.map | 12B (12 bytes) | text | ASCII text | fbe316c00a93e82d16a04fa30ef2e108 | 38301f4b7e2e46e4c1758cd828f069fb57aa1199 | d68603de588e040e34a32650320fe1eedb6c79abd731b486ee072d7017890c41 |
javamail.smtp.provider | 251B (251 bytes) | text | ASCII text | 7d1dbd60899090c7361afe80d964f81a | bfb7c0fd8bd7a41121fa1e6098cbebe687a0fabf | 3bd5ef23e3f960fa30d8210054a526aabb0fb89192a2f1ed0270ae64d9606795 |
libmp3lame.so | 161KiB (164744 bytes) | unknown | ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped | d79a201536ee581e07203ada26b3cd63 | f772a5e52d11ca18befb791cf9876901d4321301 | 45425412661f7bfff0fb886a647b119c1c31d43cb8be8fbb195b1ae1c29e5666 |
mailcap | 720B (720 bytes) | text | ASCII text | 258341c7303cb61d00d690c38e07f8fe | dc645f9f418c9c6959f761125027a8c2d9bae9ad | 68d034485b4bfe5c9e6779a38b231ab6954a791aa98a449a11917a0d048b6e42 |
mailcap.default | 292B (292 bytes) | text | ASCII text | 6b097cd00752fc9fe349d8a002a4129a | bf5d8403c45171ca2e0ec328704e06ce0d31ead1 | fc55453719bc94f8b831c4faf43080e2d47fa4e84206e02325a56cc68864c013 |
mimetypes.default | 581B (581 bytes) | text | ASCII text | 331db016d0dda7b270725d6831e53826 | 15c469760142f4425b18ab81218707f6ccdf027d | 19e63e40440517b8383e3670649ddab6d227b4e5d17e071d760ea6d1a66f45c2 |
Notifications
Runtime
- No static analysis parsing on sample was performed
- Not all sources for signature ID "static-27" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)