
SANS Internet Storm Center (SANS ISC) InfoSec Forums

Possible Android Malware - cable modem botnet creation?
Started 10/24/2017

I've seen some unusual traffic being blocked in a public Wi-Fi segment. A particular Android device is making repeated requests to
192.168.2.1 UDP 9003
192.168.1.2 TCP 5678
192.168.1.1 TCP 2345
The UDP traffic is always sourced from port 10002.

I did a brief packet capture of the UDP traffic and the data field looks like
2b:80:81:32:00:00:00:18:08:94:64:00:96:00:c0:05:14:00:01:0a:00:c8:00:c8:00:c0:05:14:00:00:c8:00:14:00:64:00:c0:05:14:00:00:0a:00
or as ASCII it's just a string of this:
+..2......d........
..............d......
.+..2......d........
..............d......
.+..2......d........
..............d......
.+..2......d........
..............d......
.+..2......d........
..............d......
.+..2......d........
..............d......

I've searched online and it seems Belkin is the biggest player using the 192.168.2.1 default.

I did briefly get my hands on the device today, and the only non-mainstream recently updated app that I saw was Trickster Pitch from Trickster Cards, Inc.
Updated October 23, 2017 on the store.
https://play.google.com/store/apps/details?id=com.trickstercards.pitch&hl=en

I asked the user if he could return when he had more time so we could try to verify which app is causing the traffic.

Any other ideas of where I should be looking?
Thanks
Mark

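A small triage helper for the payload quoted in the post above. This is an added example, not code from the post or from SANS ISC. It assumes the colon-separated hex in the post is one complete UDP datagram payload (43 bytes) and makes no claim about what protocol it belongs to; it only parses the bytes, renders the usual hex/ASCII dump, and reproduces the post's "ASCII" view to show why that view wraps where it does: the payload contains two 0x0a (newline) bytes, and the repeated lines are the same 43-byte payload sent over and over.

```python
"""Decode and inspect the captured UDP payload from the post (added example)."""

# Constructed from the hex quoted in the post: one datagram payload, 43 bytes.
CAPTURED_HEX = (
    "2b:80:81:32:00:00:00:18:08:94:64:00:96:00:c0:05:14:00:01:0a:00:c8:00:c8:00:"
    "c0:05:14:00:00:c8:00:14:00:64:00:c0:05:14:00:00:0a:00"
)


def parse_hex(text: str) -> bytes:
    """Accept hex as 'aa:bb:cc', 'aa bb cc' or 'aabbcc' (tshark/tcpdump styles)."""
    cleaned = "".join(ch for ch in text if ch not in ":- \n\t")
    return bytes.fromhex(cleaned)  # raises ValueError on odd length / bad digit


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / printable-ASCII dump, non-printables shown as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asciipart}")
    return "\n".join(lines)


def ascii_view(data: bytes) -> str:
    """Reproduce the terminal-style view in the post: printable bytes literally,
    0x0a honoured as a line break, everything else as '.'."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


def printable_bytes(data: bytes) -> list:
    """The few bytes that show up as real characters ('+', '2', 'd' in the post)."""
    return [chr(b) for b in data if 0x20 <= b < 0x7F]


def count_repeats(stream: bytes, unit: bytes) -> int:
    """How many times `unit` appears back-to-back from offset 0 of `stream`.
    The post's ASCII listing is this payload concatenated several times."""
    n = 0
    while unit and stream[n * len(unit):(n + 1) * len(unit)] == unit:
        n += 1
    return n


if __name__ == "__main__":
    payload = parse_hex(CAPTURED_HEX)
    print(f"{len(payload)} bytes; printable: {printable_bytes(payload)}")
    print(hexdump(payload))
    print("--- as the post rendered it (6 copies back-to-back) ---")
    print(ascii_view(payload * 6))
```

If more of these datagrams are captured for comparison (for example with tcpdump's `-x` output on a filter such as `udp and src port 10002 and dst host 192.168.2.1 and dst port 9003`), the hex can be fed straight into `parse_hex`; comparing the dumps of several samples shows which bytes stay constant and which change, which is the first step before guessing at the protocol or the app responsible.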
