Possible 0 DAY - Android malicious script

In this article we look at a new malicious script that uninstalls the Google Update application package and Google Play Services (com.google.android.update and com.google.android.gms.update) and, as its last step, deletes the downloaded malware APK.


Here are the details of the success routine: the installation of "me.apk", the start of the MainActivity class, and the start of the adb service on TCP port 62676:
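The behaviours described above (removal of the two Google packages, launch of MainActivity, adb exposed on TCP port 62676, deletion of the dropped APK) can be turned into a simple triage check over a script's text. The following is an added example, not code from the post or its author: the package names and port come from the post, while the command forms (`pm uninstall`, `setprop service.adb.tcp.port`, `am start`, `rm`) are the standard Android shell commands that produce those effects and are an assumption about how such a script is written. The sample scripts and the `com.example.dropper` package name are constructed for the demo.

```python
import re

# Indicators named in the post: the two packages the script uninstalls and the adb TCP port.
SUSPICIOUS_PACKAGES = ("com.google.android.gms.update", "com.google.android.update")
ADB_TCP_PORT = "62676"

# Assumed command forms (the post only describes the behaviour, not the exact commands).
PATTERNS = {
    "uninstall_google_pkg": re.compile(
        r"\bpm\s+uninstall\b.*\b("
        + "|".join(re.escape(p) for p in SUSPICIOUS_PACKAGES)
        + r")\b"),
    "adb_tcp_enable": re.compile(
        r"service\.adb\.tcp\.port\s+" + ADB_TCP_PORT + r"\b|\btcpip\s+" + ADB_TCP_PORT + r"\b"),
    "activity_start": re.compile(r"\bam\s+start\b.*MainActivity\b"),
    "apk_cleanup": re.compile(r"\brm\b(\s+-\w+)*\s+\S*\.apk\b"),
}


def scan_script(text):
    """Map each matched indicator name to the 1-based line numbers where it fired."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_suspicious(hits):
    """Flag a script that both removes Google packages and opens adb over TCP,
    or that shows at least three of the four behaviours together."""
    core = {"uninstall_google_pkg", "adb_tcp_enable"}
    return core.issubset(hits) or len(hits) >= 3


# Constructed sample mimicking the described behaviour; it is not the real script.
# "com.example.dropper" is a placeholder package name for me.apk.
SAMPLE_SCRIPT = """#!/system/bin/sh
pm install -r /sdcard/me.apk
am start -n com.example.dropper/.MainActivity
pm uninstall com.google.android.update
pm uninstall com.google.android.gms.update
setprop service.adb.tcp.port 62676
stop adbd
start adbd
rm -f /sdcard/me.apk
"""

# Constructed benign script used as a control.
BENIGN_SCRIPT = """#!/system/bin/sh
pm list packages -3
am start -n com.android.settings/.Settings
"""

if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_script(script)
        print(label, "suspicious" if is_suspicious(hits) else "clean", hits)
```

The regexes are deliberately narrow; a script that reaches the same effect through a different command path would need additional patterns, so treat the hit list as a triage aid that points an analyst to the lines worth reading, not as a verdict.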


The script contacts the IP address 176.65.139[.]72:


It has SSH port 22 open, running OpenBSD OpenSSH:


The malicious script's SHA-256 hash is cefe4982af641fcbb0a1a30faaa639f0de617124bb282aa9394aa2a8ee4634e6, which is not known to OSINT sources:


The IP address in question is registered to Storm Industries in Germany:


Here are the details of the SSH fingerprint of the C&C IP address:


IOCs:

  • cefe4982af641fcbb0a1a30faaa639f0de617124bb282aa9394aa2a8ee4634e6
  • 176.65.139[.]72

YARA rule:

import "vt"

rule Possible_0Day_AndroidScript_20260328 {
  meta:
    description = "C&C IP address of a new possible 0 day Android malicious script"
    author = "malwareanalysis0"
    target_entity = "url"
  condition:
    vt.net.ip.ip_as_int == 2957085512
}
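The rule above compares against the integer form of the C&C address rather than the dotted string, so it is worth checking that 2957085512 really is 176.65.139.72 before deploying it. The following is an added example, not part of the post: it refangs the defanged IOC, computes the integer the `ip_as_int` field holds (the address as a big-endian 32-bit number), extracts the integers from a rule's condition and maps them back to dotted form, so the IOC list and the rule can be cross-checked. The rule text embedded in `RULE` is the one from the post.

```python
import ipaddress
import re


def refang(ioc):
    """Undo common defanging ("[.]", "hxxp") so the indicator can be parsed."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def ip_as_int(ip):
    """Big-endian integer form of an IPv4 address (accepts defanged input).
    This is the value the vt module's ip_as_int field is compared against."""
    return int(ipaddress.IPv4Address(refang(ip)))


def ip_from_int(value):
    """Inverse of ip_as_int: dotted-quad string for a 32-bit integer."""
    return str(ipaddress.IPv4Address(value))


def rule_ips(rule_text):
    """Return the dotted IPs of every 'ip_as_int == N' comparison in a rule."""
    return [ip_from_int(int(n)) for n in re.findall(r"ip_as_int\s*==\s*(\d+)", rule_text)]


def rule_matches_iocs(rule_text, iocs):
    """True when the IPs the rule checks for are exactly the (refanged) IOC list."""
    return sorted(rule_ips(rule_text)) == sorted(refang(i) for i in iocs)


def yara_ip_condition(iocs):
    """Build the condition clause for a list of (possibly defanged) IPv4 IOCs."""
    return " or ".join(f"vt.net.ip.ip_as_int == {ip_as_int(i)}" for i in iocs)


# Rule text as published in the post.
RULE = """import "vt"

rule Possible_0Day_AndroidScript_20260328 {
  meta:
    description = "C&C IP address of a new possible 0 day Android malicious script"
    author = "malwareanalysis0"
    target_entity = "url"
  condition:
    vt.net.ip.ip_as_int == 2957085512
}"""

IOC_IPS = ["176.65.139[.]72"]

if __name__ == "__main__":
    print("rule checks for:", rule_ips(RULE))
    print("consistent with IOC list:", rule_matches_iocs(RULE, IOC_IPS))
    print("condition for IOC list:", yara_ip_condition(IOC_IPS))
```

Keeping the integer conversion in one place means a future rule revision with several C&C addresses can be generated from the IOC list with `yara_ip_condition`, and reviewed with `rule_ips`, instead of being typed by hand.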


Sources of the OSINT screenshots: VirusTotal, AbuseIPDB and AlienVault