@secmobi
Last active April 22, 2016 11:56
Adware.iPhoneOS.Muda.a
FAMILY: Adware.iPhoneOS.Muda.a
DOWNLOAD: https://paloaltonetworks.box.com/MudaSample
PASSWORD: infected
SHA256:
388519364946e147f4cd675d2db4511f3308f395c19b36a14b39d205ee49d2d4 FreeApp.deb
2a36bbf40cde33b09ce6e25119b3d434fb0abaf32a5d0d033ecbf9b920b03969 FreeApp.dylib
LICENSE:
You can use it for any purpose. The only requirement is that if you publish any analysis report, blog post or paper specifically about this family, please give me proper credit. (Email me for details: iClaudXiao@gmail.com)
BACKGROUND:
1. The adware has been spreading for over 2 years (at least since Oct 2013).
2. It spreads via third-party Cydia sources in China, and only affects jailbroken iOS devices.
3. Its main behaviors are displaying advertisements over other apps or in the notification bar, and prompting the user to download the iOS apps it promotes.
4. There are several more variants. Some variants change the dylib's name to a random string. Some variants keep themselves alive (re-drop themselves later) even after the user has manually deleted the dylib and the plist files. Besides "FreeApp", other meaningful file names include "AppSafety" and "MobileSync".
5. It used these domains for uploading information, promoting apps, self-updating, etc. (Note that this isn't a complete list):
- f.adusapp.info
- f.umscape.com
- a.iosappus.info
- a.iosappmm.info
- iosapi.iosappua.info
6. The author also registered domains such as appfreestore.com and oappstore.net that were used by an Android backdoor "SysPhones": http://seclab.safe.baidu.com/2014-11/sysphones.html
7. Google keywords to find victims: "iPhone 精品推荐", "f.adusapp.info".
8. In VirusTotal, Qihoo detected it as "AdLord". But I personally prefer another name, "Muda" -- from its code prefix "UMAd". I shared the samples with some security vendors on Oct 9th. As far as I know, Symantec and DrWeb have adopted the name "Muda".