{
	"id": "937938bb-999c-4e31-8f95-233b71f68662",
	"created_at": "2026-04-06T00:19:11.351242Z",
	"updated_at": "2026-04-10T03:37:50.54405Z",
	"deleted_at": null,
	"sha1_hash": "d16133f168a1d59e95e07f9c8c94e00459183058",
	"title": "Update on the Fancy Bear Android malware (poprd30.apk) – CrySyS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134580,
	"plain_text": "Update on the Fancy Bear Android malware (poprd30.apk) – CrySyS Blog\r\nPublished: 2017-03-02 · Archived: 2026-04-05 22:09:23 UTC\r\nAbout the APK:\r\nThe APK file that was investigated by CrowdStrike and us is actually corrupt; unzipping yields two warnings and a CRC error.\r\n$ unzip 6f7523d3019fa190499f327211e01fcb.apk\r\nArchive: 6f7523d3019fa190499f327211e01fcb.apk\r\nwarning [6f7523d3019fa190499f327211e01fcb.apk]: 1 extra byte at beginning or within zipfile\r\n(attempting to process anyway)\r\nfile #1: bad zipfile offset (local header sig): 1\r\n(attempting to re-compensate)\r\ninflating: META-INF/MANIFEST.MF\r\ninflating: META-INF/CERT.SF\r\ninflating: META-INF/CERT.RSA\r\ninflating: AndroidManifest.xml\r\ninflating: classes.dex\r\nextracting: res/drawable-hdpi/dmk.png\r\nextracting: res/drawable-hdpi/ic_launcher.png\r\nextracting: res/drawable-mdpi/fon_1.jpg\r\nextracting: res/drawable-mdpi/fon_2.png\r\nextracting: res/drawable-mdpi/fon_3.png\r\nextracting: res/drawable-mdpi/ic_action_search.png\r\nextracting: res/drawable-mdpi/ic_launcher.png\r\nextracting: res/drawable-mdpi/panel_2.gif\r\nextracting: res/drawable-mdpi/panel_4.png\r\nextracting: res/drawable-mdpi/panel_5.png\r\nextracting: res/drawable-mdpi/panel_6.png\r\nextracting: res/drawable-mdpi/panel_7.png\r\nextracting: res/drawable-mdpi/warnings.png bad CRC 73cded37 (should be 902e9cdb)\r\nfile #19: bad zipfile offset (local header sig): 660433\r\n(attempting to re-compensate)\r\nextracting: res/drawable-xhdpi/ic_launcher.png\r\nextracting: res/drawable-xxhdpi/ic_launcher.png\r\ninflating: res/layout/activity_reg_form.xml\r\ninflating: res/layout/byleten.xml\r\ninflating: res/layout/dan_dmk.xml\r\nhttp://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/\r\nPage 1 of 6\r\ninflating: res/layout/dan_meteo.xml\r\ninflating: res/layout/dan_vr_2.xml\r\ninflating: res/layout/meteo_podg_form.xml\r\ninflating: res/layout/o_avtope_form.xml\r\ninflating: res/layout/pomow_form.xml\r\ninflating: res/layout/promt.xml\r\nextracting: resources.arsc\r\nIn this form the APK cannot be installed; attempting to do so results in the phone yielding the following error message:\r\n$ adb install 6f7523d3019fa190499f327211e01fcb.apk\r\nFailed to install 6f7523d3019fa190499f327211e01fcb.apk: Failure [INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION: Failed to parse /data/app/vmdl135131206.tmp/base.apk: AndroidManifest.xml]\r\nFrom the error messages we suspected that an extra byte had somehow ended up in the APK file.\r\nThe repair process consisted of finding and removing an extra byte from the file “warnings.png”. Since changing only this byte yields a valid APK file, the result might be the original file. After repair, we got the following file.\r\n$ sha256sum REPAIRED.apk\r\n5b6ea28333399a73475027328812fb42259c12bb24b6650e5def94f4104f385e REPAIRED.apk\r\n$ unzip -vt REPAIRED.apk\r\nArchive: REPAIRED.apk\r\ntesting: META-INF/MANIFEST.MF OK\r\ntesting: META-INF/CERT.SF OK\r\ntesting: META-INF/CERT.RSA OK\r\ntesting: AndroidManifest.xml OK\r\ntesting: classes.dex OK\r\ntesting: res/drawable-hdpi/dmk.png OK\r\ntesting: res/drawable-hdpi/ic_launcher.png OK\r\ntesting: res/drawable-mdpi/fon_1.jpg OK\r\ntesting: res/drawable-mdpi/fon_2.png OK\r\ntesting: res/drawable-mdpi/fon_3.png OK\r\ntesting: res/drawable-mdpi/ic_action_search.png OK\r\ntesting: res/drawable-mdpi/ic_launcher.png OK\r\ntesting: res/drawable-mdpi/panel_2.gif OK\r\ntesting: res/drawable-mdpi/panel_4.png OK\r\ntesting: res/drawable-mdpi/panel_5.png OK\r\ntesting: res/drawable-mdpi/panel_6.png OK\r\ntesting: res/drawable-mdpi/panel_7.png OK\r\ntesting: res/drawable-mdpi/warnings.png OK\r\ntesting: res/drawable-xhdpi/ic_launcher.png OK\r\ntesting: res/drawable-xxhdpi/ic_launcher.png OK\r\ntesting: res/layout/activity_reg_form.xml OK\r\ntesting: res/layout/byleten.xml OK\r\ntesting: res/layout/dan_dmk.xml OK\r\ntesting: res/layout/dan_meteo.xml OK\r\ntesting: res/layout/dan_vr_2.xml OK\r\ntesting: res/layout/meteo_podg_form.xml OK\r\ntesting: res/layout/o_avtope_form.xml OK\r\ntesting: res/layout/pomow_form.xml OK\r\ntesting: res/layout/promt.xml OK\r\ntesting: resources.arsc OK\r\nNo errors detected in compressed data of REPAIRED.apk.\r\n$ jarsigner -verbose -verify REPAIRED.apk\r\ns 2215 Thu Feb 28 18:33:46 CET 2008 META-INF/MANIFEST.MF\r\n2268 Thu Feb 28 18:33:46 CET 2008 META-INF/CERT.SF\r\n1714 Thu Feb 28 18:33:46 CET 2008 META-INF/CERT.RSA\r\nsm 6108 Thu Feb 28 18:33:46 CET 2008 AndroidManifest.xml\r\nsm 543000 Thu Feb 28 18:33:46 CET 2008 classes.dex\r\nsm 7047 Thu Feb 28 18:33:46 CET 2008 res/drawable-hdpi/dmk.png\r\nsm 1703 Thu Feb 28 18:33:46 CET 2008 res/drawable-hdpi/ic_launcher.png\r\nsm 68364 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/fon_1.jpg\r\nsm 153893 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/fon_2.png\r\nsm 182654 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/fon_3.png\r\nsm 311 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/ic_action_search.png\r\nsm 1853 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/ic_launcher.png\r\nsm 2241 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/panel_2.gif\r\nsm 4420 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/panel_4.png\r\nsm 450 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/panel_5.png\r\nsm 1448 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/panel_6.png\r\nsm 551 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/panel_7.png\r\nsm 25089 Thu Feb 28 18:33:46 CET 2008 res/drawable-mdpi/warnings.png\r\nsm 2545 Thu Feb 28 18:33:46 CET 2008 res/drawable-xhdpi/ic_launcher.png\r\nsm 4845 Thu Feb 28 18:33:46 CET 2008 res/drawable-xxhdpi/ic_launcher.png\r\nsm 4356 Thu Feb 28 18:33:46 CET 2008 res/layout/activity_reg_form.xml\r\nsm 20332 Thu Feb 28 18:33:46 CET 2008 res/layout/byleten.xml\r\nsm 10584 Thu Feb 28 18:33:46 CET 2008 res/layout/dan_dmk.xml\r\nsm 20852 Thu Feb 28 18:33:46 CET 2008 res/layout/dan_meteo.xml\r\nsm 10208 Thu Feb 28 18:33:46 CET 2008 res/layout/dan_vr_2.xml\r\nsm 2772 Thu Feb 28 18:33:46 CET 2008 res/layout/meteo_podg_form.xml\r\nsm 2076 Thu Feb 28 18:33:46 CET 2008 res/layout/o_avtope_form.xml\r\nsm 2944 Thu Feb 28 18:33:46 CET 2008 res/layout/pomow_form.xml\r\nsm 952 Thu Feb 28 18:33:46 CET 2008 res/layout/promt.xml\r\nsm 13296 Thu Feb 28 18:33:46 CET 2008 resources.arsc\r\ns = signature was verified\r\nm = entry is listed in manifest\r\nk = at least one certificate was found in keystore\r\ni = at least one certificate was found in identity scope\r\nSigned by “EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US”\r\nDigest algorithm: SHA1\r\nSignature algorithm: SHA1withRSA, 2048-bit key\r\njar verified.\r\nWarning:\r\nThis jar contains entries whose certificate chain is not validated.\r\nThis jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate’s expiration date (2035-07-17) or after any future revocation date.\r\nRe-run with the -verbose and -certs options for more details.\r\nAbout the RC4/encryption key:\r\nBy decompiling and manually “refactoring” the encryption algorithm, we discovered a “textbook” RC4 implementation as the encryption routine. It uses the hard-coded key as the first part of the encryption key, with the second part coming as a parameter from the function call:\r\nAnalyzing the XAgent Linux sample, which also contained this RC4 key, we did not find an RC4 implementation, but a simple XOR-based encryption routine:\r\nWe found one function call which used the encryption key from the APK as input, but surprisingly, it was not used as the key parameter but as the input parameter.\r\nFor checking HTTP GET and POST messages, a different XOR-based check routine and a Base64-like encoding can be found. After decoding, the XOR-based routine checks the HTTP result’s body: it XORs bytes 4-11 with the first 4 bytes as a key. The result should then equal a hardcoded 7-byte value, which the sample uses to check whether the recv succeeded or not.\r\nThese XAgent Linux samples are very similar to a Windows version that was found in November 2013 (5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1).\r\nRecommended YARA rule for the Linux versions:\r\nrule sofacy_xagent {\r\n    meta:\r\n        author = \"AKG\"\r\n        description = \"Sofacy - XAgent\"\r\n    strings:\r\n        $service = \"ksysdefd\"\r\n        $x1 = \"AgentKernel\"\r\n        $x2 = \"Cryptor\"\r\n        $x3 = \"AgentModule\"\r\n        $x4 = \"ChannelController\"\r\n        $x5 = \"RemoteKeylogger\"\r\n        $a1 = \"UNCORRECT DISPLAY NAME\"\r\n        $a2 = \"Keylogger started\"\r\n        $a3 = \"Keylog thread exit\"\r\n        $a4 = \"Keylogger yet started\"\r\n    condition:\r\n        $service or (2 of ($x*)) or (2 of ($a*))\r\n}\r\nSource: http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/"
	],
	"report_names": [
		"update-on-the-fancy-bear-android-malware-poprd30-apk"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d16133f168a1d59e95e07f9c8c94e00459183058.pdf",
		"text": "https://archive.orkl.eu/d16133f168a1d59e95e07f9c8c94e00459183058.txt",
		"img": "https://archive.orkl.eu/d16133f168a1d59e95e07f9c8c94e00459183058.jpg"
	}
}