Mobile Malware Analysis is a simple room that teaches you the basics on how to analyse malwares that might infect your Phone.
Mobile Malware Analysis Room teaches you basics of how get simple data from android Apps mainly, what to look for in apps and how to analyze information depending on what you’re looking for.
The first part test a general knowledge question can be solved by googling or observations, let’s start then.
What known as the first malware created to affect mobile devices?
Some Information and A Demo About Cabir
What technology does this worm used to multiply?
What operating system did it infect?
What message did it show on the screen of the infected mobile phone?
The next section requires us to launch an Attack Box To do the analysis of the application in the machine, So, let’s launch the machine.
After you launch the machine, you need to launch MobSF tool, which is a mobile Security Framework to do malware analysis , security testing, etc. If you didn’t find the file on the Desktop, Go to documents.
Drag The apk file into the MobSF tool and wait for it to finish the analysis then we can answer the next questions.
What is the format of the file?
Decode the name of the sample. ( Base64 Encoding )
Which is the target platform? ( Since The Format is APK )
The Next Task is based on a web service called virus total that let you scan files and hashes to see if it’s a signature for a known virus
To Start you need to get the hash of the file which is given to you within MobSF tool “566d0c5a08d1c32a8d049794a33af5dc” Then open VirusTotal.com , Choose “Search Option” And paste the hash.
Then we can answer the following questions:
What does Avast-Mobile can tell us about this software? , here you would take the result for the Avast , not avast mobile
What program was used to create the malware? (by checking the virus type from other scanners)
What is the package name? (click on Details Tab , and search for “Package Name”)
What is the SHA-1 signature? (from the same details tab)
What is the unique XML file?
to solve this question, you need to open the “Behavior” Tab , then click on “Full Report”
once the report is open, you can search for “files” and you would see the list of files included
How many permissions are there inside? , in the same previous window, search for permissions and you would see all permissions requested by the applications
Which permission allows the application to take pictures with the camera?
What is the message left by the community?
Now Let’s go back to MobSF tool and learn more about it,and this is what this section is about
What is the programming language used to create the program?
in case you didn’t know, the main language of android development is Java, while Kotlin is officially new language added.
How many signatures does the package has?
From the below image, you can find that only V1 signature is detected in the applications, so only one signature is available for the current App.
Application is signed with v1 signature scheme, what is it vulnerable to on Android <7.0?
In the same section as the previous window, you can find a list of vulnerabilities that the app is vulnerable to, and one of them is V1 Signature Scheme
What is the App name?
if you search for “name” in the page, you would get the following app_name attribute
It looks like there is a function calling for the package manager, so it can see all the installed applications. What function is that?
to solve this question, we need to open the code and check for the functions available within.
Let’s go down to de-compiled code section and click on “View Source”
It will open a new window with code viewer that will show the app structure.
Let’s Expand the tree and start with the MainActivity That usually Launches first when you open and android app
We can see that it launches the MainService file, so let’s open that file.
and we can find that Payload starts the service with Payload.start(this);
so let’s open the payload file
You Don’t need to spend too much reading the code where you see the function called to get the Package Manager
The flag “android:allowBackup” allows the user to backup application data via USB debugging. It is recommended that this be set as “False”, even if by default it is “True”.
What is the severity of this configuration?
let’s go back to the home page and search for “USB Debugging”
and you would see the severity next to the problem
Let’s takes a more in depth functions to analyze a second application in the active machine, so let’s open the link and drag and drop the app into it.
What is the SHA-256 hash of the file?
After finding the sample on VirusTotal, what does the “Avast” anti-virus engine recognizes it as?
let’s open virus total and paste the above hash into it
With what we have, try to find out the name of the sample.
You can get the name from Virus Total Details Page
This became news for spying journalists, what year was that?
If we search the name we found of the malware in MITRE ATT&CK (https://attack.mitre.org/), we can find some interesting information.
What is the ID of the MITRE ATT&CK that is associated with our sample?
All you need to do is to open the mentioned website then search for “Pegasus” and you need to take the Android Version one since we are analyzing APK
What technique has the ability to exploit OS vulnerabilities to escalate privileges?
for this question, they’re not looking for the name or the method they used to exploit the OS rather they’re looking for which ID is the OS Exploitation that you can easily get from technical details section.
There is a permission that when accepted, allows the application to access the list of accounts in the Accounts Service. What is the status shown by MobSF regarding this permission. (android.permission.GET.ACCOUNTS)
This question is a bit wrong, the permission you’re looking for is ‘android.permission.GET_ACCOUNTS’ to get this permission you need to go down to Application Permissions Section and search for it in the search box
What org.eclipse.paho.client file refers to properties of Portuguese from Brazil (pt-br)?
you can see the path of the file by searching for pt_br in the file section, then you can copy the path
The malware has a special appeal for its safety and its internal components, reducing the risk of compromise. It has a functionality for its cryptographic operations with the feature of a random bit generation service. How can it be identified?
for this answer, you can check the hints as it tells you to check for the NIAP Analysis section.
And now we’re done from room, this is a very simple analysis that can give you an idea of what the application does, if it’s a malware or not, what permission it asks for, which vulnerability is it exposed to and many more information.
Stay Tuned For more walkthrough on other malware analysis Walkthrough