seikaikyo/detecting-mobile-malware-behavior

Detecting Mobile Malware Behavior

When to Use

Use this skill when:

• Analyzing suspicious mobile applications submitted by users or discovered during incident response
• Monitoring enterprise mobile fleet for malicious app indicators
• Performing malware triage on APK/IPA samples
• Investigating data exfiltration or unauthorized device access from mobile apps

Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.

Prerequisites

• Isolated analysis environment (dedicated device or emulator, not connected to production networks)
• MobSF for automated static+dynamic analysis
• Frida/Objection for runtime behavior monitoring
• Wireshark/tcpdump for network traffic capture
• Android emulator (AVD) or Genymotion for safe execution
• VirusTotal API key for hash lookups

Workflow

Step 1: Static Indicator Analysis

# Hash the sample
sha256sum suspicious.apk

# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'

# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk

# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration

Step 2: MobSF Automated Malware Scan

# Upload to MobSF
curl -F "[email protected]" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"

# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)

Step 3: Network Behavior Monitoring

# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap

# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent

# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns

Step 4: Runtime Behavior Monitoring with Frida

// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
    // Monitor SMS access
    var SmsManager = Java.use("android.telephony.SmsManager");
    SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
        "java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
        .implementation = function(dest, sc, text, sent, delivery) {
            console.log("[SMS] Sending to: " + dest + " Text: " + text);
            // Allow or block based on analysis needs
            return this.sendTextMessage(dest, sc, text, sent, delivery);
        };

    // Monitor file operations
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
        console.log("[FILE-WRITE] " + path);
        return this.$init(path);
    };

    // Monitor network connections
    var URL = Java.use("java.net.URL");
    URL.openConnection.overload().implementation = function() {
        console.log("[NET] " + this.toString());
        return this.openConnection();
    };

    // Monitor dynamic code loading
    var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
    DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
        console.log("[DEX-LOAD] Loading: " + dexPath);
        return this.$init(dexPath, optDir, libPath, parent);
    };

    // Monitor command execution
    var Runtime = Java.use("java.lang.Runtime");
    Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
        console.log("[EXEC] " + cmd);
        return this.exec(cmd);
    };

    // Monitor camera/audio access
    var Camera = Java.use("android.hardware.Camera");
    Camera.open.overload("int").implementation = function(id) {
        console.log("[CAMERA] Camera opened: " + id);
        return this.open(id);
    };

    // Monitor content provider access (contacts, call log)
    var ContentResolver = Java.use("android.content.ContentResolver");
    ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
        "java.lang.String", "[Ljava.lang.String;", "java.lang.String")
        .implementation = function(uri, proj, sel, selArgs, sort) {
            console.log("[QUERY] " + uri.toString());
            return this.query(uri, proj, sel, selArgs, sort);
        };

    console.log("[*] Malware behavior monitor active");
});

Step 5: Classify Malware Type

Based on observed behaviors, classify the sample:

| Behavior Pattern | Malware Type | |-----------------|-------------| | SMS interception + C2 communication | Banking Trojan | | Camera/mic access + data upload | Spyware/Stalkerware | | File encryption + ransom note display | Mobile Ransomware | | Ad injection + click fraud traffic | Adware | | Root exploit + persistence | Rootkit | | Contact harvesting + SMS spam | Worm/SMS Spammer | | Overlay attacks + credential capture | Credential Stealer | | Crypto mining network activity | Cryptojacker |

Key Concepts

| Term | Definition | |------|-----------| | Dynamic Code Loading | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis | | C2 Beacon | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns | | DGA | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure | | Overlay Attack | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission | | Anti-Emulator | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior |

Tools & Systems

• MobSF: Automated static and dynamic analysis for initial malware triage
• VirusTotal: Multi-engine malware scanning and hash reputation lookup
• Frida: Runtime behavior monitoring through method hooking
• Wireshark: Network traffic analysis for C2 communication patterns
• Cuckoo Sandbox / CuckooDroid: Automated malware analysis sandbox for Android samples

Common Pitfalls

• Anti-analysis evasion: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
• Time-delayed payloads: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
• Encrypted C2: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
• Multi-stage payloads: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.