--- name: detecting-mobile-malware-behavior description: 'Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation. ' domain: cybersecurity subdomain: mobile-security author: mahipal tags: - mobile-security - android - ios - malware-analysis - owasp-mobile - penetration-testing version: 1.0.0 license: Apache-2.0 nist_csf: - PR.PS-01 - PR.AA-05 - ID.RA-01 - DE.CM-09 --- # Detecting Mobile Malware Behavior ## When to Use Use this skill when: - Analyzing suspicious mobile applications submitted by users or discovered during incident response - Monitoring enterprise mobile fleet for malicious app indicators - Performing malware triage on APK/IPA samples - Investigating data exfiltration or unauthorized device access from mobile apps **Do not use** this skill to create, enhance, or distribute malware. This skill is for defensive analysis only. ## Prerequisites - Isolated analysis environment (dedicated device or emulator, not connected to production networks) - MobSF for automated static+dynamic analysis - Frida/Objection for runtime behavior monitoring - Wireshark/tcpdump for network traffic capture - Android emulator (AVD) or Genymotion for safe execution - VirusTotal API key for hash lookups ## Workflow ### Step 1: Static Indicator Analysis ```bash # Hash the sample sha256sum suspicious.apk # Check VirusTotal curl -s "https://www.virustotal.com/api/v3/files/" \ -H "x-apikey: " | jq '.data.attributes.last_analysis_stats' # Extract permissions from AndroidManifest.xml aapt dump permissions suspicious.apk # High-risk permission combinations: # READ_SMS + INTERNET = SMS stealer # RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan # ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability # CAMERA + RECORD_AUDIO + INTERNET = spyware # DEVICE_ADMIN + INTERNET = ransomware capability # READ_CONTACTS + INTERNET = contact exfiltration ``` ### Step 2: MobSF Automated Malware Scan ```bash # Upload to MobSF curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \ -H "Authorization: " # Review malware indicators in report: # - Hardcoded C2 server addresses # - Dynamic code loading (DexClassLoader) # - Reflection-based API calls (to evade static analysis) # - Encrypted/obfuscated payloads # - Root detection (malware often checks for root) # - Anti-emulator checks (malware evades sandbox) ``` ### Step 3: Network Behavior Monitoring ```bash # Start packet capture on emulator tcpdump -i any -w malware_traffic.pcap # Or use mitmproxy for HTTP/HTTPS mitmproxy --mode transparent # Monitor for: # - DNS lookups to suspicious/newly registered domains # - Connections to known C2 infrastructure # - Data exfiltration patterns (large POST requests) # - Beaconing behavior (regular interval connections) # - Non-standard ports and protocols # - Domain Generation Algorithm (DGA) patterns ``` ### Step 4: Runtime Behavior Monitoring with Frida ```javascript // monitor_malware.js - Comprehensive behavior monitoring Java.perform(function() { // Monitor SMS access var SmsManager = Java.use("android.telephony.SmsManager"); SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String", "java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent") .implementation = function(dest, sc, text, sent, delivery) { console.log("[SMS] Sending to: " + dest + " Text: " + text); // Allow or block based on analysis needs return this.sendTextMessage(dest, sc, text, sent, delivery); }; // Monitor file operations var FileOutputStream = Java.use("java.io.FileOutputStream"); FileOutputStream.$init.overload("java.lang.String").implementation = function(path) { console.log("[FILE-WRITE] " + path); return this.$init(path); }; // Monitor network connections var URL = Java.use("java.net.URL"); URL.openConnection.overload().implementation = function() { console.log("[NET] " + this.toString()); return this.openConnection(); }; // Monitor dynamic code loading var DexClassLoader = Java.use("dalvik.system.DexClassLoader"); DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) { console.log("[DEX-LOAD] Loading: " + dexPath); return this.$init(dexPath, optDir, libPath, parent); }; // Monitor command execution var Runtime = Java.use("java.lang.Runtime"); Runtime.exec.overload("java.lang.String").implementation = function(cmd) { console.log("[EXEC] " + cmd); return this.exec(cmd); }; // Monitor camera/audio access var Camera = Java.use("android.hardware.Camera"); Camera.open.overload("int").implementation = function(id) { console.log("[CAMERA] Camera opened: " + id); return this.open(id); }; // Monitor content provider access (contacts, call log) var ContentResolver = Java.use("android.content.ContentResolver"); ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;", "java.lang.String", "[Ljava.lang.String;", "java.lang.String") .implementation = function(uri, proj, sel, selArgs, sort) { console.log("[QUERY] " + uri.toString()); return this.query(uri, proj, sel, selArgs, sort); }; console.log("[*] Malware behavior monitor active"); }); ``` ### Step 5: Classify Malware Type Based on observed behaviors, classify the sample: | Behavior Pattern | Malware Type | |-----------------|-------------| | SMS interception + C2 communication | Banking Trojan | | Camera/mic access + data upload | Spyware/Stalkerware | | File encryption + ransom note display | Mobile Ransomware | | Ad injection + click fraud traffic | Adware | | Root exploit + persistence | Rootkit | | Contact harvesting + SMS spam | Worm/SMS Spammer | | Overlay attacks + credential capture | Credential Stealer | | Crypto mining network activity | Cryptojacker | ## Key Concepts | Term | Definition | |------|-----------| | **Dynamic Code Loading** | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis | | **C2 Beacon** | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns | | **DGA** | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure | | **Overlay Attack** | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission | | **Anti-Emulator** | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior | ## Tools & Systems - **MobSF**: Automated static and dynamic analysis for initial malware triage - **VirusTotal**: Multi-engine malware scanning and hash reputation lookup - **Frida**: Runtime behavior monitoring through method hooking - **Wireshark**: Network traffic analysis for C2 communication patterns - **Cuckoo Sandbox / CuckooDroid**: Automated malware analysis sandbox for Android samples ## Common Pitfalls - **Anti-analysis evasion**: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis. - **Time-delayed payloads**: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions. - **Encrypted C2**: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content. - **Multi-stage payloads**: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.