TryHackMe | Android Malware Analysis Walkthrough | By Retr0 | Jan 2024

Retr0

#Task 1 Introduction

Hi Hackers!

Android malware analysis is an essential aspect of cybersecurity focused on identifying, understanding, and mitigating malicious software specifically designed for the Android operating system. As the popularity of Android devices continues to grow, so does the threat landscape of malware targeting those platforms. Malicious actors use various techniques to compromise Android devices, with goals ranging from data theft and financial fraud to unauthorized access.

Lab link: https://tryhackme.com/room/androidmalwareanalysis

#Task 2 First steps

Most Android malware masquerades as a regular application. Those files are called APKs (Android Application Package), and the vast majority of your Android applications are APKs.

You can find some of those malware programs on the Play Store (though it’s rare, since Google usually takes them down), or, more often, they are shared via other means such as SMS or third-party websites.

Because Google Play adds some metadata to APKs when they are uploaded to the Play Store, it is possible to check whether an application came from it. This modification is called frosting.

Our case study for this room will be a trojanized version of the secure chat application Wire (https://wire.com/en).

When you find an APK that isn’t frosted, you should be extra careful with it: there is a chance it is malicious.
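As an added example (not part of the original walkthrough, and not Pithus or APKiD code), the check below parses the APK Signing Block that sits just before the ZIP central directory and reports whether the Google Play metadata block is present. It assumes frosting is stored under the signing-block ID 0x2146444E, and it builds a small constructed sample in memory instead of reading a real APK.

```python
import io
import struct
import zipfile

# APK Signing Block IDs: the v2 signature scheme block and the Google Play
# metadata ("frosting") block.  Assumed IDs, not values from the walkthrough.
V2_SIGNATURE_ID = 0x7109871A
FROSTING_ID = 0x2146444E
SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def signing_block_ids(apk: bytes) -> dict:
    """Return {block_id: value} from the APK Signing Block, or {} if absent."""
    eocd = apk.rfind(b"PK\x05\x06")  # End Of Central Directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no EOCD record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The block ends right before the central directory with
    # uint64 size_of_block followed by the 16-byte magic.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return {}  # v1-only signature or unsigned: nothing to inspect
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    pos = cd_offset - size - 8 + 8  # start of block, skipping leading size
    end = cd_offset - 24            # position of the trailing size field
    blocks = {}
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]  # len(id + value)
        block_id = struct.unpack_from("<I", apk, pos + 8)[0]
        blocks[block_id] = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return blocks


def is_frosted(apk: bytes) -> bool:
    """True when the Google Play frosting metadata block is present."""
    return FROSTING_ID in signing_block_ids(apk)


def build_constructed_apk(pairs) -> bytes:
    """Constructed input: a tiny ZIP with a synthetic signing block inserted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder
    data = buf.getvalue()
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + len(SIG_BLOCK_MAGIC)
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    # Shift the central directory offset in the EOCD by the inserted block size
    new_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + new_eocd
```

On a real sample, pass `open("sample.apk", "rb").read()` to `is_frosted`; an absent block only means the APK did not come through Google Play, which is a reason for extra scrutiny rather than proof of malice.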

Throughout the following steps, we are going to use Pithus, an open-source, online, static analysis tool for APKs. Pithus embeds a number of tools you may have seen in previous rooms, such as MobSF, ssdeep, or APKiD.

You will work on the following sample: https://beta.pithus.org/file/ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8.

1. What is the name of the technique used by Google Play to mark the applications uploaded to the Google Play Store?

Ans: frosting

2. What is the name of the package?

Ans: com.wire

3. What is the MD5 hash of the APK?

Ans: e162504122c224d4609ade9efa9af82d

4. What is the SHA256 hash of this sample?

Ans: ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

5. What is the size of the sample?

Ans: 40.68 MB

#Task 3 Getting into the APK

1. Which version of the application is targeted?

Ans: 3.65.979

2. Check all the activities. There is one standing out. Which one is it?

Ans: org.xmlpush.v3.StartVersion

3. How many activities in the Manifest analysis are linked to the activity that we have identified?

Ans: 3

4. What is the first crime identified?

Ans: Load external class

5. There is a crime that should attract your attention. It is something that shouldn’t happen with a non-malicious chat app. What crime is it?

Ans: Hide the current app’s icon

6. How many classes have a TCP connection and are identified as being part of our malicious activity?

Ans: 5

7. Which one of the classes having a TCP connection might not be malicious?

Ans: okio/Okio.java

#Task 4 Hunting

Searching for other samples is an important step in malware analysis. Now that we have a general idea of the sample, let’s continue our research to see if we can find other samples that are identical or similar to the first one.

Finding new samples may start to give you an understanding of the type of victims being targeted and the Tactics, Techniques, and Procedures (TTPs) the malicious actor(s) are using.

1. What do you notice that may identify our sample as having similarities with the other search results?

Ans: org.xmlpush.v3

#Task 5 Hunting 2

Let’s look at the search feature that Pithus offers!

On the home page of Pithus, there is a query box available.

1. Find the SHA256 hash of our previous sample and run a query using the hash. What is the query you used?

Ans: SHA256:ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

2. What query would you use to find the non-malicious class that we identified previously?

Ans: java_classes:okio/Okio

#Conclusion

Now let’s recap what we have explored in this room.

First, we worked on a trojanized version of Wire that is linked to the threat actor FinSpy. At the time this room was created, little public information was available as to where this trojanized application has been used and how many victims were affected. Nevertheless, we have gathered preliminary knowledge of the application’s behaviour that could speed up a future in-depth code analysis. We have identified network communication classes that could serve as useful pivot points should you continue analysing this sample on your own.

Then, we looked into how to find similar APKs based on our analysis and on what was fingerprinted from the sample. As we were able to see, it was possible to gather other implants uploaded to Pithus that matched our first APK. Gathering other samples is an important step in your analysis. With more samples, we may be able to better understand the tactics, techniques and procedures of the group and/or the malware. This may answer questions such as “Why was that application trojanized?” or “Who are the victims of this malware?”.

Finally, we played with some search features of Pithus, which can help you look for more samples based on atomic indicators of compromise.
