Showing posts with label Android. Show all posts
Showing posts with label Android. Show all posts

Monday, February 25, 2019

, , , , , ,

Multisandbox update to Dr.Web vxCube 1.2 brings Android analysis

The multi-sandbox project is under continual improvement. In June 2018, we announced our integration with Dr.Web vxCube. Today we are happy to announce an update to Dr.Web vxCube that adds support for Android. With more than 2 billion active android devices, having visibility into android is a very welcome feature. Note that this adds to other multi-sandbox Android setups such as Tencent HABO for Android and VirusTotal Droidy.

In their own words:
We are proud to introduce our newest malware analyzer that now supports Android platform - Dr.Web vxCube 1.2. It maintains the same fast and versatile functionality when working with the Android files. Dr.Web vxCube 1.2 conducts a thorough analysis of APK files and provides in-depth reports on their behavior in the sandbox environment, including information about SMS and calls they could try to make. Moreover, each report includes manifest information with a full list of app’s permissions, activities, broadcast receivers and services.
To view the details generated by Dr.Web vxCube make sure to click on the behavior tab:


To demonstrate some of the features, lets take a look at a few malware samples:

https://www.virustotal.com/gui/file/beb7eefb2008aaf28e75d6ec24eb055c57473c4fd91c4ed70c15e352c0c825f8/behavior/Dr.Web%20vxCube

https://www.virustotal.com/gui/file/a8bf520bcc7336ec447d58794be22715f65ccd0f1c020b5cb7fd6a3599d79e44/behavior/Dr.Web%20vxCube

Detection summary

At the top of the detailed report we can clearly see a detection summary for this APK file. Note that it display a verdict based on execution behavior, this verdict may complement  Doctor Web's antivirus engine running in VirusTotal.


 

Malicious functions

We can see the app is sending SMS spam with malicious URLs:





 

Network activity

The network activity map, visually shows where the traffic goes, along with protocol and address information.


 

Connect the dots

With VT Graph you can see all the relationships above in a single nodes and arcs graph enriched with the historical knowledge of the VirusTotal dataset. Forget about having dozens of open tabs to investigate a single incident, one canvas is all you need.



Moreover, as you can see above, you can easily generate an embeddable graph object in order to display your investigation in sites other than VT Graph.

 

Digging deeper

VT Enterprise users can try some more advanced searches using search modifiers in order to identify interesting samples based on behavioral observations and other structural and in-the-wild metadata.

For example you can search for filenames within the behavior data:
behavior_files:"com.adobe.flash/files/BotPrefix"



Similarly, the behavior-scoped modifiers can be combined with any other facets in order to pinpoint not only malware families but also their command and command-and-control servers, drop-zones, additional infrastructure, etc.

type:apk androguard:"android.permission.READ_PHONE_STATE" behavior_network:http positives:10+


 

More insights and giving back to Doctor Web and the community

If you are as grateful as we are for this new insights into Android apps, you can give back to Doctor  Web and the community by helping them receive more APKs so that they can continue to improve their defenses. The easiest way to do this is through a community-developed VirusTotal App that will make the task of uploading new APKs to VirusTotal a no-brainer:

https://play.google.com/store/apps/details?id=com.funnycat.virustotal

We look forward to keep working close with Doctor Web, meanwhile we continue to encourage other sandbox setups to join the multisandbox project.
Read More

Monday, April 16, 2018

, , , , , , ,

Multisandbox project welcomes Cyber adAPT ApkRecon


Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.
These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.
Read More

Thursday, April 05, 2018

, , , , , , ,

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.  

Read More

Thursday, January 15, 2015

, , ,

VirusTotal += Alibaba

We welcome Alibaba engine to VirusTotal. This Chinese antivirus is focused in Android malware. In the words of the company:

"Alibaba anti-virus engine is an ultrafast and accurate anti-virus engine based on cloud computing, big data technologies and a database with massive confirmed malwares and safe files. This anti-virus engine consists of multiple subsystems such as preprocessing, static analysis, dynamic analysis, and counterfeit software detection. These subsystems collaboratively and automatically analyze an unknown software to determine whether it is a malware or not.

Specifically, our anti-virus engine focuses on detecting malwares that threatening the safety of mobile shopping or payment. We aim to protect the privacy information and assets of the clients of Alibaba, as well as maintain a secure mobile cyberspace."

Read More

Wednesday, February 27, 2013

, , , , , ,

Pimping up the characterization of Android files

Our resident Android expert, Anthony Desnos, is back from the Android jungle once again. In this new trip he has encountered and documented many new wild specimens, fought a couple of battles against nasty creatures such as Smsilence and worked hard to polish his main weapon when confronting and recognizing the evil: Androguard.

VirusTotal's private Androguard version has been noticeably improved and the information it dumps is far more extensive than it used to be, including a risk summary, permissions, permission-related api calls, activities, services, receivers, application certificate information and a very long etcetera. This new information appears under a new tab named file details, just as you can observe in the following screenshot.


This is just the very beginning of a series of new features that will hopefully improve your understanding of Android-related files, not only APKs but also DEX, ODEX and AXML formats, stay tuned! Meanwhile, you can take a look at a couple of reports with the new details:

https://www.virustotal.com/en/file/18c0da675416bd9ba06f30ad9f5a608e1ab011e71d79ee60b22d55f98f189356/analysis/

https://www.virustotal.com/en/file/d6f789450613fc8073c67d6c4374963fbf1ca675d8b3fc6221213af4a93de94c/analysis/

https://www.virustotal.com/en/file/b867e8afc9d1a25014496371bdfba2ab4ab133ff83cc1fbfcec83c11817f4d73/analysis/

As usual, suggestions and feature requests are more than welcome!
Read More
Subscribe to: Posts (Atom)