🔗 Link to the Room

📚 Study Notes

First steps

• Android malware usually pretends to be a normal app.
• These apps are called APKs, just like most regular Android apps.
• Sometimes malware appears on the Play Store, but that’s rare because Google removes it quickly.
• Most malicious apps come from SMS links or shady third-party websites.
• Apps from the Play Store get a special modification called “frosting”.
• Frosted APK = likely from Play Store

• Not frosted APK = be suspicious (higher chance it’s malware)

• In this room, the malware is a fake (trojanized) version of the Wire chat app.
• To analyze it, we use Pithus, an online tool that checks APKs without running them.
• Pithus combines other tools you may already know, like MobSF, SSdeep, and APKiD.

 

Pithus is a static analysis platform. It doesn’t run the app, it just looks inside the APK. It automatically checks for too many dangerous permissions, certificates, frosting, code similarities (SSdeep) to see if the APK is similar to known malware families, checks for packers (APKiD), embedded URLs and IPs, and so on.

 

---

❓What is the name of the technique used by Google Play to mark the applications uploaded to the Google Play Store?

frosting

---

❓What is the name of the package?

com.wire

---

❓What is the MD5 hash of the APK?

e162504122c224d4609ade9efa9af82d

---

❓What is the SHA256 hash of this sample?

ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

---

❓What is the size of the smaple?

40.68MB

---

Getting into the APK

 

1. Start by identifying the APK
   • Open the APK Analysis tab to see basic information about the app.
   • In this case, the app is trojanized (a legit app with malware added).
   • You need to find which version of the original app was targeted.
   • Quick research shows this version was released on 1 March 2021.

 

 

1. Check the timeline (Threat Intel)
   • The Threat Intel tab shows when the malware was likely active.
   • The certificate used by the malware was created on 26 April 2021.
   • This is about 2 months after the legit app version was released.
   • This timing helps confirm when the malicious version appeared.

 

1. Find the main activity
   • Back in APK Analysis, identify the app’s main activity.
   • The main activity is where the app starts running.
   • This is a very important starting point for deeper analysis.

 

1. Inspect the Manifest
   • Look in the Manifest to see what actions the main activity can trigger as this helps you understand what the app is capable of doing.

 

1. Look at permissions (Behavior Analysis)
   • Go to the Behavior Analysis tab.
   • Check the permissions the app requests.
   • The app asks for many permissions.
   • Since it’s a chat app, some (contacts, camera) make sense.
   • Still, you should always be cautious and question them.

 

 

1. Review suspicious behavior (Threat Analysis)
   • Scroll to the Threat Analysis section.
   • This uses a tool called Quark.
   • Quark flags suspicious behaviors called “crimes”.
   • Multiple crimes suggest malicious intent.

 

 

1. Identify suspicious classes
   • Still in Behavior Analysis, look for class names linked to bad behavior.
   • These classes are important clues.
   • They tell you where to look in the code later.

 

 

1. Check network activity
   • Open the Network Analysis tab.
   • You’ll see domains the app tries to contact.
   • Advanced malware often hides or obfuscates these domains.
   • Even limited clues are still useful.

 

 

---

❓Which version of the application is targeted?

3.65.979

---

❓Check all the activities. There is one standing out. Which one is it?

org.xmlpush.v3.StartVersion

---

❓How many activities in the Manifest analysis are linked to the activity that we hae identified?

3

---

❓What is the first crime identified?

load external class

---

❓There is a crime that should attract your attention. It is something that shouldn't happen with a non-malicious chat app. What crime is it?

Hide the current app's icon

---

❓How many classes have a TCP connection and are identified as being part of our malicious activity?

5

---

❓Which one of the classes having a TCP connection is probably not malicous?

okio/Okio.java

---

 

Hunting

• Hunting means looking for other malware samples that are the same as, or similar to, the one you’re analyzing. - This is important because it helps you understan who the victims might be, the attacker’s Tactics, Techniques, and Procedures (TTPs).

Pithus provides several ways to hunt for related samples:

1. Search by similarity
   • Go to Fingerprints tab, scroll down to the SSdeep and Dexofuzzy results.
   • Use the magnifying glass to search for similar APKs.
   • In this case, no similar samples were found.

 

 

1. Search by malware names
   • Open Threat Intel, scroll down to Most Popular AV Detections.
   • Antivirus vendors sometimes give malware recognizable names, you can then search for other samples using these names.
   • Threat names can also hint at who the threat actor is.
   • Example: researching FinSpy helps understand the attacker and malware type.

 

 

1. Search using Yara rules
   • Requires a registered Pithus account (GitHub login works).
   • Available under “My Hunting”.
   • You can add your own Yara rules, search older samples (retroactive search) or create private or public rules

 

 

Pithus only supports basic (vanilla) Yara — no modules.

• Some Yara matches are already visible in the Threat Intelligence section.
• The rules used are public and available on GitHub.
• When writing Yara for APKs, you can limit the rule to APK files using uint32(0) == 0x04034b50 (more useful on platforms like VirusTotal than in Pithus.)

Hunting helps you move from one sample to understanding a whole campaign — who’s behind it, how they operate, and who they target.

 

---

❓What do you notice that will identify our sample as having similarities with the other search results?

org.xmlpush.v3

---

 

Hunting 2

• Let’s look for the “search feature” that Pithus offers!
• On the home page of Pithus, there is a query field available.

• Clicking the ? icon brings up more information for some features described below.
• You can list all samples available in Pithus with this search: * (Note that not all samples will be shown at once.)
• You can combine searches and look for all files that have a rating on VirusTotal with: * and vt > 0
• Sometimes, searches will yield a low amount of results. You can expand the search with * — For example: threat_name:*finspy*

 

---

❓Find the sha256 hash of our previous sample and run a query using the hash. What is the query you used?

SHA256:ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

---

❓What query would you use to find the non malicious class that we identified previously?

java_classes: "okio/Okio"

---