
Thursday, April 05, 2018


Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox. Continuing with our effort to improve our malware behavior analysis infrastructure, we are happy to announce the deployment of a new Android sandbox that replaces the existing system, which was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:

As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal's "microscope" capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to connect the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.
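The pivot the two paragraphs above describe (domain to the files that contacted it, then to the other domains those files contacted) can be reproduced on a small scale from per-sample behaviour data. The script below is an added illustration, not VirusTotal code, and works over a constructed, hypothetical report shape (just the contacted domains per sample) rather than the real Droidy report format; it also shows why shared benign hosts such as CDNs must be excluded from the walk, or they pull in unrelated samples.

```python
from collections import defaultdict

# Constructed stand-ins for per-sample behaviour reports: only the contacted
# domains matter here. The shape is hypothetical, not the real Droidy format.
REPORTS = {
    "sample_a.apk": {"domains": ["c2-one.example", "cdn.benign.example"]},
    "sample_b.apk": {"domains": ["c2-one.example", "c2-two.example"]},
    "sample_c.apk": {"domains": ["c2-two.example", "drop.example"]},
    "sample_d.apk": {"domains": ["cdn.benign.example"]},
    "sample_e.apk": {"domains": ["unrelated.example"]},
}

def index_by_domain(reports):
    """Invert the reports: domain -> set of samples that contacted it."""
    by_domain = defaultdict(set)
    for sample, report in reports.items():
        for domain in report["domains"]:
            by_domain[domain].add(sample)
    return by_domain

def shared_infrastructure(reports, min_samples=2):
    """Domains contacted by at least `min_samples` distinct samples."""
    return sorted(d for d, s in index_by_domain(reports).items()
                  if len(s) >= min_samples)

def pivot(reports, start_domain, depth=2, exclude=frozenset()):
    """Breadth-first walk domain -> samples -> domains, `depth` hops out.

    Domains in `exclude` (CDNs, ad networks, other shared benign hosts) are
    neither reported nor traversed, so they cannot drag in unrelated samples.
    Returns (samples reached, domains reached), both sorted.
    """
    by_domain = index_by_domain(reports)
    seen_domains, seen_samples = {start_domain}, set()
    frontier = {start_domain}
    for _ in range(depth):
        next_frontier = set()
        for domain in frontier:
            for sample in by_domain.get(domain, ()):
                if sample in seen_samples:
                    continue
                seen_samples.add(sample)
                for other in reports[sample]["domains"]:
                    if other not in seen_domains and other not in exclude:
                        seen_domains.add(other)
                        next_frontier.add(other)
        frontier = next_frontier
    return sorted(seen_samples), sorted(seen_domains)
```

Without the exclusion, a two-hop pivot from `c2-one.example` reaches `sample_d.apk` purely through the shared CDN host; with it excluded, only the three samples tied to the C2 and drop domains remain.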

Wrapping up, don't think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens, which sheds light on malicious behaviors on the Internet.

Wednesday, March 06, 2013


VirusTotal += Android execution reports

Last year we included sandbox execution reports for Portable Executable files thanks to the amazing tool developed by Claudio “nex” Guarnieri and his team, Cuckoo. We are excited to announce that as of today we are also displaying behavioural reports for Android applications (APKs).

Indeed, when informing you about Anthony's return from the Android jungle, we promised there would be some further new and exciting features to come. While traversing a cascade of APK, ODEX, DEX, AXML and ARSC species, he discovered that sometimes Androguard was not enough to distinguish the good from the evil. He needed something more: he needed to record how these species behaved in order to get a clearer picture of their malicious or harmless intentions.

To address these needs he developed an in-house Android sandbox where these fancy creatures could play around, spit their SMS, excrete their files, sing melodic HTTP conversations and perform other animal matters.

These are some examples of the reports produced (Behaviour information tab):

https://www.virustotal.com/en/file/b707d23bfc22908ae8ee2f6e2d0bc9c74135af18c5eea2b3bcca7471d08985c2/analysis/

https://www.virustotal.com/en/file/6775a8711283ce4f6f1f000f3bd6d65bb1666c37175efd6b3edc2091842eeeb7/analysis/

https://www.virustotal.com/en/file/1230d64ccba3f7f5b32972308295ce90ffa7a95cb8f713c7c39ead88e4faff6d/analysis/

Please note that these reports will appear in an asynchronous fashion; they may not be generated until a couple of minutes after your file scan ends.

Those users with private API or allinfo privileges will see this information in the API responses. As for VirusTotal Intelligence, we will soon be indexing this data and the new Androguard outputs in order to enhance our search functionality. Stay tuned, and pay attention to the pertinent documentation.