detecting-mobile-malware-behavior
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-mobile-malware-behaviorAnalyze mobile apps for malware indicators like data theft.
- Identifies data exfiltration, credential stealing, and command-and-control traffic.
- Integrates MobSF, Frida, Objection, and network capture tools.
- Activates only during malware triage or suspicious app investigation.
- Delivers findings on permission abuse and malicious behavior patterns.
SKILL.md
.github/skills/detecting-mobile-malware-behaviorView on GitHub ↗
---
name: detecting-mobile-malware-behavior
description: >
Detects and analyzes malicious behavior in mobile applications through behavioral analysis,
permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when
analyzing suspicious mobile applications for data exfiltration, command-and-control communication,
credential stealing, SMS interception, or other malware indicators. Activates for requests involving
mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.
domain: cybersecurity
subdomain: mobile-security
author: mahipal
tags: [mobile-security, android, ios, malware-analysis, owasp-mobile, penetration-testing]
version: 1.0.0
license: Apache-2.0
---
# Detecting Mobile Malware Behavior
## When to Use
Use this skill when:
- Analyzing suspicious mobile applications submitted by users or discovered during incident response
- Monitoring enterprise mobile fleet for malicious app indicators
- Performing malware triage on APK/IPA samples
- Investigating data exfiltration or unauthorized device access from mobile apps
**Do not use** this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.
## Prerequisites
- Isolated analysis environment (dedicated device or emulator, not connected to production networks)
- MobSF for automated static+dynamic analysis
- Frida/Objection for runtime behavior monitoring
- Wireshark/tcpdump for network traffic capture
- Android emulator (AVD) or Genymotion for safe execution
- VirusTotal API key for hash lookups
## Workflow
### Step 1: Static Indicator Analysis
```bash
# Hash the sample
sha256sum suspicious.apk
# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
-H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'
# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk
# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration
```
### Step 2: MobSF Automated Malware Scan
```bash
# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)
```
### Step 3: Network Behavior Monitoring
```bash
# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap
# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent
# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns
```
### Step 4: Runtime Behavior Monitoring with Frida
```javascript
// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
// Monitor SMS access
var SmsManager = Java.use("android.telephony.SmsManager");
SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
"java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
.implementation = function(dest, sc, text, sent, delivery) {
console.log("[SMS] Sending to: " + dest + " Text: " + text);
// Allow or block based on analysis needs
return this.sendTextMessage(dest, sc, text, sent, delivery);
};
// Monitor file operations
var FileOutputStream = Java.use("java.io.FileOutputStream");
FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
console.log("[FILE-WRITE] " + path);
return this.$init(path);
};
// Monitor network connections
var URL = Java.use("java.net.URL");
URL.openConnection.overload().implementation = function() {
console.log("[NET] " + this.toString());
return this.openConnection();
};
// Monitor dynamic code loading
var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
console.log("[DEX-LOAD] Loading: " + dexPath);
return this.$init(dexPath, optDir, libPath, parent);
};
// Monitor command execution
var Runtime = Java.use("java.lang.Runtime");
Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
console.log("[EXEC] " + cmd);
return this.exec(cmd);
};
// Monitor camera/audio access
var Camera = Java.use("android.hardware.Camera");
Camera.open.overload("int").implementation = function(id) {
console.log("[CAMERA] Camera opened: " + id);
return this.open(id);
};
// Monitor content provider access (contacts, call log)
var ContentResolver = Java.use("android.content.ContentResolver");
ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
"java.lang.String", "[Ljava.lang.String;", "java.lang.String")
.implementation = function(uri, proj, sel, selArgs, sort) {
console.log("[QUERY] " + uri.toString());
return this.query(uri, proj, sel, selArgs, sort);
};
console.log("[*] Malware behavior monitor active");
});
```
### Step 5: Classify Malware Type
Based on observed behaviors, classify the sample:
| Behavior Pattern | Malware Type |
|-----------------|-------------|
| SMS interception + C2 communication | Banking Trojan |
| Camera/mic access + data upload | Spyware/Stalkerware |
| File encryption + ransom note display | Mobile Ransomware |
| Ad injection + click fraud traffic | Adware |
| Root exploit + persistence | Rootkit |
| Contact harvesting + SMS spam | Worm/SMS Spammer |
| Overlay attacks + credential capture | Credential Stealer |
| Crypto mining network activity | Cryptojacker |
## Key Concepts
| Term | Definition |
|------|-----------|
| **Dynamic Code Loading** | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis |
| **C2 Beacon** | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns |
| **DGA** | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure |
| **Overlay Attack** | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission |
| **Anti-Emulator** | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior |
## Tools & Systems
- **MobSF**: Automated static and dynamic analysis for initial malware triage
- **VirusTotal**: Multi-engine malware scanning and hash reputation lookup
- **Frida**: Runtime behavior monitoring through method hooking
- **Wireshark**: Network traffic analysis for C2 communication patterns
- **Cuckoo Sandbox / CuckooDroid**: Automated malware analysis sandbox for Android samples
## Common Pitfalls
- **Anti-analysis evasion**: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
- **Time-delayed payloads**: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
- **Encrypted C2**: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
- **Multi-stage payloads**: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.