The missing link in the chain? Android network analysis

Wednesday 3 October 14:30 - 15:00, Red room

Rowland Yu (Sophos)

Modern Android malware takes full advantage of the internet: it executes remote tasks received from command-and-control servers, generates fraudulent clicks, and even mines cryptocurrency by downloading and running crypto-mining code within the victim's web browser. Existing well-known analysis tools like JEB, Apktool and Radare2 are widely used to analyse malicious Android apps. However, dealing with packed or obfuscated Android apps remains a very challenging task. Analysis of the network activity can help enormously in understanding an obfuscated app's logic. The main challenge here is being able to quickly establish a relationship between decompiled code and network traffic.

Using a packet sniffer in an Android environment is not as straightforward as it seems. To support the man-in-the-middle technique, a certificate has to be configured for SSL decryption, either on the test device or in a packet analyser such as Wireshark. Android-based packet analysers can link packet data to each app on the device, but offer only clumsy features for downloading or analysing the packets, while computer-based packet analysers are the exact opposite: convenient for analysis, but unable to attribute packets to apps.

In this paper, we will present:

  • An overview of the latest Google Play and non-Google Play Android threats, such as drive-by Cryptominer, Fraudclicker and Dropper, which download malicious payloads from a remote server.
  • Demonstrations of several existing packet-analysing tools, both Android-based and computer-based, showing why they fail to achieve the tasks required in threat research.
  • Our practical tools, which allow researchers to capture all packets for each app, deeply inspect hundreds of network packets, and highlight potentially suspicious packet lists such as HTML, JavaScript or PHP for quick and intuitive analysis.
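The per-app attribution and content highlighting described above can be illustrated with a small script. This is an added example, not the authors' tool: it assumes a constructed /proc/net/tcp excerpt (Android records the owning UID of each socket there, and each installed app runs under its own UID), a constructed UID-to-package map with hypothetical package names, and constructed captured HTTP responses keyed by the socket's local port.

```python
from typing import Dict, List, Tuple

# Constructed /proc/net/tcp excerpt: each socket row carries its owning UID; addresses are hex IPv4:port.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C350 5DB8D877:0050 01 00000000:00000000 00:00000000 00000000 10123        0 41234 1 0 0 0
   1: 0100007F:C351 5DB8D877:0050 01 00000000:00000000 00:00000000 00000000 10124        0 41235 1 0 0 0
"""
# Constructed UID -> package map (hypothetical package names).
UID_TO_PACKAGE = {10123: "com.example.miner", 10124: "com.example.clicker"}
# Constructed captured HTTP responses, keyed by the socket's local (source) port.
CAPTURED: List[Tuple[int, bytes]] = [
    (0xC350, b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\nvar w=new Worker('m.js');"),
    (0xC351, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>ad</body></html>"),
    (0xC351, b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"),
    (0xC352, b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<?php echo 1; ?>"),
]

def parse_proc_net_tcp(text: str) -> Dict[int, int]:
    """Map local port -> owning UID from a /proc/net/tcp dump."""
    ports: Dict[int, int] = {}
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) >= 8:
            ports[int(fields[1].split(":")[1], 16)] = int(fields[7])
    return ports

def classify_payload(payload: bytes) -> str:
    """Label a response by the content classes worth a closer look (HTML, JavaScript, PHP)."""
    header, _, body = payload.partition(b"\r\n\r\n")
    header, body = header.lower(), body[:512].lower()
    if b"<?php" in body:
        return "PHP"
    if b"content-type: text/html" in header or b"<html" in body:
        return "HTML"
    if b"javascript" in header:
        return "JavaScript"
    return "other"

def attribute_captures(proc_net_tcp: str, uid_to_pkg: Dict[int, str], captured: List[Tuple[int, bytes]]) -> Dict[str, List[str]]:
    """Group captured responses by the app that owned the socket, recording a content class per response."""
    port_to_uid = parse_proc_net_tcp(proc_net_tcp)
    report: Dict[str, List[str]] = {}
    for port, payload in captured:
        uid = port_to_uid.get(port)  # None when the socket was already closed when the table was read
        pkg = uid_to_pkg.get(uid, f"unknown(uid={uid})")
        report.setdefault(pkg, []).append(classify_payload(payload))
    return report

def suspicious_apps(report: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only apps that pulled HTML, JavaScript or PHP content."""
    return {p: [k for k in ks if k != "other"] for p, ks in report.items() if set(ks) - {"other"}}
```

Sockets that close before the table is sampled end up unattributed, which is why a practical tool has to poll /proc/net/tcp continuously rather than once per capture.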
