Thursday 25 September 09:30 - 10:00, Red room
JunWei Song (Recorded Future)
Identifying command-and-control (C2) commands in Android malware is crucial for understanding its intent and enhancing threat mitigation strategies. Traditional dynamic analysis methods, which rely on network traffic analysis, often struggle against encryption, obfuscation, or unavailable C2 servers. Additionally, advanced anti-analysis techniques further hinder dynamic approaches. To address these challenges, we propose a static analysis method to efficiently locate functions that may contain C2 commands, significantly accelerating malware reverse engineering and increasing the likelihood of discovering previously unknown malware containing C2 commands.
Our approach detects structured patterns in malware code, particularly multiple string comparisons within if-else and switch statements, and HashMap-based C2 command mappings that associate command strings with specific functions. Even when C2 commands are encrypted or obfuscated, these structures remain identifiable through Smali opcode analysis. By analysing the frequency and distribution of specific opcode patterns (e.g. const-string, invoke-virtual, if-eqz) and Android API calls (e.g. equals, contains), we establish detection thresholds to identify suspicious functions. This method lets analysts quickly pinpoint areas of interest, reducing the time spent on manual code inspection and improving overall analysis efficiency.
We implement our approach using Python and the Androguard package, analysing Smali instructions and API calls. Our tool flags functions when predefined thresholds are exceeded and extracts potential C2 commands from string comparison patterns, streamlining the malware analysis process. In our research, we identified a new version of the TgToxic Android banking trojan, demonstrating the effectiveness of our methodology in real-world scenarios. Additionally, we validate our approach across various malware families such as Octo, Ermac, Cerberus, Xloader, and more, further confirming its effectiveness.
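As an added illustration (not the authors' tool, and not using Androguard), the heuristic described above can be sketched over raw Smali text: count the const-string / String-comparison / if-eqz pattern per method, flag the method once illustrative thresholds are reached, and collect the literals that feed each comparison as candidate C2 commands. The Smali fragment, the threshold values and the method names are constructed for the example.

```python
import re
from collections import Counter

# Constructed Smali fragment (not from any real sample) of a command-dispatch
# method: each candidate command is loaded with const-string, compared with a
# String API and branched on with if-eqz, the pattern the talk looks for.
DISPATCH_METHOD = """\
const-string v1, "send_sms"
invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v2
if-eqz v2, :cond_0
:cond_0
const-string v1, "get_contacts"
invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v2
if-eqz v2, :cond_1
:cond_1
const-string v1, "lock"
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v2
if-eqz v2, :cond_2
:cond_2
return-void
"""

CONST_STR = re.compile(r'^const-string(?:/jumbo)? v\d+, "(.*)"$')
INVOKE = re.compile(r"^invoke-\S+ \{[^}]*\}, (\S+)$")
STRING_CMP = re.compile(r"Ljava/lang/String;->(equals|equalsIgnoreCase|contains)\(")
# Illustrative minimums; the talk derives real thresholds from C2 statistics.
THRESHOLDS = {"const-string": 3, "string_cmp": 3, "branches": 3}

def analyse_method(smali, thresholds=THRESHOLDS):
    opcodes, apis, commands, pending = Counter(), Counter(), [], None
    for raw in smali.splitlines():
        line = raw.strip()
        if not line or line[0] in ".:#":      # directives, labels, comments
            continue
        opcodes[line.split()[0].split("/")[0]] += 1   # const-string/jumbo -> const-string
        if m := CONST_STR.match(line):
            pending = m.group(1)              # literal that may feed the next compare
        elif (m := INVOKE.match(line)) and (c := STRING_CMP.search(m.group(1))):
            apis[c.group(1)] += 1
            if pending is not None:           # const-string directly feeding equals/contains
                commands.append(pending)
                pending = None
    string_cmp = sum(apis.values())
    flagged = (opcodes["const-string"] >= thresholds["const-string"]
               and string_cmp >= thresholds["string_cmp"]
               and opcodes["if-eqz"] + opcodes["if-nez"] >= thresholds["branches"])
    return {"flagged": flagged, "string_cmp": string_cmp, "api_calls": dict(apis), "commands": commands}
```

A real run would feed each method's instructions from Androguard's decompiled output into `analyse_method` and rank methods by how far they exceed the thresholds.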
Our technique significantly narrows the investigation scope, making it a valuable tool for threat hunting and malware classification in Android malware analysis. Although our approach does not ensure that every flagged function contains C2 commands, because the number of C2 commands varies across malware families, it provides a strong basis for further research. We will share the tool implementation and comprehensive data on C2 command occurrences across malware families to support the design of detection thresholds.
Looking ahead, we will refine these thresholds and enhance our automated analysis to extend our methodology across diverse malware families. This will strengthen our ability to hunt for previously unknown malware with C2 command structures.
JunWei Song

JunWei is a malware researcher at Recorded Future Triage Sandbox, interested in the fields of reverse engineering, malware analysis, threat intelligence, and developing tools to aid in malware analysis. He has been very involved in the security community, previously leading Quark-Engine and mentoring GSoC under the Honeynet Project. His research has been presented at various security conferences, including Black Hat Asia, DEFCON BTV, HITB, and ROOTCON.