detecting-mobile-malware-behavior

# Detecting Mobile Malware Behavior ## When to Use Use this skill when: - Analyzing suspicious mobile applications submitted by users or discovered during incident response - Monitoring enterprise mobile fleet for malicious app indicators - Performing malware triage on APK/IPA samples - Investigating data exfiltration or unauthorized device access from mobile apps **Do not use** this skill to create, enhance, or distribute malware. This skill is for defensive analysis only. ## Prerequisites - Isolated analysis environment (dedicated device or emulator, not connected to production networks) - MobSF for automated static+dynamic analysis - Frida/Objection for runtime behavior monitoring - Wireshark/tcpdump for network traffic capture - Android emulator (AVD) or Genymotion for safe execution - VirusTotal API key for hash lookups ## Workflow ### Step 1: Static Indicator Analysis ```bash # Hash the sample sha256sum suspicious.apk # Check VirusTotal curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \ -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats' # Extract permissions from AndroidManifest.xml aapt dump permissions suspicious.apk # High-risk permission combinations: # READ_SMS + INTERNET = SMS stealer # RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan # ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability # CAMERA + RECORD_AUDIO + INTERNET = spyware # DEVICE_ADMIN + INTERNET = ransomware capability # READ_CONTACTS + INTERNE...