Agent skill

detecting-mobile-malware-behavior

Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/detecting-mobile-malware-behavior

SKILL.md

Detecting Mobile Malware Behavior

When to Use

Use this skill when:

  • Analyzing suspicious mobile applications submitted by users or discovered during incident response
  • Monitoring enterprise mobile fleet for malicious app indicators
  • Performing malware triage on APK/IPA samples
  • Investigating data exfiltration or unauthorized device access from mobile apps

Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.

Prerequisites

  • Isolated analysis environment (dedicated device or emulator, not connected to production networks)
  • MobSF for automated static+dynamic analysis
  • Frida/Objection for runtime behavior monitoring
  • Wireshark/tcpdump for network traffic capture
  • Android emulator (AVD) or Genymotion for safe execution
  • VirusTotal API key for hash lookups

Workflow

Step 1: Static Indicator Analysis

bash
# Hash the sample
sha256sum suspicious.apk

# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'

# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk

# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration

Step 2: MobSF Automated Malware Scan

bash
# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"

# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)

Step 3: Network Behavior Monitoring

bash
# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap

# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent

# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns

Step 4: Runtime Behavior Monitoring with Frida

javascript
// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
    // Monitor SMS access
    var SmsManager = Java.use("android.telephony.SmsManager");
    SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
        "java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
        .implementation = function(dest, sc, text, sent, delivery) {
            console.log("[SMS] Sending to: " + dest + " Text: " + text);
            // Allow or block based on analysis needs
            return this.sendTextMessage(dest, sc, text, sent, delivery);
        };

    // Monitor file operations
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
        console.log("[FILE-WRITE] " + path);
        return this.$init(path);
    };

    // Monitor network connections
    var URL = Java.use("java.net.URL");
    URL.openConnection.overload().implementation = function() {
        console.log("[NET] " + this.toString());
        return this.openConnection();
    };

    // Monitor dynamic code loading
    var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
    DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
        console.log("[DEX-LOAD] Loading: " + dexPath);
        return this.$init(dexPath, optDir, libPath, parent);
    };

    // Monitor command execution
    var Runtime = Java.use("java.lang.Runtime");
    Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
        console.log("[EXEC] " + cmd);
        return this.exec(cmd);
    };

    // Monitor camera/audio access
    var Camera = Java.use("android.hardware.Camera");
    Camera.open.overload("int").implementation = function(id) {
        console.log("[CAMERA] Camera opened: " + id);
        return this.open(id);
    };

    // Monitor content provider access (contacts, call log)
    var ContentResolver = Java.use("android.content.ContentResolver");
    ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
        "java.lang.String", "[Ljava.lang.String;", "java.lang.String")
        .implementation = function(uri, proj, sel, selArgs, sort) {
            console.log("[QUERY] " + uri.toString());
            return this.query(uri, proj, sel, selArgs, sort);
        };

    console.log("[*] Malware behavior monitor active");
});

Step 5: Classify Malware Type

Based on observed behaviors, classify the sample:

Behavior Pattern Malware Type
SMS interception + C2 communication Banking Trojan
Camera/mic access + data upload Spyware/Stalkerware
File encryption + ransom note display Mobile Ransomware
Ad injection + click fraud traffic Adware
Root exploit + persistence Rootkit
Contact harvesting + SMS spam Worm/SMS Spammer
Overlay attacks + credential capture Credential Stealer
Crypto mining network activity Cryptojacker

Key Concepts

Term Definition
Dynamic Code Loading Loading executable code at runtime from external sources, commonly used by malware to evade static analysis
C2 Beacon Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns
DGA Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure
Overlay Attack Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission
Anti-Emulator Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior

Tools & Systems

  • MobSF: Automated static and dynamic analysis for initial malware triage
  • VirusTotal: Multi-engine malware scanning and hash reputation lookup
  • Frida: Runtime behavior monitoring through method hooking
  • Wireshark: Network traffic analysis for C2 communication patterns
  • Cuckoo Sandbox / CuckooDroid: Automated malware analysis sandbox for Android samples

Common Pitfalls

  • Anti-analysis evasion: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
  • Time-delayed payloads: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
  • Encrypted C2: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
  • Multi-stage payloads: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results