detecting-mobile-malware-behavior

star 599

Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.

xalgord By xalgord schedule Updated 6/6/2026
play_arrow Run Skill in Manus View GitHub

name: detecting-mobile-malware-behavior description: 'Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.

' domain: cybersecurity subdomain: mobile-security author: mahipal tags:

  • mobile-security
  • android
  • ios
  • malware-analysis
  • owasp-mobile
  • penetration-testing version: 1.0.0 license: Apache-2.0 nist_csf:
  • PR.PS-01
  • PR.AA-05
  • ID.RA-01
  • DE.CM-09

Detecting Mobile Malware Behavior

When to Use

Use this skill when:

  • Analyzing suspicious mobile applications submitted by users or discovered during incident response
  • Monitoring enterprise mobile fleet for malicious app indicators
  • Performing malware triage on APK/IPA samples
  • Investigating data exfiltration or unauthorized device access from mobile apps

Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.

Most Often Missed & How to Confirm

  • Time/trigger-delayed payloads — short dynamic runs miss logic that waits for reboot, locale, or a C2 command. Confirm by running 30+ minutes and simulating boot/SMS/connectivity triggers, then re-checking behavior logs.
  • Reflection / dynamic code loading — static permission review misses DexClassLoader and reflection. Confirm by hooking DexClassLoader.$init and Method.invoke and capturing the loaded path.
  • Encrypted C2 — a pcap shows traffic but not intent. Confirm by hooking Cipher.doFinal / TLS calls to recover plaintext before encryption.
  • Accessibility-service abuse — overlay/keylog capability is missed without checking BIND_ACCESSIBILITY_SERVICE. Confirm by listing enabled services and hooking onAccessibilityEvent.
  • Anti-emulator evasion — the sample stays dormant in an AVD. Confirm by running on a physical device and diffing behavior against the emulator run.
  • Second-stage download — the initial APK is benign. Confirm by monitoring FileOutputStream/network for a follow-on DEX/APK fetch.

Prerequisites

  • Isolated analysis environment (dedicated device or emulator, not connected to production networks)
  • MobSF for automated static+dynamic analysis
  • Frida/Objection for runtime behavior monitoring
  • Wireshark/tcpdump for network traffic capture
  • Android emulator (AVD) or Genymotion for safe execution
  • VirusTotal API key for hash lookups

Workflow

Step 1: Static Indicator Analysis

# Hash the sample
sha256sum suspicious.apk

# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'

# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk

# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration

Step 2: MobSF Automated Malware Scan

# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"

# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)

Step 3: Network Behavior Monitoring

# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap

# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent

# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns

Step 4: Runtime Behavior Monitoring with Frida

// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
    // Monitor SMS access
    var SmsManager = Java.use("android.telephony.SmsManager");
    SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
        "java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
        .implementation = function(dest, sc, text, sent, delivery) {
            console.log("[SMS] Sending to: " + dest + " Text: " + text);
            // Allow or block based on analysis needs
            return this.sendTextMessage(dest, sc, text, sent, delivery);
        };

    // Monitor file operations
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
        console.log("[FILE-WRITE] " + path);
        return this.$init(path);
    };

    // Monitor network connections
    var URL = Java.use("java.net.URL");
    URL.openConnection.overload().implementation = function() {
        console.log("[NET] " + this.toString());
        return this.openConnection();
    };

    // Monitor dynamic code loading
    var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
    DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
        console.log("[DEX-LOAD] Loading: " + dexPath);
        return this.$init(dexPath, optDir, libPath, parent);
    };

    // Monitor command execution
    var Runtime = Java.use("java.lang.Runtime");
    Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
        console.log("[EXEC] " + cmd);
        return this.exec(cmd);
    };

    // Monitor camera/audio access
    var Camera = Java.use("android.hardware.Camera");
    Camera.open.overload("int").implementation = function(id) {
        console.log("[CAMERA] Camera opened: " + id);
        return this.open(id);
    };

    // Monitor content provider access (contacts, call log)
    var ContentResolver = Java.use("android.content.ContentResolver");
    ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
        "java.lang.String", "[Ljava.lang.String;", "java.lang.String")
        .implementation = function(uri, proj, sel, selArgs, sort) {
            console.log("[QUERY] " + uri.toString());
            return this.query(uri, proj, sel, selArgs, sort);
        };

    console.log("[*] Malware behavior monitor active");
});

Step 5: Classify Malware Type

Based on observed behaviors, classify the sample:

Behavior Pattern Malware Type
SMS interception + C2 communication Banking Trojan
Camera/mic access + data upload Spyware/Stalkerware
File encryption + ransom note display Mobile Ransomware
Ad injection + click fraud traffic Adware
Root exploit + persistence Rootkit
Contact harvesting + SMS spam Worm/SMS Spammer
Overlay attacks + credential capture Credential Stealer
Crypto mining network activity Cryptojacker

Key Concepts

Term Definition
Dynamic Code Loading Loading executable code at runtime from external sources, commonly used by malware to evade static analysis
C2 Beacon Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns
DGA Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure
Overlay Attack Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission
Anti-Emulator Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior

Tools & Systems

  • MobSF: Automated static and dynamic analysis for initial malware triage
  • VirusTotal: Multi-engine malware scanning and hash reputation lookup
  • Frida: Runtime behavior monitoring through method hooking
  • Wireshark: Network traffic analysis for C2 communication patterns
  • Cuckoo Sandbox / CuckooDroid: Automated malware analysis sandbox for Android samples

Common Pitfalls

  • Anti-analysis evasion: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
  • Time-delayed payloads: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
  • Encrypted C2: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
  • Multi-stage payloads: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.
Install via CLI
npx skills add https://github.com/xalgord/xalgorix --skill detecting-mobile-malware-behavior
Repository Details
star Stars 599
call_split Forks 104
navigation Branch main
article Path SKILL.md
More from Creator
xalgord
xalgord Explore all skills →