Forensic Challenge 9 - Mobile Malware
31 Oct 2011
Challenge 9 - Mobile Malware
(provided by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter)
Skill Level: Intermediate
With the number of smartphone users growing exponentially (1.6 billion mobile device units were sold in 2010, 19% of them smartphones), mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.
This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident.
You will have to analyze the image of a portion of the file system, extract everything that looks suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse engineering and PCAP analysis, this challenge will take you into the world of mobile malware.
- Write an executive summary of this incident (3 pts)
- Provide the phone brand, model, OS name and version (1 pt)
- Extract any suspicious application (if any). Detail your extraction method. Please provide the name and SHA1 of each suspicious app. (4 pts)
- What permissions are requested by the malware(s)? Why are they suspicious? (1 pt)
- Please provide a solution to quickly identify any suspicious API calls (define what you consider a suspicious API according to your understanding) (8 pts)
- What is the malware's home server URL and where is it located? Where in the code is/are the command server URL(s) stored? (4 pts)
- What can you say about the communication model between the malware and its C&C server? (2 pts)
- If encryption was used for the communication, which encryption algorithm was used? What was the key? Explain how you found it. (4 pts)
- Please draw a graph of the decrypted communication flow, found in the pcap, between the malware and the C&C (4 pts)
- What personal information was leaked during this incident? A special *secret* piece of information was leaked; explain how and what it was. (2 pts)
- What particular techniques are used by the malware to hinder analysis or to evade detection? What unusual behavior can be noticed? (6 pts)
- Provide a detailed analysis of the malware behavior and features. (10 pts)
- Please provide a method to block (or to prompt the user for permission, similar to the UAC concept) any suspicious call made on Android (8 pts)
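One approach to the "suspicious API" question, as an added illustration for this page rather than the challenge's own material or any contestant's submission: every class descriptor and method name a Dalvik program references is stored in the string_ids table of classes.dex, so a cheap first-pass triage is to parse that table and match it against a watch list. The watch list below, the `WATCH_LIST`/`build_minimal_dex` names and the two constructed string tables are assumptions made for the example; only the header offsets (0x38 for string_ids_size, 0x3C for string_ids_off) and the ULEB128/NUL-terminated string_data_item layout come from the public DEX format.

```python
"""Flag suspicious Android API references from a DEX file's string table.

Added example for this page, not part of the challenge or any submission. The
parser reads only the header fields and string_ids section of classes.dex; the
watch list and the DEX fixture are constructed here for illustration.
"""
import struct

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70           # fixed DEX header length
STRING_IDS_SIZE_OFF = 0x38   # header: number of string_id_items
STRING_IDS_OFF_OFF = 0x3C    # header: file offset of the string_id_items

# Descriptor/method name -> why a reviewer would look closer. Illustrative
# starting point (assumption for this example), not an exhaustive list.
WATCH_LIST = {
    "Landroid/telephony/SmsManager;": "SMS send/receive (premium-rate fraud, C&C over SMS)",
    "sendTextMessage": "sends SMS",
    "Landroid/telephony/TelephonyManager;": "access to IMEI/IMSI/phone number",
    "getDeviceId": "reads IMEI",
    "getSubscriberId": "reads IMSI",
    "getLine1Number": "reads phone number",
    "Ldalvik/system/DexClassLoader;": "loads code at runtime (hidden payload)",
    "Ljava/lang/reflect/Method;": "reflection (hides the real API name from static scans)",
    "Ljavax/crypto/Cipher;": "encryption (obfuscated config or C&C traffic)",
    "Ljava/lang/Runtime;": "may execute native commands",
}


def read_uleb128(buf, off):
    """Decode a ULEB128 integer at `off`; return (value, offset after it)."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(dex):
    """Return the string table of a DEX file, in string_id order."""
    if len(dex) < HEADER_SIZE or dex[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)  # length is in UTF-16 units
        end = dex.index(b"\x00", start)                    # MUTF-8 data is NUL-terminated
        strings.append(dex[start:end].decode("utf-8", "replace"))
    return strings


def flag_suspicious(dex):
    """Return [(string, reason)] for every watch-listed string in the DEX."""
    return [(s, WATCH_LIST[s]) for s in dex_strings(dex) if s in WATCH_LIST]


def _uleb128(n):
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_minimal_dex(strings):
    """Constructed fixture: a DEX made of a header and a string table only (no
    types, methods or classes). Checksum and signature are left zero; the
    parser above does not verify them."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, HEADER_SIZE + len(ids) + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)                         # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                          # endian_tag
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(strings), ids_off)
    return bytes(header) + ids + data


# Constructed string tables: a naive SMS stealer, and one that hides the same
# calls behind reflection so only the reflection class itself is visible.
NAIVE_STRINGS = ["Lcom/example/app/Main;", "onCreate", "Landroid/telephony/SmsManager;",
                 "sendTextMessage", "Landroid/telephony/TelephonyManager;", "getDeviceId"]
REFLECTIVE_STRINGS = ["Lcom/example/app/Main;", "Ljava/lang/reflect/Method;",
                      "android.telephony.TelephonyManager", "getDevic", "eId"]

if __name__ == "__main__":
    for label, table in (("naive", NAIVE_STRINGS), ("reflective", REFLECTIVE_STRINGS)):
        print(label)
        for s, why in flag_suspicious(build_minimal_dex(table)):
            print(f"  {s:45} {why}")
```

The second fixture shows the limit of the technique: when the method name is assembled at runtime and resolved through reflection (and the class is named in dotted `Class.forName` form rather than as a descriptor), the only thing the scan can flag is the use of reflection itself, which is why `Ljava/lang/reflect/Method;` and `Ldalvik/system/DexClassLoader;` belong on the list as analysis-hardening indicators.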
The archive contains 2 files:
- data.bin: corrupted /data partition image of the phone
- traffic.pcap: traffic capture of the malware communications.
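Because the /data image is corrupted, the file system may not mount cleanly; since an APK is a ZIP container, one recovery route is to carve on ZIP signatures and hash what comes out. The script below is an added example for this page, not the challenge's material or any submission: it builds a small in-memory "image" (random filler, one APK-like archive, one plain ZIP and a truncated copy to mimic corruption) so it runs offline, and it assumes you would feed it `open("data.bin", "rb").read()` for the real image. Function names such as `carve_zip_archives` are this example's own.

```python
"""Carve ZIP/APK containers out of a raw partition image and SHA1 them.

Added example for this page, not part of the challenge materials or any
submission. The sample image is constructed in memory; on the real challenge
file you would pass open("data.bin", "rb").read() instead (hypothetical use,
the file is not bundled here).
"""
import hashlib
import io
import random
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # local file header: starts every ZIP member, so also the archive
CD_SIG = b"PK\x01\x02"     # central directory file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory record (closes the archive)
EOCD_MIN = 22              # fixed part of the EOCD; a variable-length comment may follow


def sha1_hex(blob):
    return hashlib.sha1(blob).hexdigest()


def _find_archive_end(img, start):
    """Locate the EOCD belonging to the archive whose first local header is at
    `start`. A candidate is accepted only if its central-directory offset and
    size (relative to `start`) point at a central directory ending exactly at
    the candidate; this rejects stray PK\\x05\\x06 bytes inside compressed data
    and EOCDs of other archives. Returns the exclusive end offset, or None if
    the archive is truncated. ZIP64 records are not handled."""
    pos = img.find(EOCD_SIG, start)
    while pos >= 0 and pos + EOCD_MIN <= len(img):
        cd_size = int.from_bytes(img[pos + 12:pos + 16], "little")
        cd_off = int.from_bytes(img[pos + 16:pos + 20], "little")
        comment_len = int.from_bytes(img[pos + 20:pos + 22], "little")
        cd_abs = start + cd_off
        if cd_abs + cd_size == pos and img[cd_abs:cd_abs + 4] == CD_SIG:
            return pos + EOCD_MIN + comment_len
        pos = img.find(EOCD_SIG, pos + 1)
    return None


def _zip_names(blob):
    """Member names if `blob` is a ZIP whose members all pass CRC checks, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return None if zf.testzip() is not None else zf.namelist()
    except (zipfile.BadZipFile, ValueError, OSError):
        return None


def carve_zip_archives(img):
    """Scan `img` for ZIP containers; return one dict per intact archive with its
    offset, size, SHA1, member names and whether it looks like an APK. Scanning
    resumes after each carved archive so the local headers of its inner members
    are not reported again as separate archives."""
    found = []
    pos = img.find(LOCAL_HDR)
    while pos >= 0:
        end = _find_archive_end(img, pos)
        names = _zip_names(img[pos:end]) if end else None
        if names is None:
            pos = img.find(LOCAL_HDR, pos + 1)
            continue
        blob = img[pos:end]
        found.append({
            "offset": pos, "size": len(blob), "sha1": sha1_hex(blob), "names": names,
            # An APK carries at least a binary manifest and Dalvik bytecode.
            "is_apk": {"AndroidManifest.xml", "classes.dex"} <= set(names),
        })
        pos = img.find(LOCAL_HDR, end)
    return found


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_image():
    """Constructed fixture standing in for data.bin. Returns (image, apk, zip)."""
    rnd = random.Random(9)

    def filler(n):
        return bytes(rnd.getrandbits(8) for _ in range(n))

    apk = _make_zip({"AndroidManifest.xml": b"<manifest/>",
                     "classes.dex": b"dex\n035\x00" + bytes(64),
                     "res/layout/main.xml": b"<LinearLayout/>"})
    plain = _make_zip({"notes.txt": b"not an application"})
    img = (filler(512) + apk + filler(300) + plain + filler(100)
           + apk[: len(apk) // 2] + filler(200))   # truncated copy mimics corruption
    return img, apk, plain


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for hit in carve_zip_archives(image):
        kind = "APK" if hit["is_apk"] else "ZIP"
        print(f"{kind} @ {hit['offset']:#x} {hit['size']} bytes sha1={hit['sha1']} {hit['names']}")
```

The truncated copy is deliberately left out of the results: an archive without a matching end-of-central-directory record cannot be CRC-verified, so a carver that reported it would hand you a file whose hash means nothing. Reading a whole multi-gigabyte image into memory is fine for a challenge-sized partition; for larger images you would scan a memory-mapped file instead.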
This work by Franck Guenichot, Mahmud Ab Rahman, Ahmad Azizan Idris and Matt Erasmus is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
1. Emilien Girault (submission SHA1: f1530d225862baf9eb8c618c0a1d082e284188d2)
2. Yuhao Luo, Wenbo Yang and Juanru Li (submission SHA1: cfe2d7f6e4aeeefd0de73fd5e91e0903d666834d)
3. José Lopes Esteves (submission SHA1: 18572aba77826317f3aec45284ea76603b795e76)
- Submission Template (65.5 KB)
- Submission Template - Farsi (Persian) (41 KB)
- Submission #1: Emilien Girault (185.5 KB)
- Submission #2: Yuhao Luo, Wenbo Yang and Juanru Li (214.55 KB)
- Submission #3: José Lopes Esteves (431.99 KB)