mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
886658219f
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
243 lines
8.6 KiB
Markdown
243 lines
8.6 KiB
Markdown
---
|
|
name: detecting-mobile-malware-behavior
|
|
description: 'Detects and analyzes malicious behavior in mobile applications through
|
|
behavioral analysis, permission abuse detection, network traffic monitoring, and
|
|
dynamic instrumentation. Use when analyzing suspicious mobile applications for data
|
|
exfiltration, command-and-control communication, credential stealing, SMS interception,
|
|
or other malware indicators. Activates for requests involving mobile malware analysis,
|
|
app behavior monitoring, trojan detection, or suspicious app investigation.
|
|
|
|
'
|
|
domain: cybersecurity
|
|
subdomain: mobile-security
|
|
author: mahipal
|
|
tags:
|
|
- mobile-security
|
|
- android
|
|
- ios
|
|
- malware-analysis
|
|
- owasp-mobile
|
|
- penetration-testing
|
|
version: 1.0.0
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- PR.PS-01
|
|
- PR.AA-05
|
|
- ID.RA-01
|
|
- DE.CM-09
|
|
mitre_attack:
|
|
- T1059
|
|
- T1056
|
|
- T1036
|
|
- T1078
|
|
- T1003
|
|
mitre_f3:
|
|
version: '1.1'
|
|
tactics:
|
|
- positioning
|
|
- execution
|
|
- initial-access
|
|
techniques:
|
|
- id: T1453
|
|
name: Abuse Accessibility Features
|
|
tactic: positioning
|
|
source: attack
|
|
- id: F1003
|
|
name: Abuse SMS verification
|
|
tactic: execution
|
|
source: f3
|
|
- id: T1113
|
|
name: Screen Capture
|
|
tactic: positioning
|
|
source: attack
|
|
- id: T1219
|
|
name: Remote Access Tools
|
|
tactic: positioning
|
|
source: attack
|
|
- id: F1002.001
|
|
name: 'Abuse of Public-Facing API: Mobile API Abuse'
|
|
tactic: positioning
|
|
source: f3
|
|
---
|
|
# Detecting Mobile Malware Behavior
|
|
|
|
## When to Use
|
|
|
|
Use this skill when:
|
|
- Analyzing suspicious mobile applications submitted by users or discovered during incident response
|
|
- Monitoring enterprise mobile fleet for malicious app indicators
|
|
- Performing malware triage on APK/IPA samples
|
|
- Investigating data exfiltration or unauthorized device access from mobile apps
|
|
|
|
**Do not use** this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.
|
|
|
|
## Prerequisites
|
|
|
|
- Isolated analysis environment (dedicated device or emulator, not connected to production networks)
|
|
- MobSF for automated static+dynamic analysis
|
|
- Frida/Objection for runtime behavior monitoring
|
|
- Wireshark/tcpdump for network traffic capture
|
|
- Android emulator (AVD) or Genymotion for safe execution
|
|
- VirusTotal API key for hash lookups
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Static Indicator Analysis
|
|
|
|
```bash
|
|
# Hash the sample
|
|
sha256sum suspicious.apk
|
|
|
|
# Check VirusTotal
|
|
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
|
|
-H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'
|
|
|
|
# Extract permissions from AndroidManifest.xml
|
|
aapt dump permissions suspicious.apk
|
|
|
|
# High-risk permission combinations:
|
|
# READ_SMS + INTERNET = SMS stealer
|
|
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
|
|
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
|
|
# CAMERA + RECORD_AUDIO + INTERNET = spyware
|
|
# DEVICE_ADMIN + INTERNET = ransomware capability
|
|
# READ_CONTACTS + INTERNET = contact exfiltration
|
|
```
|
|
|
|
### Step 2: MobSF Automated Malware Scan
|
|
|
|
```bash
|
|
# Upload to MobSF
|
|
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
|
|
-H "Authorization: <API_KEY>"
|
|
|
|
# Review malware indicators in report:
|
|
# - Hardcoded C2 server addresses
|
|
# - Dynamic code loading (DexClassLoader)
|
|
# - Reflection-based API calls (to evade static analysis)
|
|
# - Encrypted/obfuscated payloads
|
|
# - Root detection (malware often checks for root)
|
|
# - Anti-emulator checks (malware evades sandbox)
|
|
```
|
|
|
|
### Step 3: Network Behavior Monitoring
|
|
|
|
```bash
|
|
# Start packet capture on emulator
|
|
tcpdump -i any -w malware_traffic.pcap
|
|
|
|
# Or use mitmproxy for HTTP/HTTPS
|
|
mitmproxy --mode transparent
|
|
|
|
# Monitor for:
|
|
# - DNS lookups to suspicious/newly registered domains
|
|
# - Connections to known C2 infrastructure
|
|
# - Data exfiltration patterns (large POST requests)
|
|
# - Beaconing behavior (regular interval connections)
|
|
# - Non-standard ports and protocols
|
|
# - Domain Generation Algorithm (DGA) patterns
|
|
```
|
|
|
|
### Step 4: Runtime Behavior Monitoring with Frida
|
|
|
|
```javascript
|
|
// monitor_malware.js - Comprehensive behavior monitoring
|
|
Java.perform(function() {
|
|
// Monitor SMS access
|
|
var SmsManager = Java.use("android.telephony.SmsManager");
|
|
SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
|
|
"java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
|
|
.implementation = function(dest, sc, text, sent, delivery) {
|
|
console.log("[SMS] Sending to: " + dest + " Text: " + text);
|
|
// Allow or block based on analysis needs
|
|
return this.sendTextMessage(dest, sc, text, sent, delivery);
|
|
};
|
|
|
|
// Monitor file operations
|
|
var FileOutputStream = Java.use("java.io.FileOutputStream");
|
|
FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
|
|
console.log("[FILE-WRITE] " + path);
|
|
return this.$init(path);
|
|
};
|
|
|
|
// Monitor network connections
|
|
var URL = Java.use("java.net.URL");
|
|
URL.openConnection.overload().implementation = function() {
|
|
console.log("[NET] " + this.toString());
|
|
return this.openConnection();
|
|
};
|
|
|
|
// Monitor dynamic code loading
|
|
var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
|
|
DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
|
|
console.log("[DEX-LOAD] Loading: " + dexPath);
|
|
return this.$init(dexPath, optDir, libPath, parent);
|
|
};
|
|
|
|
// Monitor command execution
|
|
var Runtime = Java.use("java.lang.Runtime");
|
|
Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
|
|
console.log("[EXEC] " + cmd);
|
|
return this.exec(cmd);
|
|
};
|
|
|
|
// Monitor camera/audio access
|
|
var Camera = Java.use("android.hardware.Camera");
|
|
Camera.open.overload("int").implementation = function(id) {
|
|
console.log("[CAMERA] Camera opened: " + id);
|
|
return this.open(id);
|
|
};
|
|
|
|
// Monitor content provider access (contacts, call log)
|
|
var ContentResolver = Java.use("android.content.ContentResolver");
|
|
ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
|
|
"java.lang.String", "[Ljava.lang.String;", "java.lang.String")
|
|
.implementation = function(uri, proj, sel, selArgs, sort) {
|
|
console.log("[QUERY] " + uri.toString());
|
|
return this.query(uri, proj, sel, selArgs, sort);
|
|
};
|
|
|
|
console.log("[*] Malware behavior monitor active");
|
|
});
|
|
```
|
|
|
|
### Step 5: Classify Malware Type
|
|
|
|
Based on observed behaviors, classify the sample:
|
|
|
|
| Behavior Pattern | Malware Type |
|
|
|-----------------|-------------|
|
|
| SMS interception + C2 communication | Banking Trojan |
|
|
| Camera/mic access + data upload | Spyware/Stalkerware |
|
|
| File encryption + ransom note display | Mobile Ransomware |
|
|
| Ad injection + click fraud traffic | Adware |
|
|
| Root exploit + persistence | Rootkit |
|
|
| Contact harvesting + SMS spam | Worm/SMS Spammer |
|
|
| Overlay attacks + credential capture | Credential Stealer |
|
|
| Crypto mining network activity | Cryptojacker |
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|-----------|
|
|
| **Dynamic Code Loading** | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis |
|
|
| **C2 Beacon** | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns |
|
|
| **DGA** | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure |
|
|
| **Overlay Attack** | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission |
|
|
| **Anti-Emulator** | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior |
|
|
|
|
## Tools & Systems
|
|
|
|
- **MobSF**: Automated static and dynamic analysis for initial malware triage
|
|
- **VirusTotal**: Multi-engine malware scanning and hash reputation lookup
|
|
- **Frida**: Runtime behavior monitoring through method hooking
|
|
- **Wireshark**: Network traffic analysis for C2 communication patterns
|
|
- **Cuckoo Sandbox / CuckooDroid**: Automated malware analysis sandbox for Android samples
|
|
|
|
## Common Pitfalls
|
|
|
|
- **Anti-analysis evasion**: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
|
|
- **Time-delayed payloads**: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
|
|
- **Encrypted C2**: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
|
|
- **Multi-stage payloads**: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.
|