Hummingbad: Tools & Techniques To Use When Inspecting Android Applications

  • Webcast Aired Friday, 09 Dec 2016 1:00PM EST (09 Dec 2016 18:00 UTC)
  • Speakers: Cindy Murphy, Chris Crowley

This presentation explores methodology for performing malware analysis. We use the specific case of the Hummingbad family of malware since it is a substantial collection of variants, has substantial functionality, and represents the ongoing trend of organized, revenue producing malware that is also used to steal information. Android malware is substantially more common that iOS malware.

Android users can choose to disable the 'Unknown sources ' Allow installation of apps from unknown sources ' and install applications from anywhere. Malware uses social engineering tricks to dupe victims into installing the malware. These tricks include: appearing to be a different application; sending text messages from a compromised phone to another person compelling him to install the application for some reason; threats of an infected phone, and suggestion to install anti-virus software which is actually malware. Incidentally, Hummingbad's creators are attributed as also creating an iOS malware called YiSpecter.

The Hummingbad family of malware had hundreds of variants discovered. Estimates of infected phones is in the millions and monthly fraudulent ad revenue is about $300,000 USD. The malicious behavior included: persistent root, installation of ad revenue producing apps, and key logger collection of credentials to steal information within protected containers. It's spreading vectors includes drive by downloads, and fraudulent applications purporting to be pornography. It also tries to trick users into installing software, claiming to be an update, in order to root the phone.

In this webcast, Cindy Murphy and Christopher Crowley will show tools and techniques you can use to inspect Android applications to determine if they exhibit malicious behavior, using the Hummingbad family of malware as example specimens. This methodology can be employed as forensic analysis and can also be used in application assessments to determine if an application is suitable for use within an organization.

SANS CYBER DEFENSE INTIATIVE Washington, DC | Dec 10-17
FOR585 Advanced Smartphone Forensics Course Instructor: Cindy Murphy
SEC575 Mobile Device Security and Ethical Hacking Instructor: Chris Crowley
For more information or to register visit: https://www.sans.org/u/mDb

The topic cover in this webcast is just a sample of the many important subjects covered in both FOR585 Advanced Smartphone Forensics and SEC575 Mobile Device Security and Ethical Hacking. To learn more about these courses or to find training near you, visit sans.org/FOR585 or sans.org/SEC575.