Anthropic-Cybersecurity-Skills detecting-mobile-malware-behavior

'Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse

install

source · Clone the upstream repo

git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/detecting-mobile-malware-behavior" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-detecting-mobile-malware-behavior && rm -rf "$T"

manifest: skills/detecting-mobile-malware-behavior/SKILL.md

source content

Detecting Mobile Malware Behavior

When to Use

Use this skill when:

Analyzing suspicious mobile applications submitted by users or discovered during incident response
Monitoring enterprise mobile fleet for malicious app indicators
Performing malware triage on APK/IPA samples
Investigating data exfiltration or unauthorized device access from mobile apps

Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.

Prerequisites

Isolated analysis environment (dedicated device or emulator, not connected to production networks)
MobSF for automated static+dynamic analysis
Frida/Objection for runtime behavior monitoring
Wireshark/tcpdump for network traffic capture
Android emulator (AVD) or Genymotion for safe execution
VirusTotal API key for hash lookups

Workflow

Step 1: Static Indicator Analysis

# Hash the sample
sha256sum suspicious.apk

# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'

# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk

# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration

Step 2: MobSF Automated Malware Scan

# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"

# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)

Step 3: Network Behavior Monitoring

# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap

# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent

# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns

Step 4: Runtime Behavior Monitoring with Frida

// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
    // Monitor SMS access
    var SmsManager = Java.use("android.telephony.SmsManager");
    SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
        "java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
        .implementation = function(dest, sc, text, sent, delivery) {
            console.log("[SMS] Sending to: " + dest + " Text: " + text);
            // Allow or block based on analysis needs
            return this.sendTextMessage(dest, sc, text, sent, delivery);
        };

    // Monitor file operations
    var FileOutputStream = Java.use("java.io.FileOutputStream");
    FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
        console.log("[FILE-WRITE] " + path);
        return this.$init(path);
    };

    // Monitor network connections
    var URL = Java.use("java.net.URL");
    URL.openConnection.overload().implementation = function() {
        console.log("[NET] " + this.toString());
        return this.openConnection();
    };

    // Monitor dynamic code loading
    var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
    DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
        console.log("[DEX-LOAD] Loading: " + dexPath);
        return this.$init(dexPath, optDir, libPath, parent);
    };

    // Monitor command execution
    var Runtime = Java.use("java.lang.Runtime");
    Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
        console.log("[EXEC] " + cmd);
        return this.exec(cmd);
    };

    // Monitor camera/audio access
    var Camera = Java.use("android.hardware.Camera");
    Camera.open.overload("int").implementation = function(id) {
        console.log("[CAMERA] Camera opened: " + id);
        return this.open(id);
    };

    // Monitor content provider access (contacts, call log)
    var ContentResolver = Java.use("android.content.ContentResolver");
    ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
        "java.lang.String", "[Ljava.lang.String;", "java.lang.String")
        .implementation = function(uri, proj, sel, selArgs, sort) {
            console.log("[QUERY] " + uri.toString());
            return this.query(uri, proj, sel, selArgs, sort);
        };

    console.log("[*] Malware behavior monitor active");
});

Step 5: Classify Malware Type

Based on observed behaviors, classify the sample:

Behavior Pattern	Malware Type
SMS interception + C2 communication	Banking Trojan
Camera/mic access + data upload	Spyware/Stalkerware
File encryption + ransom note display	Mobile Ransomware
Ad injection + click fraud traffic	Adware
Root exploit + persistence	Rootkit
Contact harvesting + SMS spam	Worm/SMS Spammer
Overlay attacks + credential capture	Credential Stealer
Crypto mining network activity	Cryptojacker

Key Concepts

Term	Definition
Dynamic Code Loading	Loading executable code at runtime from external sources, commonly used by malware to evade static analysis
C2 Beacon	Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns
DGA	Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure
Overlay Attack	Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission
Anti-Emulator	Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior

Tools & Systems

MobSF: Automated static and dynamic analysis for initial malware triage
VirusTotal: Multi-engine malware scanning and hash reputation lookup
Frida: Runtime behavior monitoring through method hooking
Wireshark: Network traffic analysis for C2 communication patterns
Cuckoo Sandbox / CuckooDroid: Automated malware analysis sandbox for Android samples

Common Pitfalls

Anti-analysis evasion: Sophisticated malware detects emulators, debuggers, and Frida. Use hardware devices and stealthy Frida configurations for accurate analysis.
Time-delayed payloads: Some malware activates only after a delay or specific trigger. Monitor for extended periods and simulate various conditions.
Encrypted C2: Malware using encrypted communications requires TLS interception or memory inspection to observe payload content.
Multi-stage payloads: Initial APK may be benign; malicious payload downloads later. Monitor for dynamic code loading and file downloads.