How would you detect an installed trojan in Android?

(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

For example, a trojan is installed in an Android mobile phone and it gathers some information (keylogging, records calls, etc.), and then sends the information outside. How would you detect it? Which free tools would you use?

Would scanning ports in order to check which information is being sent be a possibility?

That is the question.

 
Posted : 22/10/2015 8:45 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Turn off all radio, except WiFi.
Connect to WiFi.
Sniff traffic.

 
Posted : 22/10/2015 11:41 pm
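The three steps above (isolate the phone on a WiFi you control, then sniff) leave you with a capture in which the trojan's upload is mixed with ordinary app traffic. One way to pick it out is to look for destinations the phone contacts on a fixed schedule, since a scheduled upload has regular timing while browsing arrives in bursts. The script below is an added example, not code from this thread or from any tool named in it; it assumes the analyst has already reduced the capture to one whitespace-separated line per connection (timestamp, source, destination, port, bytes the phone sent), a format chosen here for illustration, and the flow records it contains are constructed.

```python
"""Find call-home destinations in flow records from an isolated test WiFi.

Added example. Input format (assumed, not produced by any particular tool):
    <epoch seconds> <src ip> <dst ip> <dst port> <bytes the phone sent>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample. The phone (10.0.0.5) talks to a content host at
# irregular times, checks a time server twice, and pushes roughly 900 bytes
# to 203.0.113.7:8080 exactly every 60 seconds. All addresses are from the
# IETF documentation ranges; none of this is real traffic.
SAMPLE_FLOWS = """\
# ts         src       dst            dport bytes_out
1445545200   10.0.0.5  203.0.113.7    8080  900
1445545205   10.0.0.5  198.51.100.20  443   350
1445545247   10.0.0.5  198.51.100.20  443   2100
1445545260   10.0.0.5  203.0.113.7    8080  880
1445545300   10.0.0.5  192.0.2.1      123   48
1445545320   10.0.0.5  203.0.113.7    8080  910
1445545380   10.0.0.5  203.0.113.7    8080  895
1445545440   10.0.0.5  203.0.113.7    8080  905
1445545500   10.0.0.5  198.51.100.20  443   600
1445545510   10.0.0.5  198.51.100.20  443   410
1445545810   10.0.0.5  198.51.100.20  443   1500
1445546500   10.0.0.5  192.0.2.1      123   48
"""


@dataclass
class Flow:
    ts: int          # epoch seconds when the connection started
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes the phone sent on this connection


def parse_flows(text: str) -> list[Flow]:
    """Parse flow lines; blank lines and '#' comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows: list[Flow], phone_ip: str,
                 min_count: int = 4, max_cv: float = 0.2) -> list[dict]:
    """Return (dst, port) pairs the phone contacts at regular intervals.

    A destination qualifies when it is seen at least min_count times and the
    gaps between connections have a coefficient of variation (stdev / mean)
    at or below max_cv. Results are sorted most regular first, then by
    bytes uploaded, so the likeliest exfiltration channel is at the top.
    """
    by_dest: dict[tuple[str, int], list[Flow]] = defaultdict(list)
    for f in flows:
        if f.src == phone_ip:
            by_dest[(f.dst, f.dport)].append(f)

    hits = []
    for (dst, dport), group in by_dest.items():
        if len(group) < min_count:
            continue
        times = sorted(f.ts for f in group)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                      # several connections in the same second: not a schedule
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "dst": dst, "dport": dport, "count": len(group),
                "interval_s": round(avg, 1), "cv": round(cv, 3),
                "bytes_out": sum(f.bytes_out for f in group),
            })
    hits.sort(key=lambda h: (h["cv"], -h["bytes_out"]))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS), "10.0.0.5"):
        print(f"{hit['dst']}:{hit['dport']}  every {hit['interval_s']}s  "
              f"x{hit['count']}  {hit['bytes_out']} bytes up  (cv={hit['cv']})")
```

On the constructed input only 203.0.113.7:8080 is reported; the content host is contacted five times too, but its gaps vary far too much to pass the regularity test, and the time server is seen too rarely to judge. Against a real capture, lower `max_cv` if legitimate sync services (mail, push) show up, and remember that a trojan which only uploads when it has new recordings will not beacon at all, which is where the DNS and per-destination byte counts matter more than timing.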
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I can detect it.

 
Posted : 22/10/2015 11:52 pm
(@droopy)
Posts: 136
Estimable Member
 

There is a top secret tool for that. Called antivirus.

 
Posted : 23/10/2015 2:09 am
(@the_m3chan1c)
Posts: 7
Active Member
 

I've done this before actually. I set up a test wireless environment in one of our RF-shielded labs so that nothing could call home.

There are many free tools you can use to do this. Sniffing the traffic on your test network is the first thing that I would do. Wireshark is a great tool that is free and is extremely powerful once you learn how to use it.

That being said, I have run into malware on PCs that was advanced enough to check for DNS before trying to call home. That's where a free tool called DNSChef comes in handy. It basically sets up a fake DNS server that has no WAN connection, and it makes the malware think it is connected, so it will try to call home. You can log the traffic from there.

As far as scanning ports and services, fire up Nmap and go to town on it. You'll have to do some research on how to tailor your scans to specifically target mobile devices, as sometimes you may need to limit your packet rate or change other flags in order for Nmap to play nicely.

I also like to do a physical acquisition of the device in order to look through the file system to determine where the malware might be hiding. If it is found to be a malicious .apk then that's awesome. Take the .apk file and decompile it in order to see exactly what it's doing. For doing those things I typically use a Linux distribution called Santoku, as it is a prebuilt environment that has everything you need for reverse engineering an .apk file. If the malware developer is smart then they will obfuscate the code in some way. I won't go into that subject here, as it is a whole other animal that you will have to research on your own.

If you have any questions feel free to PM me and we can discuss it further. Good luck!

 
Posted : 23/10/2015 9:55 pm
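The last step in the post above, decompiling a suspect .apk to see what it does, starts with the manifest: before reading any code, the declared permissions and components already say whether the app can record, read messages, survive a reboot and reach the network. The script below is an added example and not code from the thread or from Santoku; it assumes the .apk has been unpacked to plain-text XML first (apktool's decoded AndroidManifest.xml is the assumed input), and the manifest it carries is constructed to look like a flashlight app with spyware capabilities.

```python
"""Triage a decoded AndroidManifest.xml for spyware-style capability combinations.

Added example. Assumes the manifest has already been decoded to text
(for instance by apktool); the sample manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"          # android:name
A_PERM = f"{{{ANDROID_NS}}}permission"    # android:permission

# Permissions grouped by what they let the app collect on the device.
CAPTURE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.CAMERA": "camera",
    "android.permission.PROCESS_OUTGOING_CALLS": "outgoing call numbers",
}
NETWORK = {"android.permission.INTERNET"}
PERSISTENCE = {"android.permission.RECEIVE_BOOT_COMPLETED"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest: a "flashlight" that records audio, reads SMS and
# the call log, restarts at boot and registers an accessibility service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".Sync"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def _receivers_for_action(app, action):
    """Names of <receiver> elements whose intent-filter lists the given action."""
    names = []
    for recv in app.iter("receiver"):
        if any(act.get(A_NAME) == action for act in recv.iter("action")):
            names.append(recv.get(A_NAME))
    return names


def triage_manifest(xml_text):
    """Summarise what the manifest lets the app do and why that is worth a look."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        app = ET.Element("application")   # no components declared at all
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}

    report = {
        "package": root.get("package"),
        "captures": sorted(CAPTURE[p] for p in perms if p in CAPTURE),
        "network": bool(perms & NETWORK),
        "boot_receivers": _receivers_for_action(app, BOOT_ACTION),
        "accessibility_services": [s.get(A_NAME) for s in app.iter("service")
                                   if s.get(A_PERM) == ACCESSIBILITY_PERM],
        "device_admin_receivers": [r.get(A_NAME) for r in app.iter("receiver")
                                   if r.get(A_PERM) == DEVICE_ADMIN_PERM],
        "verdict": [],
    }
    v = report["verdict"]
    if report["captures"] and report["network"]:
        v.append("collects " + ", ".join(report["captures"])
                 + " and holds INTERNET, so it has a path to send that off the device")
    if report["boot_receivers"] or perms & PERSISTENCE:
        v.append("starts itself after a reboot (BOOT_COMPLETED)")
    if report["accessibility_services"]:
        v.append("registers an accessibility service, which can observe screen content and input")
    if report["device_admin_receivers"]:
        v.append("asks for device administrator rights, which makes it harder to remove")
    return report


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"])
    for line in result["verdict"]:
        print(" -", line)
```

A manifest verdict is a pointer, not proof: a genuine messaging app legitimately holds READ_SMS and INTERNET. What the triage buys you is the list of components to open first in the decompiled code (here the boot receiver and the accessibility service) and, for the sniffing side, the capabilities whose output you should expect to see leaving the device.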
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

There is a top secret tool for that. Called antivirus.

Facepalm.

😯

 
Posted : 26/10/2015 3:12 pm