Thursday, August 04, 2011

Forensic Challenge 9 - "Mobile Malware"

We did it again: this time we published a new challenge on mobile malware. This was a really rewarding challenge for us to work on, since it brought together several chapters. This time, Azizan and I teamed up with Franck Guenichot from the French Chapter and Matt Erasmus from the South Africa Chapter.

Enjoy the challenge! :)

Here is the description of the challenge posted by the Honeynet Project:

Forensic Challenge 9 - "Mobile Malware"

Challenge 9 - Mobile Malware (provided by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter)
Please submit your solution using the submission template below by September 30th 2011 at
Results will be announced mid October. For any questions and inquiries, please contact
Skill Level: Intermediate
With the number of smartphone users growing exponentially (1.6 billion mobile device units sold in 2010, 19% were smartphones) mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.
This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident.
You will have to analyze the image of a portion of the file system, extract anything that looks suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse engineering and PCAP analysis, this challenge will take you into the world of mobile malware.
1. Write an executive summary of this incident (3 pts)
2. Provide the phone brand, model, OS name and version (1 pt)
3. Extract any suspicious application (if any). Detail your extraction method. Please provide the name and SHA1 for each suspicious app. (4 pts)
4. What permissions are requested by the malware(s)? Why are they suspicious? (1 pt)
5. Please provide one or more solutions to quickly identify any suspicious API (please define what you consider a suspicious API according to your understanding) (8 pts)
6. What is the malware's home server URL and where is it located? Where in the code is/are the command server URL(s) stored? (4 pts)
7. What can you say about the communications model between the malware and its C&C server? (2 pts)
8. If encryption was used for the communication, which encryption algorithm was used? What was the key used? Explain how you found it. (4 pts)
9. Please draw a graph of the decrypted communication flow, found in the pcap, between the malware and the C&C (4 pts)
10. What personal information was leaked during this incident? A special *secret* piece of information was leaked; explain how and what it was. (2 pts)
11. What particular techniques are used by the malware to harden analysis or to evade detection? What unusual behavior can be noticed? (6 pts)
12. Provide a detailed analysis of the malware behavior and features. (10 pts)
13. Please provide a method to block, or to request permission from the user (similar to the UAC concept), when a suspicious call is made on Android (8 pts)
SHA1: dbc378ce1807a4a2459f882b13b4224d0db8fbc7
The archive contains 2 files:
- data.bin: corrupted /data partition image of the phone
- traffic.pcap: traffic capture of the malware communications.
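Question 3 asks for the extraction method and a SHA1 per suspicious application, and data.bin is described as a corrupted partition image, so the first practical step is usually to carve archives straight out of the raw bytes rather than rely on the damaged file system. The script below is an added example written for this post (it is not part of the Honeynet challenge materials or its official solution): it scans an image for ZIP local file headers, ties each one to an end-of-central-directory record whose offsets are self-consistent, validates the carved blob, flags it as an APK when it carries both AndroidManifest.xml and classes.dex, and reports offset, size and SHA1. The sample image, entry names and file contents are constructed in-memory for demonstration; the constant names and the `carve_*` functions are assumptions of this example. Truncated archives (the EOCD record is missing) are deliberately skipped, which is what you should expect from a corrupted image.

```python
import hashlib
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header signature
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory (EOCD) signature
EOCD_LEN = 22              # fixed part of the EOCD record; a comment may follow


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def _find_eocd_end(image: bytes, start: int):
    """Return the byte offset one past the EOCD record belonging to the archive
    that begins at `start`, or None if no consistent EOCD is found.

    The EOCD stores the central directory's size and its offset relative to the
    archive start; an EOCD matches `start` only if start + cd_offset + cd_size
    lands exactly on the EOCD itself. That check rejects EOCDs of other archives
    and random 'PK\\x05\\x06' byte runs in slack space."""
    search = start
    while True:
        eocd = image.find(EOCD_SIG, search)
        if eocd == -1 or eocd + EOCD_LEN > len(image):
            return None
        # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
        #              cd_size(4) cd_offset(4) comment_len(2)
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", image, eocd + 12)
        if start + cd_offset + cd_size == eocd:
            return eocd + EOCD_LEN + comment_len
        search = eocd + len(EOCD_SIG)


def carve_zip_archives(image: bytes):
    """Yield (offset, blob) for every self-consistent ZIP archive in a raw image."""
    pos = 0
    while True:
        start = image.find(LOCAL_HDR, pos)
        if start == -1:
            return
        end = _find_eocd_end(image, start)
        if end is not None and zipfile.is_zipfile(io.BytesIO(image[start:end])):
            yield start, image[start:end]
            pos = end  # local headers inside this archive belong to it; skip them
        else:
            pos = start + len(LOCAL_HDR)  # truncated/corrupt: move on


def classify_archive(blob: bytes) -> dict:
    """Hash a carved archive and decide whether it looks like an Android package.
    AndroidManifest.xml inside an APK is binary XML, so listing its permissions
    needs a dedicated decoder; here we only detect the APK shape."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
    return {
        "sha1": sha1_hex(blob),
        "size": len(blob),
        "is_apk": "AndroidManifest.xml" in names and "classes.dex" in names,
        "entries": sorted(names),
    }


def carve_apks(image: bytes) -> list:
    """Carve every ZIP archive from `image` and annotate it; APKs are flagged."""
    results = []
    for offset, blob in carve_zip_archives(image):
        info = classify_archive(blob)
        info["offset"] = offset
        results.append(info)
    return results


def carve_file(path: str) -> list:
    """Convenience wrapper for a real image such as data.bin."""
    with open(path, "rb") as fh:
        return carve_apks(fh.read())


# ---- constructed sample image (not real challenge data) ----------------------
def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2011, 8, 4, 0, 0, 0)), data)
    return buf.getvalue()


SAMPLE_APK = _build_zip({"AndroidManifest.xml": b"<manifest/>",
                         "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
                         "res/layout/main.xml": b"<LinearLayout/>"})
SAMPLE_PLAIN = _build_zip({"notes.txt": b"not an app"})
SAMPLE_IMAGE = (b"\x00" * 1024 + SAMPLE_APK        # APK sitting in slack space
                + b"\xff" * 256 + SAMPLE_PLAIN      # an ordinary ZIP, not an APK
                + b"\x00" * 64 + SAMPLE_APK[:200])  # truncated copy: must be skipped

if __name__ == "__main__":
    for r in carve_apks(SAMPLE_IMAGE):
        print(f"offset={r['offset']} size={r['size']} apk={r['is_apk']} sha1={r['sha1']}")
```

Run it against the real image with `carve_file("data.bin")`; each flagged APK can then be written out with its SHA1 as the file name so the hash in your answer matches the artifact you hand in. Because the match between local header and EOCD is checked arithmetically, an archive whose tail was overwritten is reported as absent rather than as a half-valid blob.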
This work by Franck Guenichot, Mahmud Ab Rahman, Ahmad Azizan Idris and Matt Erasmus is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.