Forensic Challenge 9 - "Mobile Malware"

Challenge 9 - Mobile Malware (provided by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter)

Please submit your solution using the submission template below by September 30th 2011 at http://www.honeynet.org/challenge2010.

Results will be announced mid October. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.

Skill Level: Intermediate

With the number of smartphone users growing exponentially (1.6 billion mobile device units were sold in 2010, 19% of them smartphones), mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.

This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident.
You will have to analyze the image of a portion of the file system, extract everything that looks suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse engineering and PCAP analysis, this challenge will take you into the world of mobile malware.

Questions:
1. Write an executive summary of this incident. (3 pts)
2. Provide the phone brand, model, OS name and version. (1 pt)
3. Extract any suspicious application (if any). Detail your extraction method. Please provide the name and SHA1 for each suspicious app. (4 pts)
4. What permissions are requested by the malware(s)? Why are they suspicious? (1 pt)
5. Please provide one or more solutions to quickly identify any suspicious API (define what you consider a suspicious API according to your own understanding). (8 pts)
6. What is the malware's home server URL and where is it located? Where in the code is/are the command server URL(s) stored? (4 pts)
7. What can you say about the communications model between the malware and its C&C server? (2 pts)
8. If encryption was used for the communication, which encryption algorithm was used? What was the key used? Explain how you found it. (4 pts)
9. Please draw a graph of the decrypted communication flow, found in the pcap, between the malware and the C&C. (4 pts)
10. What personal information was leaked during this incident? A special *secret* piece of information was leaked; explain what it was and how it was leaked. (2 pts)
11. What particular techniques are used by the malware to hinder analysis or to evade detection? What unusual behavior can be noticed? (6 pts)
12. Provide a detailed analysis of the malware's behavior and features. (10 pts)
13. Please provide a method to block, or to prompt the user for permission (similar to the UAC concept), whenever a suspicious API call is made on Android. (8 pts)

Download:

fc9files-final.tar.gz
SHA1: dbc378ce1807a4a2459f882b13b4224d0db8fbc7

The archive contains 2 files:
- data.bin: corrupted /data partition image of the phone
- traffic.pcap: traffic capture of the malware communications.

This work by Franck Guenichot, Mahmud Ab Rahman, Ahmad Azizan Idris and Matt Erasmus is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:
1. Emilien Girault (submission SHA1: f1530d225862baf9eb8c618c0a1d082e284188d2)
2. Yuhao Luo, Wenbo Yang and Juanru Li (submission SHA1: cfe2d7f6e4aeeefd0de73fd5e91e0903d666834d)
3. José Lopes Esteves (submission SHA1: 18572aba77826317f3aec45284ea76603b795e76)

Attachments:
- Submission Template (65.5 KB)
- Submission Template - Farsi (Persian) (41 KB)
- Submission #1: Emilien Girault (185.5 KB)
- Submission #2: Yuhao Luo, Wenbo Yang and Juanru Li (214.55 KB)
- Submission #3: José Lopes Esteves (431.99 KB)