Advanced APK Investigation | Android Malware

Rushi Mehta
2 min read, Oct 10, 2023

Cyber criminals have started moving towards Android malware to steal OTPs, user information and more. When a victim reports such an APK, it needs to be reverse engineered to trace the criminal. Here are the steps for doing so.

1. Download the APK and upload it on VirusTotal (virustotal.com)

2. Open the Behavior tab and click on “Full Reports”

3. Click on Zenbox to see the detailed sandbox report.

4. Sample link opened when clicking on Zenbox. The file name in the path is the sample's SHA-256 followed by the sandbox name, and the link is a signed URL with an Expires timestamp, so it stops working after that time:

https://vtbehaviour.commondatastorage.googleapis.com/a36a6e332f5e3ff0ab4b9d38add0ad6924702d14307ad325e7b825b3033d981b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1696924810&Signature=n9zc%2B0%2F2JVVX7A1fLX2WBY%2B2Q4CZ5lBGQYg9ZMV3afoD820Bb%2Fxu0HzvaB8g%2Fm7%2FGWKsqGBStmkw%0ADgLG%2BBB836ZfdTXqebHzNz2XbSO6pvA9UlAK490N%2BSMpDrmeFuH0eTHZYgfodDpALhEwvpK30EI9%0A0PKR5HWZ5i03Fqrvre5cHbklIfGMuSxI7b0j%2FYQ2yUKBQW3zja%2FGfMCIWzrZdMM9boyZOAc5XB6K%0AZTAeo7Si9Qhyzy1kP9XLar26fhugETav0V2wINXW%2F1btIwlomLF2NW4uf5cGc9R2tCCfpaVMbkcv%0AXVzkAsqhOvwU0i1y2nsBwU7e%2FxBXpeiPXFHhlw%3D%3D&response-content-type=text%2Fhtml;

5. Network Traffic Information: the sandbox report lists the domains, URLs and IP addresses the APK contacted while running. This is where the malware's backend (the URL used in the next step) shows up.

Investigation Steps:

If the network traffic shows a Firebase URL (Firebase is a product of Google), the next step is to request information about that URL through Google's LERS (Law Enforcement Request System) portal, seeking details like:

  • Google Cloud Project Information
  • Google Cloud Customer Information
  • Email Address
  • Login History
  • Payment Mode

These details identify the account behind the Firebase project and can be used to pinpoint the cyber criminal.
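As an added example (not code from the original post), the steps above as Python helpers: hashing the APK, building the VirusTotal API v3 URLs for the behaviour summary and the Zenbox report, parsing the signed Zenbox link from step 4 to recover the sample hash and expiry, and pulling the contacted hosts out of a behaviour summary to flag the Google/Firebase endpoints that a LERS request would name. The behaviour summary below is constructed in the shape of VirusTotal's behaviour_summary keys (dns_lookups, http_conversations, ip_traffic); its hostnames and addresses are invented, and the list of Google-hosted suffixes is my own assumption.

```python
"""Added example, not code from the original post: offline triage helpers for
the VirusTotal workflow above (sample hash, report URLs, Zenbox link parsing,
network indicators, Google/Firebase endpoint spotting for the LERS step)."""
import hashlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

VT_API = "https://www.virustotal.com/api/v3"

# Assumption: suffixes of Google-operated hosts (Firebase Realtime Database,
# Firebase Hosting, App Engine, Cloud Functions, Google APIs). Author's own list.
GOOGLE_HOSTED_SUFFIXES = (".firebaseio.com", ".firebaseapp.com", ".web.app",
                          ".appspot.com", ".cloudfunctions.net", ".googleapis.com")


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of the APK bytes; VirusTotal keys every file object by this hash."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Same, streamed from disk so large APKs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_endpoints(sha256: str, sandbox: str = "Zenbox") -> dict:
    """VirusTotal API v3 URLs for the file, its behaviour summary and the
    per-sandbox report (the API key goes in an 'x-apikey' header)."""
    sandbox_id = f"{sha256}_{sandbox}"
    return {
        "file": f"{VT_API}/files/{sha256}",
        "behaviour_summary": f"{VT_API}/files/{sha256}/behaviour_summary",
        "sandbox_report": f"{VT_API}/file_behaviours/{sandbox_id}",
        "sandbox_html": f"{VT_API}/file_behaviours/{sandbox_id}/html",
    }


def parse_report_link(link: str) -> dict:
    """Recover sample hash, sandbox name and expiry from a signed vtbehaviour
    link: the path ends in <sha256>_<Sandbox>.html, the query carries Expires."""
    u = urlparse(link)
    stem = u.path.rsplit("/", 1)[-1].split(".html", 1)[0]
    sha256, sandbox = stem.split("_", 1)
    expires = datetime.fromtimestamp(int(parse_qs(u.query)["Expires"][0]), tz=timezone.utc)
    return {"sha256": sha256, "sandbox": sandbox, "expires": expires,
            "expired": datetime.now(timezone.utc) > expires}


def network_indicators(summary: dict) -> dict:
    """Flatten a behaviour_summary 'attributes' object into hosts/URLs/IPs and
    pick out the Google-hosted hosts, which are what a LERS request targets."""
    hosts, urls = set(), set()
    for d in summary.get("dns_lookups", []):
        hosts.add(d["hostname"].lower())
    for c in summary.get("http_conversations", []):
        urls.add(c["url"])
        host = urlparse(c["url"]).hostname
        if host:
            hosts.add(host.lower())
    ips = {t["destination_ip"] for t in summary.get("ip_traffic", [])}
    return {
        "hosts": sorted(hosts),
        "urls": sorted(urls),
        "ips": sorted(ips),
        "google_hosted": sorted(h for h in hosts if h.endswith(GOOGLE_HOSTED_SUFFIXES)),
    }


# Constructed sample in the shape of VT's behaviour_summary keys. Not real data:
# the app name is invented and the addresses are RFC 5737 documentation ranges.
SAMPLE_SUMMARY = {
    "dns_lookups": [
        {"hostname": "example-otp-app.firebaseio.com", "resolved_ips": ["192.0.2.10"]},
        {"hostname": "fcm.googleapis.com", "resolved_ips": ["198.51.100.20"]},
        {"hostname": "cdn.example.net", "resolved_ips": ["203.0.113.7"]},
    ],
    "http_conversations": [
        {"url": "https://example-otp-app.firebaseio.com/sms.json", "request_method": "PUT"},
        {"url": "http://cdn.example.net/update.apk", "request_method": "GET"},
    ],
    "ip_traffic": [
        {"destination_ip": "203.0.113.7", "destination_port": 80, "transport_layer_protocol": "TCP"},
    ],
}

# The Zenbox link quoted in step 4 of the post.
SAMPLE_LINK = "https://vtbehaviour.commondatastorage.googleapis.com/a36a6e332f5e3ff0ab4b9d38add0ad6924702d14307ad325e7b825b3033d981b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1696924810&Signature=n9zc%2B0%2F2JVVX7A1fLX2WBY%2B2Q4CZ5lBGQYg9ZMV3afoD820Bb%2Fxu0HzvaB8g%2Fm7%2FGWKsqGBStmkw%0ADgLG%2BBB836ZfdTXqebHzNz2XbSO6pvA9UlAK490N%2BSMpDrmeFuH0eTHZYgfodDpALhEwvpK30EI9%0A0PKR5HWZ5i03Fqrvre5cHbklIfGMuSxI7b0j%2FYQ2yUKBQW3zja%2FGfMCIWzrZdMM9boyZOAc5XB6K%0AZTAeo7Si9Qhyzy1kP9XLar26fhugETav0V2wINXW%2F1btIwlomLF2NW4uf5cGc9R2tCCfpaVMbkcv%0AXVzkAsqhOvwU0i1y2nsBwU7e%2FxBXpeiPXFHhlw%3D%3D&response-content-type=text%2Fhtml"

if __name__ == "__main__":
    info = parse_report_link(SAMPLE_LINK)
    print(f"sample {info['sha256']} sandbox={info['sandbox']} "
          f"expires={info['expires']:%Y-%m-%d %H:%M} UTC expired={info['expired']}")
    for name, url in vt_endpoints(info["sha256"]).items():
        print(f"{name:18} {url}")
    ind = network_indicators(SAMPLE_SUMMARY)
    print("contacted hosts:", ", ".join(ind["hosts"]))
    print("Google-hosted (LERS targets):", ", ".join(ind["google_hosted"]))
```

To run this against a real sample, upload the APK with `POST /api/v3/files` (multipart field `file`) and then `GET` the URLs from `vt_endpoints` with an `x-apikey` header; the `attributes` object of the behaviour_summary response is the dict `network_indicators` expects. Record the sample SHA-256 in the case file rather than the signed Zenbox link, since the link expires while the hash stays a stable identifier.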


Rushi Mehta

Cyber Security & Fintech Risk Enthusiast, Trekker, Meditator and Contributor!