1
00:00:00,150 --> 00:00:06,600
In this video, we will analyze a malware application called Colford Underscore Spying, Max.

2
00:00:07,050 --> 00:00:09,520
You can go to this URL here on GitHub.

3
00:00:10,050 --> 00:00:17,490
Download the application, unzip it, use the password infected, as you can see on their page, and

4
00:00:17,490 --> 00:00:20,100
then decode and decompile it.

5
00:00:20,400 --> 00:00:26,370
So, after that, as you can see, these are the resources of the application.

6
00:00:26,400 --> 00:00:28,530
And this is the decompiled file.

7
00:00:29,070 --> 00:00:30,090
Now, I'll go here.

8
00:00:30,180 --> 00:00:36,690
Open the Android manifest, as this is the appropriate place to start the static malware analysis.

9
00:00:37,170 --> 00:00:43,800
As you can see, lots of dangerous permissions that have to do with call logs, SMS, contacts, external

10
00:00:43,800 --> 00:00:46,770
storage, audio, Internet and camera.

11
00:00:46,860 --> 00:00:50,010
A lot of those are declared by the application.

12
00:00:50,340 --> 00:00:53,070
It means that obviously this is a malicious application.

13
00:00:53,220 --> 00:01:01,140
If you scroll down, you'll see that there are three services being declared by the application.

14
00:01:01,170 --> 00:01:08,370
So the services are really a very good place for the author of malware in order to hide some malicious

15
00:01:08,370 --> 00:01:08,970
activity.

16
00:01:09,390 --> 00:01:12,360
So let's start by copying the service here.

17
00:01:12,390 --> 00:01:14,400
Let's see what this service is doing.

18
00:01:14,790 --> 00:01:18,210
I'll minimize that and go to the jar file.

19
00:01:18,300 --> 00:01:20,580
Let me open JD-GUI first.

20
00:01:23,570 --> 00:01:25,160
And then move the file here.

21
00:01:28,670 --> 00:01:34,740
I'll close that for the time being and go to the search function.

22
00:01:35,910 --> 00:01:37,200
Let me open that.

23
00:01:38,070 --> 00:01:41,550
So as you can see, this class is declared here.

24
00:01:41,820 --> 00:01:50,100
Obviously, these are longitude and latitude information, which will get the location of the user if

25
00:01:50,100 --> 00:01:51,030
you go down.

26
00:01:51,210 --> 00:01:51,940
Yeah, exactly.

27
00:01:52,020 --> 00:01:56,670
This is getting the exact location of the user, the GPS information.

28
00:01:59,370 --> 00:02:05,490
Let me search again for the same class to see where it is being used elsewhere.

29
00:02:06,390 --> 00:02:10,530
So this is another call for the class.

30
00:02:10,590 --> 00:02:12,090
And this is another call.

31
00:02:12,090 --> 00:02:15,510
Let me see where it is being used here.

32
00:02:17,010 --> 00:02:18,720
Nothing of any importance.

33
00:02:19,380 --> 00:02:23,970
This is being used here as well, in another class, and not here.

34
00:02:24,000 --> 00:02:30,420
When you declare it in startForeground, it means that the service will run in the foreground, which

35
00:02:30,420 --> 00:02:35,940
will give priority to the service, and it will not be killed even if the memory is low.

36
00:02:36,270 --> 00:02:38,310
So this service will keep on running.

37
00:02:38,880 --> 00:02:42,090
Now let's do some keyword searches.

38
00:02:42,420 --> 00:02:43,910
Search for audio.

39
00:02:44,700 --> 00:02:46,080
Take the string constants.

40
00:02:46,680 --> 00:02:48,480
Let me see what's going on here.

41
00:02:48,540 --> 00:02:56,100
And as you can see, there is access to audio and video by the application, which obviously shouldn't

42
00:02:56,100 --> 00:02:56,610
be there.

43
00:02:58,560 --> 00:02:59,340
Let me as well

44
00:02:59,340 --> 00:03:00,720
search for stream.

45
00:03:01,920 --> 00:03:02,400
No, maybe

46
00:03:02,410 --> 00:03:05,970
S uppercase, and nothing as well.

47
00:03:06,520 --> 00:03:11,650
Then search for sockets. A socket is used here.

48
00:03:11,820 --> 00:03:17,910
So sockets are obviously an indicator that this application is connecting with an external entity,

49
00:03:18,300 --> 00:03:20,460
a socket being declared here.

50
00:03:22,530 --> 00:03:28,830
And I suspect some streams of data, streams of what seem to be bytes, are being used down there.

51
00:03:29,280 --> 00:03:29,820
Exactly.

52
00:03:29,850 --> 00:03:32,190
This is a binary output stream.

53
00:03:32,550 --> 00:03:35,880
There will be, of course, an input stream and so on and so forth.

54
00:03:36,180 --> 00:03:41,400
So obviously, this application is doing some extra activities down there.