Posts

Showing posts with the label WhatsApp

CloudAtlas - commercial-grade Android malware

A few days ago Blue Coat published a whitepaper about the so-called "Inception Framework": a commercial-grade malware used in some more or less targeted attacks. The paper describes the details (with some nice pictures) and outlines an Android app used in these attacks. Because AV companies seem to stick with the "CloudAtlas" name in their signatures for this malware, I will use the same name. Let's dive a bit into the most interesting bits, which I haven't seen in Android malware before. The "you can't see the log name" trick. First things first: it's commercial-grade malware and is written as any commercial software would be: one class has a single responsibility, everything is logged and the code looks clean even after decompilation. If you're a software engineer in a big company you will probably recognize the function names presented on the screenshot below (maybe you even use the same names in your project?). It ...

WhatsApp with FinSpy?

You have probably heard about the infamous FinSpy by FinFisher. If you haven't, it's basically something like a cloud one-way backup app paid for by (someone's) taxes (and there's a movie, a really shitty render!). Anyhow, the mobile version seems like old news, as it was unveiled some time ago and one AV vendor even called it nothing new in terms of features. Well, I guess it depends on how you define a feature. But enough of this rant, let's go and see what commercially made malware looks like. I've analyzed the newest sample that I could find, and it's a couple of months old (md5: d6a3ca6e48512890d013e922307e1593). It has some usual features, like SMS reading and so on, but today let's have a look at one particular feature: WhatsApp eavesdropping. WhatsApp is a very popular messaging app. It was probably chosen by FinFisher due to its popularity, or maybe just because one of the clients requested "support" for it. But before we begin let me state...