What is DroydSeuss?

DroydSeuss is a web application that lets you analyze Android samples and shows you an analysis report focused on the malware's communication channels (in a nutshell: during the analysis it tries to extract all possible C&C endpoints).

Why DroydSeuss?

DroydSeuss is a pun inspired by Android and Odysseus (the deviser of the Trojan Horse); since the main targets of our analysis platform are mobile trojan horses, the name seems to us appropriate and funny at the same time.

What is a C&C server?

A Command and Control (C&C) server is a server from which a malware sample receives instructions (or better, commands) on what to do with the infected device.

How can an application communicate?

An Android malware sample can have three different kinds of C&C endpoint:
  • an HTTP server to which it performs requests, typically POST requests;
  • a telephone number to which it sends, or from which it receives, text messages;
  • Google Cloud Messaging (GCM), which lets the application receive commands through Google's push service.

How does a report look like?

DroydSeuss reports focus on showing communication channels. A complete report has up to 7 fields.
The first part is about telephone numbers, which are divided into endpoint and suspicious ones. A number is labeled as endpoint when it is actively used during analysis (i.e., the sample actually sends a message to that number); it is labeled as suspicious, instead, if it is found but not used in a malicious activity, or not used at all.
The second part is about URLs, which are divided into C&C servers, significant strings and suspicious strings. Like before, a URL is labeled as C&C if it is requested during analysis (the application could have performed a POST to it, for example). Significant URLs are those found during the execution of the malware but not used in any important function (they may be used in a function that manipulates strings, for example). Suspicious strings are URLs found only during static analysis. Of course, the real C&C can appear in any of the above fields (the malware did not necessarily contact it during execution), but the reliability of this information should be read as follows: C&C > significant > suspicious.
The third and last part is about Google Cloud Messaging. Two things are checked here: whether the sample requests the permission required to use the service, and its Sender IDs. The permission is found during static analysis, but that alone does not mean the sample actually uses GCM, because the sample may simply be over-privileged. A Sender ID is used to register the app with the service, so when one is found the app actually uses GCM.
One last thing: if a field is missing from the report, nothing was found for it.
You can see a report example here.
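To make the labeling rules above concrete, here is an added example (not DroydSeuss code) that builds the same seven report fields from three constructed inputs: an AndroidManifest.xml fragment, the strings recovered by static analysis, and a list of dynamic-analysis events. The event format, the sample strings and the URLs/numbers are assumptions made for the example; the GCM permission name and registration intent action are the real ones from the GCM client API. It also shows the reliability ordering C&C > significant > suspicious as a ranked candidate list.

```python
"""Report-labeling example, added as an illustration of the DroydSeuss FAQ.
It is not DroydSeuss code: the event format and all sample data are assumptions."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Real identifiers from the GCM client API; everything else below is constructed.
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_REGISTER_INTENT = "com.google.android.c2dm.intent.REGISTER"
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Crude phone-number heuristic (optional '+' and 7-15 digits); real tooling
# would also handle short codes and strip separators.
PHONE_RE = re.compile(r"\+?\d{7,15}")


@dataclass
class Report:
    endpoint_numbers: set = field(default_factory=set)    # messaged at runtime
    suspicious_numbers: set = field(default_factory=set)  # found, never messaged
    cc_urls: set = field(default_factory=set)             # requested at runtime
    significant_urls: set = field(default_factory=set)    # seen at runtime, not requested
    suspicious_strings: set = field(default_factory=set)  # static analysis only
    gcm_permission: bool = False                          # may just be over-privileged
    gcm_sender_ids: set = field(default_factory=set)      # registration actually attempted

    def fields(self):
        """Only non-empty fields appear in the report, as the FAQ says."""
        return {k: v for k, v in self.__dict__.items() if v}


def manifest_permissions(manifest_xml):
    """Names of all <uses-permission> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def build_report(manifest_xml, static_strings, events):
    r = Report()
    r.gcm_permission = GCM_PERMISSION in manifest_permissions(manifest_xml)
    runtime_strings = []
    for ev in events:                       # assumed event schema
        if ev["type"] == "sms_send":
            r.endpoint_numbers.add(ev["number"])
        elif ev["type"] == "http":
            r.cc_urls.add(ev["url"])
        elif ev["type"] == "string_op":     # URL handled by a string function only
            runtime_strings.append(ev["value"])
        elif ev["type"] == "intent" and ev["action"] == GCM_REGISTER_INTENT:
            sender = ev.get("extras", {}).get("sender")   # GCM Sender ID extra
            if sender:
                r.gcm_sender_ids.add(sender)
    # URLs: a URL gets only its most reliable label.
    for s in runtime_strings:
        for url in URL_RE.findall(s):
            if url not in r.cc_urls:
                r.significant_urls.add(url)
    for s in static_strings:
        for url in URL_RE.findall(s):
            if url not in r.cc_urls and url not in r.significant_urls:
                r.suspicious_strings.add(url)
    # Numbers: anything number-like that was never actually messaged.
    for s in runtime_strings + list(static_strings):
        for num in PHONE_RE.findall(s):
            if num not in r.endpoint_numbers:
                r.suspicious_numbers.add(num)
    return r


def ranked_cc_candidates(report):
    """Candidate C&C URLs in decreasing reliability: C&C > significant > suspicious."""
    return (sorted(report.cc_urls) + sorted(report.significant_urls)
            + sorted(report.suspicious_strings))


# Constructed sample inputs (not from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>"""

SAMPLE_STATIC_STRINGS = [
    "http://cc.example.invalid/gate.php",   # also POSTed to at runtime -> C&C
    "http://helper.example.invalid/cfg",    # only string-manipulated -> significant
    "http://never-used.example.invalid/",   # static only -> suspicious string
    "+15550000001",                         # messaged at runtime -> endpoint
    "+15550000002",                         # never used -> suspicious number
]

SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "url": "http://cc.example.invalid/gate.php"},
    {"type": "string_op", "value": "http://helper.example.invalid/cfg"},
    {"type": "sms_send", "number": "+15550000001"},
    {"type": "intent", "action": GCM_REGISTER_INTENT, "extras": {"sender": "1234567890"}},
]

if __name__ == "__main__":
    rep = build_report(SAMPLE_MANIFEST, SAMPLE_STATIC_STRINGS, SAMPLE_EVENTS)
    for name, value in rep.fields().items():
        print(f"{name}: {sorted(value) if isinstance(value, set) else value}")
    print("C&C candidates by reliability:", ranked_cc_candidates(rep))
```

Note that a URL receives only its most reliable label, so the same string never shows up as both C&C and suspicious; this is what makes the ordering usable for triage.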

Using our service? Please cite us!

If you are using our service or our data for your academic research, we would be thankful if you could cite our work.

        @inproceedings{coletta_droydseuss:2016,
            series = "Lecture Notes in Computer Science (LNCS)",
            title = "{DroydSeuss}: {A} {Mobile} {Banking} {Trojan} {Tracker} - {Short} {Paper}",
            booktitle = "Financial Cryptography and Data Security",
            publisher = "Springer Berlin Heidelberg",
            author = "Coletta, Alberto and Van Der Veen, Victor and Maggi, Federico",
            month = Feb,
            year = "2016"
        }

Curious about how DroydSeuss worked as of October 2014? Read our paper!