What is DroydSeuss?
DroydSeuss is a web application that lets you analyze Android samples and shows you an analysis report focused on the communication channels of the malware (in a nutshell: during the analysis it tries to extract all possible C&C endpoints).
Why DroydSeuss?
DroydSeuss is a pun on words inspired by Android and the creator of the Trojan Horse; since the main targets of our analysis platform are mobile trojan horses, the name seems to us appropriate and funny at the same time.
What is a C&C server?
A Command and Control server is a server from which a malware receives instructions (or, better, commands) on what to do with the infected device.
How can an application communicate?
An Android malware can have three different kinds of C&C endpoint:
- an HTTP server to which it performs requests, typically a POST request;
- a telephone number to which it sends, or from which it receives, text messages;
- Google Cloud Messaging, which lets the application use the GCM service to receive commands.
What does a report look like?
DroydSeuss reports focus on showing communication channels. A complete report has up to 7 fields.
The first part is about telephone numbers, which are divided into endpoint and suspicious ones. A number is labeled as endpoint when it is actively used during analysis (i.e. the sample actually sends a message to that number); it is labeled as suspicious, instead, if it is found but not used in a malicious activity, or not used at all.
The second part is about URLs, which are divided into C&C servers, significant strings and suspicious strings. Like before, a URL is labeled as C&C if it is requested during analysis (the application could have performed a POST, for example). Significant are URLs found during the execution of the malware but not used in any important function (a URL can be used in a function that manipulates strings, for example). Suspicious are strings found during static analysis. Of course, you can find the real C&C in any of the above fields (the malware didn't necessarily contact it during execution), but the reliability of this information must be considered as follows: C&C > significant > suspicious.
The third and last part is about Google Cloud Messaging. Two things are checked here: whether the sample requests the permission required to use the service, and Sender IDs. The permission is found during static analysis, but that doesn't mean that the sample actually uses GCM, because it can be over-privileged. A Sender ID is used to register the app in order to use the service, so in this case the app actually uses GCM.
One last thing: if you don't see a field in the report, it means that nothing was found for it.
You can see a report example here
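The labeling rules above, as an added example that is not DroydSeuss's own code: it takes constructed static and dynamic observations for one sample and assembles the seven-field report, giving each number or URL its single strongest label, dropping empty fields, and ranking URL fields in the page's reliability order. The GCM permission name and all sample values are assumptions, not taken from the page.

```python
import re

# Assumption: the page does not name the GCM permission; this is the receive permission GCM used.
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
PHONE_RE = re.compile(r"^\+?\d{6,15}$")
URL_RE = re.compile(r"^https?://")

def classify_numbers(static_strings, sms_sent_to):
    # endpoint: the sample actually texted it; suspicious: found but not used
    numbers = {s for s in static_strings if PHONE_RE.match(s)} | set(sms_sent_to)
    endpoint = sorted(numbers & set(sms_sent_to))
    return {"number_endpoint": endpoint, "number_suspicious": sorted(numbers - set(endpoint))}

def classify_urls(static_strings, http_requests, runtime_strings):
    # C&C: requested at runtime; significant: seen at runtime but never requested;
    # suspicious: only found statically. Each URL keeps its single strongest label.
    cnc = set(http_requests)
    significant = set(runtime_strings) - cnc
    suspicious = {s for s in static_strings if URL_RE.match(s)} - cnc - significant
    return {"url_cnc": sorted(cnc), "url_significant": sorted(significant), "url_suspicious": sorted(suspicious)}

def classify_gcm(permissions, sender_ids):
    # the permission alone may be over-privilege; a Sender ID shows GCM is really used
    return {"gcm_permission": GCM_PERMISSION in permissions, "gcm_sender_ids": sorted(sender_ids)}

def build_report(static, dynamic):
    # up to 7 fields; a field where nothing was found is left out entirely
    fields = {}
    fields.update(classify_numbers(static["strings"], dynamic["sms_sent_to"]))
    fields.update(classify_urls(static["strings"], dynamic["http_requests"], dynamic["runtime_strings"]))
    fields.update(classify_gcm(static["permissions"], dynamic["gcm_sender_ids"]))
    return {k: v for k, v in fields.items() if v}

def best_url_field(report):
    # reliability order from the page: C&C > significant > suspicious
    for key in ("url_cnc", "url_significant", "url_suspicious"):
        if report.get(key):
            return key, report[key]
    return None, []

# Constructed sample observations (placeholder values, not real indicators)
STATIC = {"strings": ["http://cnc.example.invalid/gate.php", "http://cdn.example.invalid/lib.js",
                      "http://stat.example.invalid/ping", "+10000000001", "+10000000002"],
          "permissions": ["android.permission.INTERNET", GCM_PERMISSION]}
DYNAMIC = {"sms_sent_to": ["+10000000001"],
           "http_requests": ["http://cnc.example.invalid/gate.php"],
           "runtime_strings": ["http://cdn.example.invalid/lib.js"],
           "gcm_sender_ids": ["000000000000"]}
REPORT = build_report(STATIC, DYNAMIC)
```

Running the sample with an empty dynamic run shows the fallback: every URL drops to suspicious and the endpoint, C&C and Sender ID fields disappear from the report.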