Droydseuss: Android Malware Tracking and Intelligence

We wanted to create a malware tracker similar to ZeusTracker, but for mobile banking trojans. So we built a tool, DroydSeuss, which uses static analysis to extract the relevant C&C endpoints from each sample (e.g., phone numbers, web URLs) and monitors them by running each sample in a sandbox on a daily basis.

On top of this, DroydSeuss attaches metadata to both C&C endpoints and malware samples (e.g., country, code features), which it uses to mine association rules. These rules are extracted automatically and can convey useful information such as "there is a group of malware samples that seem to come from the same author and spread in a certain country".
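To make the rule-mining step concrete, here is an added example (not DroydSeuss's own code) of a small Apriori-style miner over constructed sample metadata; the attribute names, the records and the thresholds are assumptions, and the output rules are the kind of "same author, same country" pattern described above.

```python
from collections import Counter
from itertools import combinations

# Constructed metadata records (not real DroydSeuss data): each record is the
# set of attributes a tracker would attach to one sample after analysis.
SAMPLES = [
    {"country:KR", "cc:sms", "feature:overlay", "author:A"},
    {"country:KR", "cc:sms", "feature:overlay", "author:A"},
    {"country:KR", "cc:sms", "feature:overlay", "author:A"},
    {"country:CN", "cc:http", "feature:overlay", "author:A"},
    {"country:CN", "cc:http", "feature:sms_intercept", "author:B"},
    {"country:CN", "cc:http", "feature:sms_intercept", "author:B"},
    {"country:RU", "cc:http", "feature:sms_intercept", "author:C"},
]


def mine_rules(samples, min_support=0.4, min_confidence=0.9, max_len=3):
    """Return (antecedent, consequent, support, confidence) tuples for every
    rule whose itemset has at most max_len attributes and clears both
    thresholds. Brute-force Apriori: count all small itemsets, keep the
    frequent ones, then split each frequent itemset into candidate rules."""
    n = len(samples)
    counts = Counter()
    for record in samples:
        for k in range(1, max_len + 1):
            for combo in combinations(sorted(record), k):
                counts[frozenset(combo)] += 1
    frequent = {s: c / n for s, c in counts.items() if c / n >= min_support}
    rules = []
    for itemset, support in frequent.items():
        if len(itemset) < 2:
            continue
        for k in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), k):
                ante = frozenset(ante)
                # Every subset of a frequent itemset is frequent, so the
                # antecedent's support is always present in the table.
                confidence = support / frequent[ante]
                if confidence >= min_confidence:
                    rules.append((ante, itemset - ante, support, confidence))
    return sorted(rules, key=lambda r: (-r[3], -r[2], sorted(r[0])))


def describe(rule):
    """Render one rule as a readable sentence for an analyst."""
    ante, cons, support, confidence = rule
    return "samples with {%s} also have {%s} (support %.2f, confidence %.2f)" % (
        ", ".join(sorted(ante)), ", ".join(sorted(cons)), support, confidence)


if __name__ == "__main__":
    for rule in mine_rules(SAMPLES):
        print(describe(rule))
```

Lowering `min_support` surfaces the two-sample `author:B` cluster as well; the thresholds are what keep the rule list short enough to read daily.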

We made the tool public and it immediately attracted other researchers' attention. Thanks to the data feed produced by DroydSeuss we were able to find (and confirm) one malware campaign targeting Chinese and Korean bank customers, and to discover a strange, rare sample that was using Baidu as a C&C.

(Update: Jun 6th, 2020) We decided not to maintain the web service anymore. We only keep the URL here for historical reasons: http://droydseuss.necst.it

References

DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper. Financial Cryptography and Data Security, 2016.
