See more tidbits from us at @apklabio!

News & Changes (November)

Recent changes

  • Fix - Some combinations of features used on "Queries" didn't give back any result. 
  • New - Re-design of the "Network Dump" page. 
    • Now contains much more contextual information for each packet.
    • Which activity/receiver/service did this packet come from? The relevant information is in the right-hand section of the page.
  • New - On "Dynamic > Entrypoints" now there's an icon next to each activity/receiver/service that will open the "Network Dump" page and filter only the packets that came from the selected component.

Network Dump Re-design

  • Filter packets by activity, receiver, service and other elements 
  • Correlate samples with domains/IPs

Each activity/receiver/service in "Dynamic > Entrypoints" has a clickable network dump symbol, shown only if the selected app component produced some network traffic. Clicking the symbol opens "Network Dump", filtered to the results of the selected component.

On each sample page, the analyst can now see under "Entrypoints" (1) which app components produced network traffic (clickable network icon). Clicking the icon opens the "Network Dump" page, where the analyst can browse the network traffic that originated only from the selected component.

Dump HTTPS

Pretty self-explanatory ;)

Icon SHAs & Batches

🆕 Now the analyst can add samples to batches. Better organization for your malware investigation

🆕 Some new static features (ex. FullscreenActivityInScreenReceiver)

🆕 Search by Icon SHA1. For those cases where you want to find exactly similar samples based on the app icon

Static Features - Updates


Receiver on boot:

The app has a receiver with permission to register

Motivation: Adware tends to show advertisements just after using this receiver, or uses this receiver to keep alive a service that handles showing such applications


Register Receiver When Screen Off:

The app dynamically registers a receiver that reacts to the screen being turned off

Motivation: A lot of adware uses such receivers to show adverts just after the user turns on the screen


Overrides OnBackPressed method without invoking original super method or finishing an activity:

Motivation: Adware and lockers use this to prevent the user from closing their app (advertisements) by clicking on the back button.


Runs Repeating Thread:

Detects the standard way of setting up repeating tasks (threads) within the app

Motivation: This may be used to either keep a service alive or to repeatedly show advertisements to the user (ex. once per second) in order to effectively block any other action hoping the user will click on the ads.


Starts activity in a repeatedly run thread:

Detects whether the repeating task (as detected by the previous rule) starts an activity

Motivation: There are quite a lot of reasons to start a repeating task. This rule tries to be less sensitive, so the result it gives may be more precise
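
As an added illustration of the "Overrides OnBackPressed" rule above (not the platform's own implementation), the check can be approximated over baksmali-style class text. The regexes, helper names and sample classes below are assumptions constructed for this example.

```python
import re

# Body of every onBackPressed()V definition in a smali class file.
METHOD_RE = re.compile(
    r"^\.method\b[^\n]*\bonBackPressed\(\)V\n(.*?)^\.end method",
    re.M | re.S)
# Delegation to the superclass implementation (any Activity base class).
SUPER_RE = re.compile(r"invoke-super(?:/range)? \{[^}]*\}, L[^;]+;->onBackPressed\(\)V")
# Any of the Activity finish variants.
FINISH_RE = re.compile(
    r"invoke-virtual(?:/range)? \{[^}]*\}, L[^;]+;->finish(?:Affinity|AndRemoveTask)?\(\)V")

def blocks_back_button(smali_text):
    """True if the class overrides onBackPressed() and the override neither
    calls super.onBackPressed() nor finishes the activity."""
    for body in METHOD_RE.findall(smali_text):
        if not SUPER_RE.search(body) and not FINISH_RE.search(body):
            return True
    return False

# Constructed smali samples (hypothetical classes, not taken from real apps).
def _cls(name, body):
    return (f".class public Lcom/example/{name};\n.super Landroid/app/Activity;\n\n"
            f".method public onBackPressed()V\n    .locals 0\n{body}    return-void\n.end method\n")

SAMPLES = {
    "LockActivity": _cls("LockActivity", ""),
    "NormalActivity": _cls(
        "NormalActivity",
        "    invoke-super {p0}, Landroid/app/Activity;->onBackPressed()V\n"),
    "DialogActivity": _cls(
        "DialogActivity",
        "    invoke-virtual {p0}, Lcom/example/DialogActivity;->finish()V\n"),
    "NoOverride": ".class public Lcom/example/NoOverride;\n.super Landroid/app/Activity;\n",
}

def flagged(samples):
    """Names of the sample classes that trip the rule, sorted."""
    return sorted(n for n, s in samples.items() if blocks_back_button(s))

if __name__ == "__main__":
    print(flagged(SAMPLES))
```

A text-level check like this is only a triage signal: an override that finishes the activity through a helper method would still be flagged.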


For static feature requests, mail us at

Press Release

Avast Threat Labs Debuts -  an Intelligence-driven Threat Hunting Platform for the Security Analyst Community

Mobile World Congress, Barcelona, February 26, 2019 – Avast (LSE:AVST), a leading global cybersecurity provider, today announced the launch of, a mobile threat intelligence platform (MTIP) designed to provide real-time intelligence for Android™ security researchers.

