Androscope

@cryptax
7 min read · Jun 28, 2022
  • Motivation
  • Main links
  • How to submit a sample: check admissibility, upload or insert
  • Search or Refine your search
  • FAQ: when will my sample get reviewed? / I am trustworthy, can my sample be automatically accepted please? / I submitted an entry, and after pending review my submission was erased, why? / can I modify an entry? / I can’t find this feature / my new sample doesn’t show in Search Results / Where can I download the samples? / This sample has these reprehensible features. Why have you deleted it?
  • Feature details

Last edition: August 26, 2022.

Motivation

Has anyone ever asked you: “could you find me a malicious sample which records videos of the infected smartphone?”. You know there are tons, you’ve analyzed some yourself… but how to find one again? And you spend ages finding what was the hash of that sample you investigated 3 weeks ago…

Or you’re preparing a paper for a conference and need to find a malicious sample packed with Jiagu. Same: although there are many, when it comes to finding a precise sample with this property, you are going to spend hours in the search.

This is what Androscope is for. Searching malware by properties.

Disclaimer: this web site is a research tool for malware analysts. It is not an official tool or product.

Home page of https://androscope.fortinet-cse.com

Main Links

How to submit a sample

  • Check your sample is admissible for Androscope
  • Upload or Insert the sample.

Check your sample is admissible (admissibility conditions)

  • A valid Android application. Do not submit incomplete applications, a bare DEX, or just resources.
  • Malicious. Do not submit legitimate apps (even if they sometimes use borderline third-party kits).

Upload your sample

  1. Select Upload
  2. Answer the captcha to be authorized to upload your sample
  3. Select your sample (Choose File) and press the Upload button

When you press the Upload button, your sample is uploaded to the server and analyzed. Note that with Upload, your sample is not kept on the server: it is deleted once the analysis is done. If you do not wish to upload your sample at all, use the Insert menu instead.

The analysis consists of 3 phases:

  1. Check this is an APK
  2. Check if the sample is known to Virus Total, Malware Bazaar, Koodous or Pithus, and retrieve malware name. If the sample is not known to these services, it may still be added to Androscope, but you’ll get an extra warning.
  3. Automatic search for potential malicious features in the sample to help you classify your sample.

You get an extra warning if nobody knows your sample yet. This is fine, but please make sure you are uploading a malicious sample.
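Before submitting, it is worth running the first of those checks yourself, so that a bare DEX or a resources-only archive never reaches the upload form. The script below is an added example, not Androscope’s own code: it treats “valid APK” as a ZIP archive that carries an AndroidManifest.xml and at least one classes*.dex (an assumption about what Androscope checks, not its actual rule), reports why a file fails, and prints the SHA256 you would type into the Insert menu if you choose not to upload the file. The samples it runs on are constructed in memory and are not real malware; the second phase (lookups on VirusTotal, Malware Bazaar, Koodous, Pithus) needs network access and is not reproduced.

```python
"""Local pre-submission check for an Androscope entry (added example, not Androscope's code)."""
import hashlib
import io
import zipfile

REQUIRED_MANIFEST = "AndroidManifest.xml"
DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n" followed by a version


def sha256_hex(data: bytes) -> str:
    """SHA256 of the file, as required by the Insert menu."""
    return hashlib.sha256(data).hexdigest()


def apk_check(data: bytes) -> dict:
    """Decide whether `data` looks like a complete APK.

    Assumed rule (not Androscope's actual implementation): a ZIP archive
    containing AndroidManifest.xml and at least one top-level classes*.dex.
    """
    result = {"is_zip": False, "has_manifest": False, "dex_files": [],
              "admissible": False, "reason": ""}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # A bare classes.dex is the most common wrong submission; name it explicitly.
        result["reason"] = ("bare DEX file, not an APK" if data.startswith(DEX_MAGIC)
                            else "not a ZIP archive")
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    result["has_manifest"] = REQUIRED_MANIFEST in names
    result["dex_files"] = sorted(
        n for n in names
        if n.startswith("classes") and n.endswith(".dex") and "/" not in n
    )
    if not result["has_manifest"]:
        result["reason"] = "ZIP without AndroidManifest.xml (resources only?)"
    elif not result["dex_files"]:
        result["reason"] = "no classes.dex: incomplete application"
    else:
        result["admissible"] = True
        result["reason"] = "looks like a complete APK"
    return result


def build_zip(entries: dict) -> bytes:
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs (not real samples): an APK-shaped archive, a
# resources-only archive, and a bare DEX header.
FAKE_APK = build_zip({
    "AndroidManifest.xml": b"<manifest/>",  # real manifests are binary XML
    "classes.dex": DEX_MAGIC + b"035\0" + b"\0" * 8,
    "res/values/strings.xml": b"<resources/>",
})
RESOURCES_ONLY = build_zip({"res/values/strings.xml": b"<resources/>"})
BARE_DEX = DEX_MAGIC + b"035\0" + b"\0" * 8

if __name__ == "__main__":
    for label, blob in (("apk", FAKE_APK), ("resources", RESOURCES_ONLY), ("dex", BARE_DEX)):
        r = apk_check(blob)
        print(f"{label}: admissible={r['admissible']} ({r['reason']}) sha256={sha256_hex(blob)}")
```

Run it on a real file by reading it into `data` and calling `apk_check(data)`; only the first of the three constructed inputs passes, and its SHA256 is what you would paste into the Insert form.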

Once the automatic analysis is completed, you get a page such as this one:

The automatic search has pre-filled several fields for you. Check they are correct and modify them if needed; if you noticed additional features in the sample, add them too.

There are many potential features. They are grouped by category.

Malicious features categories. Click on a category to deploy features.

Edit any feature you like. For instance, you can fix the sample’s name (include aliases as much as possible), or add a reference to a malware analysis.

For this particular sample, we specified 3 known names, a link to a malware analysis, and clicked on several features.

Click on Close to close the category.

Click close to un-deploy a category. This does not submit the sample.

Select other categories, and check any other feature which applies. If some pre-selected features seem wrong to you, de-select them.

The automatic search had selected “calls phone numbers”, but for this sample, I believe it is only “calls a USSD code”. So, I de-selected the first property, and selected the last one.

When you are happy with all entries, press “Finished — Submit”.

Press Finished — Submit when you have finished and want to add the sample to Androscope’s database

Insert a sample

Inserting a sample creates a new entry in Androscope’s database, but you don’t provide the sample itself, only its hash.

Insert a sample to Androscope by its SHA256

As the sample is not uploaded, Androscope is unable to perform any analysis. You’ll have to select all features which apply manually.

This sample was inserted by SHA256. No sample, so no pre-analysis. You need to select features which apply in each category, and finally click on Finished-Submit.

See in “Upload a sample” how to deploy categories and select features. In the end, when you are happy with the result, click on “Finished-Submit”.

Searching for a sample

You can search for samples with given properties. Click on Search; you’ll get this page:

Main page for searching samples in Androscope

Features are grouped in categories. Click on a category to deploy that category, then select the feature you want to search for.

In this case, I want to search for packed samples. So first I select the Packing category to deploy it. Then, I select the “Yes, it is packed” feature. If I want to search for a specific type of packer I can select it in the drop-down list, but by default, it will search for any packer. Then optionally click Close to undeploy the category and click “Finished-Submit” to search.

When you click on “Finished — Submit”, it searches in the Androscope database.

Two important remarks:

  1. If you selected several features, it searches for feature1 AND feature2 AND … Example: if you selected “it is packed” and “Records audio”, it will only output samples with both features.
  2. The search does not include samples under review. The sample needs to be reviewed first. This is done so as not to include junk submissions in the search.

Example of search results

Refine your search

You want to refine your search? Click on Search Again. This brings you back to the selection page. Beware, your previous search remains selected.

Your previous filters are memorized. If you don’t want this, click on the button “Clear search form”.

FAQ

When will my sample get reviewed?

By default, all entries need to be reviewed. Indeed, Androscope is useful only if the correct features are selected. This requires a review.

This sample hasn’t been reviewed yet. Consequently it appears in gray and won’t be selected in Search.

Your sample will be reviewed as soon as possible… but that depends on the amount of submissions and the number of reviewers 😁 If your sample is urgent, or if you feel like it has been forgotten, send me a message on Twitter (@cryptax).

I am trustworthy, can my sample be automatically accepted please?

Yes, once you are used to the Androscope interface, I can create a special account for you, and your submissions will be automatically accepted. Please contact me on Twitter (@cryptax).

I submitted an entry, and after pending review my submission was erased. Why?

There are two possibilities: either I erased it on purpose or it’s a mistake. You can contact me on Twitter if you wish.

Basically, if your sample has not been detected by any AV on VirusTotal for several days and is not found on Malware Bazaar, chances are your sample is not malware.

The app you submitted may be unethical. I’m not questioning that. But Androscope focuses on malware, not “unethical apps”. If you believe your app is truly malicious, send me a message on Twitter and I’ll look into it.

Can I modify a given entry?

If you are a default/anonymous user, no, you can’t. But you can ask me for a user account, or if it’s just a small fix, I can do it for you. Please contact me on Twitter (@cryptax).

As soon as you have shown me you can be trusted to select correct features for a sample, I’ll be more than happy to create a user account for you.

What’s a property or a feature?

I call a feature, or property, something the malware does. For example:

  • intercept SMS
  • call a phone number
  • use the Accessibility Services API
  • use a packer to harden reverse engineering
  • etc

The complete list of features can be seen through the Search page, by clicking on each category.

I can’t find this XXX feature…

In several categories, there are “Other” fields, which are to be used when nothing fits. If absolutely nothing feels right, use the field “Anything Else?” in Common Features.

If nothing else fits, use this field to specify a feature. You can also use that to drop a comment.

If you feel this is an important feature I should add, we can discuss it, contact me on Twitter.

Hey, my new sample doesn’t show in Search results!

Mmm. Has your sample been reviewed? If it’s not reviewed yet, it won’t show. It needs to be reviewed.

If it has been reviewed and the property is selected, but it still doesn’t show: are you sure your search form doesn’t include another property in addition? Try again, but clear the search form first. If you still can’t find it, it’s a bug. Contact me.

Where can I download the samples?

Androscope does not store the samples (we don’t have disk space for that!). We suggest you download the samples from Malware Bazaar for example.

This sample has these reprehensible features. Why have you deleted it?

Everything is about intent. Is your sample malicious or not? If it is malicious, then drop me a message and we’ll fix that. If it is not malicious, Androscope is not the right place for it (note: you can host your own instance and use it for non-malicious samples).

Let me explain about intent. A legitimate app may access contacts to help you call a contact. A malicious one may access contacts to leak them. The code is similar, but the intent is different. Another example: a legitimate app may protect its IP with a packer. A malicious one will protect a malicious payload with a packer. Both use a packer, but the intent is different. Finally, many legitimate applications expose a few borderline features, such as leaking the IMEI. While this is not how things should be done, believe me, we already have enough truly malicious samples without dealing with borderline ones.

So, when I say malicious, I mean malware: something created by a malware author intentionally to do nasty things to the victim.

Feature details

  • Common/ Asks for a ransom: use this feature only when the malware specifically asks for a ransom, not when it locks the smartphone.

— Cryptax

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.