Androscope

  • Main links
  • How to submit a sample: check admissibility, upload or insert
  • Search or Refine your search
  • FAQ: when will my sample get reviewed, I am trustworthy, can my sample be automatically accepted please?, I submitted an entry, and after pending review my submission was erased, why?, can I modify an entry? I can’t find this feature, my new sample doesn’t show in Search Results, Where can I download the samples? This sample has this reprehensible features. Why have you deleted it? Feature details

Last edition: August 26, 2022.

Motivation

Has anyone ever asked you: “could you find me a malicious sample which records videos of the infected smartphone?”. You know there are tons, you’ve analyzed some yourself… but how to find one again? And you spend ages finding what was the hash of that sample you investigated 3 weeks ago…

Or you’re preparing a paper for a conference and need to find a malicious sample packed with Jiagu. Same: although there are many, when it comes to finding a precise sample with this property, you are going to spend hours in the search.

This is what Androscope is for. Searching malware by properties.

Disclaimer: this web site is a research tool for malware analysts. It is not an official tool or product.

Home page of https://androscope.fortinet-cse.com

Main Links

How to submit a sample

  • Check your sample is admissible for Androscope
  • Upload or Insert the sample.

Check your sample is [admissibility conditions]

  • A valid Android application. Do not submit incomplete applications, DEX or just resources.
  • Malicious. Do not submit legitimate apps (even if they use sometimes borderline 3rd party kits).

Upload your sample

Select Upload
Answer the captcha to be authorized to upload your sample
Select your sample (Choose File) and press Upload button

When you press the Upload button, your sample is uploaded to the server and analyzed. If you do not wish to upload your sample, use the Insert menu. Note however that with Upload, your sample is not kept on the server after analysis and is deleted.

The analysis consists in 3 phases:

  1. Check if the sample is known to Virus Total, Malware Bazaar, Koodous or Pithus, and retrieve malware name. If the sample is not known to these services, it may still be added to Androscope, but you’ll get an extra warning.
  2. Automatic search for potential malicious features in the sample to help you classify your sample.
You get an extra warning if nobody knows your sample yet. This is fine, but please make sure you are uploading a malicious sample.

Once the automatic analysis is completed, you get a page such as this one:

The automatic search automatically filled several fields for you. Check they are correct or modify, and if there are more to add, add new features you noticed for the sample.

There are many potential features. They are grouped by category.

Malicious features categories. Click on a category to deploy features.

Edit features you like. For instance, you can fix the sample’s name (as much as possible, also include aliases), or add a reference to a malware analysis.

For this particular sample, we specified 3 known names, a link to a malware analysis, and clicked on several features.

Click on Close to close the category.

Click close to un-deploy a category. This does not submit the sample.

Select other categories, and check any other feature which applies. If some pre-selected features seem wrong to you, de-select them.

The automatic search had selected “calls phone numbers”, but for this sample, I believe it is only “calls a USSD code”. So, I de-selected the first property, and selected the last one.

When you are happy with all entries, press “Finished — Submit”.

Press Finished — Submit when you have finished and want to add the sample to Androscope’s database

Insert a sample

Inserting a sample creates a new entry in Androscope’s database, but you don’t provide a sample only its hash.

Insert a sample to Androscope by its SHA256

As the sample is not uploaded, Androscope is unable to perform any analysis. You’ll have to select all features which apply manually.

This sample was inserted by SHA256. No sample, so no pre-analysis. You need to select features which apply in each category, and finally click on Finished-Submit.

See in “Upload a sample” how to deploy categories and select features. In the end, when you are happy with the result, click on “Finished-Submit”.

Searching for a sample

You can search for sample with given properties. Click on Search, you’ll get this page:

Main page for searching samples in Androscope

Features are grouped in categories. Click on a category to deploy that category, then select the feature you want to search for.

In this case, I want to search for packed samples. So first I select the Packing category to deploy it. Then, I select the “Yes, it is packed” feature. If I want to search for a specific type of packer I can select it in the drop-down list, but by default, it will search for any packer. Then optionally click Close to undeploy the category and click “Finished-Submit” to search.

When you click on “Finished — Submit”, it searches in the Androscope database.

Two important remarks:

  1. The search does not include samples under review. The sample needs to be reviewed first. This is done so as not to include junk submissions in the search.
Example of search results

Refine your search

You want to refine your search? Click on Search Again. This brings you back to the selection page. Beware, your previous search remains selected.

Your previous filters are memorized. If you don’t want this, click on the button “Clear search form”.

FAQ

When will my sample get reviewed?

By default, all entries need to be reviewed. Indeed, Androscope is useful only if the correct features are selected. This requires a review.

This sample hasn’t been reviewed yet. Consequently it appears in gray and won’t be selected in Search.

Your sample will be reviewed as soon as possible… but that depends on the amount of submissions and the number of reviewers 😁 If your sample is urgent, or if you feel like it has been forgotten, send me a message on Twitter (@cryptax).

I am trustworthy, can my sample be automatically accepted please?

Yes, once you are used to the Androscope interface, I can create a special account for you, and your submissions will be automatically accepted. Please contact me on Twitter (@cryptax).

I submitted an entry, and after pending review my submission was erased. Why?

There are 2 solutions: either I erased it on purpose or it’s a mistake. You can contact me on Twitter if you wish.

Basically, if your sample is not detected by an AV for several days on VirusTotal, not found on Malware Bazaar, there are chances your sample is not a malware.

The app you submitted may be unethical. I’m not questioning that. But Androscope focuses on malware. Not “unethical apps”. If you believe your app is truly malicious, send me a message on Twitter, I’ll look into it.

Can I modify a given entry?

If you are a default/anonymous user, no, you can’t. But you can ask me for a user account, or if it’s just a small fix, I can do it for you. Please contact me on Twitter (@cryptax).

As soon as you have shown me you can be trusted to select correct features for a sample, I’ll be more than happy to create a user account for you.

What’s a property or a feature?

I call feature, or property, something the malware does. For example:

  • call a phone number
  • use the Accessibility Services API
  • use a packer to harden reverse engineering
  • etc

The complete list of features can be seen through the Search page, by clicking on each category.

I can’t find this XXX feature…

In several categories, there are “Other” fields, which are to be used when nothing fits. If absolutely nothing feels right, use the field “Anything Else?” in Common Features.

If nothing else fits, use this field to specify a feature. You can also use that to drop a comment.

If you feel this is an important feature I should add, we can discuss it, contact me on Twitter.

Hey, my new sample doesn’t show in Search results!

Mmm. Has your sample been reviewed? If it’s not reviewed yet, it won’t show. It needs to be reviewed.

If it’s reviewed, the property is selected but it doesn’t show: are you sure your search form doesn’t include another property in addition? Try again but Clear the search form first. If you still can’t find it, it’s a bug. Contact me.

Where can I download the samples?

Androscope does not store the samples (we don’t have disk space for that!). We suggest you download the samples from Malware Bazaar for example.

This sample has this reprehensible features. Why have you deleted it?

Everything is about intent. Is your sample malicious or not? If it is malicious, then drop me a message and we’ll fix that. If it is not malicious, Androscope is not the right place for it (note: you can host your own instance and use it for non malicious samples).

Let me explain about intent. A legitimate app may access contacts to help you call a contact. A malicious may access contacts to leak them. The code is similar, but the intent is different. Another example: a legitimate app may protect its IP with a packer. A malicious one will protect a malicious payload with a packer. Both use a packer, but the intent is different. Finally, many legitimate applications expose a few border line features, such as leaking IMEI. While this is not how things should be done, believe me we have already enough really malicious samples without dealing with borderline ones.

So, when I mean malicious, I mean malware. Something created by a malware author intentionally to do nasty things against the victim.

Feature details

  • Common/ Asks for a ransom: use this feature only when the malware specifically asks for a ransom, not when it locks the smartphone.

— Cryptax

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
@cryptax

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.