First steps

Most Android malware masquerades as a normal application. Those files are called APKs (Android Application Package), and the vast majority of your Android applications are APKs.

You can find some of those malware programs on the Play Store (although it's rare -- Google usually takes them down), or, more often, they are shared through other means such as SMS or third-party websites.

Because Google Play adds some information to the APKs when they are uploaded to the Play Store, it is possible to check for applications that come from it. This modification is called frosting.

When you find an APK that is not frosted, you need to be extra careful with it: there is a chance it is malicious.
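The frosting check described above, as an added example that is not part of this room's material: a small parser for the APK Signing Block (the block that sits just before the ZIP central directory and holds the v2/v3 signatures) that lists the block IDs present and reports whether the Play Store frosting block is among them. The v2/v3 and verity IDs are the ones defined by the Android platform; the frosting block ID used here is the one tools such as APKiD report and is an assumption, and `build_fake_apk` only builds a constructed, APK-shaped blob for testing.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
FROSTING_ID = 0x2146444E  # assumption: the ID APKiD associates with Play frosting
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    FROSTING_ID: "Google Play frosting (assumed ID)",
}


def parse_signing_block(apk: bytes) -> dict:
    """Return {block_id: value} for every ID-value pair in the APK Signing Block."""
    eocd = apk.rfind(b"PK\x05\x06")  # End of Central Directory record
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The signing block ends with: uint64 size_of_block, then the 16-byte magic.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}  # no signing block: unsigned or v1-only APK
    size_of_block = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size_of_block - 8  # leading size_of_block field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size_of_block:
        raise ValueError("inconsistent APK Signing Block sizes")
    blocks, pos, end = {}, start + 8, cd_offset - 24
    while pos < end:  # each pair: uint64 length, uint32 id, value
        length = struct.unpack_from("<Q", apk, pos)[0]
        block_id = struct.unpack_from("<I", apk, pos + 8)[0]
        blocks[block_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return blocks


def is_frosted(apk: bytes) -> bool:
    """True if the Play Store frosting block is present in the signing block."""
    return FROSTING_ID in parse_signing_block(apk)


def build_fake_apk(block_ids) -> bytes:
    """Constructed sample: signing block with the given IDs, then an empty central directory."""
    pairs = b"".join(struct.pack("<QI", 4 + 5, bid) + b"value" for bid in block_ids)
    size_of_block = len(pairs) + 8 + 16
    sig_block = (struct.pack("<Q", size_of_block) + pairs
                 + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(sig_block), 0)
    return sig_block + eocd


if __name__ == "__main__":
    for bid in parse_signing_block(build_fake_apk([0x7109871A, FROSTING_ID])):
        print(hex(bid), KNOWN_IDS.get(bid, "unknown block"))
```

On a real APK, read the file into `apk` and call `parse_signing_block`; an unknown ID is worth noting in the report, and an APK that carries only a v2/v3 block with no frosting did not necessarily come through the Play Store.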

Our case study for this room will be a trojanized version of the secure chat application Wire.

During the next steps, we are going to use Pithus, an open-source, online, static analysis tool for APKs. Pithus embeds a number of tools you might have seen in previous rooms, such as MobSF, ssdeep, or APKiD.

You will work on the following sample: https://beta.pithus.org/report/ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

Check the report page on Pithus and answer the following questions to check you have the correct sample:
