# Getting into the APK

First of all, we need to understand what kind of sample this one is. For this, let's choose the APK Analysis tab.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FDjaJZXUx0z7xjd8TIKHm%2Fd9c9cbc140aaec13f78160262095a8b7.png?alt=media&#x26;token=dec6b8c0-a9a5-42f2-bdac-477b9f34e154" alt=""><figcaption></figcaption></figure>

Here you can see basic information regarding the sample. In our case, we are dealing with a specific trojanized application. This means that we need to identify which version of the application is targeted.

With some quick online research, we can find that this version was released on [1 March 2021](https://www.apkmirror.com/apk/wire-swiss-gmbh/wire/wire-3-65-979-release/wire-secure-messenger-3-65-979-android-apk-download/).

In the **Threat Intel tab**, we have a timeline of events that could tell us about the time the malware was active or is supposed to be active.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FNznaTwBBKCm0m9ELHNb4%2Ff76e44051ba209ebc14173ba904687fa.png?alt=media&#x26;token=ab248872-7822-4ec1-9351-82f247c9ae37" alt=""><figcaption></figcaption></figure>

As we can see, the [X.509 certificate](https://en.wikipedia.org/wiki/X.509) was created to be valid from 26 April 2021, and the oldest files in the sample were identified around that time. That is two months after the release of this version of the legitimate APK, which tells us the package was rebuilt and re-signed rather than shipped by the original publisher.
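The timeline reasoning above, as an added example that is not part of the original page or of Pithus: it reads each entry's modification time straight from the APK's zip directory and cross-checks it against the legitimate release date and the signing certificate's validity start (the certificate's notBefore is passed in as read from the Threat Intel tab, since parsing the PKCS#7 signature block is out of scope). The APK is constructed inline; the dates are the page's (legit release 1 March 2021, certificate valid from 26 April 2021).

```python
import io
import zipfile
from datetime import date, datetime

# Dates from the page's narrative: legitimate release and certificate notBefore.
LEGIT_RELEASE = date(2021, 3, 1)
CERT_NOT_BEFORE = date(2021, 4, 26)


def build_sample_apk() -> bytes:
    """Constructed stand-in for the trojanized APK: untouched resources keep the
    legitimate build's date, the rebuilt dex and the new signature are later."""
    entries = [
        ("AndroidManifest.xml", (2021, 3, 1, 10, 0, 0)),
        ("res/layout/main.xml", (2021, 3, 1, 10, 0, 0)),
        ("classes.dex", (2021, 4, 26, 15, 30, 0)),
        ("META-INF/CERT.RSA", (2021, 4, 27, 9, 0, 0)),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, stamp in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), b"placeholder")
    return buf.getvalue()


def entry_timestamps(apk_bytes: bytes) -> dict:
    """Map each zip entry to its recorded modification time. These stamps are
    written by whoever built the archive, so treat them as hints, not proof."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: datetime(*i.date_time) for i in zf.infolist()}


def timeline_findings(apk_bytes: bytes, legit_release: date, cert_not_before: date) -> dict:
    """Cross-check the archive against the legitimate release date and the
    signing certificate's notBefore, mirroring the Threat Intel timeline."""
    stamps = entry_timestamps(apk_bytes)
    return {
        "oldest_entry": min(stamps.values()).date(),
        "newest_entry": max(stamps.values()).date(),
        # A certificate issued after the legit release means the package was
        # re-signed by someone other than the original publisher.
        "cert_days_after_release": (cert_not_before - legit_release).days,
        "resigned": cert_not_before > legit_release,
        # Entries touched after the legit release are where injected code lives.
        "rebuilt_entries": sorted(n for n, t in stamps.items() if t.date() > legit_release),
    }


if __name__ == "__main__":
    for key, value in timeline_findings(build_sample_apk(), LEGIT_RELEASE, CERT_NOT_BEFORE).items():
        print(f"{key}: {value}")
```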

In the **APK Analysis tab**, we can find the main activity for this application (if you need to refresh your memory on activities, check out the [Android developer's documentation](https://developer.android.com/guide/components/activities/intro-activities)). The main activity is an important point in your analysis: when you look into the APK, you will usually want to start from there, so it's important to identify it in the early stages of your work.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FeJfgLFaFYaIwDhvl0tlZ%2Fe98ba363f095bfa8e5de317cdffe96db.png?alt=media&#x26;token=ebb60d3e-a77f-49e8-9a08-4ae3250d52c4" alt=""><figcaption></figcaption></figure>

After having identified a potentially malicious activity, let's browse the [Manifest](https://developer.android.com/guide/topics/manifest/manifest-intro) and look for actions that are triggered by this activity. You will find that information in the APK Analysis tab.

Now moving on to the **Behavior Analysis tab**, where we will gather some general information on how the APK is behaving. The first part of the tab looks into the permissions that the APK will be requesting. This is a good indicator to identify what kind of resources will be used.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2F4oudyytLdMUGcSoZsepO%2F39eddf75fa9a0efb14168ad79cb760ae.png?alt=media&#x26;token=4980928e-3d83-4f8d-b2b3-7862c04ad3ba" alt=""><figcaption></figcaption></figure>

This APK is requesting an extensive set of permissions. This is not necessarily suspicious on its own; it depends on what the application is supposed to do. In this case, the trojanized application poses as a chat application, so requesting contacts or camera access is not surprising. Nonetheless, one must be wary of what kind of requests are made.

Later on, on the same page on Pithus, we scroll to the **Threat Analysis section**. The analysis there is based on a tool called [Quark](https://github.com/quark-engine/quark-engine). With this tool, it is possible to identify a number of "crimes" (as they call them) to map the behaviour of Android malware.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2Fxu3kNH5wDPk7gQ7xYaOo%2F04373d6b7ac8d1679291868d5148c942.png?alt=media&#x26;token=be84d429-5e80-444c-b1c4-0329e69469ec" alt=""><figcaption></figcaption></figure>

For our sample, we have a number of crimes identified. Check the questions related to this theme before moving on.

Next, we identify the classes whose behaviors we want to look at. Scroll down to the **Behavior Analysis**. Here we can see the names of the classes that exhibit the identified behaviors, which will give us valuable pivot points when analyzing the APK.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FGMRLyFMbAmPIoVBMSTnO%2F13a2b11b9836a2a57d2296bff3b7f34c.png?alt=media&#x26;token=48462c7e-d675-4ce2-b812-84db105abe6f" alt=""><figcaption></figcaption></figure>

Now we'll check out the **Network Analysis** tab. Here you will see a number of domains that have been identified and are queried by the APK. Considering that we are working on a high-profile case here, it is less likely that we'll easily discover clues: more advanced malware will obfuscate the domain or IP it communicates with to avoid detection.

<figure><img src="https://2641436320-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZkW2HTL8VBVaNWfTE6Ra%2Fuploads%2FiLK9QXpoGjbINSbf9iN1%2F0c8d580bc8d2663a580040b0b3931b6f.png?alt=media&#x26;token=d83173cc-0794-4ab9-8d46-28922a1d4b16" alt=""><figcaption></figcaption></figure>

Take some time to review the network page and the clues that we have gathered so far and move on to the next section: hunting!
