
Hunting Syrian Nation State Android Malware

This tutorial shows how to use PolySwarm to hunt for Android samples potentially related to Syrian nation-state actors.

Lookout published a blog post on COVID-19 related Android malware released by the Syrian Electronic Army.

The post discloses:

  • Where the command and control (C2) addresses are stored within the malicious applications (within res/values/strings.xml)
  • A list of SHA1 hashes of applications known to belong to this family of malware

First, we look up Lookout's first SHA1 hash on PolySwarm:

  • via the CLI (hash search): polyswarm search hash 1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08
  • via the CLI (metadata search using the hash): polyswarm search metadata 'hash.sha1:"1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08"'
  • via the Python library:
from polyswarm_api.api import PolyswarmAPI

# Authenticate with your PolySwarm API key (replace the placeholder).
api = PolyswarmAPI(key="<your API key>")

# Metadata search takes the same query syntax as the CLI.
query = 'hash.sha1:"1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08"'

results = api.search_by_metadata(query)

for result in results:
    print(f"Artifact Attributes: {result.artifact}")

Next, we download the Artifact (using your choice of Web UI, CLI or Python) and decode it with apktool (the d command), which writes the decoded resources to an output directory. The C2 address lives in res/values/strings.xml:

<?xml version="1.0" encoding="utf-8"?>
<resources>
    ...
    <string name="MT_Bin_dup_0x7f0c0020">Android Telegram</string>
    <string name="MT_Bin_dup_0x7f0c0021">10000</string>
    <string name="MT_Bin_dup_0x7f0c0022">82.137.218.185</string>
    ...
</resources>

It appears as though the C2 address is 82.137.218.185. Lookout's blog post did not publish this address, so it is a new pivot point.

We can use Metadata Search to "pivot" using this IP(v4) address:

  • via the CLI: polyswarm search metadata --ip 82.137.218.185
  • via the Python library (api is the PolyswarmAPI client created above):
# The first argument is the metadata query; "*" matches everything, so the
# ip keyword argument alone constrains the results.
results = api.search_by_metadata("*", ip="82.137.218.185")

for result in results:
    print(f"Artifact Attributes: {result.artifact}")
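The workflow from the decoded APK to the pivot, as an added example that is not code from the original post or from PolySwarm: it parses res/values/strings.xml as apktool writes it, keeps only syntactically valid and globally routable IPv4 literals (so version strings, malformed octets, loopback and RFC 1918 addresses do not become false pivots), builds the CLI pivot command shown above, and then compares the SHA1s a pivot returns against a published IOC list to find the samples that are new. The strings.xml content and the SHA1 lists are constructed for the example; the only real value in them is Lookout's first hash from the post. The res/values*/strings.xml path layout is apktool's default, and the PolySwarm call itself is left to the client code shown above.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for res/values/strings.xml as apktool d writes it.
# The 0x7f0c0022 entry mirrors the post; the others are decoys that a naive
# regex would wrongly report as C2 addresses.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="MT_Bin_dup_0x7f0c0020">Android Telegram</string>
    <string name="MT_Bin_dup_0x7f0c0021">10000</string>
    <string name="MT_Bin_dup_0x7f0c0022">82.137.218.185</string>
    <string name="build_version">1.2.3.4.5</string>
    <string name="bad_octet">999.1.1.1</string>
    <string name="loopback">127.0.0.1</string>
    <string name="lan">http://192.168.1.10/api</string>
</resources>
"""

# Four dot-separated 1-3 digit groups that are not embedded in a longer dotted run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4_candidates(strings_xml: str) -> list[tuple[str, str]]:
    """Return (resource name, address) for every globally routable IPv4 literal.

    ipaddress does the octet validation; is_global drops loopback, RFC 1918,
    link-local and similar ranges that cannot be an Internet-facing C2.
    """
    root = ET.fromstring(strings_xml)
    found = []
    for node in root.iter("string"):
        for match in IPV4_RE.finditer(node.text or ""):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ValueError:  # e.g. 999.1.1.1
                continue
            if addr.is_global:
                found.append((node.get("name", ""), str(addr)))
    return found


def candidates_from_apktool_dir(decoded_dir: str) -> list[tuple[str, str]]:
    """Scan the default and every locale-specific strings.xml in an apktool
    output directory (assumed default layout: res/values*/strings.xml)."""
    results = []
    for xml_path in sorted(Path(decoded_dir).glob("res/values*/strings.xml")):
        results.extend(extract_ipv4_candidates(xml_path.read_text(encoding="utf-8")))
    return results


def pivot_command(ip: str) -> str:
    """The polyswarm-cli metadata pivot for an address found above."""
    return f"polyswarm search metadata --ip {ip}"


SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def new_variants(pivot_sha1s, published_sha1s) -> list[str]:
    """SHA1s returned by the pivot that the published IOC list does not contain.

    Hashes are normalised to lowercase; anything that is not a 40-hex SHA1 is
    rejected so a stray SHA256 or truncated hash cannot silently inflate the count.
    """
    def norm(h: str) -> str:
        h = h.strip().lower()
        if not SHA1_RE.match(h):
            raise ValueError(f"not a SHA1: {h!r}")
        return h

    published = {norm(h) for h in published_sha1s}
    return sorted({norm(h) for h in pivot_sha1s} - published)


if __name__ == "__main__":
    for name, ip in extract_ipv4_candidates(SAMPLE_STRINGS_XML):
        print(f"{name}: {ip}  ->  {pivot_command(ip)}")
    # Constructed pivot result: Lookout's first hash plus two made-up SHA1s.
    lookout = ["1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08"]
    pivot = ["1AEFC2EBAF1A78F23473CE6275B0B514BBCDFB08", "a" * 40, "b" * 40]
    print("not in the published list:", new_variants(pivot, lookout))
```

Point candidates_from_apktool_dir at the directory apktool produced and feed each address to the pivot; feeding the returned hashes and Lookout's list into new_variants gives the "not identified by Lookout" set directly rather than by eyeballing 50 results.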

At the time of writing, we see 50 results:

  • at least 23 of which were not identified by Lookout in their blog post, and
  • at least 5 of which cannot be found on platforms similar to PolySwarm.

Using PolySwarm, researchers can quickly identify additional variants of a malware family and immediately expand the public knowledge of the threat.

2025 © PolySwarm Pte. Ltd.