Blue Coat Labs

Malicious Android Network Investigation Showcases WebPulse Analytics

Waylon Grange

[Great first post from Waylon in our internal blog earlier this week! --C.L.]

This will be my first post as a Blue Coat researcher. I joined the team after working in government, and I’m excited to finally be able to discuss my research publicly. Being able to work with the WebPulse global intelligence network was one of the many motivating factors for me when deciding to join Blue Coat’s team. WebPulse integrates input from over 75 million users worldwide. The image below shows where our data sources are in a typical 24-hour period:

[Image: world-wide WebPulse]

[Looks like we need to work on our user base in Antarctica... --C.L.]

Comparing that to NASA’s picture of the Earth at night, I’d say that’s stellar coverage, no pun intended. Not only is the information global, but the analytic capabilities of the system are amazing. For example, the domain popped up on my radar due to a recent spike in traffic, as shown in the graph below:

[Image: traffic flows to a shady site]

As I started my investigation, I found that the traffic was focused on one URL, and always used the POST method. Furthermore, it seemed to be coming only from Android devices. Already, this wasn’t passing the sniff test, but I needed more information. Unfortunately, there were no other URLs headed to this domain and no downloads of any kind. So I had to search deeper, and that is just what WebPulse is good for.
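
The triage signals described above (all traffic to one URL, POST only, Android clients only) can be written as a per-domain check over proxy logs. This is an added example, not code from the original post or from WebPulse; the log format, the `min_requests` threshold, the function names and the `.example` hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

ANDROID_UA = "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"

def _line(sec, method, url, ua):
    return f'2013-01-01T10:00:{sec:02d}Z 10.0.0.{sec} {method} {url} "{ua}"'

# Constructed sample proxy log (not real traffic); hosts use the reserved .example TLD.
SAMPLE_LOG = "\n".join(
    [_line(i, "POST", "http://callback.example/report", ANDROID_UA) for i in range(1, 7)]
    + [_line(i, "POST", "http://forms.example/submit",
             DESKTOP_UA if i % 2 else ANDROID_UA) for i in range(7, 13)]
    + [_line(13, "GET", "http://shop.example/", ANDROID_UA)]
    + [_line(i, "POST", f"http://shop.example/cart/{i}", ANDROID_UA) for i in range(14, 20)]
    + [_line(i, "POST", "http://quiet.example/ping", ANDROID_UA) for i in range(20, 22)]
    + ["malformed line without the expected fields"]
)

# Assumed format: time, client IP, method, URL, quoted User-Agent
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse(log_text):
    """Yield (method, host, path, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        _, _, method, url, ua = m.groups()
        parts = urlsplit(url)
        if parts.hostname:
            yield method.upper(), parts.hostname.lower(), parts.path or "/", ua

def suspicious_domains(log_text, min_requests=5):
    """Return hosts whose traffic is POST-only, single-URL and Android-only."""
    stats = defaultdict(lambda: {"n": 0, "methods": set(), "paths": set(), "other_ua": 0})
    for method, host, path, ua in parse(log_text):
        s = stats[host]
        s["n"] += 1
        s["methods"].add(method)
        s["paths"].add(path)
        s["other_ua"] += "android" not in ua.lower()
    return sorted(
        host for host, s in stats.items()
        if s["n"] >= min_requests and s["methods"] == {"POST"}
        and len(s["paths"]) == 1 and s["other_ua"] == 0
    )
```

A match is only a lead for further investigation: legitimate mobile APIs can show the same shape, which is why the hosting history and the hosted files still have to be examined.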

The domain was registered back in December of 2012. Over its existence, WebPulse has observed it being hosted from 7 different IP addresses. One of those addresses, for a brief period, simultaneously hosted and a few other smaller domains. All of these domains still exist, but none of them actually have web sites now. Instead, they are file servers and callback domains for their corresponding malware. hosts just over a dozen Android apps, most of which are Trojans that pack along variants of Android/Skymobi. Decompiling their Java code, I found the following switch statement where the malware decides which domain to call home to:

[Image: sample Java phone-home code]

These domains, and several others, have earned themselves the category of Malware, and I've also passed along the complete set of APKs to VirusTotal for others in the security industry to review.