54 Android Malware and Analysis
industry, analyzing new threats as they emerge, and publishing information on a blog or public mailing lists. Over time, an individual may present at a conference, write articles, and become further involved in the industry, leading to invitations into private mailing groups. In the end it is all about networking: getting to know, and earning the trust of, other individuals within the industry. Rampart Research (http://rampartresearch.org) is a nonprofit founded by one of the authors (Dunham) of this book, dedicated to promoting individual growth and networking within the global cyber-response industry. Rampart Research maintains millions of malware samples, manages private discussion groups, and more, with a specialty research group dedicated to mobile malware.
Android Malware Genome Project
http://www.malgenomeproject.org/policy.html. Dr. Xuxian Jiang and Yajin Zhou offer about 1,200 samples, used in educational research, from a research project published in 2012. To obtain the samples one must meet the policy requirements stated at the link above.
File Data
Looking at just an Android app, there are several common file data points that one may immediately collect: filename, size, created, modified, and accessed times, and file type. A filename, like bad.apk, may be useful later when looking for similar samples, which may carry unique names or exist as variants on other devices, when handling an incident investigation. The more unique a filename, the more useful it becomes when performing correlation or searches for similar threats or associated threat data. File size can also help narrow a search if one or more APKs are identified as a specific size or within a range of likely sizes. For example, one may search a service such as VirusTotal for samples by name and size to identify other samples that may be, or are directly, related.
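The collection and correlation steps above, as an added example (not code from the book or from Rampart Research): it gathers the file data points for an APK and then matches them against an inventory of APKs seen elsewhere, using same-name or close-size-plus-close-time as the relation criteria. The 5% size tolerance, the 3-day time window, the placeholder APK contents, and the inventory of "other devices" are all constructed assumptions for the demonstration; nothing here talks to VirusTotal.

```python
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileData:
    name: str
    size: int
    created: datetime   # st_ctime: inode change time on Unix, creation time on Windows
    modified: datetime
    accessed: datetime
    file_type: str
    sha256: str


def write_sample_apk(path):
    """Constructed sample: an APK-shaped ZIP with placeholder members, not a real app."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")          # placeholder
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)      # placeholder
    return path


def identify_type(path):
    """Type by content, not extension: an APK is a ZIP carrying a manifest and a dex."""
    with open(path, "rb") as f:
        magic = f.read(2)
    if magic != b"PK":
        return "unknown"
    try:
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "zip (corrupt)"
    if "AndroidManifest.xml" in names and "classes.dex" in names:
        return "apk"
    return "zip"


def collect_file_data(path):
    """The common data points from the text: name, size, MAC times, type, plus a hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return FileData(
        name=os.path.basename(path),
        size=st.st_size,
        created=datetime.fromtimestamp(st.st_ctime),
        modified=datetime.fromtimestamp(st.st_mtime),
        accessed=datetime.fromtimestamp(st.st_atime),
        file_type=identify_type(path),
        sha256=digest,
    )


def size_matches(candidate_size, reference_size, tolerance=0.05):
    """True if candidate is within +/- tolerance (assumed 5%) of the reference size."""
    return reference_size * (1 - tolerance) <= candidate_size <= reference_size * (1 + tolerance)


def within_window(when, anchor, days=3):
    """True if a timestamp falls within an assumed 3-day window of the anchor time."""
    return abs(when - anchor) <= timedelta(days=days)


def find_related(reference, inventory, tolerance=0.05, days=3):
    """Related if the name matches exactly, or size and modified time are both close."""
    hits = []
    for rec in inventory:
        same_name = rec["name"].lower() == reference.name.lower()
        close = size_matches(rec["size"], reference.size, tolerance) and \
            within_window(rec["modified"], reference.modified, days)
        if same_name or close:
            hits.append(rec["name"])
    return hits


def demo():
    """Build the constructed sample, collect its data, and correlate against a constructed inventory."""
    with tempfile.TemporaryDirectory() as d:
        ref = collect_file_data(write_sample_apk(os.path.join(d, "bad.apk")))
    # Constructed inventory of APKs "seen on other devices" (not real data)
    inventory = [
        {"name": "bad.apk",    "size": ref.size + 4000, "modified": ref.modified - timedelta(days=30)},
        {"name": "update.apk", "size": ref.size + 2,    "modified": ref.modified - timedelta(days=1)},
        {"name": "game.apk",   "size": ref.size * 50,   "modified": ref.modified},
    ]
    return ref, find_related(ref, inventory)


if __name__ == "__main__":
    data, related = demo()
    print(data)
    print("related:", related)
```

Note that the type check reads the ZIP members rather than trusting the .apk extension, and that st_ctime means different things on Unix and Windows, which matters when comparing "created" times across devices.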
Dates and times associated with the file may also be useful in correlating a threat. For example, an incident may involve threats that emerged on or around a specific date. In some situations, searching for threats of a certain type, such as APKs/apps on devices, matching modified, accessed, or created (MAC) times may help discover other