Home 
Watch live 
Watch on demand 
Take a workshop 
Chat 
Contact us 
CTA TIPS 
QI-ANXIN 
Android stalkerware: hunting automation, analysis and detection
F5 helps find malware hiding in plain sight
https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encryptedEncrypted malware is becoming increasingly common, and daisy-chaining security devices is neither
cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with
F5’s innovative products.
Stay ahead of threats with VirusTotal
https://www.virustotal.com/Stay ahead of the next generation of threats and get relevant insights to solve
the most critical security challenges.
Looking for performance validation for your product?
https://www.virusbulletin.com/testing/Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification
programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service
offering valuable performance feedback for R&D. Email [email protected].
VirusTotal: Actionable crowdsourced threat intelligence
https://www.virustotal.com/Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.
Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions
https://www.farsightsecurity.com/get-started-guide/DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated
web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.
Calling all Hackers!
https://www.ise.io/careers/#op-470256-hacker-midseniorprincipalWe are hiring mid-senior-principal level hackers!
Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication
Amazon Information Security - come build the future with us!
https://www.amazon.jobs/en-gb/team/infosecDo you want to work on privacy and security challenges at unprecedented scale?
We have Privacy and Information Security opportunities available now across
the United States, Dublin, Ireland, and Sydney, Australia.
Ransomware prevention starts with zero
https://www.zscaler.com/solutions/security-transformation/ransomware-protectionRansomware attacks are increasing 500% year-over-year.
Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk
at every stage of a ransomware attack.
IoT security begins with your Smart TV
https://chomar.link/smarttvCHOMAR Smart TV Security.
Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.
Do you like doing work that matters to you… and really frustrates the bad guys?
https://talosintelligence.com/careersAt Talos, our mission is to make the internet a safer place and fight the good fight for our customers
and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,
we’d like to talk.
We don’t just talk about sharing. We do it every day.
https://www.cyberthreatalliance.org/about-ctaLearn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.
We are a greater team when we work together; our collective efforts magnifies our success and
ensures that we are and remain cyber resilient.
Threat Intelligence and Cyber Resilience
https://vblocalhost.com/programme/#TIPSJoin the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,
and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective
when addressing today's dynamic threat landscape.
QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity
https://ti.qianxin.com/marketing/vb2021/QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products
and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and
Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.
Downloads
Stalkerware applications have been made available to the public via Play Store, third-party app stores, and vendor websites. Google removed most of them from Play Store a couple of years back, but many app stores did not. Despite Google’s efforts, developers are finding ways to spread stalkerware applications using Play Store. We came across one such case during our research and reported it to Play Store.
Third-party app stores are widespread and highly used across different countries and languages. Stalkerware applications residing in the app stores are still freely available for the public to download. With such an app, unskilled mobile users can snoop around their partners, friends, and family members. We found that search engine operators (Google, Bing) can come in handy for hunting stalkerware applications. It is also possible to automate the hunting process using these search operators with the help of SERP APIs. We will discuss the hunting techniques here.
Stalkerware applications have grown a lot in recent times in terms of the functionalities offered: from a simple program that silently transmits SMS and location details to a complex one that exfiltrates WhatsApp messages, keystrokes, and other sensitive information. The popular stalkerware programs on the market usually collect these data and store them on a remote server, while applications on app stores provide options to transmit these sensitive data via email, SMS, or even to a configured IP address. We will show a couple of them and explore the technical details required for the next section of the talk.
Android provides a wide range of APIs, and developers use these APIs to implement features in their applications. So, APIs reflect the behaviour of the applications. Chaining API calls is one of the techniques used in detecting (static) malicious applications. A class of stalkerware applications can be detected effectively using this technique – by chaining the standard Android API method/class names, alongside the string constants (such as the content URI path) and forensic artifacts found in the application. We demonstrate detection with the help of a simple PoC written using the androguard Python library.
Towards the end of the talk, we will say a few words about the Stalkerware Threat List platform and invite researchers and organizations to contribute to our community, thereby putting an end to the growing stalkerware threats.
Key points of the talk:
- Hunting and automated hunting of stalkerware applications using search engine operators.
- Technical analysis of the implementation techniques used in the stalkerware applications.
- Static detection of stalkerware applications using the method mentioned above.
Got a question about this presentation? To get in touch with the speaker, contact Shankar on Twitter at @h1dd3ntru7h.
Shankar Raman Ravindran
NortonLifeLockShankar is a passionate security researcher. He has a dual Master's degree specialized in cyber security systems and software architecture. At Norton LifeLock, he works as a senior threat researcher. He takes part in CTF competitions and has won several contests under the team handle bi0s. He solves challenges related to forensics and binary exploitation. Before joining NortonLifeLock, he worked at SPEE labs in the home automation security field. During the period, he has reported several security bugs. His interest includes DFIR, malware analysis, and binary exploitation.