TY - GEN
T1 - DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper
AU - Coletta, A.
AU - van der Veen, V.
AU - Maggi, F.
PY - 2016
Y1 - 2016
N2 - After analyzing several Android mobile banking trojans, we observed the presence of repetitive artifacts that describe valuable information about the distribution of this class of malicious apps. Motivated by the high threat level posed by mobile banking trojans and by the lack of publicly available analysis and intelligence tools, we automated the extraction of such artifacts and created a malware tracker named DroydSeuss. DroydSeuss first processes applications both statically and dynamically, extracting relevant strings that contain traces of communication endpoints. Second, it prioritizes the extracted strings based on the APIs that manipulate them. Finally, DroydSeuss correlates the endpoints with descriptive metadata from the samples, providing aggregated statistics, raw data, and cross-sample information that allow researchers to pinpoint relevant groups of applications. We connected DroydSeuss to the VirusTotal daily feed, consuming Android samples that perform banking-trojan activity. We manually analyzed its output and found supporting evidence to confirm its correctness. Remarkably, the most frequent itemset unveiled a campaign currently spreading against Chinese and Korean bank customers. Although motivated by mobile banking trojans, DroydSeuss can be used to analyze the communication behavior of any suspicious application.
AB - After analyzing several Android mobile banking trojans, we observed the presence of repetitive artifacts that describe valuable information about the distribution of this class of malicious apps. Motivated by the high threat level posed by mobile banking trojans and by the lack of publicly available analysis and intelligence tools, we automated the extraction of such artifacts and created a malware tracker named DroydSeuss. DroydSeuss first processes applications both statically and dynamically, extracting relevant strings that contain traces of communication endpoints. Second, it prioritizes the extracted strings based on the APIs that manipulate them. Finally, DroydSeuss correlates the endpoints with descriptive metadata from the samples, providing aggregated statistics, raw data, and cross-sample information that allow researchers to pinpoint relevant groups of applications. We connected DroydSeuss to the VirusTotal daily feed, consuming Android samples that perform banking-trojan activity. We manually analyzed its output and found supporting evidence to confirm its correctness. Remarkably, the most frequent itemset unveiled a campaign currently spreading against Chinese and Korean bank customers. Although motivated by mobile banking trojans, DroydSeuss can be used to analyze the communication behavior of any suspicious application.
M3 - Conference contribution
T3 - Lecture Notes in Computer Science
BT - Financial Cryptography and Data Security
PB - Springer, Berlin
ER -