Mobile Malware Mimicking Framework: simple and scalable Android bot emulation framework

Mobile Malware Mimicking Framework

Mobile Malware Mimicking Framework

The Mobile Malware Mimicking framework, or m3 in short, is built to easily and scalable emulate Android malware whilst using very few resources. One can create fake bots via the command-line interface. The fake bots can then be loaded into the emulator, which will then schedule all fake bots. Each bot will handle the incoming commands from the C2 server based upon the family’s implementation. The traffic of each bot can be routed through a predefined proxy server. Currently, m3 supports the emulation of two malware families: Anubis and Cerberus. The logging is written to the standard output, and to the respective bot’s log file.

An analyst can track campaigns, actors, or general statistics related to commands that bots receive. Due to m3’s scalability, this can be done on a massive scale. Since m3 uses a command-line interface, one can automate this process. Loading bots can be done automatically, without worrying too much if old bots are included in the list since deactivated bots are automatically removed by the scheduler. Files are stored in a separate folder per bot, as is the configuration file of each bot.

m3’s internals

m3’s purpose is to allow researchers to easily emulate Android malware on the scale. The families within the framework are built upon a pure Java representation of commonly used Android features. As such, one Java Virtual Machine suffices to emulate dozens and dozens of Android bots, without the need for the Android operating system.

There is no direct limit for the amount of bots that can be emulated at the same time, as the built-in scheduler takes care of this. The incoming commands from the C2 server are handled by the implementation of the supported malware families in m3.

Logging is done on a per bot basis, into a log file for each of the emulated bots. Additionally, the logs of all the handled bots during the runtime are also printed to the standard output, in sequential order. The scheduler logs its output solemnly to the standard output.

Mobile Malware Mimicking Framework

Download & Use

Copyright (C) 2021 ThisIsLibra