While it may seem as though blogs are reporting the discovery of malicious mobile apps every day, actually finding samples of these apps to assess is quite difficult.
Many malware repositories — like VirusTotal — are not open. They’re paid, or enterprise-only. VirusTotal, for example, does offer students a downloadable repo of malware samples for research purposes, but they don’t provide a full “Intelligence” plan without a hefty price tag. This “Intelligence” account is required to download malware samples.
What VirusTotal does offer is free dynamic analysis! This can be quite handy for assessing samples you find in the wild.
There are a number of open Github repos that contain mobile malware samples for researchers. In general, I’d advise you to only bother looking at repositories that have been updated in the last year. Unless you’re looking for really old families, these will be your best bet for the latest and greatest threats plaguing Android users.
The best repositories I’ve found are:
Another resource I particularly like for independent research is Hybrid Analysis. While they do require that you create an account before accessing their samples, the accounts are free and their Advanced Search feature is fantastic for quickly sourcing Android-specific malware.
You can’t really expect to find anything terribly noteworthy, here. The repository is pretty small for Android samples. However, it’s free, and they do tend to have some newer samples! This makes it a great resource for those starting out in Android reversing.
Within the Advanced Search, select Filetype > Android, Verdict > Malicious. You’ll receive a list of all flagged Android apps in the Hybrid-Analysis repository.
When you click on a sample of interest, you’ll receive a page with details on which threat the AV has detected, what capabilities the application has, stats around its upload, SHA256 and a slew of other useful information. You’ll also see a button with a “Download” icon, and the label “Sample”. Clicking this lets you download the sample to analyse for yourself.
As the popularity of mobile malware and the demand for mobile analysts continue to rise, I have no doubt we’ll see an increase in repositories stocked with malicious Android and iOS applications. For now, these have been the most reliable sources for my independent research.
Where do you look for malware samples? Do you have a nifty VT account, or do you rely on the OSS community, too?