# RedAlert

### 01. Introduction

> An Android malware sample called "RedAlert" was found in the wild. The malware is known to collect data from infected phones and turns them into remote-controlled bots. You have to find out the address of the Command & Control (CC) server of the bots.

* Download the APK sample. (PW: **infected**)
* Extract the APK (apktool or jadx-gui)
* Analyze the resources

Your goal is

* Extract the Android package,
* Check the Android permissions (check if it can intercept and write SMS messages),
* Find the CC server address (protocol, IP, port) in the resource files.

APK File:

{% embed url="<https://www.dropbox.com/s/hi5l559ad1cna2r/red_alert.zip?dl=0>" %}

### 02. Analysis

The permissions are declared in the AndroidManifest.xml file inside the APK package. I’ll use the aapt tool to dump them:

```
aapt dump permissions RedAlert.apk
```

Even a quick look at the permissions is alarming: the package can read and write SMS messages:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fu4sP3vIJKOAJ8EUs6pPg%2Fpermissions01.png?alt=media&#x26;token=63855edb-7408-416c-b448-cbd3ada428cd" alt=""></div>

Let's compare with the MobSF framework:

{% embed url="<https://mobsf.live/>" %}

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fyk1pxBNi9NnH4WcRpHLB%2Fpermissions02.png?alt=media&#x26;token=a63d41c1-4562-46b5-aab5-e02389b499b3" alt=""></div>

Now we can open the package in jadx-gui and search for strings that look like a URL.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXnV1kStKKxsAbezjZGqF%2Fjadx01.png?alt=media&#x26;token=b30789d2-3d9b-4297-abd9-87f81ed84d2a" alt=""></div>

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FOlMmQq0xZba3Ecz95hce%2Fjadx02.png?alt=media\&token=d0a52af8-62e0-42b2-9d8c-02bc933f2c73)
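The manifest check and the resource-string search above can be scripted so the same triage runs on every decoded sample. The following is an added example and not part of the original writeup or the malware's own code: it parses a constructed AndroidManifest.xml and res/values/strings.xml (both in the layout apktool writes; the permissions, the receiver, the documentation address 203.0.113.10 and the `/sms` fragment are made up for the illustration, only `/stbi` is taken from the writeup), reports the SMS-related permissions, and joins the host/URL resource strings with the path fragments into candidate C&C endpoints that can be compared against sandbox or VirusTotal network data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decoded AndroidManifest.xml (apktool layout).
# Permissions and receiver are illustrative, not copied from the RedAlert sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="app">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample of res/values/strings.xml: the server and the paths are kept
# in separate strings, so no single resource string reads as a complete URL.
SAMPLE_STRINGS = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Update</string>
    <string name="srv">http://203.0.113.10:7878</string>
    <string name="p1">/stbi</string>
    <string name="p2">/sms</string>
    <string name="greeting">Hello</string>
</resources>
"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Permissions that let an app intercept, read, modify or send SMS messages.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.WRITE_SMS": "write/modify the SMS store",
    "android.permission.SEND_SMS": "send SMS",
}

def manifest_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NAME) for e in root.iter("uses-permission")]

def sms_capabilities(manifest_xml):
    """Subset of declared permissions that touch SMS, mapped to why they matter."""
    return {p: SMS_PERMISSIONS[p] for p in manifest_permissions(manifest_xml) if p in SMS_PERMISSIONS}

def has_sms_receiver(manifest_xml):
    """True if a receiver listens for SMS_RECEIVED; a high android:priority on that
    intent-filter is a common sign the app wants to see SMS before other apps."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NAME) == "android.provider.Telephony.SMS_RECEIVED"
               for a in root.iter("action"))

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+")
HOST_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")

def resource_strings(strings_xml):
    """name -> value for every <string> in a strings.xml resource file."""
    root = ET.fromstring(strings_xml)
    return {s.get("name"): (s.text or "") for s in root.iter("string")}

def find_network_indicators(strings_xml):
    """Sort resource strings into full URLs, bare IP[:port] values and path fragments."""
    found = {"urls": [], "hosts": [], "paths": []}
    for value in resource_strings(strings_xml).values():
        if URL_RE.search(value):
            found["urls"].append(value)
        elif HOST_PORT_RE.search(value):
            found["hosts"].append(value)
        elif PATH_RE.match(value):
            found["paths"].append(value)
    return found

def candidate_endpoints(strings_xml):
    """Join every base URL or host with every path fragment: the candidate C&C
    endpoints to look for in sandbox traffic or a VirusTotal relations graph."""
    ind = find_network_indicators(strings_xml)
    bases = ind["urls"] + ["http://" + h for h in ind["hosts"]]
    return sorted(b.rstrip("/") + p for b in bases for p in ind["paths"])

def split_endpoint(url):
    """(protocol, host, port) for the report; default ports are filled in when absent."""
    m = re.match(r"^(https?)://([^/:]+)(?::(\d+))?", url)
    proto, host, port = m.group(1), m.group(2), m.group(3)
    return proto, host, int(port) if port else (443 if proto == "https" else 80)

if __name__ == "__main__":
    print("SMS capabilities:", sms_capabilities(SAMPLE_MANIFEST))
    print("SMS receiver registered:", has_sms_receiver(SAMPLE_MANIFEST))
    for ep in candidate_endpoints(SAMPLE_STRINGS):
        print("candidate C&C endpoint:", ep, split_endpoint(ep))
```

To use it on a real sample, decode the APK with apktool and feed the contents of `AndroidManifest.xml` and `res/values/strings.xml` to the same functions; strings kept in code rather than in resources (as seen in jadx) are not covered by this resource-only pass.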

The CC server URL is probably built by appending one of the strings from the list above to a base address. I’ll upload the APK file to VirusTotal and get this graph. Note that the string /stbi appears in it:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FbdeOMYhBTodHCz6rj2zC%2Fvirus_total01.png?alt=media\&token=e0c6d7cb-4b00-4e5a-bf78-ff884f1da15c)

Potential CC Server:

* IP: 119.28.128.207 (CN)
* Protocol: http
* Port: 7878
