Last fall, we acquired some cool mobile security technology that we've been feverishly working to integrate and bring to market for a few different use cases. By way of introduction, the Marvin technology gives us a way to quickly assess various characteristics of a mobile app and identify new variants of mobile malware. That's done through a combination of quick static analysis and instrumented dynamic analysis. We execute the application in a sandbox and simulate keypresses and other actions (screen touches, swipes, etc.) while monitoring network traffic, API usage, and numerous other behaviors. This is a gross oversimplification but good enough for the purposes of this blog post. As an excuse to play around with the technology, I've been collaborating with Tyler Shields (Veracode researcher turned mobile product manager) to perform some analysis of popular Android apps. In the "Free" section of the Google Play store, there are 27 different app categories. We grabbed the 100 most popular apps in each category as of December 31, 2012, and ran them all through the new system. As a peek into the speed and scalability of the technology, the analysis of 2,700 apps was completed in a matter of hours. The analysis in its current form captures a huge amount of data. It's very granular, so dumping all the reports here isn't what I want to do. Instead, we're going to look through the data using our APIs and focus on some of the things that we find interesting. We'll try to do this over a series of blog posts over the coming weeks, if time permits. One of the first things that we wanted to answer was "where are these apps connecting to?" Because we capture every inbound and outbound packet, we can aggregate all of the remote IPs and use a GeoIP library to plot them on a world map. While this single artifact doesn't tell us anything about why those connections are being made or what sort of data is being sent, it is still quite interesting to visualize at a glance. Why are the apps connecting to these places? You can explore the heatmap below, or and zoom into various geographic areas for more detail. A couple things worth noting:
- The "temperature" of the data points is based on the total number of packets to that IP address, not the number of apps that communicate with that location. The latter would be just as easy to plot, we just opted not to in this case.
- Whenever the GeoIP library can't nail down a specific city, it defaults to the geographical center of the country. That's why you see some hot spots in the middle of the Australian desert or the Canadian tundra.
So is this interesting? Relevant? Maybe, maybe not. What I care about for now is that we can perform this sort of analysis by pressing a button and running a script. If I can find time, maybe I'll generate a version of the map that slices the data by app category. That might be cool to see. If you'd like more information on our upcoming mobile offerings, please follow this link and fill out the contact form. Expect to see more in this space in the coming months.