Some years ago I wrote a research paper for SANS 'Monitoring Network Traffic for Android Devices' in which I described the process to monitor the traffic produced by Android smartphones in a corporate environment. Moreover, I created some PoC and tests with some real malware in order to detect it through this proposed architecture. This research was used as part of other investigations projects to detect malware. Related to this, and while working on my current malware project I mentioned in previous post, I've analysing the traffic produced by several banking trojans and I have found that they fake the User-Agent in the HTTP header. Even, in some cases the tag 'User-Agent' is not correct (eg: User-agent instead of User-Agent like the screenshot below). For example for, emmental it is:
- User-agent: Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
- User-Agent: yasuo21
In some other cases the HTTP request is sent without a User-Agent.
As I know which it is the default User-Agent of my device where I run the malware, any other different User-Agent seen in the traffic is suspicious to me. To monitor that, I have created a simple Snort rule like this:
alert tcp any any -> any 80 (msg:"Detect Invalid User-Agent Android ----"; pcre:"/User-Agent:.*/i"; content:!"User-Agent: Mozilla/5.0 (Linux\; Android 5.1.1\; Nexus 5 Build/LMY48I"; sid:2222222; rev:2;)
With this rule I check the existence of any User-Agent which doesn't match the correct User-Agent of my device.
$ tail -f /var/log/snort/alert
***A**** Seq: 0x7B8CD7D9 Ack: 0x209D1779 Win: 0x559 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1371638 1012941375
[**] [1:2222222:2] Detect Invalid User-Agent Android ---- [**]
[Priority: 0]
09/05-18:54:39.433538 172.16.42.154:42939 -> 82.98.134.9:80
TCP TTL:64 TOS:0x0 ID:22830 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x7B8CDD81 Ack: 0x209D1779 Win: 0x559 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1371638 1012941376