Skip to content
All Skills

Detecting Mobile Malware Behavior

Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "detecting-mobile-malware-behavior-6f2b5ff9" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Detecting Mobile Malware Behavior

## When to Use

Use this skill when:
- Analyzing suspicious mobile applications submitted by users or discovered during incident response
- Monitoring enterprise mobile fleet for malicious app indicators
- Performing malware triage on APK/IPA samples
- Investigating data exfiltration or unauthorized device access from mobile apps

**Do not use** this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.

## Prerequisites

- Isolated analysis environment (dedicated device or emulator, not connected to production networks)
- MobSF for automated static+dynamic analysis
- Frida/Objection for runtime behavior monitoring
- Wireshark/tcpdump for network traffic capture
- Android emulator (AVD) or Genymotion for safe execution
- VirusTotal API key for hash lookups

## Workflow

### Step 1: Static Indicator Analysis

```bash
# Hash the sample
sha256sum suspicious.apk

# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
  -H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'

# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk

# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration
```

### Step 2: MobSF Automated Malware Scan

```bash
# Upload to MobSF
curl -F "[email protected]" http://localhost:8000/api/v1/upload \

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#malware#analysiscurljqmobsffridaobjectiontcpdumpmitmproxyandroid-emulatorvirustotalaapt
Detecting Mobile Malware Behavior - AgentArmory Skill — AgentArmory