Joe Sandbox Mobile

Deep Malware Analysis for Malware targeting Mobile platforms

Joe Sandbox Mobile analyzes APKs in a controlled Android environment and monitors the runtime behavior of the APK for suspicious activities. All activities are compiled into comprehensive and detailed analysis reports.

Analysis reports, which contain key information about potential threats, enable cyber-security professionals to deploy, implement and develop appropriate defense and protections.

Joe Sandbox Mobile enables you to install and use Joe Sandbox in your lab. Currently Joe Sandbox Mobile analyzes any malware targeting Android-based operating systems.

Joe Sandbox Mobile Explained

Joe Sandbox Mobile's architecture is modular. It consists of at least one controller machine running Linux and multiple connected analysis machines (with Android installed) hosted by virtualization products such as VMware or VirtualBox. APKs are submitted by a user or by submission scripts and sent via the Joe Sandbox Mobile Web Interface to the controller's server. The Joe Sandbox Mobile server then stores the submissions in a local file database and forwards them to the connected analysis machines or phones, where the APK is installed and launched.

Joe Sandbox Mobile's configurable and efficient instrumentation engine analyzes all activity during the APK execution and reports behavior data back to the controller instantly.

Static and dynamic data are evaluated, and results, statistics, activities and code functions are compiled into a detailed and well-structured report.


Explore Joe Sandbox Mobile

Have a look at the behavior analysis reports generated by Joe Sandbox Mobile or contact Joe Security to schedule a technical presentation.

Powerful Instrumentation Engine

Joe Sandbox Mobile's instrumentation engine enables monitoring of any Java/Android API call within an APK, local function or even data structure field access. The entire instrumentation behavior is highly configurable and relies on a transparent and open interface, making it extremely flexible and extendable. The engine resolves reflective API calls, which are often used to obfuscate Java code. In addition, the engine supports a sophisticated set of tricks to prevent emulator, VM and instrumentation detection.

Interaction and Intent Simulation

In order to trigger more of the malicious payload, Joe Sandbox Mobile automatically understands the view hierarchy of the running APK and clicks buttons in an intelligent manner to progress beyond dummy "I agree" windows or other GUI masks. APKs implementing receiver functionality such as SMS_RECEIVED or BOOT_COMPLETED are fed manually based on cookbooks or fully automated with simulated intents to trigger malicious behavior.


Comprehensive Reports

Joe Sandbox Mobile generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context-based search enables quick navigation.


425+ Generic and Open Behavior Signatures

Joe Sandbox Mobile uses a growing set of 425+ generic Behavior Signatures to detect and classify the malicious behavior of an APK. Behavior Signatures are based on the extensive information Joe Sandbox captures during dynamic analysis.


Yara

Joe Sandbox Mobile allows the use of Yara rules for advanced malware detection. Joe Sandbox Mobile forwards all samples, downloaded files, resources and memory dumps to Yara. In addition, Joe Sandbox Mobile features a nice web-based Yara rule editor.


Virtual and Physical Analysis Systems

Joe Sandbox Mobile enables the use of a mix of virtual and physical analysis machines for analysis. Physical phones are very helpful for dealing with evasive malware which may not run on virtual systems.


Seamless Integration

Joe Sandbox Mobile allows for seamless integration into existing threat intelligence systems. An SDK, providing interfaces for automated file submissions and processors for handling generated analysis data, is included. For bulk file submissions, Joe Sandbox Mobile provides a queuing system with load-balancing and prioritization mechanisms. Supporting tools such as Yara and VirusTotal can be enabled.


Simplified Management and Control

Joe Sandbox Mobile includes an intuitive web interface with features such as file and URL uploads, a cookbook editor, user management, bulk upload/download and mail/syslog notifications.


Flexibility and Customization

Joe Sandbox Mobile is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox Mobile supports multiple analysis machines with different applications/versions installed.

Additional Support, Maintenance and Consulting

Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge, as a supplemental package to Joe Sandbox Mobile.


Learn more about Joe Sandbox Mobile

Analyze APKs at http://www.apk-analyzer.net to explore the power of Joe Sandbox Mobile and contact Joe Security to schedule a technical presentation.

What files does Joe Sandbox Mobile analyze?

Joe Sandbox Mobile analyzes APK (Android Application Package) files.

What report and forensic data does Joe Sandbox Mobile generate?

Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, strings, PCAP and screenshots.

Which analysis technology does Joe Sandbox use?

Joe Sandbox Mobile uses a wide range of analysis technologies, including dynamic, static and hybrid analysis. Due to the use of several analysis techniques, Joe Sandbox Mobile discovers more behavior than other solutions.

What are behavior signatures?

Behavior signatures are tiny scripts that rate the data Joe Sandbox Mobile captures from the malware. Joe Sandbox Mobile extracts any API call executed by the malware. Joe Sandbox Mobile includes a steadily rising number of 425+ signatures.

Which virtualization products run with Joe Sandbox Mobile?

Joe Sandbox Mobile supports all virtualization products, including VirtualBox and VMware ESX.

Does Joe Sandbox Mobile analyze malware on native phones?

Yes, Joe Sandbox Mobile enables the analysis of malware on native phones.

Which Android versions are supported?

All Android versions in the English language.

What hardware and operating systems do I need to install Joe Sandbox Mobile?

Joe Sandbox Mobile runs on standard hardware with Linux as the operating system (e.g. Ubuntu Server). For installation, a single server is required.

Is Joe Sandbox Mobile a standalone application?

Yes, Joe Sandbox Mobile can be run without any connection to the Internet or our Cloud.

What types of license do you offer?

We offer perpetual licenses with a site, country or world-wide scope. Services such as support and upgrades are available as an annually renewing license.