This article was published on the 10th of November 2021.
The Mobile Malware Mimicking framework, or m3 for short, is built to emulate Android malware easily and at scale whilst using very few resources. One can create fake bots via the command-line interface. The fake bots can then be loaded into the emulator, which schedules all of them. Each bot handles the incoming commands from the C2 server based upon the family’s implementation. The traffic of each bot can be routed through a predefined proxy server. Currently, m3 supports the emulation of two malware families: Anubis and Cerberus. The logging is written to the standard output, and to the respective bot’s log file.
An analyst can track campaigns, actors, or general statistics related to commands that bots receive. Due to m3’s scalability, this can be done on a massive scale. Since m3 uses a command-line interface, one can automate this process. Loading bots can be done automatically, without worrying too much if old bots are included in the list, since deactivated bots are automatically removed by the scheduler. Files are stored in a separate folder per bot, as is the configuration file of each bot.
The creation of fake bots requires details that are normally only present in phones, such as a phone number, fake contacts, or an IMEI number. As such, it is critical that one only uses details that are possessed by the operator of that specific instance of m3. Using details that are not owned by the operator might lead to the re-use of existing details of a random third party, which then end up at a malware operator. This might lead to uncomfortable, if not worse, situations for whoever owns the re-used details. Additionally, this might be a legal issue, depending on the jurisdiction in your area.
Be warned, and take good care of your operational security, for the sake of everybody involved.
m3’s purpose is to allow researchers to easily emulate Android malware at scale. The families within the framework are built upon a pure Java representation of commonly used Android features. As such, one Java Virtual Machine suffices to emulate dozens and dozens of Android bots, without the need for the Android operating system.
There is no direct limit on the number of bots that can be emulated at the same time, as the built-in scheduler takes care of this. The incoming commands from the C2 server are handled by the implementation of the supported malware families in m3.
Logging is done on a per-bot basis, into a log file for each of the emulated bots. Additionally, the logs of all the handled bots during the runtime are also printed to the standard output, in sequential order. The scheduler logs its output solely to the standard output.
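Because m3 writes one log file per bot into a folder per bot, the campaign and command statistics mentioned earlier can be produced by walking that tree. The script below is an added example, not code from m3 or its author: it assumes a hypothetical layout of one `bot.log` per bot directory and a hypothetical line format of `<timestamp> [<family>] bot=<id> cmd=<command>`; the sample logs and command names are constructed placeholders, not the real command sets of Anubis or Cerberus. It counts commands per family and per bot, tolerates malformed lines, and reports bots that have been idle longer than a threshold, which mirrors how the scheduler drops deactivated bots.

```python
"""Aggregate per-bot m3-style log files into campaign statistics.

Added example; the line layout and the one-folder-per-bot layout holding
bot.log are assumptions, not m3's documented formats.
"""
import os
import re
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) line layout: "<timestamp> [<family>] bot=<id> cmd=<command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<family>[a-z0-9_]+)\] bot=(?P<bot>[\w-]+) cmd=(?P<cmd>\S+)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs; command names are placeholders, not real family commands.
SAMPLE_LOGS = {
    "bot-0001": [
        "2021-11-10 09:00:00 [anubis] bot=bot-0001 cmd=get_contacts",
        "2021-11-10 09:05:00 [anubis] bot=bot-0001 cmd=send_sms",
        "2021-11-10 09:10:00 [anubis] bot=bot-0001 cmd=send_sms",
    ],
    "bot-0002": [
        "2021-11-10 09:01:00 [cerberus] bot=bot-0002 cmd=get_installed_apps",
        "2021-11-10 10:30:00 [cerberus] bot=bot-0002 cmd=start_injection",
        "garbage line that should be counted as malformed",
    ],
    "bot-0003": [
        "2021-11-09 08:00:00 [anubis] bot=bot-0003 cmd=get_contacts",
    ],
}


def write_sample_tree(root):
    """Create root/<bot>/bot.log for each constructed bot; returns root."""
    for bot, lines in SAMPLE_LOGS.items():
        bot_dir = os.path.join(root, bot)
        os.makedirs(bot_dir, exist_ok=True)
        with open(os.path.join(bot_dir, "bot.log"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return root


def make_sample_root():
    """Write the constructed tree into a fresh temporary directory."""
    return write_sample_tree(tempfile.mkdtemp(prefix="m3-logs-"))


def parse_line(line):
    """Return (timestamp, family, bot, cmd), or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FORMAT), m["family"], m["bot"], m["cmd"])


def collect_stats(root):
    """Walk root/*/bot.log and aggregate command counts per family and per bot."""
    stats = {
        "per_family": defaultdict(Counter),  # family -> Counter(cmd)
        "per_bot": defaultdict(Counter),     # bot -> Counter(cmd)
        "last_seen": {},                     # bot -> datetime of newest line
        "malformed": 0,                      # lines not matching LINE_RE
    }
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        log_path = os.path.join(entry.path, "bot.log")
        if not entry.is_dir() or not os.path.isfile(log_path):
            continue  # skip stray files and bot folders without a log yet
        with open(log_path, encoding="utf-8") as fh:
            for line in fh:
                if not line.strip():
                    continue
                parsed = parse_line(line)
                if parsed is None:
                    stats["malformed"] += 1
                    continue
                ts, family, bot, cmd = parsed
                stats["per_family"][family][cmd] += 1
                stats["per_bot"][bot][cmd] += 1
                prev = stats["last_seen"].get(bot)
                if prev is None or ts > prev:
                    stats["last_seen"][bot] = ts
    return stats


def inactive_bots(stats, now, max_idle_hours):
    """Sorted bot ids whose newest line is older than max_idle_hours before now."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FORMAT)
    cutoff = now - timedelta(hours=max_idle_hours)
    return sorted(b for b, ts in stats["last_seen"].items() if ts < cutoff)


if __name__ == "__main__":
    s = collect_stats(make_sample_root())
    for family, counts in s["per_family"].items():
        print(family, dict(counts))
    print("malformed lines:", s["malformed"])
    print("idle > 24h:", inactive_bots(s, "2021-11-10 12:00:00", 24))
```

Point `collect_stats` at the real bot folder once the actual line format is known by adjusting `LINE_RE`; everything else (per-family counts, idle detection) stays the same, and the malformed counter gives an early warning when the regex no longer matches what m3 writes.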
The framework’s source code is extensively documented, meaning that JavaDoc is present for all classes, fields, and functions in the project. A detailed guide on how to extend the framework can be found here.
At this moment, the framework supports the following families:
- Anubis
- Cerberus
This means that one can create any number of bots for these two families. More information about the implementation of these two families can be found here.
To install m3, one can use the precompiled Java archive from the latest release. Alternatively, one can compile the Maven project using the command that is given below.
mvn clean compile assembly:single
All code has been written on a machine that has OpenJRE 8 and OpenJDK 8 installed. The code is written to be version agnostic for Java 8 or later, although this has not been tested thoroughly.
Once a compiled binary is present on the system, one needs a bit of available RAM, and some available disk space. The amount of RAM and disk space depends on the number of bots that one wishes to emulate, and how long the emulation will run for. A few hundred megabytes of RAM will suffice under normal circumstances, and a few megabytes of disk space per emulated bot will suffice in the same conditions.
One can use
There are two ways to create a new bot object. Both are done via the command-line interface, as there is no graphical user interface for m3. One can provide all arguments via the command-line at once, or one can use the guided mode, where one answers all the questions that are listed, and a bot is created based upon the answers.
In this section, I would like to express my gratitude to several companies and individuals. First and foremost, I’d like to thank ThreatFabric (Gaetan van Diemen, bozman, and Cengiz Han Sahin in particular) for the swift responses, and their detection figures. Additionally, I’d like to thank Avast (Ondřej David and Nikolaos Chrysaidos in particular) for their detection figures. Lastly, I’d like to thank Fred HK for providing me with a copy of the leaked Cerberus source code.
The release notes for each update are given below, together with the release date of each version.
1.0-stable [10th of November 2021]
List of features
- Initial release at BlackHat Europe 2021
- Emulation support for Anubis and Cerberus