We're hiring! Join us and help create the future of ARM virtualization.

Checking Suspicious Links with Corellium

Technical WriteupsOctober 2021

Ever received a suspicious SMS with a link? In this post, we look at how you can use Corellium to determine whether the link is just spam or something more nefarious. We’ll start by using the built-in Network Monitor. We’ll cover using a virtual device with a proxy, such as Burp or Charles, in a later post. 

Imagine being on vacation and receiving this SMS shortly before your flight home:

But you didn’t check in online… You’re not flying Southwest… And what’s up with that URL? We can inspect the link using Android or a jailbroken iOS device, along with the Network Monitor.

Step 1: Create your virtual device

  • Log into your Corellium account and click “Create Device.” 
  • Navigate to the last device in the list, or search for “Android.”
  • Select the Android device and click “Next.”
  • The default OS version is the latest one, click “Select.”
  • The default device name is “Android,” but you’re welcome to change it.
  • When you’re ready, click “Create Device.”

Corellium will take about a minute to set up your virtual Android device.

Step 2: Start the Network Monitor

Before loading the browser, make sure you enable the Network Monitor to capture the traffic.

  • Click “Network” to the right of your virtual device.
  • Click “Start Monitoring.”

Captured HTTP and HTTPS traffic will appear in the Overview panel next to the device. Click on any of the captured packets to view more information, including the request and the response.

Step 3: Load the suspicious URL

  • Open the browser, type in the suspicious URL and hit enter.
  • The URL sends you to accounts.google.com, what’s going on?
  • Let’s use the Network Monitor to investigate!

Step 4: Review captured packets

The Network Monitor captures two packets when loading the URL. (Note: starting the browser resulted in the Monitor capturing a handful of packets before we entered our URL. We cleared the log first to create the screenshot below.)

Entry #1 looks pretty interesting! Click on the packet to view the request.

The request goes to “wallet-api.urbanairship.com” and takes us to a Google sign-in page. The response includes “pay.google.com”, which belongs to Google’s digital wallet platform. 

If we Google “wallet-api.urbanairship.com”, we find a link to Airship's Wallet API. There’s also a Reddit post stating Southwest Airlines uses a third-party to deliver mobile boarding passes. And Airship confirmed on Twitter that the “airsp.co” link is legitimate. 

If we load the URL on a jailbroken iOS device (just to compare), Safari says it “cannot download this file.” Here’s the response:

If we Google “vnd.apple.pkpass”, we find a link to Apple’s Wallet Developer Guide

All these different breadcrumbs point to the SMS and link containing a legitimate Southwest boarding pass… It’s not ours, but probably the result of someone mistyping their phone number. At least it wasn’t something nefarious! 

A note about virtual iOS devices

Certain applications, including Apple Wallet, aren’t supported on our virtual iOS devices. You can read more about this here. This is why Safari could not “download this file.” On a physical iOS device, clicking the link causes Apple Wallet to load the boarding pass.

Latest NewsChecking Suspicious Links with Corellium

© Corellium 2021