The Dark Arts of Malware Research: Dynamic Malware Analysis with Corellium

The Phantom Software
"What did you do?!" -Dad
"I was just playing games" -Me
It's 2001, I am 10, and I have just broken my father's work laptop, an IBM ThinkPad T20, by downloading game modifications for Star Wars: Jedi Knight.
This is my earliest memory of downloading malware. At the time, just like most people today, I didn't know it was malware. I just wanted to play games and have fun with this new thing called the internet. Turns out there are smart people on there who want access to other people's computers, and they will use games, with a little bit of social engineering, as a delivery method. I wish I could say this was a very positive and fun experience that started me learning about malware, but it was one of shame and guilt. Stoically, my father turned his emotions and actions to the computer. He focused on fixing it, and that he did. I took a break from playing on his laptop, even when he said I could.
Malware: software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Malware itself seems pretty cut-and-dried. If it's bad, it's bad. But things get more complicated as you try to determine what is malicious software and what is not. For instance, TeamViewer and AnyDesk are legitimate remote access tools used by IT professionals to provide support and manage systems remotely. However, cybercriminals frequently abuse these same tools for illicit remote access, espionage, and system takeover, in effect using them as malware.
A real-world case: Attackers often use AnyDesk.exe as a payload in phishing campaigns, tricking users into installing it under the pretense of technical support. While AnyDesk itself is not malware, its unauthorized or deceptive use makes it effectively malicious in that context.
So, the same software can be legitimate or malicious, depending on intent and context, making malware classification more complicated than just "bad vs. good."
To decide what counts as malware, we look to malware researchers for help in determining what is malicious, how it is malicious, and how to prevent malicious activity from happening.
The Attack of the Worms
As I grew older, that early experience of accidentally infecting my father’s laptop evolved into a curiosity about how malware really worked. Instead of avoiding it out of guilt, I wanted to understand it—break it down, dissect it, and ultimately learn how to fight it. Fast forward to today, and I’ve gone from an unsuspecting kid downloading malware to a researcher actively working to prevent its spread.
Revenge of the Researchers
In my recent webinar for Corellium’s Change What’s Possible series, I showcased how we can leverage advanced tools for dynamic malware analysis—giving security professionals and researchers deeper insight into how threats operate in real-time.
A Deep Dive into Modern Threat Analysis
Staying ahead of malicious actors requires constant innovation. As part of Corellium's Webinar Series, I had the opportunity to showcase how we can leverage Corellium's platform for dynamic malware analysis—breaking down the tactics, behaviors, and countermeasures needed to combat modern threats.
Why Dynamic Malware Analysis Matters
Static analysis has its limitations. Many sophisticated malware families deploy anti-analysis techniques, obfuscation, and encryption to evade traditional reverse engineering methods. Dynamic analysis provides a real-time view of how malware behaves when executed, offering a clearer understanding of its impact.
In my demonstration, I explored:
- How malicious applications request and exploit permissions to gain deeper system access.
- The ways malware abuses Android's Accessibility Service to overlay ransom notes and encrypt files.
- Techniques for monitoring outbound traffic, spotting HTTP POST requests to malicious domains.
The Live Demonstration: Corellium in Action
Using Corellium's virtualized mobile environment, I walked attendees through a hands-on demonstration of real-world malware behaviors. I infected a virtual device with two different malware families to showcase their actions in a controlled setting:
- Analyzing Lucy Ransomware: Lucy ransomware is designed to encrypt files and demand a ransom for their decryption. I demonstrated how:
  - Files uploaded to the infected device were encrypted immediately upon execution.
  - Dynamic monitoring tools revealed outbound communication to command-and-control servers.
  - Frida scripting allowed us to extract the encryption keys in real-time—enabling decryption without paying the ransom.
- Fighting Back: Hooking the Malware. I didn't just analyze the ransomware—I fought back. Using Frida, I developed two key agents:
  - agent_get_keys.js – A script that hooks the ransomware's encryption function and extracts the keys, allowing decryption of files.
  - stop_lucy.js – A proactive defense mechanism that intercepts and prevents Lucy ransomware from encrypting files in the first place.
By demonstrating these techniques, I showcased how security researchers can move beyond passive analysis into active countermeasures, effectively neutralizing threats in real time.
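The two agents above are described but not shown, so here is an added example (my own illustration, not the webinar's agent_get_keys.js or stop_lucy.js) of a single Frida agent that does both jobs: it logs every key handed to a cipher, and optionally refuses to set up an encrypting cipher. It assumes the sample uses the standard javax.crypto.Cipher API (the page does not say which function Lucy calls) and that Frida's Java bridge is present; outside Frida the hook wiring is skipped and only the helper functions run.

```javascript
'use strict';

// Assumption (not from the page): the ransomware encrypts through javax.crypto.Cipher.
const ENCRYPT_MODE = 1;         // javax.crypto.Cipher.ENCRYPT_MODE
const BLOCK_ENCRYPTION = true;  // false = observe only (agent_get_keys style)
const capturedKeys = [];        // { algorithm, opmode, keyHex } records for later decryption

// Render a Java byte[] (signed bytes) or a plain JS array as lowercase hex.
function bytesToHex(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += ((bytes[i] & 0xff) | 0x100).toString(16).slice(1);
  }
  return out;
}

// stop_lucy-style policy: only encryption is refused, so the sample's own
// decryption or integrity checks keep running and analysis can continue.
function shouldBlock(opmode, blockEncryption) {
  return blockEncryption && opmode === ENCRYPT_MODE;
}

// agent_get_keys-style capture: keep the key material so files can be
// decrypted afterwards without paying the ransom.
function recordKey(algorithm, opmode, keyBytes) {
  const rec = { algorithm: algorithm, opmode: opmode, keyHex: bytesToHex(keyBytes) };
  capturedKeys.push(rec);
  return rec;
}

// Frida wiring: present only inside the instrumented Android process
// (e.g. `frida -U -f <package> -l agent.js`); skipped under plain Node.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Cipher = Java.use('javax.crypto.Cipher');
    const init = Cipher.init.overload('int', 'java.security.Key');
    init.implementation = function (opmode, key) {
      const rec = recordKey(this.getAlgorithm(), opmode, key.getEncoded());
      console.log('[Cipher.init] ' + rec.algorithm + ' mode=' + opmode + ' key=' + rec.keyHex);
      if (shouldBlock(opmode, BLOCK_ENCRYPTION)) {
        // Throwing a Java exception from the hook aborts the encrypt path.
        throw Java.use('java.security.GeneralSecurityException').$new('blocked by agent');
      }
      return init.call(this, opmode, key);
    };
  });
}
```

Hooks on the other Cipher.init overloads (with AlgorithmParameterSpec or SecureRandom) follow the same pattern if the sample uses them.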
The Future of Mobile Malware Research
Malware continues to evolve, and so must our defenses. Corellium provides a powerful platform for security professionals to:
- Automate behavioral analysis.
- Detect malicious patterns at runtime.
- Develop real-time response mechanisms using dynamic hooking.
Future work includes enhancing Frida hooks to prevent additional ransomware behaviors, such as blocking ransom note overlays and disrupting malicious communication channels.
Conclusion
Malware research isn't just about understanding threats—it's about staying one step ahead. With the right tools and techniques, we can proactively disrupt cyber threats before they cause real-world damage. My talk with Corellium was just the beginning—there's much more to explore in the fight against mobile malware.
Stay tuned for more insights. If you're interested in learning how to leverage these tools for your research, reach out at @REal0day, and if you're looking for the best cybersecurity talent, my firm TopCleared Recruiting can get your organization the best talent on and off-market. And for the Founders out there, check out my podcast, Hackers to Founders.
Watch the full webinar today to dive deeper into dynamic malware analysis.