"What did you do?!" -Dad
"I was just playing games" -Me
It's 2001, I am 10, and I have just broken my father's work laptop, an IBM ThinkPad T20, by downloading game modifications for Star Wars: Jedi Knight.
This is my earliest memory of downloading malware. At the time, just like most people today, I didn't know it was malware. I just wanted to play games and have fun with this new thing called the internet. It turns out there are smart people on there who want to access other people's computers, and they will use games, with a little bit of social engineering, as a delivery method. I wish I could say this was a very positive and fun experience that started me learning about malware, but it was one of shame and guilt. Stoically, my father turned his emotions and actions to the computer. He focused on fixing it, and that he did. I took a break from playing on his laptop, even when he said I could.
Malware: software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Malware itself seems pretty cut-and-dried: if it's bad, it's bad. But things get more complicated when you try to determine what is and isn't malicious software. For instance, TeamViewer and AnyDesk are legitimate remote access tools used by IT professionals to provide support and manage systems remotely. However, cybercriminals frequently abuse these same tools for illicit remote access, espionage, and system takeover, effectively using them as malware.
A real-world case: attackers often use AnyDesk.exe as a payload in phishing campaigns, tricking users into installing it under the pretense of technical support. While AnyDesk itself is not malware, its unauthorized or deceptive use makes it effectively malicious in that context.
So, the same software can be legitimate or malicious, depending on intent and context, making malware classification more complicated than just "bad vs. good."
To determine what is malware, we look to malware researchers to work out what is malicious, how it is malicious, and how to prevent malicious activity from happening.
As I grew older, that early experience of accidentally infecting my father’s laptop evolved into a curiosity about how malware really worked. Instead of avoiding it out of guilt, I wanted to understand it—break it down, dissect it, and ultimately learn how to fight it. Fast forward to today, and I’ve gone from an unsuspecting kid downloading malware to a researcher actively working to prevent its spread.
In my recent webinar for Corellium’s Change What’s Possible series, I showcased how we can leverage advanced tools for dynamic malware analysis—giving security professionals and researchers deeper insight into how threats operate in real-time.
Staying ahead of malicious actors requires constant innovation. As part of Corellium's Webinar Series, I had the opportunity to showcase how we can leverage Corellium's platform for dynamic malware analysis—breaking down the tactics, behaviors, and countermeasures needed to combat modern threats.
Static analysis has its limitations. Many sophisticated malware families deploy anti-analysis techniques, obfuscation, and encryption to evade traditional reverse engineering methods. Dynamic analysis provides a real-time view of how malware behaves when executed, offering a clearer understanding of its impact.
In my demonstration, I explored:
Using Corellium's virtualized mobile environment, I walked attendees through a hands-on demonstration of real-world malware behaviors. I infected a virtual device with two different malware families to showcase their actions in a controlled setting:
Analyzing Lucy Ransomware: Lucy ransomware is designed to encrypt files and demand a ransom for their decryption.
I demonstrated how:
Fighting Back: Hooking the Malware
I didn't just analyze the ransomware—I fought back. Using Frida, I developed two key agents:
agent_get_keys.js – A script that hooks the ransomware's encryption function and extracts the keys, allowing decryption of files.
stop_lucy.js – A proactive defense mechanism that intercepts and prevents Lucy ransomware from encrypting files in the first place.
By demonstrating these techniques, I showcased how security researchers can move beyond passive analysis into active countermeasures, effectively neutralizing threats in real time.
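As an added illustration (not the webinar's own agent_get_keys.js or stop_lucy.js), here is a Frida agent in the same spirit: it hooks javax.crypto.Cipher.init to record the algorithm, key and IV for later file recovery, and can optionally refuse ENCRYPT_MODE calls. It assumes, hypothetically, that the sample goes through Android's javax.crypto API; the real hook target has to be identified from the sample first.

```javascript
// Added example, not the webinar's agent_get_keys.js / stop_lucy.js.
// Assumption: the sample encrypts through javax.crypto.Cipher (hypothetical).
// Adjust the hook target after locating the real encryption routine.

const ENCRYPT_MODE = 1;           // javax.crypto.Cipher.ENCRYPT_MODE
const BLOCK_ENCRYPTION = false;   // true = stop_lucy-style blocking, false = record keys only

// Frida presents a Java byte[] as an array-like of signed 8-bit ints;
// normalise each byte to 0..255 before hex-encoding it.
function bytesToHex(bytes) {
  return Array.from(bytes, b => ((b + 256) % 256).toString(16).padStart(2, '0')).join('');
}

// Build the record a defender needs to decrypt files afterwards: transformation, key, IV.
function keyRecord(transformation, mode, keyBytes, ivBytes) {
  return {
    transformation,
    mode: mode === ENCRYPT_MODE ? 'ENCRYPT' : 'OTHER(' + mode + ')',
    key: bytesToHex(keyBytes),
    iv: ivBytes ? bytesToHex(ivBytes) : null,
  };
}

// Only ENCRYPT_MODE initialisations are candidates for blocking; decryption is left alone.
function shouldBlock(mode, blockEnabled) {
  return blockEnabled && mode === ENCRYPT_MODE;
}

// Frida-only part: installs the hook when running inside a Frida Java runtime.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Cipher = Java.use('javax.crypto.Cipher');
    const IvSpec = Java.use('javax.crypto.spec.IvParameterSpec');
    const SecurityException = Java.use('java.lang.SecurityException');

    Cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec')
      .implementation = function (mode, key, spec) {
        let iv = null;
        try { iv = Java.cast(spec, IvSpec).getIV(); } catch (e) { /* not an IV-based spec */ }
        // getAlgorithm() on a Cipher returns the transformation, e.g. AES/CBC/PKCS5Padding
        const rec = keyRecord(this.getAlgorithm(), mode, key.getEncoded(), iv);
        send(rec);  // ship the key material to the host-side Frida session
        if (shouldBlock(mode, BLOCK_ENCRYPTION)) {
          throw SecurityException.$new('encryption blocked by analyst hook');
        }
        return this.init(mode, key, spec);
      };
  });
}
```

The helper functions run anywhere; the hook only installs inside a Frida Java runtime (for example `frida -U -f <package> -l agent.js`, with `<package>` a placeholder). Blocking every ENCRYPT_MODE call in a process is deliberately blunt, so narrow it to the sample's own classes before relying on it.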
Malware continues to evolve, and so must our defenses. Corellium provides a powerful platform for security professionals to:
Future work includes enhancing Frida hooks to prevent additional ransomware behaviors, such as blocking ransom note overlays and disrupting malicious communication channels.
Malware research isn't just about understanding threats—it's about staying one step ahead. With the right tools and techniques, we can proactively disrupt cyber threats before they cause real-world damage. My talk with Corellium was just the beginning—there's much more to explore in the fight against mobile malware.
Stay tuned for more insights, and if you're interested in learning how to leverage these tools for your research, reach out at @REal0day. If you're looking for the best cybersecurity talent, my firm TopCleared Recruiting can get your organization the best talent on and off-market. And for those Founders, check out my podcast, Hackers to Founders.
Watch the full webinar today to dive deeper into dynamic malware analysis.