android

  • Android Malware Research with Packethunt

    First things first: I’m not a software engineer. I’m a mediocre security guy with delusions of software engineering.

    I got interested in Go after looking for a compiled cross-platform language. While it proved to not be as good as I had hoped in the area of mobile development, I still found that I loved it for the simplicity and speed.

    I recently had to install an app that I assumed would come from a safe vendor. My antivirus alerted on it though, and after getting nowhere with the vendor, I decided to do some more research on my own.

    The first step was to capture the network traffic from the app. This was accomplished with PCAPdroid, a packet-capture tool for Android.

    Once I had the PCAP file for the app I was able to run it through my tool, Packethunt.

    Packethunt found threat intelligence for one IP address that was owned by Google and was related to a past spear phishing campaign.

    It’s important to note that IP addresses are some of the least reliable indicators of compromise you can use. One IP can be related to multiple domains, or cloud infrastructure that could be hosting threats the cloud provider is not aware of. This one piece of information returned by Packethunt does not prove much about the suspected malware, but it certainly added extra information to support the case that the app was unsafe to use.