ANY.RUN, the interactive malware analysis platform, has announced full support for Android OS in its cloud-based sandbox environment, enabling security teams to investigate Android malware with unprecedented accuracy and efficiency.
With this new feature, ANY.RUN allows Security Operations Center (SOC) teams, incident responders, and threat hunters to analyze Android threats in a real ARM-based sandbox.
This development eliminates blind spots and unreliable analysis methods, providing a controlled environment that mimics the behavior of malware on actual mobile devices.
The addition of Android OS support is designed to help businesses combat the growing threat posed by mobile malware.
Attackers increasingly target Android devices to steal credentials, infiltrate corporate networks, and compromise financial systems.
Without real-time mobile threat analysis tools, organizations face delays in detection, higher security costs, and greater exposure to cyber risks.
ANY.RUN’s interactive sandbox offers several advantages for Android malware investigation:
ANY.RUN’s cloud-based interface makes it simple for users to get started with Android malware analysis.
After selecting the Android OS option, users can upload APK files directly into the sandbox.
The platform then runs the file and displays its behavior in real time. Features like screen orientation adjustments further enhance the user experience by simulating mobile device displays.
ANY.RUN’s Android sandbox has already proven effective against notorious malware families like Coper, a banking trojan that targets financial apps and intercepts SMS messages to bypass two-factor authentication (2FA).
Using features such as process trees and MITRE ATT&CK mapping, security teams can uncover how malware operates under the hood—tracking spawned processes, identifying suspicious connections, and pinpointing privilege escalation attempts.
Additionally, ANY.RUN generates structured reports that include Indicators of Compromise (IOCs), such as malicious URLs or IP addresses. These reports are vital for updating security rules and preventing future infections.
With ANY.RUN’s Android OS sandbox, we can break down exactly how this malware behaves in real time.
When running an analysis in ANY.RUN, the platform immediately flags suspicious activity. For instance, if an APK file performs dangerous actions, a red alert appears in the top-right corner of the interface, signaling potential threats.
ANY.RUN’s fully interactive sandbox allows users to engage with apps as though they were operating on a real Android device.
This interactive approach enables security teams to:
To understand how malware like Coper operates, users can examine the Process Tree section. This feature provides a structured breakdown of all executed processes, making it easier to:
The Process Tree is conveniently located on the right side of the analysis screen, offering a clear and visual representation of how the APK interacts with the system.
This eliminates the need for manual log tracking by presenting malicious actions in an easy-to-understand format.
ANY.RUN integrates MITRE ATT&CK mapping to help users analyze the techniques and tactics employed by malware like Coper.
By navigating to the MITRE ATT&CK tab, users gain access to:
This structured breakdown allows security teams to understand how an attack works and correlate threats more effectively. Clicking on any technique provides comprehensive descriptions, enabling better-informed defensive strategies.
After completing an analysis, ANY.RUN generates detailed reports containing actionable Indicators of Compromise (IOCs).
These include:
Users can access these IOCs by clicking the “IOC” button in the top-right corner of the screen. These insights can then be exported and shared with relevant teams for further action, helping organizations strengthen their security measures and prevent future infections.
In a move that democratizes access to advanced cybersecurity tools, ANY.RUN has made Android OS support available to all users, including those on free plans. This ensures that even smaller teams can benefit from cutting-edge mobile threat analysis capabilities without incurring additional costs.
With over 500,000 cybersecurity professionals already using ANY.RUN’s services for Windows and Linux systems, this latest update solidifies the platform’s position as a leader in interactive malware analysis.
By enabling faster detection, deeper insights, and seamless collaboration on Android threats, ANY.RUN is helping organizations worldwide stay ahead of evolving cyber risks.
For businesses seeking to enhance their security operations, ANY.RUN offers a free trial of its services. Start your first Android analysis today and experience the precision of investigating mobile threats in a real ARM-based sandbox.