Beia is happy to announce its new innovative project Tor-SIM: Integrated Software Platform for Mobile Malware Analysis.

The main objective of the project is to develop a software platform that integrates, in a unitary manner, the malware analysis procedures for most of the existing mobile terminals, with the purpose of strengthening the security of mobile terminals and networks. The specific objectives consist of identifying the operational requirements and capabilities necessary for developing and securing solutions for mobile applications and terminals that ensure the increase of cyber protection solutions efficiency by a partnership between government, academia, and industry.

Considering the recent advancement in smartphone devices, the increasing speed, power and storage space on mobile devices has led to an exponential increase of users. More and more people use their devices in numerous places for online shopping, managing their finances and other types of payments. Unfortunately, the technology progress carried an equivalent increase of security issues, thus mobile becomes a preferred target for cyber criminals.

Tor-SIM plans to research and find solutions for some of the major vulnerabilities:

  • Growth in the popularity of malicious programs using super-user rights, primarily advertising Trojans.
  • Distribution of malware via Google Play and advertising services.
  • The emergence of new ways to bypass Android protection mechanisms.
  • Growth in the volume of mobile ransomware.
  • Active development of mobile banking Trojans.





Stage I dealt with the evaluation and documentation of technologies, offers, and malware analysis solutions of mobile terminals, as well as the definition of the technologies and methods used, and the formulation of requirements for the solutions identified.

The leading cybersecurity technologies used in the market, as well as several open-source solutions, have been reviewed. In particular, the Kali Linux distribution has been treated with a suite of useful tools for various security purposes.

The main security reports published by reputable companies were analyzed. At the same time, various taxonomies of cybersecurity identified. By aggregating this, a final taxonomy of different categories of cybersecurity (attack source, attack objective, attack vector, etc.) proposed

The usual and less common ways of spreading malware to mobile platforms evaluated. The most well-known malware for mobile devices has been briefly described, starting from the first appearance, from 2004 to the present, finally presenting the main types of malware present on mobile platforms briefly. The standard spread methods, such as installing applications from unverified sources or exploiting known vulnerabilities in the TM software, were then reviewed. Finally, some information provided about less standard methods of spreading, such as malware installed in the distribution chain or the operation of cellular mobile communications protocols.

The most popular and high-performance forensic software tools on the market, both commercial and open-source, were evaluated. The result is a comparative table comprising the most critical judicial means, assessed in terms of the most important functionalities that such tools should have. Based on the table, two products from both commercial and open-source suite recommended.

The most important studies and research projects on detecting TM’s suspicious behavior were summarized and critically reviewed. Various approaches to static and dynamic analysis in identifying malicious application behavior and different algorithms and frameworks used for this purpose presented. It has concluded that there are multiple solutions, especially for the Android system. Still, none of them offer 100% guaranteed protection, and the action history of a mobile device is challenging to verify, with malware analysis addressing only the present moment.

Studies and research projects on behavioral analysis of applications installed on TM have treated. The primary artifacts/features required in analyzing application behavior on TM and conventional ways of interpreting the behavior of applications installed on TM examined.

Studies and research projects on the development of custom firmware for securing TM against malicious programs have analyzed. Known studies and projects on the vulnerabilities of custom Android operating systems have reviewed, concluding that the customization process introduces new vulnerabilities and associated security risks in the vast majority of cases.

The technical achievement of the project website presented, as well as the various measures, are taken to secure its content and allow the secure exchange of files between consortium partners.

The ToR-SIM architecture, both functional and technical, was established, describing functional modules, business processes, and technical specifications.

Forensic tools to use in the ToR-SIM solution have established, and cases of use for forensic analyses have established.

Solutions for monitoring and behavioral analysis of TM applications and indicators to be followed have defined. Finally, the Monitoring Agent TM’s functional architecture was established, as well as ways of installing it.

Functional requirements and methods of online analysis have defined, establishing specific use cases for the Online Behavioral Analysis Module of TM.

The full software package utilities have selected to provide advanced reverse engineering analysis functionality, specifying the application analysis procedure for the Android mobile platform, the automated analysis mode via a sandbox system, and the manual analysis of the application code. Simultaneously, the application analysis procedure for the iOS mobile platform was specified, both automatically and manually. Finally, use cases established for reverse engineering analysis.

Steps have taken to develop a technical firmware concept for TM that optimizes malware security, presenting the most suitable alternatives that can use to build custom firmware.

A functional architecture has proposed for TM’s integrated malware analysis software platform, based on many usage cases and the platform’s technical architecture.

Finally, a dissemination report was presented, including presentation activities, the establishment of potential collaborations with other institutions, and the publication of scientific articles.

                    The common method for malicious code infection

                                       of mobile applications

        Functional architecture Integrated   

                  software platform





Stage II dealt with the development and preliminary testing of the ToR-SIM platform, based on the technologies, offers, and malware analysis solutions of mobile terminals, as well as the definition of the techniques and methods used, and the formulation of requirements for the identified solutions carried out in Stage I.

Thus, the technical architecture of the integrated software platform was detailed, highlighting the software packages used in the test environment, as well as the technical flows between them and the forensic analysis, reverse engineering, and online behavioral analysis modules.

Specific activities carried out to test forensic applications carried out to develop a laboratory testing environment, practical analysis of the capabilities of forensic applications for TM, and their demonstration and validation.

Specific activities carried out to test reverse engineering applications to develop a laboratory-controlled testing environment, analyze the capabilities of reverse engineering applications for TM, and demonstrate and validate them.

Specific activities have carried out to validate the online TM testing software and hardware platform carried out to develop a laboratory testing environment, practical analysis of the capabilities of the TM online testing software and hardware platform, and their demonstration and validation.

For all three validation activities (forensic, reverse engineering, and online testing) 4 test level-specific reports have developed as follows:

  • Test status report
  • Fault status report
  • Status report of planned test coverage
  • Analysis and conclusions on testing

Procedures for optimizing forensic activities for TM have defined using the tools identified in the analysis process in the project, taking into account the use of the best tools for each of the specific forensic activities with the aim of compatibility with as many types of mobile devices as possible.

A preliminary malicious behavior detection software application for mobile devices has developed on the Android platform.

Validated solutions have integrated. The preliminary hardware and software platform has developed in the laboratory phase, which determines and identifies the suspicious behavior of the TM in operation over a test period.

Finally, a dissemination report was presented, including presentation activities, the establishment of potential collaborations with other institutions, and the publication of scientific articles.

The detailed technical architecture of a ToR-SIM platform

Example of adding investigation case in ToR-SIM platform



Stages 5 and 6  carried out in 2019. These steps included:

  • Real-world implementation of the procedure for the use of forensic tools for various mobile platforms, validation, and efficiency

Below you can see a screenshot of forensic functionalities – the list of applications installed on a mobile terminal and the source of their installation, which translates into a risk score:

  • Testing the preliminary malicious behavior detection software application for mobile devices and tracking performance and efficiency during testing

Two applications have developed, one for the Android operating system and one for iOS. The purpose of these applications is to monitor suspicious activities on mobile terminals and report them to the central platform.

Below you can see the screenshot with the Android app, respectively iOS:

Here is a screenshot from the central platform, which shows the data received from the mobile application of Android:

  • Testing the hardware and software platform to detect suspicious mobile equipment from suspicious behavior using real samples of malware installed on mobile device-specific platforms.


In this respect, real samples of malware programs installed on Android devices, and the results obtained in all the platform modules studied.


Here, for example, is a screenshot of the Reverse Engineering module:

  • Work procedures have carried out for forensic and reverse engineering activities.
  • A prototype was made, which was tested by the partners; the results obtained validated; the reported bugs repaired.
  • The platform has also tested in a real-world environment.