Millions of malicious applets (.jar files) and apps exist out there. Where do they come from? From which country? At least, from what time zone? It can be useful to know whether they come from Russia, Brazil, China, India, or the US. Let’s see how.

ZIP files
APKs (Android apps) and applets (and Java programs) all come in the same format: a ZIP file. This means that they share a good portion of the PKzip specifications. When a ZIP file is created, the “date” attribute of each file is stored inside the ZIP file. This can be checked simply opening a ZIP file with any tool.

Attackers and certificates
Attackers hate certificates signed by CAs, but love self-signed certificates. They are free and disposable. They can create an ad-hoc self-signed certificate for an app and never use it again. For instance, Eclipse helps in this task of creating ad-hoc certificates when the time comes to compile APK files, as a last step before sending it to Google Play.

Files signed and certified
Some applets are signed so that they can escape the Java sandbox and attack users. APKs are always signed because Google Play and Android say that it must be so. When they are signed, a certificate is added inside the ZIP files. This certificate is in the PKCS structure, which is a file with (among others), the RSA or DSA extension, in the META-INF directory. Certificates may be self-signed. This is free and attackers do not have to demonstrate to anyone who they really are.

We have created a tool that makes the calculation. It reads a JAR or APK file and, if it is signed:

- Attempts to extract the UTC file from a certificate.

- Attempts to read the time of the last file created in the compilation (normally the .sf file in the META-INF directory).

- It will make calculations and state in which zone the developer lives, assuming that the creation of the certificate and the compilation have occurred at the same moment (give or take one minute).

You may also be interested in

  • security-status-report-h2

    Security Status Report 2022 H2

  • Security Status Report 2022 H1

    Security Status Report 2022 H1

  • Marvinpac

    Marvinpac: advanced managed Cyber Security services