For this malware analysis we perform static analysis of an Android malware sample using the Docker version of MobSF inside a REMnux VM. Installing the tool is straightforward using the following commands.


After starting the container with the second command, open the [localhost](<http://localhost>) link that MobSF prints and upload the malware sample.


Right off the bat, MobSF shows the sample's hashes (MD5, SHA1, SHA256), which can be looked up on VirusTotal to check whether the sample has been seen in the wild before. Another interesting finding is the package name, com.metasploit.stage, which already indicates that this is likely a malicious package.


Further down the page, MobSF offers a function to view the (decompiled) source code of the packaged APK. This is possible because Java is not compiled all the way down to machine code but to bytecode, which can be decompiled back into readable source with relative ease.


Looking around the Java files, it is pretty clear that the sample carries some sort of Meterpreter payload together with some kind of encryption routine. Further into the analysis, MobSF lists the permissions the APK requests, which, much like Windows API imports in PE malware, can be a sign of malicious activity.
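The permission list is a quick triage signal even before reading any code. The script below is an added example, not code from the original post or from MobSF: it parses a decoded AndroidManifest.xml, pulls out every `uses-permission`, and compares the result against two permission groups (surveillance and persistence) that are my own grouping, not an Android or MobSF classification. The manifest is constructed for the demo and mimics the shape of a stager: a near-empty app with a single activity that asks for far more than it declares.

```python
# Added example: manifest permission triage for an Android APK.
# Not from the original post or MobSF; the permission tiers below are an
# assumed grouping used for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not a real sample): one activity, nine permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="MainActivity">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Assumed triage tiers: permissions that hand a remote operator surveillance
# or messaging capability, and permissions typically used to stay resident.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}
PERSISTENCE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
}


def extract_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # The attribute lives in the android namespace, so ElementTree
        # exposes it as "{namespace}name".
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the manifest: package, permission tiers, declared components."""
    root = ET.fromstring(manifest_xml)
    perms = extract_permissions(manifest_xml)

    # Count declared components; a legitimate app with this many permissions
    # usually declares several activities, services or receivers.
    components = 0
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver", "provider"):
            components += len(app.findall(tag))

    high = sorted(p for p in perms if p in HIGH_RISK)
    persist = sorted(p for p in perms if p in PERSISTENCE)
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "high_risk": high,
        "persistence": persist,
        "component_count": components,
        # Heuristic (assumed threshold): several surveillance permissions on a
        # near-empty app is the shape of a stager and deserves a closer look.
        "suspicious": len(high) >= 3 and components <= 2,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%-17s %s" % (key + ":", value))
```

The script expects the manifest already decoded to plain XML (MobSF does this for you when it unpacks the APK; inside the APK the manifest is in binary form and must be decoded first). The "suspicious" flag is only a prioritisation hint, not a verdict.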


As with Windows executables, Android APKs also make API calls, only against the Android API rather than the Windows API. MobSF lists these findings as well, and additionally shows in which Java file each Android API call occurs.
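Mapping API calls back to the file they occur in is what makes the finding actionable: it tells you which class to read next. The script below is an added example, not the original post's or MobSF's code, of that per-file attribution over decompiled Java sources. The three source files are constructed for the demo (a loader, a payload class and an empty activity), and the signature categories are my own assumed grouping rather than MobSF's rule set.

```python
# Added example: locate sensitive Android/Java API calls in decompiled
# sources and attribute each hit to file and line, the way MobSF reports
# them. Not from the original post or MobSF; signatures are an assumed set.
import re

# Signatures grouped by what the API lets the app do (assumed grouping).
API_SIGNATURES = {
    "dynamic code loading": [r"\bDexClassLoader\b", r"\bloadClass\s*\("],
    "command execution": [r"Runtime\.getRuntime\(\)\.exec\s*\(", r"\bProcessBuilder\b"],
    "network socket": [r"\bnew\s+Socket\s*\(", r"\bopenConnection\s*\("],
    "reflection": [r"Class\.forName\s*\(", r"\.getMethod\s*\(", r"\.invoke\s*\("],
    "device identity": [r"\bgetDeviceId\s*\(", r"\bgetSubscriberId\s*\("],
    "crypto": [r"Cipher\.getInstance\s*\(", r"\bSecretKeySpec\b"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in API_SIGNATURES.items()}

# Constructed decompiled sources (not a real sample), keyed by file name.
SAMPLE_SOURCES = {
    "MainActivity.java": """\
package com.example.stage;

import android.app.Activity;
import android.os.Bundle;

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
    }
}
""",
    "Loader.java": """\
package com.example.stage;

import dalvik.system.DexClassLoader;

public class Loader {
    public Object load(String path, String cls) throws Exception {
        DexClassLoader dcl = new DexClassLoader(path, getCacheDir().getAbsolutePath(), null, getClass().getClassLoader());
        Class<?> k = dcl.loadClass(cls);
        return k.getMethod("run").invoke(k.newInstance());
    }
}
""",
    "Payload.java": """\
package com.example.stage;

import java.net.Socket;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Payload {
    public void start(String host, int port, byte[] key) throws Exception {
        Socket sock = new Socket(host, port);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"));
    }
}
""",
}


def scan_sources(sources: dict) -> list:
    """Return (file, line_no, category, matched_text) for every hit.

    At most one finding per category per line, and import/package lines
    are skipped so that only actual use sites are reported.
    """
    findings = []
    for filename in sorted(sources):
        for lineno, line in enumerate(sources[filename].splitlines(), start=1):
            if line.strip().startswith(("import ", "package ")):
                continue
            for category, patterns in COMPILED.items():
                for pat in patterns:
                    m = pat.search(line)
                    if m:
                        findings.append((filename, lineno, category, m.group(0)))
                        break
    return findings


def summarize(findings: list) -> dict:
    """Map each file to the sorted list of categories found in it."""
    summary = {}
    for filename, _, category, _ in findings:
        summary.setdefault(filename, set()).add(category)
    return {f: sorted(cats) for f, cats in summary.items()}


if __name__ == "__main__":
    hits = scan_sources(SAMPLE_SOURCES)
    for filename, lineno, category, text in hits:
        print("%s:%d  [%s]  %s" % (filename, lineno, category, text))
    print(summarize(hits))
```

Skipping import lines is deliberate: an import proves nothing on its own, whereas the call site tells you where the loader, socket or cipher is actually wired up. On a real MobSF export you would feed the decompiled source directory into `scan_sources` as a file-name-to-contents mapping.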
