[THM] Android Analysis
This is a full walkthrough with answers and explanations for the TryHackMe room "Android Analysis".
Link to the room: https://tryhackme.com/room/androidanalysis.
[Task 3] Android Architecture - An Overview
Android Architecture
Android Filesystem
Navigate the directories in FTK Imager. Examine the build.prop file found in the system folder. What is the device’s serial number?
ABC123456789
Fourth line of the build.prop file, located at system/build.prop.
[Task 4] Android - Forensics Artifacts
Examine the artifact containing information about the device’s installed apps. What is the last package installed on this device?
com.sneakcam.capture
Check the package entry with firstInstallTime="1744812000000" (the highest install timestamp in the list).
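The same check can be automated rather than read off by eye. The following is an added example, not code from the room or from TryHackMe: it parses a packages-list artifact for install timestamps, picks the most recent one, and converts the epoch milliseconds to a UTC time so the answer can be placed on a timeline. The sample XML is constructed here in the firstInstallTime="..." style shown above; the fallback for the hex `it` attribute that Android's own packages.xml uses is an assumption about that format.

```python
import re
from datetime import datetime, timezone

# Constructed sample artifact; NOT the room's evidence file. The attribute name
# firstInstallTime follows the walkthrough above. The value is epoch milliseconds.
SAMPLE_PACKAGES = """\
<packages>
  <package name="com.android.chrome" firstInstallTime="1700000000000" />
  <package name="com.example.notes" firstInstallTime="1730000000000" />
  <package name="com.sneakcam.capture" firstInstallTime="1744812000000" />
</packages>
"""

TAG_RE = re.compile(r'<package\b[^>]*>')
NAME_RE = re.compile(r'\bname="([^"]+)"')
FIRST_RE = re.compile(r'\bfirstInstallTime="(\d+)"')
# Assumption: a stock Android packages.xml stores install time as hex ms in `it`.
IT_RE = re.compile(r'\bit="([0-9a-fA-F]+)"')


def parse_install_times(text):
    """Return {package_name: install_epoch_ms} from a packages.xml-like text."""
    times = {}
    for m in TAG_RE.finditer(text):
        tag = m.group(0)
        name = NAME_RE.search(tag)
        if not name:
            continue
        first = FIRST_RE.search(tag)
        if first:
            ms = int(first.group(1))
        else:
            it = IT_RE.search(tag)
            if not it:
                continue
            ms = int(it.group(1), 16)
        times[name.group(1)] = ms
    return times


def last_installed(text):
    """Return (package_name, install_time_utc) for the most recently installed package."""
    times = parse_install_times(text)
    if not times:
        return None
    name = max(times, key=times.get)
    when = datetime.fromtimestamp(times[name] / 1000, tz=timezone.utc)
    return name, when


if __name__ == "__main__":
    pkg, when = last_installed(SAMPLE_PACKAGES)
    print(f"last installed: {pkg} at {when.isoformat()}")
```

On a real extraction, read the artifact from the evidence path instead of the constructed string; sorting by install time also makes it easy to see which apps were installed in the same window as the suspicious package.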
[Task 6] Unboxing the Artifacts
What is the flag hidden inside SMS?
FLAG{MSG_HIDDEN_INTENT}
In the call logs, which number has the longest call duration?
+14155550011
Run `select * from calls order by duration;` in calllog.db (the longest call appears last).
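The same query, scripted so it can be repeated across several call-log databases. This is an added example and not part of the room or of any TryHackMe tooling: it builds an in-memory SQLite database with constructed rows laid out like the Android `calls` table (number, date in epoch ms, duration in seconds, type), returns the single longest call, and also totals duration per number, which is often the more useful view when triaging contact with a suspicious party. The `open_evidence` helper is an assumption about how you would point it at a real extracted calllog.db.

```python
import sqlite3

# Constructed sample rows; NOT the room's calllog.db.
# Columns follow the Android CallLog.Calls provider; type 1 = incoming,
# 2 = outgoing, 3 = missed.
SAMPLE_CALLS = [
    ("+14155550022", 1744800000000, 45, 2),
    ("+14155550011", 1744803600000, 1320, 1),
    ("+14155550033", 1744807200000, 8, 3),
    ("+14155550011", 1744810800000, 300, 2),
]

CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}


def build_calllog_db(rows):
    """Create an in-memory calllog-style database from constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
        "date INTEGER, duration INTEGER, type INTEGER)"
    )
    conn.executemany(
        "INSERT INTO calls (number, date, duration, type) VALUES (?, ?, ?, ?)", rows
    )
    conn.commit()
    return conn


def open_evidence(path):
    """Open an extracted calllog.db read-only so the evidence is not modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def longest_call(conn):
    """Return (number, duration_seconds, type_label) for the longest single call."""
    row = conn.execute(
        "SELECT number, duration, type FROM calls ORDER BY duration DESC LIMIT 1"
    ).fetchone()
    if row is None:
        return None
    return row[0], row[1], CALL_TYPES.get(row[2], "unknown")


def total_duration_by_number(conn):
    """Return [(number, total_seconds)] sorted with the most talked-to number first."""
    return conn.execute(
        "SELECT number, SUM(duration) AS total FROM calls "
        "GROUP BY number ORDER BY total DESC"
    ).fetchall()


if __name__ == "__main__":
    db = build_calllog_db(SAMPLE_CALLS)
    print("longest call:", longest_call(db))
    for number, total in total_duration_by_number(db):
        print(f"{number}: {total}s total")
```

Opening the evidence copy with `mode=ro` avoids SQLite writing a journal file next to the database, which matters when the working copy still has to hash-match the original image.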
What is the second-to-last suspicious contact name in the list?
Encrypted User
Contact no. 22 in the list.
Most Chrome searches indicate that the user was looking for sites to upload data. What is the last URL found in the list for a similar purpose?
https://easyupload.io
Look for the entry with title = EasyUpload - Free Hosting.
What is the name of the Bluetooth device found in the configuration?
Pixel_6_User
C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\misc\bluedroid\bt_config.conf
[Task 7] Triaging with ALEAPP
What is the name of the package found that could be used for the data exfiltration?
com.data.exfiltool
ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.
One of the MMS message indicates the website used to send the sensitive file? What is the name of that site?
MediaFire
"I've sent the doc via MediaFire. Delete after review."
In the contacts, what is the email address associated with the suspicious user named “Encrypted User”?
ghost123@tutanota.com
Use the search box in ALEAPP's contacts report to find "Encrypted User".
A sensitive PDF document was found on the device. Examine the document in the downloads folder. What is the flag hidden inside it?
FLAG{INSIDER_ACCESS_42X9}
The document is in sdcard/Download.
This post is licensed under CC BY 4.0 by the author.
