Checking Suspicious Links in Corellium

Phishing scam alert? Learn how to inspect suspicious SMS links using Corellium's Network Monitor on your Android or jailbroken iOS device. This post covers inspecting the link directly, with a follow-up on using virtual devices with proxy tools.
Suspicious Link - Blog Thumbnail

Imagine being on vacation and receiving this SMS shortly before your flight home:

Screenshot of a potential phishing scam with a suspicious URL for a Southwest Airlines boarding pass.

But you didn’t check in online… You’re not flying Southwest… And what’s up with that URL? We can inspect the link using an Android or a jailbroken iOS device, along with some of Corellium's built-in tools.

We’ll start by using the built-in Network Monitor. Using a virtual device with a proxy, such as Burp or Charles, will be covered in a later post.

You will need a virtual device. If you haven't already, check out our Quickstart for Android article.

Part 1: Start the Network Monitor

Before loading the browser, make sure you enable the Network Monitor to capture the traffic.

  • Click “Network” to the right of your virtual device.
  • Click “Start Monitoring.”

Captured HTTP and HTTPS traffic will appear in the Overview panel next to the device. Click on any of the captured packets to view more information, including the request and the response.

Part 2: Load the Suspicious URL

  • Open the browser, type in the suspicious URL, and hit enter.
  • The URL sends you to accounts.google.com, what’s going on?
  • Let’s use the Network Monitor to investigate!

Screenshot an Android Google sign-in and Corelliun's Network monitor.

Part 3: Review Captured Packets

The Network Monitor captures two packets when loading the URL. (Note: starting the browser resulted in the Monitor capturing a handful of packets before we entered our URL. We cleared the log first to create the screenshot below.)

Corellium's The Network Monitor captures two packets when loading the URL

Entry #1 looks pretty interesting! Click on the packet to view the request.

Corellium's Network Monitor's headers and request section

The request goes to “wallet-api.urbanairship.com” and takes us to a Google sign-in page. The response includes “pay.google.com”, which belongs to Google’s digital wallet platform.

Searching a link to Airship's Wallet API; Airship confirmed on Twitter that the airsp.co link is legitimate

If we Google “wallet-api.urbanairship.com”, we find a link to Airship's Wallet API. There’s also a Reddit post stating Southwest Airlines uses a third party to deliver mobile boarding passes. And Airship confirmed on Twitter that the airsp.co link is legitimate.

Google search of wallet-api.urbanairship.com

If we load the URL on a jailbroken iOS device (just to compare), Safari says it “cannot download this file.” Here’s the response:

The loaded URL on a jailbroken iOS device, Safari says it “cannot download this file.” Here’s the response

If we Google vnd.apple.pkpass, we find a link to Apple’s Wallet Developer Guide.

All these different breadcrumbs point to the SMS and link containing a legitimate Southwest boarding pass… It’s not ours, but probably the result of someone mistyping their phone number. At least it wasn’t something nefarious!

Note about Virtual iOS Devices

Certain applications, including Apple Wallet, aren’t supported on our virtual iOS devices. This is why Safari could not “download this file.” On a physical iOS device, clicking the link causes Apple Wallet to load the boarding pass.

Explore the power of safe link investigation with Corellium. Book a meeting now and learn how to enhance your app security efforts!

Advance Your Mobile Security Research with Corellium

Experience Corellium’s groundbreaking virtualization technology for mobile devices and discover never-before-possible mobile vulnerability and threat research for iOS and Android phones. Book a meeting today to explore how our platform can optimize mobile security research and malware analysis.