(Practical) Android Malware Analysis
La Nuit du Hack 2016
Paul AMAR / @PaulWebSec
# who
Paul [at] SensePost [.dot.] com
@PaulWebSec / GitHub: PaulSec
why do we care?
Android Growth - Fortinet results (2014 report)
What?
Static Analysis (Androguard, Dex2Jar, apktool, ...)
Dynamic Analysis (DroidBox, CuckooDroid, ...)
What to do? Where to look? How to do it?
how?
Using Kali Linux:
> Create a new Machine or use your existing one
Samples available here (Mega.nz, 5 samples)
Androguard
Disassembles/Decompiles Android apps
Different tools: androlyze, androdis, androauto, ...
Androguard 101
Let's analyze the APK!
Get in the folder:
$ cd ~/Tools/androguard
Run Androlyze using shell mode:
$ python ./androlyze.py -s
Androguard 102
In the shell, load the APK:
sample = APK('/path/to/file.apk')
And start investigating:
sample.get_permissions()
sample.get_activities()
sample.show()
....
Androguard 103
Retrieves classes/methods from the loaded APK:
# 'sample' is the APK object loaded in the androlyze shell (Androguard 102)
d = dvm.DalvikVMFormat(sample.get_dex())
for _class in d.get_classes():
    print _class.get_name()
    for method in _class.get_methods():
        print method.get_name()
and in action!
but.. apk, apk..
It has been signed and compiled.
Unzip it using:
$ unzip /path/to/file.apk
what's in there?
META-INF: meta info directory
lib: directory containing compiled code
res: resources directory
assets: application assets directory
AndroidManifest.xml: additional manifest file describing name, version, access rights and referenced library files for the app
classes.dex: the main Dalvik Executable file
resources.arsc: precompiled resources e.g. binary XML
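The layout above can be checked programmatically, since an APK is just a zip. The following is an added example (not from the talk or its tooling) that builds a constructed, minimal APK-shaped zip in memory and reports the parts the slide lists, the sample's sha256 (the identifier the deck uses for its samples) and whether the dex files carry the expected magic:

```python
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"


def build_sample_apk() -> bytes:
    """Constructed, minimal APK-shaped zip (not a real app) so the script runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML header bytes
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 28)
        z.writestr("classes2.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 28)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"")
        z.writestr("assets/config.bin", b"\x00\x01\x02")
        z.writestr("lib/armeabi-v7a/libhelper.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"")
    return buf.getvalue()


def triage_apk(data: bytes) -> dict:
    """Summarise the APK layout: which parts are present, how many dex files,
    native libs, assets, and whether META-INF carries a v1 (JAR) signature."""
    info = {"sha256": hashlib.sha256(data).hexdigest()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        info["has_manifest"] = "AndroidManifest.xml" in names
        info["has_resources_arsc"] = "resources.arsc" in names
        # classes.dex, classes2.dex, ...: more than one means multidex
        dex = sorted(n for n in names if n.startswith("classes") and n.endswith(".dex"))
        info["dex_files"] = dex
        # cheap sanity check: every dex file should start with the 'dex\n' magic
        info["dex_magic_ok"] = all(z.read(n).startswith(DEX_MAGIC) for n in dex)
        info["native_libs"] = sorted(n for n in names if n.startswith("lib/") and n.endswith(".so"))
        info["assets"] = sorted(n for n in names if n.startswith("assets/"))
        # v1 signing leaves a CERT.RSA / .DSA / .EC block in META-INF
        info["signed_v1"] = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                                for n in names)
    return info


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run it against a real APK by replacing `build_sample_apk()` with the file's bytes.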
APKtool
Disassembles/rebuilds resources to JAR/APK
Disassembles the APK:
$ apktool d /path/to/file.apk -o out/
Builds the foo folder into the foo/dist/foo.apk file:
$ apktool b foo/
https://ibotpeaches.github.io/Apktool/
usually, *phun* is in
*.dex files.
DEX = Dalvik EXecutable file
code that runs in the Dalvik VM
We need to convert it to a JAR archive
dex2jar
A set of tools to work with Android .dex and Java .class files
Read/write the Dalvik Executable (.dex) file, Disassemble .dex to smali files, Convert .dex file to .class files (zipped as jar)
dex2jar 101
Convert .dex to a .jar
$ /path/to/d2j-dex2jar.sh /path/to/file.dex
The JAR archive will be in d2j's folder.
JD-GUI
At that point, you can use any Java decompiler.
java -jar jd-gui-1.1.0.jar
TADAM!
feeling a bit lazy?
but wait, there's more..
jadx - tools to produce Java source code from Android Dex and Apk files
https://github.com/skylot/jadx
jadx 101 (RLY?)
$ jadx /path/to/file.apk
$ jadx-gui /path/to/file.apk
Done.
So, now...
Got the source code; it might contain hundreds of classes.
Thousands of lines of code.
Where/What to look for?
observations
Often..
- Using HTTP to communicate (and/or SMS)
- no SSL certificate for the panels
- IMEI used as the victim's identifier
- Encrypting using AES
- Encoding data in Base64 (still..)
Low hanging fruit
Save the source files (*.java) in:
eg. /tmp/sample_test
And search for specific terms:
$ cd /tmp/sample_test
$ grep -r -i 'cipher' .
$ grep -r -i 'http://' .
$ grep -r -i 'base64' .
....
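The grep pass above, generalised into a small triage script. This is an added example, not code from the talk: it walks the decompiled *.java tree, collects the terms from this slide plus the ones from the observations slide (plain HTTP panels, IMEI, SMS), and decodes any Base64 literal passed to Base64.decode so hard-coded key material surfaces directly. The Java snippet is constructed and not taken from any real sample.

```python
import base64
import re
from pathlib import Path

# What the slides tell us to look for, as regexes over decompiled Java.
PATTERNS = {
    "plain_http_url": re.compile(r'"(http://[^"\s]+)"'),          # panel URL without TLS
    "cipher": re.compile(r'Cipher\.getInstance\("([^"]+)"\)'),     # e.g. AES transformation
    "base64": re.compile(r'\bBase64\.(?:decode|encode\w*)\('),
    "imei": re.compile(r'\.getDeviceId\(\)'),                      # IMEI as victim id
    "sms": re.compile(r'SmsManager|sendTextMessage\('),
}
B64_LITERAL = re.compile(r'Base64\.decode\("([A-Za-z0-9+/=]+)"')


def scan_source(text: str) -> dict:
    """Return {pattern_name: [matches]} for one source file."""
    hits = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.setdefault(name, []).append(m.group(1) if m.groups() else m.group(0))
    return hits


def decode_base64_literals(text: str) -> list:
    """Decode the constants handed to Base64.decode(); skip ones that are not valid Base64."""
    out = []
    for literal in B64_LITERAL.findall(text):
        try:
            out.append(base64.b64decode(literal, validate=True))
        except ValueError:
            continue
    return out


def scan_tree(root: Path) -> dict:
    """Equivalent of `grep -r` over the saved sources, one report entry per file with hits."""
    report = {}
    for path in sorted(root.rglob("*.java")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed decompiled-looking snippet for offline use (hypothetical class, not a real sample).
KEY_B64 = base64.b64encode(b"secretkey1234567").decode()
SAMPLE_JAVA = (
    'public class Net {\n'
    '    static final String PANEL = "http://panel.example.invalid/gate.php";\n'
    '    String id = ((TelephonyManager) ctx.getSystemService("phone")).getDeviceId();\n'
    '    byte[] key = Base64.decode("' + KEY_B64 + '", 0);\n'
    '    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
    '    void beacon() { SmsManager.getDefault().sendTextMessage(num, null, id, null, null); }\n'
    '}\n'
)
```

Point `scan_tree(Path("/tmp/sample_test"))` at the saved sources to get the same view the grep commands give, with the decoded Base64 constants alongside.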
then,
Analyze how the communication works
Retrieve encryption keys
See how the app interacts on the filesystem
Dynamic analysis
adb
Stands for: Android Debug Bridge
Command line tool to communicate with
emulator or connected devices
adb 101
List the devices already connected
$ adb devices
Install .APK
$ adb install /path/to/file.apk
Push/Pull file from device
$ adb push <local> <remote>
$ adb pull <remote> <local>
Droidbox
Logs everything that happens..
.. and retrieves a bunch of information:
- Incoming/outgoing network data
- File read and write operations
- Sent SMS and phone calls, ...
Droidbox
Create a new AVD (Android Virtual Device),
eg. Nexus 4, Android version 4.2.1
$ android
Start the emulator:
$ ./startemu.sh <AVD name>
And install/launch the app:
$ ./droidbox.sh /path/to/file.apk
burp suite setup
In order to monitor the HTTP(s) traffic
Configure a proxy on your phone:
- Wifi, Press <Network Name>
- Modify network
- Show advanced options
- Insert the proxy details
And launch the app.
pracs
The pracs come with 5 APKs.
Check the file samples.txt and start in this order
Link is here (Mega.nz)
Each prac should take around 20/30 mins.
funny samples (1/4)
Ciphered strings using AES
sha256:c0cb135eef45bb8e411d47904ce638531d53473729c7752dc43c6d55d5ed86f8
Solution
FUNNY samples (2/4)
String obfuscation - XOR
sha256:99c4d780c0143af20191d6ffb0cc206605e397330ddd6a84185df1d112c1e963
Solution
Funny samples (3/4)
Interesting persistence technique
sha256:f75500da9728d95e33e40f9a1d8bf29959d5aa89827aeabfb3aaaa02a488dd39
FUNNY SAMPLES (4/4)
recent PornDroid sample (May 2015)
sha256:d5f29750a8cb158d9b89a1e02e8addc5e410d1ddc48e660589144ade47f794c5
Last sample?
Challenge for La Nuit du Hack?
https://mega.nz/#!kYBDwbLa!N65QIwf_8vGTM1jjoJFav7-HfmtS29BBn5wjmVtsRxI
Specially crafted for La Nuit du Hack!
Goal? Retrieve the flag!
wrap-up
This is just an introduction.
Lots of research regarding obfuscation:
Dex Education - Practicing Safe Dex | Black Hat 2012
DEF CON 22 - Tim Strazzere and Jon Sawyer - Android Hacker Protection Level 0
how to keep informed?
VirusTotal (#android #malware)
koodous.com malware community
Contagio mini-dump (+ mailing)
amtrckr.info (Android Malware Tracker)
questions?