(Practical) Android Malware Analysis

Réseau App Defenders!

Paul AMAR / @PaulWebSec

# who

@PaulWebSec / GitHub: PaulSec

why do we care?

Android Growth - Fortinet results  (2014 report)


Static Analysis (Androguard, Dex2Jar, apktool, ...)    

Dynamic Analysis (DroidBox, CuckooDroid, ...)  

What to do? Where to look for? How to do it?   

5 pracs (practical exercises) to practise what we covered in the slides...
.. and more. A lot more.


Using Kali Linux:

> Create a new VM or use your existing one

Samples available here (Mega.nz, 5 samples)


Androguard

Disassembles/decompiles Android apps (Python)

Different tools: androlyze, androdis, androauto, ...


Androguard 101

Let's analyze the APK!

Get in the folder:

$ cd ~/Tools/androguard

Run Androlyze using shell mode:
$ python ./androlyze.py -s

Androguard 102

In the shell, load the APK (the name matters: the next slide uses it as `a`):

a = APK('/path/to/file.apk')

And start investigating:

Androguard 103

# outside the androlyze shell you need:
#   from androguard.core.bytecodes.apk import APK
#   from androguard.core.bytecodes import dvm
d = dvm.DalvikVMFormat(a.get_dex())   # parse the classes.dex inside the APK

for _class in d.get_classes():        # every class in the DEX
    print(_class.get_name())
    for method in _class.get_methods():   # every method of that class
        print("    " + method.get_name())

Walks every class and method of the loaded DEX

and in action!

but.. apk, apk..

An .apk is basically a ZIP archive that has been compiled and signed.

Unzip it using:

$ unzip /path/to/file.apk

what's in there?

META-INF: signature files (MANIFEST.MF, CERT.SF, CERT.RSA/DSA)
lib: native code (.so), one subdirectory per ABI
res: resources not compiled into resources.arsc
assets: application assets directory
AndroidManifest.xml: binary-XML manifest describing the package name, version, components, permissions (access rights) and referenced library files
classes.dex: the main Dalvik Executable file (classes2.dex, ... for multidex apps)
resources.arsc: precompiled resources, e.g. binary XML


apktool

Decodes resources (and disassembles the DEX to smali), and rebuilds the result into an APK

$ apktool d /path/to/file.apk -o out/

Decodes the APK into out/

$ apktool b foo/
Builds the foo folder back into foo/dist/foo.apk


usually, the *phun* is in

*.dex files.

DEX = Dalvik EXecutable file

code that runs in the Dalvik VM (ART on newer devices, same file format)

To use a Java decompiler on it, we convert it to a JAR archive
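To see both points in working code (an .apk is a ZIP, and the DEX inside has a fixed 0x70-byte header you can sanity-check before handing it to dex2jar), here is an added Python example that is not from the deck. It builds a constructed minimal APK in memory (a header-only classes.dex, placeholder manifest, signature files and a native lib, so it runs offline), lists the archive the way `unzip -l` would, and parses the classes.dex header, verifying the Adler-32 checksum and SHA-1 signature the DEX format carries. Pass a real .apk path as the first argument to inspect that instead; the entry names and placeholder contents of the sample are assumptions for the example only.

```python
"""Added example (not from the deck): treat an APK as the ZIP it is and
sanity-check the classes.dex header before decompiling it.
The sample APK built by make_sample_apk() is constructed in memory."""
import hashlib
import io
import struct
import sys
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"   # DEX format version 035
DEX_HEADER_SIZE = 0x70       # the header is always 112 bytes

# uint32 fields that follow the 8-byte magic, 4-byte checksum and
# 20-byte SHA-1 signature, in file order (all little-endian).
DEX_HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off",
    "class_defs_size", "class_defs_off", "data_size", "data_off",
)


def parse_dex_header(dex: bytes) -> dict:
    """Parse the header and verify the two integrity fields:
    checksum  = Adler-32 over everything after the first 12 bytes,
    signature = SHA-1   over everything after the first 32 bytes.
    A mismatch means the DEX was patched after it was built or is not
    a DEX at all, which is worth knowing before trusting dex2jar output."""
    if len(dex) < DEX_HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    header = dict(zip(DEX_HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    header["checksum_ok"] = checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    header["signature_ok"] = signature == hashlib.sha1(dex[32:]).digest()
    header["little_endian"] = header["endian_tag"] == 0x12345678
    return header


def inspect_apk(apk_bytes: bytes) -> dict:
    """List the archive, flag the well-known entries from the slide,
    and parse classes.dex if present."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        report = {
            "entries": names,
            "manifest": "AndroidManifest.xml" in names,
            # a v1 (JAR) signature shows up as META-INF/*.RSA|DSA|EC
            "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                          for n in names),
            "native_libs": [n for n in names if n.startswith("lib/") and n.endswith(".so")],
            "dex_files": sorted(n for n in names if n.endswith(".dex")),
        }
        if "classes.dex" in names:
            report["dex_header"] = parse_dex_header(z.read("classes.dex"))
    return report


def make_header_only_dex() -> bytes:
    """Constructed sample: a DEX that is nothing but a valid header."""
    fields = dict.fromkeys(DEX_HEADER_FIELDS, 0)
    fields.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE,
                  endian_tag=0x12345678)
    tail = struct.pack("<20I", *(fields[f] for f in DEX_HEADER_FIELDS))
    sig = hashlib.sha1(tail).digest()                 # covers offset 32..EOF
    csum = zlib.adler32(sig + tail) & 0xFFFFFFFF      # covers offset 12..EOF
    return DEX_MAGIC + struct.pack("<I", csum) + sig + tail


def make_sample_apk() -> bytes:
    """Constructed sample APK with the layout from the slide, minus real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        z.writestr("classes.dex", make_header_only_dex())
        z.writestr("resources.arsc", b"")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF placeholder")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"<PKCS#7 placeholder>")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_apk()
    for key, value in inspect_apk(data).items():
        print(f"{key}: {value}")
```

A failed checksum or signature does not mean the file is unusable (dex2jar and jadx will still try), but it tells you the DEX was modified after dx produced it, which is itself an indicator worth noting in the report.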


dex2jar

A set of tools to work with Android .dex and Java .class files

Read/write the Dalvik Executable (.dex) file, disassemble .dex to smali files, convert .dex files to .class files (zipped as a jar)


dex2jar 101

Convert a .dex (or the whole .apk) to a .jar
$ /path/to/d2j-dex2jar.sh /path/to/file.dex

The JAR is written to the current directory as file-dex2jar.jar (use -o to pick another name).


At that point, you can use any Java decompiler, e.g. JD-GUI, and open the JAR in it:

java -jar jd-gui-1.1.0.jar




feeling a bit lazy?


but wait, there's more..

jadx -  tools to produce Java source code from Android Dex and Apk files

jadx 101 (RLY?)

$ jadx -d out/ /path/to/file.apk

$ jadx-gui /path/to/file.apk


So, now...

Got the source code; it might contain hundreds of classes.

Thousands of lines of code.

Where/What to look for?



  • Using HTTP to communicate (and/or SMS)
  • Panels served without TLS (no SSL certificate)
  • IMEI used as the victim's identifier
  • Encrypting using AES
  • Encoding data in Base64 (still..)

Low hanging fruit

Save the source files (*.java) in:

eg. /tmp/sample_test

And search for specific terms:

$ cd /tmp/sample_test
$ grep -r -i 'cipher' .        
$ grep -r -i 'http://' .        
$ grep -r -i 'base64' .     


Analyze how the communication works

Retrieve encryption keys

See how the app interacts with the filesystem
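The grep commands above scale badly once there are hundreds of classes. The following added Python script (not from the deck) does the same triage over a jadx or dex2jar+JD-GUI output tree and condenses it into the questions just listed: panel over plain HTTP, IMEI as identifier, SMS, AES transform and hardcoded key, Base64, boot persistence. The two Java sources in SAMPLE_SOURCES are constructed for the example and the regexes are assumptions about typical malware code, not a complete detector; run it with a directory argument to scan real decompiled sources.

```python
"""Added example (not from the deck): triage decompiled Java sources for
the low-hanging fruit listed above.  SAMPLE_SOURCES are constructed Java
snippets standing in for jadx output; the regexes are assumptions about
typical code, not a complete detector."""
import re
import sys
from pathlib import Path

# (label, regex).  A capturing group, when present, is the value reported
# (URL, cipher transform, key literal); otherwise the matched text is.
INDICATORS = [
    ("plaintext_http", re.compile(r'"(http://[^"]+)"')),
    ("https", re.compile(r'"(https://[^"]+)"')),
    ("imei", re.compile(r"\bgetDeviceId\s*\(")),
    ("sms", re.compile(r"\bSmsManager\b|\bsendTextMessage\s*\(")),
    ("cipher", re.compile(r'Cipher\.getInstance\s*\(\s*"([^"]+)"')),
    ("base64", re.compile(r"\bBase64\.(?:encode|decode)\w*\s*\(")),
    ("hardcoded_key", re.compile(r'new\s+SecretKeySpec\s*\(\s*"([^"]+)"\.getBytes\(')),
    ("persistence", re.compile(r"\bBOOT_COMPLETED\b")),
]


def scan_source(name: str, text: str) -> list:
    """Return (indicator, file, line_no, value) for every hit, like grep -n."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, rx in INDICATORS:
            for m in rx.finditer(line):
                value = m.group(1) if rx.groups else m.group(0)
                hits.append((label, name, line_no, value))
    return hits


def scan_tree(root) -> list:
    """grep -r equivalent over decompiled output (*.java plus the manifest)."""
    hits = []
    for pattern in ("*.java", "AndroidManifest.xml"):
        for path in sorted(Path(root).rglob(pattern)):
            hits.extend(scan_source(str(path), path.read_text(errors="replace")))
    return hits


def summarize(hits: list) -> dict:
    """Condense raw hits into the questions an analyst asks first."""
    by = {}
    for label, _file, _line, value in hits:
        by.setdefault(label, []).append(value)
    return {
        "c2_urls": sorted(set(by.get("plaintext_http", []) + by.get("https", []))),
        "c2_over_plain_http": bool(by.get("plaintext_http")),
        "uses_imei_as_id": bool(by.get("imei")),
        "uses_sms": bool(by.get("sms")),
        "cipher_transforms": sorted(set(by.get("cipher", []))),
        "hardcoded_keys": sorted(set(by.get("hardcoded_key", []))),
        "uses_base64": bool(by.get("base64")),
        "boot_persistence": bool(by.get("persistence")),
    }


# Constructed sample "decompiled" sources (not from any real sample).
SAMPLE_SOURCES = {
    "com/example/bot/Net.java": """
package com.example.bot;
public class Net {
    static final String PANEL = "http://panel.example.invalid/gate.php";
    static String victimId(android.telephony.TelephonyManager tm) {
        return tm.getDeviceId();
    }
    static String wrap(byte[] b) {
        return android.util.Base64.encodeToString(b, android.util.Base64.DEFAULT);
    }
}
""",
    "com/example/bot/Crypto.java": """
package com.example.bot;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class Crypto {
    static byte[] enc(byte[] d) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("0123456789abcdef".getBytes(), "AES"));
        return c.doFinal(d);
    }
}
""",
}


def triage_sample() -> dict:
    """Run the scanner over the constructed sources."""
    hits = []
    for name, text in SAMPLE_SOURCES.items():
        hits.extend(scan_source(name, text))
    return summarize(hits)


if __name__ == "__main__":
    report = summarize(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else triage_sample()
    for key, value in report.items():
        print(f"{key}: {value}")
```

The hardcoded_key pattern is the shortcut for "retrieve encryption keys": when the key is a string literal passed to SecretKeySpec, you have it without running anything. Obfuscated samples (the XOR and AES-string ones in the pracs) will not match here, which is exactly when you fall back to reading the decryption routine or to dynamic analysis.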

Dynamic analysis

Basically, testing/evaluating the application by running it

Multiple ways to do it: 

- Use a real device (rly?)
- Use an emulator and do all of it manually
- Use something like DroidBox
- Use CuckooDroid (Android Cuckoo version ftw!)


adb

Stands for: Android Debug Bridge

Command line tool to communicate with an emulator or connected devices



adb 101

List the devices already connected

$ adb devices

Install an .APK
$ adb install /path/to/file.apk

Push/pull a file to/from the device (note the argument order)
$ adb push <local> <remote>
$ adb pull <remote> <local>


DroidBox

Runs the app in the emulator and logs everything that happens..

.. and retrieves bunch of information:

  • Incoming/outgoing network data
  • File read and write operations
  • Sent SMS and phone calls, ...


Create a new AVD (Android Virtual Device),

eg. Nexus 4, Android version 4.2.1

$ android

Start the emulator

$ ./startemu.sh <AVD name>

And install/launch the app
$ ./droidbox.sh /path/to/file.apk

burp suite setup

In order to monitor the HTTP(S) traffic

Configure a proxy on your phone/emulator (Burp listening on an address the device can reach):

  • Wifi, long-press <Network Name>
  • Modify network
  • Show advanced options
  • Insert the proxy details

And launch the app.

Caveat: the Wi-Fi proxy setting only catches traffic that honours the system proxy (raw sockets and SMS never show up). For HTTPS you also need Burp's CA certificate installed on the device and trusted by the app: from Android 7.0 apps ignore user-added CAs by default, and a sample can pin its own certificate, so expect TLS failures in the log rather than decrypted traffic.


The pracs come with 5 APKs.
Check the file samples.txt and start in this order

Link is here (Mega.nz)

Each prac should take around 20-30 mins.

Funny samples (1/4)

Strings encrypted with AES


Funny samples (2/4)

String obfuscation - XOR


Funny samples (3/4)

Interesting persistence technique



recent PornDroid sample (May 2015)


Last sample?

Challenge for La Nuit du Hack? 


Specially crafted for La Nuit du Hack!

Goal? Retrieve the flag!


This is just an introduction.

Lots of research regarding obfuscation:

Dex Education - Practicing Safe Dex | Black Hat 2012

DEF CON 22 - Tim Strazzere and Jon Sawyer - Android Hacker Protection Level 0

Android 'Awesome Security'

Red Naga Training materials (highly recommended)

how to keep informed?

VirusTotal (#android #malware)                    

koodous.com malware community               

Contagio mini-dump (+ mailing)                      

amtrckr.info (Android Malware Tracker)       


Copy of La Nuit du Hack 2016 - Android Malware Analysis

By paul38
