(Practical) Android Malware Analysis
Réseau App Defenders!
Paul AMAR / @PaulWebSec
@PaulWebSec / GitHub: PaulSec
Static Analysis (Androguard, Dex2Jar, apktool, ...)
Dynamic Analysis (DroidBox, CuckooDroid, ...)
What to do? Where to look for? How to do it?
Using Kali Linux:
> Create a new Machine or use your existing one
Samples available here (Mega.nz, 5 samples)
Disassembles/Decompiles Android apps
Different tools: androlyze, androdis, androauto, ...
Let's analyze the APK!
Get in the folder:
$ cd ~/Tools/androguard
$ python ./androlyze.py -s
In the shell, load the APK:
sample = APK('/path/to/file.apk')
sample.get_permissions()
sample.get_activities()
sample.show()
....
Retrieves classes/methods from the loaded APKd = dvm.DalvikVMFormat(a.get_dex())
for _class in d.get_classes():
print _class.get_name()for method in _class.get_methods():
print method.get_name()
$ unzip /path/to/file.apk
META-INF: meta info directory
lib: directory containing compiled code
res: resources directory
assets: application assets directory
AndroidManifest.xml: additional manifest file describing name, version, access rights and referenced library files for the app
classes.dex: the main Dalvik Executable file
resources.arsc: precompiled resources e.g. binary XML
Disassembles/rebuilds resources to JAR/APK
Disassembles the APK$ apktool d /path/to/file.apk -o out/
$ apktool b foo/Builds foo folder into foo/dist/foo.apk file
*.dex files.
DEX = Dalvik EXecutable file
code that runs in the Dalvik VM
We need to convert it to a JAR archive
A set of tool to work with Android .dex and java .class files
Read/write the Dalvik Executable (.dex) file, Disassemble .dex to smali files, Convert .dex file to .class files (zipped as jar)
$ /path/to/d2j-dex2jar.sh /path/to/file.dex
At that point, you can use any Java decompiler.
java -jar jd-gui-1.1.0.jar
$ jadx /path/to/file.apk
$ jadx-gui /path/to/file.apk
Got the source code, might contain hundred of classes.
Thousand lines of code.
Where/What to look for?
Often..
Save the source files (*.java) in:
eg. /tmp/sample_test
And search for specific terms:
$ cd /tmp/sample_test
$ grep -r -i 'cipher' .
$ grep -r -i 'http://' .
$ grep -r -i 'base64' .
....
Analyze how the communication works
Retrieve encryption keys
See how the app interacts on the filesystem
Stands for: Android Debug Bridge
Command line tool to communicate with
emulator or connected devices
List the devices already connected
$ adb devices
$ adb install /path/to/file.apk
$ adb push/pull <local> <remote>
.. and retrieves bunch of information:
Create a new AVD (Android Virtual Device),
eg. Nexus 4, Android version 4.2.1
$ android
Start the emulator
And install/launch the app$ ./startemu.sh <AVD name>
$ ./droidbox.sh /path/to/file.apk
In order to monitor the HTTP(s) traffic
Configure a proxy on your phone:
And launch the app.
Link is here (Mega.nz)
String obfuscation - XOR
sha256:99c4d780c0143af20191d6ffb0cc206605e397330ddd6a84185df1d112c1e963
sha256:f75500da9728d95e33e40f9a1d8bf29959d5aa89827aeabfb3aaaa02a488dd39
Challenge for La Nuit du Hack?
https://mega.nz/#!kYBDwbLa!N65QIwf_8vGTM1jjoJFav7-HfmtS29BBn5wjmVtsRxI
Specially crafted for La Nuit du Hack!
Goal? Retrieve the flag!
This is just an introduction.
Lot of research regarding obfuscation:
Dex Education - Practicing Safe Dex | Black Hat 2012
DEF CON 22 - Tim Strazzere and Jon Sawyer - Android Hacker Protection Level 0
VirusTotal (#android #malware)
koodous.com malware community
Contagio mini-dump (+ mailing)
amtrckr.info (Android Malware Tracker)