(Practical) Android Malware Analysis
BSides London - 3rd June 2015
Paul AMAR / Etienne Stalmans
Paul [at] SensePost [.dot.] com
@PaulWebSec / GitHub: PaulSec
Etienne [at] SensePost [.dot.] com
@kamp_staaldraad
Static Analysis (Androguard, Dex2Jar, apktool, ...)
Dynamic Analysis (DroidBox using the emulator)
Need Vmware Player:
> Create a new Machine
> Linux, Ubuntu
> Import the Hard-drive with the .vmdk
Launch it, creds: student/mobile
Tools available at ~/Tools
Samples available at ~/Desktop/samples/
Disassembles/Decompiles Android apps
Different tools: androlyze, androdis, androauto, ...
Let's analyze the APK!
Get in the folder:
$ cd ~/Tools/androguard
$ python ./androlyze.py -s
In the shell, load the APK:
sample = APK('/path/to/file.apk')
sample.get_permissions()
sample.get_activities()
sample.show()
....
Retrieves classes/methods from the loaded APKd = dvm.DalvikVMFormat(a.get_dex())
for _class in d.get_classes():
print _class.get_name()for method in _class.get_methods():
print method.get_name()
$ unzip /path/to/file.apk
META-INF: meta info directory
lib: directory containing compiled code
res: resources directory
assets: application assets directory
AndroidManifest.xml: additional manifest file describing name, version, access rights and referenced library files for the app
classes.dex: the main Dalvik Executable file
resources.arsc: precompiled resources e.g. binary XML
Disassembles/rebuilds resources to JAR/APK
Disassembles the APK$ apktool d /path/to/file.apk -o out/
$ apktool b foo/Builds foo folder into foo/dist/foo.apk file
*.dex files.
DEX = Dalvik EXecutable file
code that runs in the Dalvik VM
We need to convert it to a JAR archive
A set of tool to work with Android .dex and java .class files
Read/write the Dalvik Executable (.dex) file, Disassemble .dex to smali files, Convert .dex file to .class files (zipped as jar)
$ /path/to/d2j-dex2jar.sh /path/to/file.dex
At that point, you can use any Java decompiler.
java -jar jd-gui-1.1.0.jar
$ jadx /path/to/file.apk
$jadx-gui /path/to/file.apk
Got the source code, might contain hundred of classes.
Thousand lines of code.
Where/What to look for?
Often..
Save the source files (*.java) in:
eg. /tmp/sample_test
And search for specific terms:
$ cd /tmp/sample_test
$ grep -r -i 'cipher' .
$ grep -r -i 'http://' .
$ grep -r -i 'base64' .
....
Analyze how the communication works
Retrieve encryption keys
See how the app interacts on the filesystem
In this workshop, two ways:
Stands for: Android Debug Bridge
Command line tool to communicate with
emulator or connected devices
List the devices already connected
$ adb devices
$ adb install /path/to/file.apk
$ adb push/pull <local> <remote>
.. and retrieves bunch of information:
Create a new AVD (Android Virtual Device),
Nexus 4, Android version 4.2.1
$ android
Start the emulator
And install/launch the app$ ./startemu.sh <AVD name>
$ ./droidbox.sh /path/to/file.apk
In order to monitor the HTTP(s) traffic
Configure a proxy on your phone:
And launch the app.
~/Desktop/samples/samples.txt
String obfuscation - XOR
sha256:99c4d780c0143af20191d6ffb0cc206605e397330ddd6a84185df1d112c1e963
sha256:f75500da9728d95e33e40f9a1d8bf29959d5aa89827aeabfb3aaaa02a488dd39
bot.apk - iBanking sample
Specially crafted for BSides London
Retrieve phone numbers, C&C URL
This is just an introduction.
Lot of research regarding obfuscation:
Dex Education - Practicing Safe Dex | Black Hat 2012
DEF CON 22 - Tim Strazzere and Jon Sawyer - Android Hacker Protection Level 0
VirusTotal (#android #malware)
Contagio mini-dump (+ mailing)
amtrckr.info (Android Malware Tracker)
AndroMalShare (202.117.54.231:8080)