(Practical) Android Malware Analysis

BSides London 2015 - 3rd June 2015

WHO?

Paul/Etienne @SensePost.com

@PaulWebSec/@kamp_staaldraad

what?

Static analysis (dex2jar, baksmali, androguard, jadx, ...)

Dynamic analysis (Droidbox)

How to start?

APK = ZIP Archive

unzip /path/to/file.apk

What will you find there?

  • META-INF: signing metadata (MANIFEST.MF, *.SF and the *.RSA/*.DSA certificate file) for the JAR-style v1 APK signature
  • lib: native code, one subdirectory per ABI (e.g. armeabi-v7a, x86) holding the compiled .so libraries
  • res: resources directory (layouts, drawables, raw files), mostly in binary form
  • assets: raw application assets, read at runtime through the AssetManager
  • AndroidManifest.xml: the manifest in binary XML: package name, version, requested permissions, declared components (activities, services, receivers, providers) and referenced libraries
  • classes.dex: the main Dalvik Executable; multidex apps also carry classes2.dex, classes3.dex, ...
  • resources.arsc: precompiled resources, e.g. the string pool and binary XML

Usually, the fun is in

*.dex files

DEX file = Dalvik EXecutable file
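As an added example (not from the slides), a small Python script that does the first triage steps programmatically: it opens the APK as a ZIP, lists the entries an analyst cares about (manifest, signature files, native libs, assets) and parses the header of every classes*.dex it finds, checking the DEX magic, the Adler-32 checksum and the SHA-1 signature that the format carries. A stale checksum or signature is a quick tell that a DEX was patched after it was built, for example by a repackaging tool. The sample APK and DEX image are constructed inside the script so it runs offline; the non-DEX entries are placeholders and the DEX header counts are synthetic.

```python
"""Added example: first-pass triage of an APK treated as a ZIP archive.

Lists the notable entries and parses the header of every classes*.dex,
verifying the magic, the Adler-32 checksum and the SHA-1 signature the
DEX format carries. The sample APK and DEX below are constructed here
so the script runs offline; they are not real malware samples.
"""
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
KNOWN_MAGICS = tuple(b"dex\n%03d\0" % v for v in (35, 36, 37, 38, 39))
# Header layout (little-endian): magic[8], checksum, signature[20], then 20
# uint32 fields: file_size, header_size, endian_tag, link_size, link_off,
# map_off and (size, off) pairs for string_ids, type_ids, proto_ids,
# field_ids, method_ids, class_defs and data.
HEADER = struct.Struct("<8sI20s" + "I" * 20)
FIELDS = (
    "magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(blob):
    """Parse a DEX header and verify its integrity fields."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    hdr = dict(zip(FIELDS, HEADER.unpack_from(blob)))
    hdr["version"] = hdr["magic"][4:7].decode("ascii", "replace")
    hdr["magic_ok"] = hdr["magic"] in KNOWN_MAGICS
    hdr["endian_ok"] = hdr["endian_tag"] == 0x12345678
    hdr["size_ok"] = hdr["file_size"] == len(blob)
    # checksum covers everything after the checksum field (offset 12 to EOF)
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == hdr["checksum"]
    # signature (plain SHA-1, an integrity check, not a cryptographic signature)
    # covers everything after the signature field (offset 32 to EOF)
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == hdr["signature"]
    return hdr


def triage_apk(apk_bytes):
    """Open an APK (a ZIP archive) from bytes and summarise its contents."""
    z = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = z.namelist()
    report = {
        "has_manifest": "AndroidManifest.xml" in names,
        "has_resources_arsc": "resources.arsc" in names,
        "signature_files": sorted(n for n in names if n.startswith("META-INF/")
                                  and n.upper().endswith((".RSA", ".DSA", ".EC", ".SF"))),
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "assets": sorted(n for n in names if n.startswith("assets/")),
        "dex": {},
    }
    # classes.dex plus classes2.dex, classes3.dex, ... for multidex builds
    for n in sorted(names):
        if re.fullmatch(r"classes\d*\.dex", n):
            report["dex"][n] = parse_dex_header(z.read(n))
    return report


def build_sample_dex(string_ids=3, class_defs=1, data_size=0x40):
    """Constructed sample: a header-only DEX image with synthetic counts but a
    correct file_size, checksum and signature."""
    file_size = DEX_HEADER_SIZE + data_size
    fields = [b"dex\n035\0", 0, b"\0" * 20, file_size, DEX_HEADER_SIZE, 0x12345678,
              0, 0, DEX_HEADER_SIZE,                      # link_size, link_off, map_off
              string_ids, DEX_HEADER_SIZE, 0, 0, 0, 0, 0, 0, 0, 0,
              class_defs, DEX_HEADER_SIZE, data_size, DEX_HEADER_SIZE]
    body = HEADER.pack(*fields) + b"\0" * data_size
    body = body[:12] + hashlib.sha1(body[32:]).digest() + body[32:]
    chk = zlib.adler32(body[12:]) & 0xFFFFFFFF
    return body[:8] + struct.pack("<I", chk) + body[12:]


def build_sample_apk(dex_blobs):
    """Constructed sample APK; every entry except the DEX files is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML chunk header only
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")        # resource table header only
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")             # placeholder, not real DER
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")   # placeholder, not a real ELF
        z.writestr("assets/config.dat", b"placeholder")
        for i, blob in enumerate(dex_blobs):
            z.writestr("classes.dex" if i == 0 else "classes%d.dex" % (i + 1), blob)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_dex()
    patched = good[:-1] + b"\x01"   # one data byte changed, checksum/signature left stale
    rep = triage_apk(build_sample_apk([good, patched]))
    print("manifest:", rep["has_manifest"], "sig files:", rep["signature_files"])
    print("native libs:", rep["native_libs"])
    for name, h in rep["dex"].items():
        print("%s: v%s size=%d strings=%d classes=%d checksum_ok=%s signature_ok=%s"
              % (name, h["version"], h["file_size"], h["string_ids_size"],
                 h["class_defs_size"], h["checksum_ok"], h["signature_ok"]))
```

Run it against a real sample by replacing the constructed APK with `open(path, "rb").read()`; a DEX whose checksum or signature fails while the file size is right is worth a closer look, since the build tools always write both correctly.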

Next step is to convert it to a JAR archive

dex2jar

$ /path/to/d2j-dex2jar.sh /path/to/file.dex

Will result in a JAR archive (file-dex2jar.jar) that you can now inspect with a Java decompiler. dex2jar also accepts the whole .apk as input. The conversion is lossy: obfuscated or deliberately malformed DEX may fail to convert or produce misleading Java, so keep the smali (baksmali) output at hand as ground truth.

jd-gui (Java decompiler GUI; open the JAR produced by dex2jar)

JADX (decompiles DEX/APK straight to Java, no dex2jar step needed)

Androguard

Disassembles/Decompiles Android apps

Different tools: androlyze, androdis, androauto, ...

https://github.com/androguard/androguard

Androlyze

$ python androlyze.py -i

By paul38
