(Practical) Android Malware Analysis
BSides London 2015 - 3rd June 2015
WHO?
Paul/Etienne @SensePost.com
@PaulWebSec/@kamp_staaldraad
Title Text
what?
Static analysis (dex2jar, baksmali, androguard, jadx, ...)
Dynamic analysis (Droidbox)
How to start?
APK = ZIP Archive
unzip /path/to/file.apk
What will you find there?
- META-INF: meta info directory
- lib: directory containing compiled code
- res: resources directory
- assets: application assets directory
- AndroidManifest.xml: additional manifest file describing name, version, access rights and referenced library files for the app
- classes.dex: the main Dalvik Executable file
- resources.arsc: precompiled resources e.g. binary XML
Usually, phun is in
*.dex files
DEX file = Dalvik EXecutable file
Next step is to convert it to a JAR archive
dex2jar
$ /path/to/d2j-dex2jar.sh /path/to/file.dex
Will result in a JAR archive that you can now inspect
jd-gui
JADX
Androguard
Disassembles/Decompiles Android apps
Different tools: androlyze, androdis, androauto, ...
Androlyze
$ python androlyze.py -i
Text
(Practical) Android Malware Analysis BSides London 2015 - 3rd June 2015