Thursday, April 10, 2014

[infosecinstitute] Overview of Android Malware Analysis

Malware is software used to disrupt gather sensitive information, or gain access to private systems. Any program or piece of software that affects the working of a device can be called malware.
Nowadays, Mobile phones have become the victim of malware attacks. Among the mobile phone malware attacks, the Android smart phones are largely targeted by the hackers. This is mainly due to the reason that the Android applications market provides an open platform for the applications. Another major factor is that over fifty mobile phone companies manufacture smartphones with the Android operating system.

Mobile malware detected in 2013 by platform and category
This massive user base of android has caught the attention of cybercriminals, who have begun to double down on their efforts to obtain illegally personal information from Android owners. Mobile malware can allow cybercriminals to intercept messages, monitor calls, steal personal information, and even listen in with the device’s microphone.
The fake BBM app is a great example, and it managed to secure more than 100,000 downloads before being removed.

Android Fundamentals

Android architecture layers are as follows:
A Linux Kernel that supports multi-processes and multi-threads. Every application has its own Linux ID and runs in a separate process. Two applications with the same ID can exchange data between them.
  • Some Open source libraries.
  • Android run-time environment, wherein a Dalvik Virtual Machine runs an application in the dex binary format.
  • An application framework that possesses a Java interface. This layer consists of the Android NDK and SDK.
  • Some pre-installed core applications
Most Android applications are written in the Java programming language. The compiled Java code, along with any data and resource files required by the application, is bundled into an Android package.
Each Android application is composed of several components that can communicate between each other using Intent messages. Here is a list of those components and a short description of each one:
  • Activity: An activity represents a single screen with a user interface. One application might be composed of several activities.
  • Service: A service doesn’t have a visual user interface, but rather runs in the background for an indefinite period.
  • Broadcast Receiver: A broadcast receiver listens to special messages being broadcast by the system or by individual applications. For example, when the phone receives an SMS, a broadcast message is sent by the system to inform that a message is available.
  • Content Provider: A content provider is a kind of database where an application makes data available to other applications. You can store the data in the file system, a SQLite database, on the web, or any other persistent storage location your app can access.
Malware Analysis
For malware analysis of Android, I use Santoku, made by viaForensics, has three purposes, which are Mobile Forensics, Mobile Forensics and Mobile Security.
Santoku has the best-known tools to examining mobile malware and contains mobile device emulators, Utilities to simulate network services for dynamic analysis and decompilation and disassembly tools. There are two approaches forandroid malware analysis, static and dynamic.
AndApp.apk application was a malicious Android application for demonstration purpose.
Static Analysis
Static analysis can yield a lot of useful information about an APK such as permissions requested, which API’s are called etc. For Static analysis, we use disassembler, which is used to convert the code into a format that is easily understandable. We need to start with the Code Analysis to understand the working properly. For this, we have to use the following approach.
When a user installs apk on the device, the apk file is extracted and when that application is initialized, it triggers an activity. These activities are mentioned in the Android Manifest file.
Apktool can decode the malicious code to its original code. Apktool used to convert the AndroidManifest binary XML file to a readable xml in order to have information about application components and permissions requested by this application during its install.
Open the command prompt window and navigate to the root directory of ApkTool. We decompile AndApp.apk file using the following command as shown:
The AndroidManifest.xml file shows suspicious file permission granted to the application. 
Following are the permission used by this application.
  • INTERNET: Allows an application to create network sockets.
  • READ_PHONE_STATE: Allows read only access to phone state.(ex. phone number)
  • ACCESS_COARSE_LOCATION: Location based on WIFI
  • ACCESS_FINE_LOCATION:  Location based on GPS
  • SEND_SMS: Send SMS
  • READ_SMS: Read SMS
Unzip the compressed contents of the AndApp.apk file for analysis.
  • Meta INF Folder: This folder consists of information that allows users to make sure of the security of the system and integrity of the APK application.
  • Res folder: This folder contains XMLs defining the layout, attributes etc.
  • Android Manifest File: It is one of the most important XML file, which contains information about the permissions that the application needs or accesses, the package name, version etc.
  • Classes.dex: This file contains all the Java source code that is compiled. This file is run on the Dalvik Machine. This file consists of the complete byte code that the Dalvik Machine will interpret.
  • Resources.arsc: This file is binary resource file that is obtained after compilation.
We need java code for better clarity for that we need to convert the classes.dex file to .jar file. Dex2Jar is a tool, which is used to convert the dex code into *.jar Java file. To open Dex2Jar we have to go to Santoku menu->Reverse Engineering-> Dex2Jar.
Conversion of classes.dex file to .jar file can be done by the command given below:
Once the jar file is generated, we require a tool named JD-GUI that will load the jar and list out the packages and its corresponding java files. JD-GUI is tool, which is used to view classes_dex2jar.jar files. It provides a GUI that can load all the packages embedded in the jar file and lists the classes_dex2jar.jar code.
To open JD-GUI we have to go to Santoku menu->Reverse Engineering-> JD-GUI.
Using this tool, we can browse the reconstructed source code for instant access to methods and fields.
MyActivity.class file sets an alarm for Location based on WIFI, GPS, Send SMS, Read SMS etc. and alarm will triggered/broadcasts signal after particular time.
The original activity gets started on the device and the user can’t notice the suspicious activity, which is running in the background.
Package contains all Broadcast listener classes, which listen broadcast messages. When a broadcast message is triggered, the register class starts listening the event and start working in background.
GetGPSReciver set alarm (see localGregorianCalander.add(12,15)) from MainActivity.class. When the alarm triggered the onReceive method is called and the network information with Google account is sent to the server.
SMSReciver.class registers itself with SMS broadcast service when app is installed in our device. When device receive SMS, all listener classes will be called and onReceive method copies SMS and send it to the server.
SmsReceiver.class uploads the user data into the remote server using HTTP calls.
By seeing the source code of SmsReceiver.class, it was observed that the class file named SmsReceiver.class seemed suspicious as this was a simple display text application and therefore SmsReceiver was not required.
Dynamic Analysis
A set of techniques, which involve running an application in a controlled environment and monitoring its behavior, are known as dynamic analysis.
The first step involved in dynamic analysis of the malware is installing the android SDK in order to create a virtual device. To create the virtual device we have to go to Santoku menu -> Development Tools ->Android SDK Manager
Click on Tools and then select Manage AVDs in order to create a virtual Android device.
Once we click in Manage AVDs, we select New, and fill out the necessary fields as shown below and select ok.
Once the new AVD is created, we then select that AVD and click on Start to run the virtual device/emulator.
To check whether Santoku is properly communicating with our emulator device or not we will use adb i.e. Android Debug Bridge.
We will use command adb devices and it should return with a serial number and device. If it can’t then it will shows the couple of error massages means it’s not communicating properly.
When the connection is established successfully then we have to install the malicious application i.e. AndApk.apk by the command given below. Once the output of this command is Success, the application is successfully installed on the emulator.
When the malware is successfully installed, it can be viewed in the menu screen of the emulator.
Tcpdump is used for capturing network traffic. It allows us to intercept and display TCP/IP and other packets being transmitted or received over a network. To open tcpdump we have to go to Santoku menu -> Wireless analyzers ->tcpdump.
To start capturing packets we can use the command mentioned below:
-i option, allows you to filter on a particular ethernet interface.
-w option writes the packets into a given file. The file extension should be .pcap, which can be read by wireshark.
Once all things are done, we are ready to start our malicious application.
Front hand of the application contains only two letter “hello world” rests of the services are executed in the backhand. To load my emulator with test user details such as SMS, I use the following approach:
Open a terminal, then Type “telnet localhost 5554″ where 5554 is the port number of android emulator (you can find the portnumber in the title of the emulator).then type, “sms send sender_Phone_Number test_message” and then press enter.
When everything is goes right you will get a response: OK
Then we open the .pacp file for analyzing which is created by tcpdump using wireshark.
While analyzing the captured file we noticed that there are a tremendous number of requests arising from the source host machine ( to the destination server, which looks suspicious.
To locate the region where this domain is hosted we just go to and search the IP of the server:
We checked the TCP stream of the mentioned requests we found that malicious application sends the data to that server where the source is the host machine.
After the analysis, we came to understand that AndApk.apk is a malicious application that extracts user information such as location, messages and upload the extracted user data into a remote web server, which is located in the US, North Carolina.
Protect Your Android Phone from Malwares
Mobile malware is on the rise and mobile devices could be at risk. Following are steps you can take against mobile software threats
  • Install applications only from the official Google Play Store, or from legitimate app stores.
  • Protect your phone with Passwords
  • Look carefully at any program before you install it to make sure it’s legitimate and it only asks for necessary permissions
  • Avoid enabling the USB debugging option on your device
  • Features such as Wi-Fi, Bluetooth, etc. that is not in use needs to be disabled.
  • Upgrade, if possible, to the latest version of Android.
In the past few years, smartphone users have increased exponentially. We see a constant growth in the presence of security risks among Android applications and attackers are constantly discovering newer methods to crack into the devices.
The challenges and issue of analysis of such malwares is that attackers use different programming languages, packers to hide the code more over use encryption and obfuscation techniques to prevent from getting the source code.
Android applications can be assessed for malicious activity in two ways: through static and dynamic analysis. In static, we do Code Analysis by decompiling the application file and in dynamic; we do behavioral analysis by executing the application in the emulator.

No comments:

Post a Comment