Android malware analysis


jason ross

android malware analysis

about me

• senior consultant @intrepidusgroup

• member of @dragonresearch

• contribute to OWASP mobile project

• point-of-contact for defcon group 585

agenda

• why mobile / android / malware

• tools

• analysis

why mobile?

• eBay announced that it expects over $7 billion USD via mobile in 2011

• 41% of smartphone users have made a purchase using their mobile devices

why android?

why malware analysis?

a) ‘bring your own device’ policies

b) lack of effective/enforceable security

c) mobile devices access corp. resources

a + b + c = ZOMG!

current state

• android malware increasing

• payloads getting more interesting

• infection routines becoming complex

• infected apps in official & 3rd party markets

what is malware doing?

How can I get samples?

• open mobile malware repositories

• official android market place

• third party markets

challenges

• it’s not a PC

• antivirus won’t protect you

it’s not a PC

• got root?

• less control over the environment

• not necessarily able to intercept traffic

antivirus won’t protect you

process

• network

• runtime

• static

tools

• generally fall into 3 categories:

– “i can show you the network traffic”

– “i can unpack your APK for you”

– “i can turn dex back into java classes”

• fourth category starting to emerge:

– “i can tell you what’s happening on the device”

network based

• pptpd

• native sdk tools

• mallory

pptpd

• setting up pptpd for VPN

– pptp config

– ppp config

– chap-secrets

mallory

• what is mallory?

• how is it helpful?

setting up mallory

• grab ubuntu

• run the installer script

• start intercepting traffic

mallory configuration

• new and improved

runtime

• emulator

– installing malicious APK

– using a proxy to monitor application traffic

– reverting to clean image state

static

• SDK

– DDMS

• andbug

• androguard

• apktool

• ded

• dexid

• dex2jar

packages

• APKs are stored in several places:

– /data/app

– /data/app-private

– /system/app

• You may need to have a rooted device to access some of these locations.

• APK =~ /ZIP/

directories

• assets: images and stuff

• META-INF: various items (MANIFEST.MF, certs, etc.)

• res: layout and screen information

• classes.dex: the compiled smali classes

• AndroidManifest.xml: android manifest (application perms, etc.)
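Since an APK is just a ZIP, the layout above can be checked before any tool is run. The following script is an added example, not part of the talk: it inventories an APK's top-level entries, flags anything outside the directories listed above, and detects an AndroidManifest.xml stored in Android's binary XML encoding (so you know apktool is needed before reading it). The sample APK it builds is constructed inline and is not a real app.

```python
import io
import zipfile

# Android binary XML begins with chunk type RES_XML_TYPE (0x0003) followed
# by the chunk header size (0x0008), both little-endian: 03 00 08 00.
BINARY_XML_MAGIC = b"\x03\x00\x08\x00"
# Top-level entries described in the slides; anything else gets flagged.
KNOWN_TOP_LEVEL = ("assets", "META-INF", "res", "classes.dex", "AndroidManifest.xml")


def triage_apk(apk_bytes):
    """Inventory an APK (a ZIP) and report what static analysis will need."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    by_top = {}
    for name in names:
        by_top.setdefault(name.split("/", 1)[0], []).append(name)
    manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    return {
        "entries": by_top,
        "has_dex": "classes.dex" in names,
        # True means apktool must decode the manifest before it is readable
        "manifest_is_binary": manifest.startswith(BINARY_XML_MAGIC),
        # a signature block in META-INF (CERT.RSA / CERT.DSA) means the APK is signed
        "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA"))
                      for n in names),
        "unexpected": sorted(t for t in by_top if t not in KNOWN_TOP_LEVEL),
    }


def build_sample_apk():
    """Constructed sample (not a real app): a minimal APK-shaped ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", BINARY_XML_MAGIC + b"\x00" * 28)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("res/layout/main.xml", b"")
        zf.writestr("assets/data.bin", b"constructed asset")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder signature block")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Point `triage_apk` at the bytes of a real APK pulled from /data/app to get the same report for a sample under analysis.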

droidbox

taintdroid

android live CD

• there really is one

• i’ve run it in virtualbox

• it’s exactly as clumsy to use as it sounds

android livecd (screenshot)

Super Mario Bros included for great justice?

malware analysis live CDs

• REMnux, by Lenny Zeltser (http://zeltser.com/remnux/)

– Ubuntu based live CD, preloaded with many malware analysis tools

• A.R.E (http://www.honeynet.org/node/783)

– Virtualbox image preloaded with Android analysis tools. One of the best ways to get Androguard working.

devices

• installing malicious APK

• using mitm to monitor application traffic

• reverting to clean image state?

static

• overview of Android application layout

– Manifest.xml

– res directory

– assets directory

– strings.xml

– other data

this isn’t the xml you’re looking for

AndroidManifest.xml is stored as “binary” data

use apktool to get it back into a readable format:

> apktool d file.apk outputdir

apktool

• “decompiles” the classes

• classes.dex file becomes the smali directory

follow the com.foo.trail to get to the .smali files

smali: java + assembly (whee)

• variables get assigned sequential numeric names

• this can make the code tough to follow

dex2jar

• why?

• usage

others

• ded

• dexid

• andbug

• androguard

OK, i have .class, now what?

• jd-gui

• apkinspector

automation

• scripts to manipulate the emulator environment

• scripts to manipulate 'bare metal' devices

End

• contact info:

@rossja

jason.ross [at] intrepidusgroup [dot] com
