jason ross
android malware analysis
about me
• senior consultant @intrepidusgroup
• member of @dragonresearch
• contribute to OWASP mobile project
• point-of-contact for defcon group 585
agenda
• why mobile / android / malware
• tools
• analysis
why mobile?
• eBay announced that it expects over $7 billion USD via mobile in 2011
• 41% of smartphone users have made a purchase using their mobile devices
why android?
why malware analysis?
a) ‘bring your own device’ policies
b) lack of effective/enforceable security
c) mobile devices access corp. resources
a + b + c = ZOMG!
current state
• android malware increasing
• payloads getting more interesting
• infection routines becoming complex
• infected apps in official & 3rd party markets
what is malware doing?
How can I get samples?
• open mobile malware repositories
• official android market place
• third party markets
challenges
• it’s not a PC
• antivirus won’t protect you
it’s not a PC
• got root?
• less control over the environment
• not necessarily able to intercept traffic
antivirus won’t protect you
process
• network
• runtime
• static
tools
• generally fall into 3 categories:
  – “i can show you the network traffic”
  – “i can unpack your APK for you”
  – “i can turn dex back into java classes”
• fourth category starting to emerge:
  – “i can tell you what’s happening on the device”
network based
• pptpd
• native sdk tools
• mallory
pptpd
• setting up pptpd for VPN
  – pptp config
  – ppp config
  – chap-secrets
mallory
• what is mallory?
• how is it helpful?
setting up mallory
• grab ubuntu
• run the installer script
• start intercepting traffic
mallory configuration
• new and improved
runtime
• emulator
  – installing malicious APK
  – using a proxy to monitor application traffic
  – reverting to clean image state
static
• SDK
  – DDMS
• andbug
• androguard
• apktool
• ded
• dexid
• dex2jar
packages
• APKs are stored in several places:
  – /data/app
  – /data/app-private
  – /system/app
• You may need to have a rooted device to access some of these locations.
• APK =~ /ZIP/
directories
• assets: images and other bundled files
• META-INF: various items (MANIFEST.MF, certs, etc.)
• res: layout and screen information
• classes.dex: the compiled Dalvik bytecode (what apktool turns into smali)
• AndroidManifest.xml: android manifest (application perms, etc.)
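Because an APK is an ordinary ZIP archive, the layout above can be checked with nothing but the standard library. The script below is an added example, not from the original slides: it builds a constructed stand-in APK in memory (fake contents under the real entry names), then reports which top-level entries are present, whether AndroidManifest.xml is in the binary form the deck mentions later, whether classes.dex starts with a Dalvik header, and whether META-INF carries a signature block. The magic values come from the DEX and binary-XML file formats and are not stated on the slides.

```python
"""Triage the layout of an APK by treating it as a ZIP archive (added example)."""
import io
import zipfile

# Header of a Dalvik executable: "dex\n" followed by a 3-digit version and NUL.
DEX_MAGIC_PREFIX = b"dex\n"
# First four bytes of a compiled (binary) AndroidManifest.xml:
# chunk type RES_XML_TYPE (0x0003) and header size 8, little-endian.
AXML_MAGIC = b"\x03\x00\x08\x00"


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: real entry names, fake contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 28)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("res/layout/main.xml", AXML_MAGIC + b"\x00" * 8)
        z.writestr("assets/config.txt", b"server=example.invalid\n")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # truncated DER, constructed
    return buf.getvalue()


def triage_apk(data: bytes) -> dict:
    """Return the facts an analyst wants before unpacking the APK any further."""
    result = {
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "entries": 0,
        "top_level": set(),
        "manifest_is_binary": None,  # None when the entry is missing
        "dex_valid": None,
        "signed": False,
    }
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["entries"] = len(names)
        # First path component: assets, META-INF, res, classes.dex, ...
        result["top_level"] = {n.split("/", 1)[0] for n in names}
        if "AndroidManifest.xml" in names:
            head = z.read("AndroidManifest.xml")[:4]
            # A plain-text manifest here means the file did not come out of a normal build.
            result["manifest_is_binary"] = head == AXML_MAGIC
        if "classes.dex" in names:
            result["dex_valid"] = z.read("classes.dex").startswith(DEX_MAGIC_PREFIX)
        # A v1 signature block lives under META-INF as CERT.RSA / CERT.DSA / CERT.EC.
        result["signed"] = any(
            n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
            for n in names
        )
    return result


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run it on a real sample by replacing build_sample_apk() with the bytes of the file; anything that is not a ZIP, has a plain-text manifest, or lacks a Dalvik header is worth a second look before spending time on decompilation.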
droidbox
taintdroid
android live CD
• there really is one
• i’ve run it in virtualbox
• it’s exactly as clumsy to use as it sounds
android livecd (screenshot)
Super Mario Bros included for great justice?
malware analysis live CDs
• REMnux, by Lenny Zeltser (http://zeltser.com/remnux/)
  – Ubuntu based live CD, preloaded with many malware analysis tools
• A.R.E (http://www.honeynet.org/node/783)
  – Virtualbox image preloaded with Android analysis tools. One of the best ways to get Androguard working.
devices
• installing malicious APK
• using mitm to monitor application traffic
• reverting to clean image state?
static
• overview of Android application layout
  – Manifest.xml
  – res directory
  – assets directory
  – strings.xml
  – other data
this isn’t the xml you’re looking for
AndroidManifest.xml is stored as “binary” data
use apktool to get it back into a readable format:
> apktool d file.apk outputdir
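Once apktool has decoded the manifest back to plain XML, the first static pass is usually to read the declared permissions and components. The script below is an added example (it is not from the slides and not part of apktool): the manifest text inside it is constructed to look like apktool output, the package com.example.trail and its class names are made up, and the set of permissions it flags as high-risk is a triage heuristic chosen for this example, not an Android-defined list.

```python
"""Triage a decoded AndroidManifest.xml, as produced by apktool (added example)."""
import xml.etree.ElementTree as ET

# Attribute names in the manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Heuristic for this example: permissions that matter when looking at SMS/billing
# behaviour and boot persistence. Adjust to the case at hand.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest standing in for apktool output; names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.trail">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Trail">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".Worker"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Summarise package, permissions and components of a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = sorted(el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission"))

    app = root.find("application")
    components = {}
    for kind in ("activity", "service", "receiver", "provider"):
        components[kind] = []
        for el in (app.iter(kind) if app is not None else []):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("."):  # shorthand for a class inside the package
                name = package + name
            actions = [a.get(ANDROID_NS + "name", "") for a in el.iter("action")]
            components[kind].append({"name": name, "actions": actions})

    # Receivers wired to BOOT_COMPLETED are the usual place to look for persistence.
    boot_receivers = [
        c["name"] for c in components["receiver"]
        if "android.intent.action.BOOT_COMPLETED" in c["actions"]
    ]
    return {
        "package": package,
        "permissions": perms,
        "high_risk": sorted(set(perms) & HIGH_RISK_PERMISSIONS),
        "components": components,
        "boot_receivers": boot_receivers,
    }


if __name__ == "__main__":
    summary = triage_manifest(SAMPLE_MANIFEST)
    print(summary["package"], summary["high_risk"], summary["boot_receivers"])
```

Point it at outputdir/AndroidManifest.xml from the apktool run above by reading the file into a string; the component names it prints are the ones to follow into the smali directory.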
apktool
• “decompiles” the classes
• classes.dex file becomes the smali directory
follow the com.foo.trail to get to the .smali files
smali: java + assembly (whee)
• variables get assigned sequential numeric names
• this can make the code tough to follow
dex2jar
• why?
• usage
others
• ded
• dexid
• andbug
• androguard
OK, i have .class, now what?
• jd-gui
• apkinspector
automation
• scripts to manipulate the emulator environment
• scripts to manipulate 'bare metal' devices
End
• contact info:
@rossja
jason.ross [at] intrepidusgroup [dot] com