android malware analysis
Motivation
• Someone posted it on Facebook. I am also curious about the “machine.apk” file.
Static Analysis - Tools
• apktool – can decode resources to nearly original form
and rebuild them after making some modifications
• dex2jar – translates a .dex file into a .jar
• jd-gui – a standalone graphical utility that displays
the Java source code of “.class” files
Dynamic Analysis - Tools
• Anubis – online dynamic analysis sandbox (useful for timeline analysis)
• CopperDroid – dynamic analysis sandbox (useful for network traffic analysis)
• VirusTotal – used to check the anti-virus detection results
AndroidManifest.xml
• Convert “AndroidManifest.xml” from its binary format to plain XML (with apktool)
• First, check the requested “Permission” entries
• Second, check for interesting “Activity, Service, Receiver” entries
Permission
• Guess: it will track your location, steal SMS and contacts, and record calls (tapping). Let’s go into the details.
Permission - 1
• INTERNET – Allows an application to create network sockets.
Permission - 2
• ACCESS_FINE_LOCATION – based on GPS
• ACCESS_COARSE_LOCATION – based on Wi-Fi
Permission - 3
• CALL_PHONE – Allows an application to initiate a phone call without going
through the Dialer user interface for the user to confirm the call being placed.
• READ_PHONE_STATE – Allows read-only access to phone state (e.g. the phone number).
Permission - 4
• RECEIVE_BOOT_COMPLETED – Allows an application to receive the
ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
Interesting Things
• Note interesting service names such as “TappingService” and “GPSTracking”.
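As an added example (not part of the deck), a small Python triage script that performs the two manifest steps above on a decoded AndroidManifest.xml: it lists the requested permissions, flags the ones the deck calls out for this sample, and enumerates the activities, services and receivers with the intent actions they listen for, so names like “TappingService” and “GPSTracking” stand out. The manifest text is a constructed stand-in, not the real machine.apk.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the deck singles out for machine.apk; all are real Android
# permission names, the short notes are this example's own.
WATCH_PERMISSIONS = {
    "android.permission.INTERNET": "network sockets (exfiltration channel)",
    "android.permission.ACCESS_FINE_LOCATION": "GPS-based location",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.READ_PHONE_STATE": "phone number, network operator",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after boot",
}

# Constructed stand-in for a decoded manifest; not the real machine.apk.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".TappingService"/>
    <service android:name=".GPSTracking"/>
    <receiver android:name=".SMSBroadcastReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Permissions requested, watched ones matched, and each component with its intent actions."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    flagged = {p: WATCH_PERMISSIONS[p] for p in perms if p in WATCH_PERMISSIONS}
    components = {}
    for tag in ("activity", "service", "receiver"):
        components[tag] = [
            (e.get(ANDROID_NS + "name"),
             [a.get(ANDROID_NS + "name") for a in e.iter("action")])
            for e in root.iter(tag)
        ]
    return {"permissions": perms, "flagged": flagged, "components": components}
```

On a real sample, `apktool d machine.apk` writes the decoded AndroidManifest.xml into the output directory; read that file and pass its contents to triage_manifest().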
Static Analysis
• Decompile – Convert classes.dex to a .jar with dex2jar and take a
look at it in jd-gui.
• The strategy is very simple: 1. Examine “.MainActivity”. 2. Follow the code from there.
Static Analysis
• Set the preference mode to 0 (READ/WRITE).
Static Analysis
• Save the “AllowTapping” variable as “0”.
Static Analysis
• Let’s check out to “doRegisterUser()”.
Static Analysis
• “doRegisterUser()” extracts the phone number and the network operator.
Static Analysis
• Sends them to Thailand.
Static Analysis
• Let’s check out “PreodicService”. The name is probably a misspelling of “PeriodicService”.
Static Analysis
• Service Life Cycle.
Static Analysis
• Let’s analyze “PreodicService”. – schedule(myTask, start-time, repeat cycle);
Static Analysis
• Let’s analyze “AutoCallPhone”. – Requests 2 times.
Static Analysis
• Let’s check out “TappingService”.
Static Analysis
• Let’s check out the MediaRecorder flow.
Static Analysis
• Let’s check out “startTapping()”.
Static Analysis
• Let’s check out “stopTapping()”.
Static Analysis
• Let’s check out “GPSTracking”.
Static Analysis
• Let’s check out “RegDPMActivity”. – Device Policy Manager
Static Analysis
• Let’s check out the onCreate() of “RegDPMActivity”.
Static Analysis
• Let’s check out “CallBroadcastReceiver”.
Static Analysis
• Let’s check out “SMSBroadcastReceiver”.
Dynamic Analysis
• CopperDroid and Anubis. – In my experience, CopperDroid works well for
network traffic analysis and Anubis works well for timeline analysis.
Reference - 1
• A collection of mobile security resources – http://wiki.secmobi.com/
• Anubis – http://anubis.iseclab.org
• CopperDroid – http://copperdroid.isg.rhul.ac.uk/copperdroid/
• VirusTotal – https://www.virustotal.com
• My location – http://blog.naver.com/PostView.nhn?blogId=newefgold777&logNo=90104291392
Reference - 2
• Preference – http://blog.daum.net/agapeuni/77
• TelephonyManager – http://arabiannight.tistory.com/73
• Service LifeCycle – http://gongdoo.tistory.com/235 – http://www.androes.com/137
• Timer – http://infodev.tistory.com/126
• Flags – http://surprisen.egloos.com/
Reference - 3
• RequestLocationUpdates – http://blog.naver.com/PostView.nhn?blogId=hara9&logNo=10155762477
• getSystemService – http://promobile.tistory.com/169
• onCallStateChanged – http://daddycat.blogspot.kr/2011/05/android-broadcastreceiver-event-catch.html
• URL Decoder/Encoder – http://meyerweb.com/eric/tools/dencoder/
• Google Maps lat/long finder – http://www.doogal.co.uk/LatLong.php