Android Malware Analysis Part 1: Static Malware Analysis
Introduction
Malware is software used to disrupt a device, gather sensitive information, or gain access to private systems. Any program or software that interferes with the
normal working of a device can be called malware.
Nowadays, mobile phones have become a prime target for malware attacks. Among mobile platforms, Android smartphones are the most heavily targeted by
attackers. This is mainly because the Android application market is an open platform for all applications. Another major factor is that over 50 mobile phone
companies manufacture smartphones running the Android operating system.
[Figure: Mobile malware detected in 2013 by platform and category]
This massive Android user base has caught the attention of cybercriminals, who have doubled down on their efforts to illegally obtain personal
information from Android owners. Mobile malware can allow cybercriminals to intercept messages, monitor calls, steal personal information, and even listen
in through the device's microphone.
The fake BBM app is a good example: it managed to secure more than 100,000 downloads before being removed.
Android Fundamentals
The Android architecture layers are as follows:
· A Linux kernel that supports multiple processes and threads. Every application has its own Linux user ID and runs in a separate process. Two applications
with the same ID can exchange data between them.
· Some open source libraries.
· The Android run-time environment, in which a Dalvik virtual machine runs applications in the dex binary format.
· An application framework that exposes a Java interface. This layer consists of the Android NDK and SDK.
· Some pre-installed core applications.
Most Android applications are written in the Java programming language. The compiled Java code, along with any data and resource files required by the
application, is bundled into an Android package (APK).
Each Android application is composed of several components that can communicate between each other using Intent messages. Here is a list of those
components and a short description of each one.
- Activity: An activity represents a single screen with a user interface. One application might be composed of several activities.
- Service: A service doesn't have a visual user interface, but rather runs in the background for an indefinite period of time.
- Broadcast Receiver: A broadcast receiver listens for special messages broadcast by the system or by individual applications. For example, when the phone receives an SMS, the system sends a broadcast message to inform applications that a message is available.
- Content Provider: A content provider is a kind of database where an application makes data available to other applications. You can store the data in the file system, a SQLite database, on the web, or any other persistent storage location your app can access.
For Android malware analysis I use Santoku, made by viaForensics, which serves three purposes: Mobile Forensics, Mobile Malware Analysis and Mobile Security.
Santoku bundles the best known tools for examining mobile malware: mobile device emulators, utilities that simulate network services for dynamic
analysis, and decompilation and disassembly tools. There are two approaches to Android malware analysis: static and dynamic.
AndApp.apk is a malicious Android application used for demonstration purposes in this tutorial.
Static analysis can yield a lot of useful information about an APK, such as the permissions it requests and which APIs it calls. For static analysis we use
a disassembler, which converts the compiled code into a format that is easier to read. We start with code analysis to understand how the application
works, using the following approach.
When a user installs an APK on the device, the APK file is extracted, and when the application is launched it triggers an activity. These activities are
declared in the Android manifest file.
Apktool can decode the compiled application back into a readable form. We use Apktool to convert the binary AndroidManifest.xml into readable XML, which gives
us information about the application's components and the permissions it requests at install time.
Open a terminal window and navigate to the root directory of Apktool. We decompile the AndApp.apk file using the following command:
The AndroidManifest.xml file shows that suspicious permissions are granted to the application.
The following permissions are used by this application:
· INTERNET: Allows an application to create network sockets.
· READ_PHONE_STATE: Allows read-only access to phone state (e.g. the phone number).
· ACCESS_COARSE_LOCATION: Location based on Wi-Fi.
· ACCESS_FINE_LOCATION: Location based on GPS.
· SEND_SMS: Send SMS.
· READ_SMS: Read SMS.
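The permission review above can be automated once Apktool has produced a readable manifest. The script below is an added example, not part of the original tutorial or of Santoku: it assumes the manifest was decoded with Apktool (`apktool d AndApp.apk`), parses the `<uses-permission>` entries, flags the permissions listed above and the combinations that point at data theft rather than a benign need, and also lists broadcast receivers that register for incoming SMS, which is the component type examined later in the tutorial. The manifest embedded in the script is a constructed sample modelled on the permissions listed above, not the real AndApp.apk manifest.

```python
"""Triage a decoded AndroidManifest.xml: list requested permissions, flag the
sensitive ones, report suspicious combinations and list broadcast receivers
with their intent-filter actions.

Added example, not from the original tutorial. Assumes the manifest was decoded
with `apktool d AndApp.apk`. SAMPLE_MANIFEST is constructed test data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; the package and receiver names mirror the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.org.andapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="AndApp">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".listner.SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".listner.GetGPSReciver"/>
    </application>
</manifest>
"""

# Permissions the write-up calls out, with the reason each matters for triage.
SENSITIVE = {
    "INTERNET": "can open network sockets (possible exfiltration channel)",
    "READ_PHONE_STATE": "reads phone identity, e.g. the phone number",
    "ACCESS_COARSE_LOCATION": "Wi-Fi/network based location",
    "ACCESS_FINE_LOCATION": "GPS location",
    "SEND_SMS": "can send SMS",
    "READ_SMS": "can read incoming/stored SMS",
}

# Combinations that together point at data theft rather than a benign need.
SUSPICIOUS_COMBOS = [
    ({"READ_SMS", "INTERNET"}, "reads SMS and can upload them"),
    ({"ACCESS_FINE_LOCATION", "INTERNET"}, "tracks location and can upload it"),
    ({"READ_PHONE_STATE", "INTERNET"}, "reads phone identity and can upload it"),
]

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text):
    """Return package name, short permission names and receiver -> actions map."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    perms = sorted(
        el.get(name_attr).rsplit(".", 1)[-1]
        for el in root.iter("uses-permission") if el.get(name_attr)
    )
    receivers = {}
    for rcv in root.iter("receiver"):
        receivers[rcv.get(name_attr)] = [a.get(name_attr) for a in rcv.iter("action")]
    return {"package": root.get("package"), "permissions": perms, "receivers": receivers}


def triage(xml_text):
    """Return (parsed info, list of human-readable findings)."""
    info = parse_manifest(xml_text)
    have = set(info["permissions"])
    findings = ["%s: %s" % (p, SENSITIVE[p]) for p in info["permissions"] if p in SENSITIVE]
    for combo, why in SUSPICIOUS_COMBOS:
        if combo <= have:
            findings.append("COMBO %s: %s" % ("+".join(sorted(combo)), why))
    for name, actions in info["receivers"].items():
        if SMS_RECEIVED in actions:
            findings.append("receiver %s listens for incoming SMS" % name)
    return info, findings


if __name__ == "__main__":
    info, findings = triage(SAMPLE_MANIFEST)
    print("package:", info["package"])
    print("permissions:", ", ".join(info["permissions"]))
    for f in findings:
        print(" !", f)
```

Run it against the `AndroidManifest.xml` in the Apktool output directory by reading that file into `triage()` instead of `SAMPLE_MANIFEST`; the combination checks are where the value lies, since INTERNET on its own is nearly universal while INTERNET together with READ_SMS in a text-display app is not.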
Unzip the compressed contents of the AndApp.apk file for analysis. The archive contains:
· META-INF folder: This folder holds the signature information used to verify the integrity of the APK.
· res folder: This folder contains the XML files defining layouts, attributes, etc.
· AndroidManifest.xml: One of the most important XML files; it contains the permissions that the application needs or accesses, the package name,
the version, etc.
· classes.dex: This file contains all of the compiled Java code. It is the complete bytecode that the Dalvik virtual machine interprets.
· resources.arsc: The binary resource file produced at compilation.
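An APK is an ordinary zip archive, so the inventory above can be checked programmatically, and classes.dex carries its own integrity fields (a magic string, an Adler-32 checksum and a SHA-1 signature in its header) that are worth validating before handing the file to dex2jar. The script below is an added example, not part of the original tutorial or of any tool on Santoku: it builds a constructed in-memory APK containing a synthetic classes.dex (header only, not a loadable dex), categorises each archive entry into the folders and files described above, reports anything outside that expected layout, and verifies the dex header fields. The dex header layout it checks (8-byte magic `dex\n035\0`, checksum at offset 8 over everything after it, 20-byte SHA-1 signature at offset 12 over everything after it, file_size at 32, header_size 0x70 at 36, endian tag 0x12345678 at 40) is the documented dex 035 format.

```python
"""Inspect an APK as the zip archive it is and validate the classes.dex header.

Added example, not from the original tutorial. build_synthetic_apk() produces
constructed test data, not the real AndApp.apk."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"      # dex version 035, the format Dalvik executes
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_synthetic_dex(payload=b""):
    """Construct a minimal dex blob: a 0x70-byte header with valid checksum
    and signature, followed by `payload`. All size/offset fields after the
    endian tag are left zero (constructed test data, not a loadable dex)."""
    file_size = DEX_HEADER_SIZE + len(payload)
    # file_size, header_size, endian_tag, then 17 zeroed uint32 size/offset fields
    tail = struct.pack("<III", file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\0" * (DEX_HEADER_SIZE - 44)
    body = tail + payload
    signature = hashlib.sha1(body).digest()                   # SHA-1 of all bytes after the signature
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF    # Adler-32 of all bytes after the checksum
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def check_dex_header(data):
    """Validate magic, checksum, signature and size fields of a dex blob."""
    if len(data) < DEX_HEADER_SIZE:
        return {"ok": False, "problems": ["too short for a dex header"], "file_size": 0}
    magic = data[:8]
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian = struct.unpack_from("<III", data, 32)
    problems = []
    if magic != DEX_MAGIC:
        problems.append("unexpected magic %r" % magic)
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        problems.append("adler32 checksum mismatch (file modified or truncated)")
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("sha1 signature mismatch")
    if file_size != len(data):
        problems.append("file_size %d != actual %d" % (file_size, len(data)))
    if header_size != DEX_HEADER_SIZE or endian != ENDIAN_CONSTANT:
        problems.append("unexpected header_size/endian_tag")
    return {"ok": not problems, "problems": problems, "file_size": file_size}


def build_synthetic_apk():
    """Constructed APK with the entries the write-up describes plus one extra."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML stub
        z.writestr("classes.dex", build_synthetic_dex(b"constructed payload"))
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
        z.writestr("lib/armeabi/libnative.so", b"\x7fELF")          # not in the expected layout
    return buf.getvalue()


# (prefix or exact name, category key)
CATEGORIES = (
    ("META-INF/", "meta-inf"),
    ("res/", "res"),
    ("AndroidManifest.xml", "manifest"),
    ("classes.dex", "dex"),
    ("resources.arsc", "arsc"),
)


def inventory(apk_bytes):
    """Categorise every archive entry and validate classes.dex. Entries outside
    the expected layout (native code, extra dex/apk files) land in 'other'."""
    inv = {key: [] for _, key in CATEGORIES}
    inv["other"] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            for prefix, key in CATEGORIES:
                if name == prefix or name.startswith(prefix):
                    inv[key].append(name)
                    break
            else:
                inv["other"].append(name)
        dex_report = check_dex_header(z.read("classes.dex"))
    return inv, dex_report


if __name__ == "__main__":
    inv, rep = inventory(build_synthetic_apk())
    for key, names in inv.items():
        print("%-9s %s" % (key, ", ".join(names)))
    print("classes.dex ok:", rep["ok"], rep["problems"])
```

To use it on a real sample, pass the bytes of the APK file to `inventory()`; a checksum or signature mismatch in classes.dex means the file was modified after packaging (or truncated in transit), and entries under `other` are what to look at next.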
For better clarity we need Java code, so we convert the classes.dex file to a .jar file. Dex2Jar is the tool used to convert dex code into a *.jar Java
archive. To open Dex2Jar, go to Santoku menu -> Reverse Engineering -> Dex2Jar.
The classes.dex file can be converted to a .jar file with the command given below:
Once the jar file is generated we use a tool named JD-GUI, which loads the jar and lists its packages and their corresponding Java classes. JD-GUI provides a
graphical interface that loads every package embedded in classes_dex2jar.jar and displays the decompiled code. To open JD-GUI, go to Santoku menu ->
Reverse Engineering -> JD-GUI.
Using this tool we can browse the reconstructed source code with instant access to methods and fields.
MyActivity.class sets alarms for the Wi-Fi-based location, GPS, send-SMS and read-SMS tasks; each alarm fires and broadcasts a signal after a particular time
period. The original activity starts on the device as normal, so the user does not notice the suspicious activity running in the background.
The package com.org.andapp.listner contains all the broadcast listener classes, which listen for broadcast messages. When a broadcast message is triggered,
the registered class receives the event and starts working in the background.
GetGPSReciver's alarm is set from MainActivity.class (see localGregorianCalander.add(12,15): field 12 is Calendar.MINUTE, so the alarm fires 15 minutes
later). When the alarm triggers, the onReceive method is called and the network information together with the Google account is sent to the server.
SMSReciver.class registers itself for the SMS broadcast when the app is installed on the device. When the device receives an SMS, all listener classes are
called and the onReceive method copies the SMS and sends it to the server.
SmsReceiver.class uploads the user data to the remote server using HTTP calls.
Reviewing the source code of SmsReceiver.class, the class stood out as suspicious: this is a simple text-display application, so an SMS receiver was not
required at all.
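The review of the decompiled classes above boils down to spotting a handful of API usages (alarm scheduling, SMS interception, location and identity reads, HTTP uploads) and asking whether they make sense together in a text-display app. The script below is an added example, not part of the original tutorial: it scans decompiled Java sources of the kind JD-GUI shows after dex2jar for those indicators, records which capabilities each class has, and reports the pairs that add up to exfiltration, both per class and for the application as a whole, since the SMS interception and the upload may live in different classes. The three source snippets are constructed stand-ins for decompiled classes, named after the classes the tutorial discusses; they are not AndApp.apk's actual code, and the indicator patterns are an assumption about how these APIs appear in decompiler output.

```python
"""Scan decompiled Java sources for the API usage behind the behaviour
described in the write-up and summarise which capabilities combine.

Added example, not from the original tutorial. SAMPLE_SOURCES are constructed
stand-ins for decompiled classes, not AndApp.apk's code."""
import re

# (regex over decompiled Java, capability label). Patterns are an assumption
# about how the Android / Apache HTTP APIs appear in decompiler output.
INDICATORS = [
    (r"\bAlarmManager\b|\.add\(12,\s*\d+\)", "schedules delayed work"),
    (r"SMS_RECEIVED|\"pdus\"|SmsMessage\.createFromPdu", "intercepts incoming SMS"),
    (r"sendTextMessage\(", "sends SMS"),
    (r"\bLocationManager\b|getLastKnownLocation", "reads device location"),
    (r"\bAccountManager\b|getAccountsByType", "reads account names"),
    (r"getDeviceId\(|getLine1Number\(|getSubscriberId\(", "reads phone identity"),
    (r"\bHttpPost\b|HttpURLConnection|openConnection\(", "talks to a remote server"),
]

# Capability pairs that together indicate exfiltration of user data.
EXFIL_PAIRS = [
    ("intercepts incoming SMS", "talks to a remote server"),
    ("reads device location", "talks to a remote server"),
    ("reads phone identity", "talks to a remote server"),
    ("reads account names", "talks to a remote server"),
]

# Constructed decompiler-style fragments, one per class.
SAMPLE_SOURCES = {
    "com/org/andapp/MainActivity.java": """
        AlarmManager localAlarmManager = (AlarmManager)getSystemService("alarm");
        GregorianCalendar localGregorianCalander = new GregorianCalendar();
        localGregorianCalander.add(12, 15);
        localAlarmManager.set(0, localGregorianCalander.getTimeInMillis(), localPendingIntent);
    """,
    "com/org/andapp/listner/SmsReceiver.java": """
        public void onReceive(Context paramContext, Intent paramIntent) {
            Object[] arrayOfObject = (Object[])paramIntent.getExtras().get("pdus");
            HttpPost localHttpPost = new HttpPost(this.serverUrl);
        }
    """,
    "com/org/andapp/DisplayText.java": """
        TextView localTextView = (TextView)findViewById(2131034112);
        localTextView.setText("Hello");
    """,
}


def scan_source(text):
    """Return the set of capability labels whose indicators occur in `text`."""
    return {cap for pattern, cap in INDICATORS if re.search(pattern, text)}


def scan_sources(sources):
    """Per-class report: sorted capabilities and the exfiltration pairs present in that class."""
    report = {}
    for path, text in sources.items():
        caps = scan_source(text)
        exfil = ["%s + %s" % (a, b) for a, b in EXFIL_PAIRS if a in caps and b in caps]
        report[path] = {"capabilities": sorted(caps), "exfil": exfil}
    return report


def app_verdict(report):
    """Combine capabilities across classes: SMS interception in a receiver and an
    HTTP upload in another class still add up to exfiltration for the whole app."""
    all_caps = set()
    for entry in report.values():
        all_caps.update(entry["capabilities"])
    return ["%s + %s" % (a, b) for a, b in EXFIL_PAIRS if a in all_caps and b in all_caps]


if __name__ == "__main__":
    report = scan_sources(SAMPLE_SOURCES)
    for path, entry in report.items():
        print(path)
        print("  capabilities:", ", ".join(entry["capabilities"]) or "none")
        for e in entry["exfil"]:
            print("  exfil:", e)
    print("application verdict:", app_verdict(report) or "no exfiltration pairs")
```

In practice, point it at the `.java` files exported from JD-GUI (read each file into the `sources` dict keyed by path). A class with no capabilities, like the text-display activity, is exactly what a benign app of this kind should look like; the receiver that both intercepts SMS and talks to a server is the one that warrants the manual review described above.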
We can learn more about the malicious application through dynamic Android malware analysis, which I cover in the next part of this tutorial.