• Performing Android malware analysis

    In the past few years, malware and Trojans have moved rapidly onto mobile platforms. Many well-known Trojans and malware families have been detected and analyzed. Android, being the newest and most popular mobile platform, has become a favourite target of cyber crooks and malware authors. The Android application package (APK) is the file format used to distribute and install applications and middleware on the Android operating system. To make an APK file, an Android program is first compiled and then all of its parts are packaged into one file. This holds all of the program's code (the .dex files), resources, assets, certificates and the manifest file. These files have a .apk extension, but they are just ZIP archives and can be extracted with WinRAR, WinZip or any unzip tool.

    Today we will look into the analysis of a malicious Android application. As usual in malware analysis, there are basically two kinds: static analysis and dynamic analysis. Many free tools are available on the internet. Here are a few that help with analyzing malicious Android applications.

    Static Analysis:
    Mobile Sandbox: provides static analysis of submitted APK samples through an easily accessible web interface.

    IDA Pro: the best-known disassembler and debugger among reverse engineers. It supports Android (Dalvik) bytecode from version 6.1 of the professional edition onwards.

    APKInspector: a powerful GUI tool for analysts to analyze Android applications.

    Dex2jar: a tool for converting Android's .dex format to Java's .class format (packaged as a .jar), so that ordinary Java decompilers can be used on the result.

    JD-GUI: a standalone graphical utility that displays decompiled Java source code for .class files. You can browse the reconstructed source in JD-GUI for instant access to methods and fields.

    Androguard: an Android reverse engineering toolkit (Python), which parses APK, DEX and binary XML files directly.

    Dexdump: a disassembler shipped with the Android SDK that dumps the classes, methods, strings and Dalvik bytecode of a .dex file.

    Dynamic Analysis:
    Droidbox: an Android application sandbox for dynamic analysis. The sandbox uses a static pre-check, dynamic taint analysis and API monitoring. Data leaks are detected by tainting sensitive data and placing taint sinks throughout the API. Additionally, by logging relevant API function parameters and return values, potential malware can be discovered and reported for further analysis.

    The Android SDK: a software development kit that enables developers to create applications for the Android platform. The Android SDK includes sample projects with source code, development tools, an emulator and the libraries required to build Android applications. Applications are written in Java and run on Dalvik, a custom virtual machine designed for embedded use that runs on top of a Linux kernel (later Android versions replaced Dalvik with ART, but the same .dex bytecode is used). Using the Android SDK we can create a virtual Android device (AVD) that is almost identical in functionality and capabilities to an Android phone, and using that virtual device as an isolated environment we can execute the malware and observe its behaviour. Keep in mind that the emulator is not a perfect sandbox: some malware checks for emulator artefacts (default IMEI, build properties) and stays dormant, so a sample that does nothing in the emulator is not necessarily harmless.

    Let us quickly perform a static analysis of an Android malware sample. Contagio has always been the top choice for grabbing malware samples, and Contagio Mini Dump is the newer place where you can get mobile malware samples. We have iMatch, a malicious Android application; we will look into the internals of the file and try to locate the malicious code. The very first step is to extract the iMatch.apk file, which can be done easily with WinRAR, WinZip or unzip.



    Now, to get a readable view of the source code, we convert the classes.dex file into a .jar file using the dex2jar toolkit.


    JD-GUI then lets us view the decompiled Java source of the class files in the .jar.


    Thereafter, we can go through the decompiled code thoroughly and look for malicious code and anything unexpected.


    While going through the classes IMatch and MJReciver, we noticed a few hard-coded phone numbers. Reading the surrounding code, we found a function written to send SMS messages to those numbers. Note that access to contacts, the network and so on is normal for Android applications as part of their features; what is suspicious here is code that sends SMS to numbers baked into the application itself.



    A quick Google search showed that those numbers were premium-rate SMS numbers. This means the malicious application sends premium-rate SMS from the user's phone, so the cyber crooks cheat the victims and earn money from every message. The chain is simple: malicious application downloaded -> installed on the phone -> once the application runs, it sends premium-rate SMS. So this was a quick malware analysis that can be practised to analyze malicious Android applications.
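    The manual workflow above (unzip the APK, find the strings, look for SMS sending and hard-coded numbers) can be front-loaded with a small triage script. The following is an added example written for this article, not code from the original post or from any of the tools listed above. It builds a constructed APK in memory (the iMatch sample is not included, and the short codes 12345 and 54321 are placeholders, not the real numbers), then carves printable strings from classes.dex and the binary AndroidManifest.xml the way the Unix `strings` command would, so it works before dex2jar and JD-GUI are even run. It is a first pass only: a real DEX string table is better read with androguard or dexdump, and numbers that are obfuscated or decrypted at runtime will not show up.

```python
"""Quick static triage of an APK without a decompiler: treat it as a ZIP,
carve printable strings out of classes.dex and the binary AndroidManifest.xml,
and flag SMS API references, the SEND_SMS permission and hard-coded short codes.

Added example for this article; it is not a tool from the original post. The
sample APK it builds is constructed in memory and is not the iMatch sample."""
import io
import re
import zipfile

# Dalvik-level markers of SMS sending (class descriptor and method names).
SMS_API_MARKERS = (
    b"Landroid/telephony/SmsManager;",
    b"sendTextMessage",
    b"sendMultipartTextMessage",
)
# Premium-rate short codes are typically 4-6 digits; a lone digit string of
# that length inside the DEX string table is worth a closer look.
SHORT_CODE = re.compile(rb"\+?\d{4,6}")


def carve_strings(data: bytes, min_len: int = 4):
    """Yield printable runs: plain ASCII (covers DEX MUTF-8 string_data) and
    UTF-16LE (the string pool of compiled binary XML such as AndroidManifest.xml)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group()[::2]  # drop the NUL high bytes of each UTF-16LE unit


def triage_apk(apk_bytes: bytes) -> dict:
    """Return what a manual unzip / dex2jar / JD-GUI pass would surface first."""
    report = {"files": [], "permissions": set(), "sms_api_refs": set(), "short_codes": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        report["files"] = zf.namelist()
        for name in report["files"]:
            if name == "AndroidManifest.xml":
                for s in carve_strings(zf.read(name)):
                    if s.startswith(b"android.permission."):
                        report["permissions"].add(s.decode("ascii"))
            elif name.endswith(".dex"):
                for s in carve_strings(zf.read(name)):
                    if any(marker in s for marker in SMS_API_MARKERS):
                        report["sms_api_refs"].add(s.decode("ascii"))
                    elif SHORT_CODE.fullmatch(s):
                        report["short_codes"].add(s.decode("ascii"))
    return report


def looks_like_premium_sms(report: dict) -> bool:
    """The iMatch pattern: permission to send SMS, code that calls the SMS API,
    and destination numbers baked into the binary."""
    return ("android.permission.SEND_SMS" in report["permissions"]
            and bool(report["sms_api_refs"])
            and bool(report["short_codes"]))


def _dex_string(s: str) -> bytes:
    # DEX string_data_item: ULEB128 length (UTF-16 units), MUTF-8 bytes, NUL.
    # ASCII only here and len < 128, so the length fits one byte.
    return bytes([len(s)]) + s.encode("utf-8") + b"\x00"


def build_sample_apk(malicious: bool = True) -> bytes:
    """Constructed stand-in for a real APK: a ZIP holding a minimal classes.dex
    string table and a minimal binary-XML string pool. The short codes 12345
    and 54321 are placeholders, not numbers from the real sample."""
    strings = ["Lcom/example/IMatch;", "Lcom/example/MJReciver;", "onReceive", "Hello"]
    perms = ["android.permission.INTERNET", "android.permission.READ_CONTACTS"]
    if malicious:
        strings += ["Landroid/telephony/SmsManager;", "sendTextMessage", "12345", "54321"]
        perms.append("android.permission.SEND_SMS")
    dex = b"dex\n035\x00" + b"\x00" * 24 + b"".join(_dex_string(s) for s in strings)
    manifest = b"\x03\x00\x08\x00" + b"".join((p + "\x00").encode("utf-16-le") for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("suspicious", build_sample_apk()), ("benign", build_sample_apk(False))):
        rep = triage_apk(apk)
        print(label, rep, "->", "PREMIUM SMS PATTERN" if looks_like_premium_sms(rep) else "nothing flagged")
```

    Replace `build_sample_apk()` with the bytes of a real .apk to triage it. The markers are matched with `in` rather than equality on purpose: for DEX strings longer than 31 characters the ULEB128 length prefix is itself a printable byte, so a carved run may carry one leading junk character. The verdict function only ranks a sample for closer inspection; confirming that the numbers are premium-rate, as the article does with a web search, is still a manual step.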
    This article was originally published in the blog post "Performing Android malware analysis", started by prashant_uniyal.