This presentation will demonstrate a complete end-to-end analysis of an Android bot. This will include the decompilation and static analysis of bot code and the dynamic analysis of the bot’s behavior in a controlled sandboxed environment. The session will provide details of the lab environment and tools used for the analysis. (Source: RSA USA 2016-San Francisco)

1. SESSION ID:
#RSAC
Kevin McNamee
How to Analyze an Android Bot
MBS-R02
Nokia Threat Intelligence Lab
@KevMcNamee

2. #RSAC
Agenda
2
Introduction
Tools
The Lab
Demo
Q&A

3. #RSAC
Why Analyze Android Malware
3
We monitor mobile traffic
for malware infections
Malware C&C
Exploits
DDOS
Hacking
Need accurate detection
rules
RAN
GGSN/PGW
Malware Detection
Sensor
Alert
Aggregation
& Analysis
MOBILE NETWORK SECURITY ANALYTICS
Forensic Analysis
SGSN
RNC
NodeB
eNodeB
SGW
Internet

4. #RSAC
Developing Malware Detection Rules
4
MALWARE
SAMPLES
VIRUS VAULT
• 120K+ ANALYZED
PER DAY
• 30M+ Active samples
SANDBOX
MALWARE
TRAFFIC
LIBRARY
RULES REPOSITORY
QUALITY
TESTING
DEPLOYMENT-SPECIFIC
RULE SETS
RULE ACTIVATION
RULES
DEVELOPMENT RULES LIBRARY
FIELD TESTING IN
LIVE NETWORKS
FEEDBACK
FROM FIELD
TESTS
TRAFFIC
POLICY
ZERO DAY
BEHAVIORAL
RULES

5. #RSAC
Android Malware Analysis
5
So, we built our own Android malware analysis lab
You will learn
What tools are required
How to set up the network environment
How they are used
Analysis allows you to:
Know what the malware does
Understand its threat level
Detect and remediate the infection

6. #RSAC
Android App
6
Contained in APK file (zip format)
Main components include:
Manifest
Dalvik byte code (classes.dex file)
Resources
Assets
Libraries

7. #RSAC
Basic Analysis Process
7
Explore what’s in APK file
Decompile DEX and review source
Run app on phone or AVD & capture network activity

8. #RSAC
Tools – Android Studio
8
If you are going to analyze apps
you have to know a bit about
how they are made…
Also provides many of the tools
needed for analysis…
ADB (debugging)
AVD (simulated phones)

9. #RSAC
Tools – Apktool
9
Tool for reverse engineering
Android packages (apk files)
Extract components
Manifest, Resources, Libraries,
Assets, Byte-code (Smali)
Can edit and modify
components
Rebuild modified app

10. #RSAC
Tools – ADB
10
Android Debug Bridge
Comes with Android Studio
Provides:
Shell access
Access to file system
Scripted remote control
Application Install/Uninstall

11. #RSAC
Tools – dex2jar
11
Converts Dalvik byte code to Java
byte code
First step in de-compiling an
Android app.

12. #RSAC
Tools – Java Decompiler
12
Converts Java byte code to
source code.
Doesn’t always work 
Options include:
JD-GUI
Luyten (Procyon)

13. #RSAC
Tools – WireShark
13
Capture and network traffic
Analyze network traffic
Help develop detection rules

14. #RSAC
The Lab
14
Internet
Control Server
ADB/USB
wifi
Malware
Packet Capture

15. 15

16. 16

17. 17

18. #RSAC
Using a Real Mobile Network
18
Some malware may only function on a real mobile network
You can build your own mobile network.
Internet
GPRS ETHETH
BTS
Linux
OpenBSC
OsmoSGSN
OpenGGSN

19. #RSAC
Automation
19
We have automated the analysis process using:
Web based user interface
Real phones and AVDs
Malware database
APKtool/Dex2Jar/GD-GUI
ADB scripting
Monkey Script
WireShark
Interface to Virus Total

20. 20
Provides a name

21. 21
Information from
Manifest

22. 22
Run Sample in AVD

23. 23
Analyze Network Traffic

24. #RSAC
Manual Demo – NotCompatible Proxy Bot

25. 25
Disassemble APK

26. 26
Directory structure
created by apktool
Disassembled Dex
in Smali format

27. 27
Permissions
Intents
View Manifest

28. 28
Unzip APK file
Convert to JAR

29. 29
Config file is encrypted
using AES
View the Java source

30. 30
C&C Decoder

31. 31
C&C Decoder
If you don’t like Java
you can look at the
Smali code.
It can be modified
and the APK can be
rebuilt using
apktool

32. 32
Ping/Pong
C&C packet
capture
Proxy Request
Data

33. #RSAC
NotCompatible - Overview
Web Proxy Bot ported from
Windows to Android
environment.
Allows remote miscreants to
anonymously browse the web
through the victim’s phone.
Consumes lots of bandwidth, for
example 165MB in two hours over
300K TCP sessions

34. #RSAC
NotCompatible – Infection
Phishing spam is used to lure the victim to
an infected web site.
Web site tells you the browser is “not
compatible” and provides an update.
The user downloads and installs update.apk
Malware has no icon or user interface. It is
automatically started on BOOT.
You can get rid of the infection by
uninstalling the application.

35. #RSAC
NotCompatible – Operation
Opens an encrypted configuration file
containing the address and port
number of the server.
The bot connects to the server via TCP.
Sophisticated command and control
protocol is then used to multiplex Web
proxy services over that connection.
This provides an anonymous web
browsing services to clients.

36. #RSAC
NotCompatible – Command & Control
Simple command/response packet
format contains both commands and
data.
Channel number can multiplex many
connection at once.
The ping and pong are used as a
heartbeat when there is no proxy work
to be done.
Once a proxy request is issued the
“raw data” commands are used to
transfer the data in either direction.
Packet format:
Commands:

37. #RSAC
NotCompatible – Uses & Impact
Uses
Anonymous Web Browsing Service
Providing Access to Restricted Foreign Content
Ad-Click Fraud
Web Site Optimization Fraud
APT Probing and Exfiltration
Impact
One user from Finland, roaming in the US, used over 165MBytes in less than two hours of airtime.
In the lab it averages 100MBytes per hour.
Causes huge data bills
Caused the battery to run down quickly
Who knows what sites your phone in visiting!!!

38. #RSAC
Summary
38
Android malware analysis enables you to:
Know what the malware does
Understand the threat level
Detect and remediate the infection
You should now know:
What tools are required
How to set up the network environment
How to use the tools

39. #RSAC
39
Questions?
Email: kevin.mcnamee@nokia.com
Twitter: @KevMcNamee