Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System

How to Analyze an App in Real Time?



  1. Android Security Development PART 2 – Malicious Android App Dynamic Analyzing System. SEAN
  2. Sean • Developer • erinus.startup@gmail.com • https://www.facebook.com/erinus
  3. You Need...
     • Hardware
       • Phone
         • Google Nexus 4
         • Google Nexus 5
       • Tablet
         • Google Nexus 7
         • Google Nexus 9
  4. You Still Need...
     • Software
       • Virtual Machine
         • VMware Workstation
         • VirtualBox
       • Operating System
         • Ubuntu Desktop 14.04
  5. Build Nexus 5 Image
  6. [1] Install Ubuntu 14.04
     # create user named "user"
     > sudo apt-get update
     > sudo apt-get install vim less gcc g++ make build-essential binutils wget ssh openssh-server openssh-client zip unzip perl python rsync git openssl
     > sudo apt-get upgrade
     > sudo apt-get dist-upgrade
     > sudo apt-get autoclean
     > sudo apt-get autoremove
     > sudo rm -f /var/cache/apt/archives/*.deb
  7. [2] Build Environment for 4.x
     > sudo apt-get install git gnupg flex bison gperf build-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 libgl1-mesa-dev gcc-multilib g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
     > sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so
     > sudo apt-get install python-software-properties
     > sudo add-apt-repository ppa:webupd8team/java
     > sudo apt-get update
     > sudo apt-get install oracle-java6-installer
  8. [2] Build Environment for 5.x
     > sudo apt-get install git gnupg flex bison gperf build-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 libgl1-mesa-dev gcc-multilib g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
     > sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so
     > sudo apt-get install openjdk-7-jdk
  9. [3] AOSP Environment
     > cd ~
     > mkdir ~/aosp
     > mkdir ~/aosp/bin
     > PATH=~/aosp/bin:$PATH
     > curl https://storage.googleapis.com/git-repo-downloads/repo > ~/aosp/bin/repo
     > chmod a+x ~/aosp/bin/repo
     > git config --global user.email "user@USER"
     > git config --global user.name "user"
  10. [4] Download AOSP
     > mkdir ~/aosp/src
     > cd ~/aosp/src
     > repo init -u https://android.googlesource.com/platform/manifest -b android-4.4.4_r2.0.1
     > sudo sysctl -w net.ipv4.tcp_window_scaling=0
     # -jN: N is the number of threads (cores) to use
     > repo sync -j1
  11. [6] Download Nexus 5 Driver
     > cd ~/aosp/src
     > wget https://dl.google.com/dl/android/aosp/broadcom-hammerhead-ktu84p-5a5bf60e.tgz
     > wget https://dl.google.com/dl/android/aosp/lge-hammerhead-ktu84p-49419c39.tgz
     > wget https://dl.google.com/dl/android/aosp/qcom-hammerhead-ktu84p-f159eadf.tgz
     > tar xzvf broadcom-hammerhead-ktu84p-5a5bf60e.tgz
     > tar xzvf lge-hammerhead-ktu84p-49419c39.tgz
     > tar xzvf qcom-hammerhead-ktu84p-f159eadf.tgz
  12. [7] Import Nexus 5 Driver
     > cd ~/aosp/src
     > ./extract-broadcom-hammerhead.sh
     > ./extract-lge-hammerhead.sh
     > ./extract-qcom-hammerhead.sh
  13. [5] Build AOSP
     > cd ~/aosp/src
     > source build/envsetup.sh
     > lunch aosp_hammerhead-userdebug
     > make -j1
  14. [8] Download Android SDK
     • Android SDK Platform-tools
     • SDK Build-tools
  15. [9] Flash Image Onto Device
     > export ANDROID_PRODUCT_OUT=/home/user/aosp/src/out/target/product/hammerhead
     > fastboot erase boot
     > fastboot erase cache
     > fastboot erase recovery
     > fastboot erase system
     > fastboot erase userdata
     > fastboot flash boot boot.img
     > fastboot flash cache cache.img
     > fastboot flash recovery recovery.img
     > fastboot flash system system.img
     > fastboot flash userdata userdata.img
  16. The Walking Deadveloper Orz...
  17. Find Java Base Class Library: libcore/luni/src/main/java
  18. Find Android Base Class Library: frameworks/base/core/java
  19. Find Android ADB: system/core/adb
  20. Android Image Modification
     > source build/envsetup.sh
     > lunch aosp_hammerhead-userdebug
     > make update-api
     > make -j1
  21. Android ADB Modification
     # Build for Windows
     > sudo apt-get install mingw-w64
     > cd ~/aosp/src
     > make USE_MINGW=yes adb showcommands
     # Build for Linux
     > cd ~/aosp/src
     > make adb showcommands
  22. Customize Logcat
  23. [1] Start...
     1. Android developers use "Log.d / Log.e / ..." to write log messages. http://developer.android.com/reference/android/util/Log.html
     2. So, monitor "Log.d / Log.e / ..."? No, it's not enough! Why?
  24. [2] Base Knowledge
     3. Android Architecture: Log.d ?
  25. [3] View Source Code
     4. Android Source Online: https://android.googlesource.com
     5. Search Android Source Online: http://code.metager.de/source/xref/android/4.4/ and http://grepcode.com/project/repository.grepcode.com/java/ext/com.google.android/android
  26. [4] Where?
     6. Search Possible Occurrence
  27. [4] Where?
     7. System.java
  28. [4] Where?
     7. System.java (screenshot: click through to the source)
  29. [5] Got You!
     8. System.java
  30. [6] Java – JNI – C++
     9. Java: /libcore/luni/src/main/java/java/ ; JNI: /libcore/luni/src/main/native/
  31. [7] JNI – C++
     10. java_lang_System.cpp
  32. [8] Modify...
     11. Patch java_lang_System.cpp
  33. [8] Modify...
     11. Patch java_lang_System.cpp (screenshot: added lines)
  34. [8] Modify...
     11. Patch java_lang_System.cpp (screenshot: added lines)
  35. [8] Modify...
     11. Patch java_lang_System.cpp (screenshot: modified lines)
  36. [8] Modify...
     11. Patch java_lang_System.cpp
  37. [9] Modify...
     12. Patch System.java
  38. [9] Modify...
     12. Patch System.java (screenshot: added lines)
  39. [9] Modify...
     12. Patch System.java: create customized function appsandbox(String) (screenshot: added lines)
  40. [10] Output
     > adb logcat -v long appsandbox:V *:S > adb.log
     # appsandbox:V means "Verbose for Tag:appsandbox"
     # *:S means "Silence for Other Tags"
  41. Dive Into Source
  42. First
  43. PID
  44. [1] Why I Need PID?
     1. When you try to get the package, you get the package name of the place you were called from, not the package name of the app! (e.g. com.td.bookshelf.provider vs. com.td.bookshelf)
  45. [2] Get PID
     2. import android.os.Process; (/frameworks/base/core/java/android/os/Process.java)
  46. [2] Get PID
     3. Process.myPid();
  48. [3] Application
     4. import android.app.Application; (/frameworks/base/core/java/android/app/Application.java)
  49. [3] Inject Code
     5. Monitor onCreate()
  50. [3] Inject Code
     6. Monitor onTerminate()
  51. Second
  52. IO Stream
  53. [1] Find Base Class
     1. import java.io.InputStream; (/libcore/luni/src/main/java/java/io/InputStream.java)
     2. import java.io.OutputStream; (/libcore/luni/src/main/java/java/io/OutputStream.java)
  54. [2] What Is Necessary?
     3. Monitor InputStream
  55. [2] What Is Necessary?
     4. Monitor OutputStream
  56. Third
  57. Network
  58. [1] Find Base Class
     1. import java.net.URL; (/libcore/luni/src/main/java/java/net/URL.java)
     2. import java.net.URI; (/libcore/luni/src/main/java/java/net/URI.java)
  59. [2] What Is Necessary?
     3. Monitor URL: hook the constructor
  61. [2] What Is Necessary?
     4. Monitor URI: hook the constructor
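The appsandbox log stream captured on slide 40 and the PID-based attribution argued on slides 44-50 can be post-processed off the device. The following is an added example, not code from the deck or its author: it parses `adb logcat -v long` output for the appsandbox tag and attributes each hooked event (Application onCreate/onTerminate, IO stream, URL) to the app package through the PID recorded at onCreate. The header layout is logcat's real long format; the key=value message body, the event names and the sample records are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `adb logcat -v long appsandbox:V *:S` output.  The "[ ... ]"
# header is logcat's long format; the key=value message body is an ASSUMED layout for
# what the patched appsandbox(String) emits, not the deck's real format.
SAMPLE_LOG = """\
[ 01-02 03:04:05.100  1234: 1234 V/appsandbox ]
event=onCreate pkg=com.td.bookshelf pid=1234

[ 01-02 03:04:05.200   600:  700 I/ActivityManager ]
Start proc com.td.bookshelf for activity com.td.bookshelf/.MainActivity

[ 01-02 03:04:05.300  1234: 1250 V/appsandbox ]
event=URL pid=1234 value=http://example.invalid/api

[ 01-02 03:04:06.000  1300: 1300 V/appsandbox ]
event=URL pid=1300 value=http://example.invalid/other

[ 01-02 03:04:07.000  1234: 1234 V/appsandbox ]
event=onTerminate pkg=com.td.bookshelf pid=1234
"""

# Header line of `logcat -v long`: "[ MM-DD HH:MM:SS.mmm  PID:  TID P/TAG ]".
HEADER = re.compile(r"^\[ (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+):\s*"
                    r"(?P<tid>\d+)\s+(?P<prio>[VDIWEF])/(?P<tag>\S+)\s*\]$")

def parse_long_logcat(text, tag="appsandbox"):
    """Return (ts, pid, tid, message) for every record carrying `tag`; others are dropped."""
    records = []
    for block in text.split("\n\n"):            # long-format records are blank-line separated
        head, _, body = block.partition("\n")
        m = HEADER.match(head)
        if m and m.group("tag") == tag:
            records.append((m.group("ts"), int(m.group("pid")), int(m.group("tid")), body.rstrip("\n")))
    return records

def attribute_events(records):
    """Group hook events per app package, keyed by the PID logged at Application.onCreate():
    inside a hook the package name you can read is the caller's, not the app's (slide 44)."""
    pid_to_pkg, per_pkg = {}, defaultdict(list)
    for ts, pid, _tid, msg in records:
        ev = dict(f.partition("=")[::2] for f in msg.split())   # assumed key=value body
        if ev.get("event") == "onCreate":
            pid_to_pkg[pid] = ev.get("pkg", "<unknown>")
        per_pkg[pid_to_pkg.get(pid, "<unknown>")].append((ts, ev.get("event"), ev.get("value")))
        if ev.get("event") == "onTerminate":
            pid_to_pkg.pop(pid, None)          # the PID may later be reused by another app
    return dict(per_pkg)
```

Events from a PID that never logged an onCreate (here PID 1300) land under "<unknown>", which is exactly the gap the Application hooks on slides 49-50 are meant to close.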
  62. Demo
  63. Interested In This? Join Me!
  64. Next Part
  65. Malicious Android App Static Analysis
