Downloaded 58 times
![End
• contact info:
@rossja
jason.ross [at] intrepidusgroup [dot] com](https://image.slidesharecdn.com/androidmalwareanalysis-170117171256/85/Android-malware-analysis-38-320.jpg)
Uploaded byJason Ross
Android malware analysis
The document is a presentation by Jason Ross on Android malware analysis, highlighting the increasing prevalence and complexity of Android malware and the challenges it poses for security. It provides insights into various tools and methods for analyzing malware, including network, runtime, and static analysis techniques. Additionally, it discusses the importance of understanding mobile security in the context of corporate environments and presents a range of resources for effective malware analysis.
More Related Content
![Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/apachesparkgettingstarted-260203175547-8361bcc3-thumbnail.jpg?width=640&height=640&fit=bounds)
Android malware analysis
- 1.
- 2. about me • seniorconsultant @intrepidusgroup • member of @dragonresearch • contribute to OWASP mobile project • point-of-contact for defcon group 585
- 3. agenda • why mobile/ android / malware • tools • analysis
- 4. why mobile? • eBayannounced that it expects over $7 billion USD via mobile in 2011 • 41% of smartphone users have made a purchase using their mobile devices
- 5.
- 6. why malware analysis? a)‘bring your own device’ policies b) lack of effective/enforceable security c) mobile devices access corp. resources a + b + c = ZOMG!
- 7. current state • androidmalware increasing • payloads getting more interesting • infection routines becoming complex • infected apps in official & 3rd party markets
- 8. what is malwaredoing?
- 9. How can Iget samples? • open mobile malware repositories • official android market place • third party markets
- 10. challenges • it’s nota PC • antivirus won’t protect you
- 11. it’s not aPC • got root? • less control over the environment • not necessarily able to intercept traffic
- 12.
- 13.
- 14. tools • generally fallinto 3 categories: – “i can show you the network traffic” – “i can unpack your APK for you” – “i can turn dex back into java classes” • fourth category starting to emerge: – “i can tell you what’s happening on the device”
- 15. network based • pptpd •native sdk tools • mallory
- 16. pptpd • setting uppptpd for VPN – pptp config – ppp config – chap-secrets
- 17. mallory • what ismallory? • how is it helpful?
- 18. setting up mallory •grab ubuntu • run the installer script • start intercepting traffic
- 19. mallory configuration • newand improved
- 20. runtime • emulator – installingmalicious APK – using a proxy to monitor application traffic – reverting to clean image state
- 21. static • SDK – DDMS •andbug • androguard • apktool • ded • dexid • dex2jar
- 22. packages • APKs arestored in several places: – /data/app – /data/app-private – /system/app • You may need to have a rooted device to access some of these locations. • APK =~ /ZIP/
- 23. directories • assets: images andstuff • META-INF: various items (MANIFEST.MF, certs, etc.) • res: layout and screen information • classes.dex: the compiled smali classes • AndroidManifest.xml: android manifest (application perms, etc.)
- 24.
- 25.
- 26. android live CD •there really is one • i’ve run it in virtualbox • it’s exactly as clumsy to use as it sounds
- 27. android livecd (screenshot) SuperMario Bros included for great justice?
- 28. malware analysis liveCDs • REMnux, by Lenny Zeltser (http://zeltser.com/remnux/) – Ubuntu based live CD, preloaded with many malware analysis tools • A.R.E (http://www.honeynet.org/node/783) – Virtualbox image preloaded with Android analysis tools. One of the best ways to get Androguard working.
- 29. devices • installing maliciousAPK • using mitm to monitor application traffic • reverting to clean image state?
- 30. static • overview ofAndroid application layout – Manifest.xml – res directory – assets directory – strings.xml – other data
- 31. this isn’t thexml you’re looking for AndroidManifest.xml is stored as “binary” data use apktool to get it back into a readable format: > apktool d file.apk outputdir
- 32. apktool • “decompiles” the classes •classes.dex file becomes the smali directory follow the com.foo.trail to get to the .smali files
- 33. smali: java +assembly (whee) • variables get assigned sequential numeric names • this can make the code tough to follow
- 34.
- 35. others • ded • dexid •andbug • androguard
- 36. OK, i have.class, now what? • jd-gui • apkinspector
- 37. automation • scripts tomanipulate the emulator environment • scripts to manipulate 'bare metal' devices
- 38. End • contact info: @rossja jason.ross[at] intrepidusgroup [dot] com
Editor's Notes
- #3 if you need notes on the ‘about me’ slide, ur doin’ it wrong.
- #5 “PayPal continued to demonstrate strength in mobile payments and now expects more than $3 billion in mobile TPV [net total payment volume] this year, compared to $750 million in 2010 … The company remains on track to double eBay's mobile GMV [gross merchandise volume] including vehicles to over $4 billion in 2011” – eBay Q2 financial statement (July 20, 2011): http://www.ebayinc.com/press_releases#20110720006938 41% of smartphone users have made a purchase using their mobile device – http://www.internetretailer.com/2011/06/15/irce-2011-report-more-mobile-devices-means-more-shopping “InMobi surveyed 15,000 mobile users in 14 countries about their shopping habits. Responses indicated that mobile shopping is already commonplace among a significant number of Americans, with 74 million consumers in the United States out of the total pool of 310 million consumers currently shopping on their mobile phone.” – InMobi Study: http://www.mobilecommercedaily.com/2011/04/29/mobile-shopping-sales-volume-to-reach-9b-in-2011-study
- #6 WebOS no longer exists since HP has killed its TouchPad product line. Symbian has been discontinued as Nokia switches to WM7. image taken from: http://www.pcworld.com/article/226339/android_market_share_growth_accelerating_nielsen_finds.html
- #8 https://paulsparrows.wordpress.com/2011/08/11/one-year-of-android-malware-full-list/