Android malware analysis

Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.

  1. jason ross: android malware analysis
  2. about me • senior consultant @intrepidusgroup • member of @dragonresearch • contribute to OWASP mobile project • point-of-contact for defcon group 585
  3. agenda • why mobile / android / malware • tools • analysis
  4. why mobile? • eBay announced that it expects over $7 billion USD via mobile in 2011 • 41% of smartphone users have made a purchase using their mobile devices
  5. why android?
  6. why malware analysis? a) ‘bring your own device’ policies b) lack of effective/enforceable security c) mobile devices access corp. resources a + b + c = ZOMG!
  7. current state • android malware increasing • payloads getting more interesting • infection routines becoming complex • infected apps in official & 3rd party markets
  8. what is malware doing?
  9. How can I get samples? • open mobile malware repositories • official android market place • third party markets
  10. challenges • it’s not a PC • antivirus won’t protect you
  11. it’s not a PC • got root? • less control over the environment • not necessarily able to intercept traffic
  12. antivirus won’t protect you
  13. process • network • runtime • static
  14. tools • generally fall into 3 categories: – “i can show you the network traffic” – “i can unpack your APK for you” – “i can turn dex back into java classes” • fourth category starting to emerge: – “i can tell you what’s happening on the device”
  15. network based • pptpd • native sdk tools • mallory
  16. pptpd • setting up pptpd for VPN – pptp config – ppp config – chap-secrets
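The three files slide 16 names, filled in as an added example (the deck itself only lists their names; this is not the presenter's config). The idea is that the phone dials a PPTP VPN on the lab box, so every packet it sends, Wi-Fi or 3G, crosses an interface you control and can capture or hand to a MITM proxy. The 192.168.99.0/24 addressing, the username `sample1` and the secret are assumptions; pick a throwaway credential, because the device under test is assumed to be compromised.

```conf
# /etc/pptpd.conf : the endpoint the phone dials in to
option /etc/ppp/pptpd-options
# server side of the tunnel (assumed addressing)
localip 192.168.99.1
# pool handed out to connecting devices; one address per phone under test
remoteip 192.168.99.100-110

# /etc/ppp/pptpd-options : pppd options applied to each tunnel
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# MPPE only protects the hop between phone and lab box; it does not hide
# anything from you, since you are the other end of the tunnel
require-mppe-128
# push the lab box as resolver so DNS lookups are captured as well
# (run dnsmasq or similar on 192.168.99.1, or substitute a real resolver)
ms-dns 192.168.99.1
proxyarp
nodefaultroute
lock
nobsdcomp
# log the negotiation to syslog while getting the phone to connect
debug

# /etc/ppp/chap-secrets : client  server  secret  IP
# throwaway lab credential (assumed); never reuse a real account here
sample1   pptpd   "lab-only-secret"   *
```

The server also has to forward the phone's traffic: enable `net.ipv4.ip_forward=1` with sysctl, add an `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` rule for the uplink interface, and capture on the tunnel side with `tcpdump -i ppp0 -w sample.pcap` (or point the forwarding at mallory, as the next slides do). On the phone, add the VPN under Settings with the same username and secret, and check that its default route really goes through the tunnel before trusting the capture.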
  17. mallory • what is mallory? – a transparent TCP/UDP man-in-the-middle proxy from Intrepidus Group • how is it helpful? – it sits on the gateway the phone's traffic already crosses (the pptpd box), so you see and can modify the application's traffic without changing anything on the device
  18. setting up mallory • grab ubuntu • run the installer script • start intercepting traffic
  19. mallory configuration • new and improved
  20. runtime • emulator – installing malicious APK – using a proxy to monitor application traffic – reverting to clean image state
  21. static • SDK – DDMS • andbug • androguard • apktool • ded • dexid • dex2jar
  22. packages • APKs are stored in several places: – /data/app – /data/app-private – /system/app • You may need to have a rooted device to access some of these locations. • APK =~ /ZIP/
  23. directories • assets: raw files bundled with the app (images and other data, read as-is at runtime) • META-INF: signing data (MANIFEST.MF, CERT.SF, CERT.RSA or CERT.DSA) • res: compiled resources (layouts, drawables, strings) • classes.dex: the compiled Dalvik bytecode, every class of the app in one file; this is what apktool disassembles into smali and what dex2jar converts back to .class files • AndroidManifest.xml: android manifest (application perms, components, etc.), stored as binary XML rather than text
  24. droidbox
  25. taintdroid
  26. android live CD • there really is one • i’ve run it in virtualbox • it’s exactly as clumsy to use as it sounds
  27. android livecd (screenshot) Super Mario Bros included for great justice?
  28. malware analysis live CDs • REMnux, by Lenny Zeltser (http://zeltser.com/remnux/) – Ubuntu based live CD, preloaded with many malware analysis tools • A.R.E (http://www.honeynet.org/node/783) – Virtualbox image preloaded with Android analysis tools. One of the best ways to get Androguard working.
  29. devices • installing malicious APK • using mitm to monitor application traffic • reverting to clean image state?
  30. static • overview of Android application layout – Manifest.xml – res directory – assets directory – strings.xml – other data
  31. this isn’t the xml you’re looking for • AndroidManifest.xml is stored as “binary” XML (aapt compiles it; the tag and attribute names live in a string pool at the front of the file) • use apktool to get it back into a readable format: > apktool d file.apk outputdir (apktool 1.x syntax as used at the time; current releases take -o outputdir)
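A first-pass triage script for slides 22, 23 and 31, added here as an example (not code from the talk): it treats the APK as the ZIP it is, checks that classes.dex carries the dex magic, notes which signer blocks are in META-INF, and reads the permission strings straight out of the binary manifest's string pool, which is enough to answer "does this thing ask for SEND_SMS?" before apktool has even run. The sample APK is constructed in memory (a fake dex header and a manifest consisting of the XML header plus a string pool) so it runs offline; a real file pulled with `adb pull /data/app/com.foo.apk` goes through `triage_apk(path)` the same way.

```python
"""Triage an APK as a ZIP: entries, dex magic, signer files, manifest string pool.
Added example; the sample APK built by build_sample_apk() is constructed, not real."""
import hashlib
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\0"        # dex file magic of the era (version 035)
RES_XML_TYPE = 0x0003            # ResXMLTree_header chunk type
RES_STRING_POOL_TYPE = 0x0001    # ResStringPool_header chunk type
UTF8_FLAG = 0x100                # string pool flag: strings are UTF-8, not UTF-16


def encode_string_pool(strings):
    """Build a UTF-16 ResStringPool chunk, the layout aapt emits for a manifest."""
    data, offsets = b"", []
    for s in strings:
        offsets.append(len(data))                       # offsets are relative to stringsStart
        data += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\0\0"
    while len(data) % 4:                                # chunks are 4-byte aligned
        data += b"\0"
    header_size = 28
    strings_start = header_size + 4 * len(strings)      # header, then the offset table
    hdr = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, header_size,
                      strings_start + len(data), len(strings), 0, 0, strings_start, 0)
    return hdr + b"".join(struct.pack("<I", o) for o in offsets) + data


def encode_axml(strings):
    """Minimal binary XML: ResXMLTree_header (type 3, headerSize 8) + string pool."""
    pool = encode_string_pool(strings)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool


def axml_strings(blob):
    """Decode the string pool of a binary AndroidManifest.xml (UTF-16 or UTF-8)."""
    if struct.unpack_from("<H", blob, 0)[0] != RES_XML_TYPE:
        raise ValueError("not binary XML (already decoded by apktool?)")
    pos = struct.unpack_from("<H", blob, 2)[0]          # first chunk follows the header
    ctype, hsize, _size, count, _styles, flags, sstart, _ = struct.unpack_from("<HHIIIIII", blob, pos)
    if ctype != RES_STRING_POOL_TYPE:
        raise ValueError("expected string pool chunk, got 0x%04x" % ctype)
    offsets = struct.unpack_from("<%dI" % count, blob, pos + hsize)
    out = []
    for off in offsets:
        p = pos + sstart + off
        if flags & UTF8_FLAG:                           # u16 char count, then u8 byte length
            p += 2 if blob[p] & 0x80 else 1
            n = blob[p]
            if n & 0x80:
                n, p = ((n & 0x7F) << 8) | blob[p + 1], p + 2
            else:
                p += 1
            out.append(blob[p:p + n].decode("utf-8"))
        else:                                           # u16 char count (two u16 if long)
            n = struct.unpack_from("<H", blob, p)[0]
            p += 2
            if n & 0x8000:
                n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", blob, p)[0]
                p += 2
            out.append(blob[p:p + 2 * n].decode("utf-16-le"))
    return out


def triage_apk(apk):
    """apk is a path or file-like object. Returns the facts a first look needs."""
    facts = {"entries": [], "dex_ok": False, "manifest_binary": False,
             "permissions": [], "signed_by": []}
    with zipfile.ZipFile(apk) as z:
        facts["entries"] = z.namelist()
        facts["signed_by"] = [n for n in facts["entries"]
                              if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA"))]
        if "classes.dex" in facts["entries"]:
            dex = z.read("classes.dex")
            facts["dex_ok"] = dex[:8] == DEX_MAGIC
            facts["dex_sha256"] = hashlib.sha256(dex).hexdigest()   # hash the code, not the ZIP
        if "AndroidManifest.xml" in facts["entries"]:
            man = z.read("AndroidManifest.xml")
            facts["manifest_binary"] = man[:2] == struct.pack("<H", RES_XML_TYPE)
            if facts["manifest_binary"]:
                facts["permissions"] = sorted(s for s in axml_strings(man)
                                              if s.startswith("android.permission."))
    return facts


def build_sample_apk():
    """Constructed stand-in for a market sample: the usual entries, fake contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", encode_axml([
            "manifest", "package", "com.foo.trail", "android.permission.SEND_SMS",
            "android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED"]))
        z.writestr("classes.dex", DEX_MAGIC + b"\0" * 0x68)      # header-sized, no code
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")               # truncated PKCS#7 DER
        z.writestr("res/layout/main.xml", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print("%-16s %s" % (key, value))
```

Only the string pool is parsed here; which permission is actually declared in a `<uses-permission>` element versus merely present in the pool still needs apktool's decoded manifest. For triage that distinction rarely matters, and the string pool also surfaces component names and intent filters a packer did not bother to hide.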
  32. apktool • disassembles (rather than decompiles) the classes • classes.dex becomes the smali directory, one .smali file per class – follow the com/foo/trail/ path to get to the .smali files
  33. smali: java + assembly (whee) • locals are Dalvik registers with sequential names (v0, v1, … for locals, p0, p1, … for method parameters), so the original variable names are gone • this can make the code tough to follow; the const-string literals and the invoke-* targets are the parts to read first
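Since smali is hard to read by eye, the first pass over an apktool output tree is usually a grep for the API calls that matter. Below is an added example of that pass (not a tool from the talk): it walks the `.smali` files, records every `invoke-*` whose target is on a small watchlist, and attaches the `const-string` literals loaded earlier in the same method, because those are usually the arguments (destination number, message body, command line). The smali sample is constructed to resemble baksmali output for a premium-SMS sender; the watchlist is a starting point, not a signature set.

```python
"""Scan smali (apktool output) for watch-listed API calls with string context.
Added example; SAMPLE_SMALI is constructed, not taken from a real sample."""
import os
import re

# Dalvik descriptors: Lpackage/Class;->method
WATCHLIST = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "sends SMS (premium-rate fraud)",
    "Landroid/telephony/SmsManager;->sendDataMessage": "sends binary SMS",
    "Ljava/lang/Runtime;->exec": "runs a native command (su / root exploit)",
    "Ldalvik/system/DexClassLoader;-><init>": "loads code at runtime",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "reads the IMEI",
    "Landroid/telephony/TelephonyManager;->getLine1Number": "reads the phone number",
}

# invoke-virtual {v0, v1}, Lclass;->name(args)ret   or   invoke-virtual/range {v2 .. v7}, ...
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*(L[^;]+;->[^(]+)\(")
# const-string v3, "literal"   (v-registers are locals, p-registers are parameters)
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')


def scan_smali(text):
    """One finding per watch-listed call, with the literals loaded so far in that method."""
    findings, cls, method, strings = [], None, None, []
    for line in text.splitlines():
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method, strings = line.split()[-1], []     # new method: reset string context
        elif line.startswith(".end method"):
            method = None
        m = CONST_STR_RE.match(line)
        if m:
            strings.append(m.group(1))
            continue
        m = INVOKE_RE.match(line)
        if m and m.group(1) in WATCHLIST:
            findings.append({"class": cls, "method": method, "api": m.group(1),
                             "why": WATCHLIST[m.group(1)], "strings": list(strings)})
    return findings


def scan_tree(root):
    """Walk apktool's smali/ directory and scan every .smali file in it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    for hit in scan_smali(f.read()):
                        hit["file"] = path
                        results.append(hit)
    return results


SAMPLE_SMALI = """\
.class public Lcom/foo/trail/SmsService;
.super Landroid/app/Service;

.method public onStart(Landroid/content/Intent;I)V
    .locals 8
    const-string v3, "1234"
    const/4 v4, 0x0
    const-string v5, "GO"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v2
    const/4 v6, 0x0
    const/4 v7, 0x0
    invoke-virtual/range {v2 .. v7}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method

.method private escalate()V
    .locals 2
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const-string v1, "su"
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    return-void
.end method
"""

if __name__ == "__main__":
    for hit in scan_smali(SAMPLE_SMALI):
        print("%s %s -> %s (%s) strings=%s" % (hit["class"], hit["method"],
                                                hit["api"], hit["why"], hit["strings"]))
```

Run `scan_tree("outputdir/smali")` on the directory apktool produced. The string context is a heuristic: a literal loaded in the method is not necessarily the one passed to the call, and obfuscated samples build their strings at runtime, which is where the runtime tools (droidbox, taintdroid) pick up.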
  34. dex2jar • why? – Java decompilers such as jd-gui only understand .class files; dex2jar converts the Dalvik bytecode in classes.dex back into a jar of .class files • usage – dex2jar.sh file.apk (writes a .dex2jar.jar next to the input; current releases ship the wrapper as d2j-dex2jar.sh)
  35. others • ded • dexid • andbug • androguard
  36. OK, i have .class, now what? • jd-gui • apkinspector
  37. automation • scripts to manipulate the emulator environment • scripts to manipulate 'bare metal' devices
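The runtime steps from slide 20 (install the sample, run it behind a proxy, revert to a clean image) are what slide 37's automation scripts wrap. Below is an added example of such a driver (not the presenter's scripts): it reads the package name, launchable activity and permissions from `aapt dump badging`, installs and launches the sample with adb, pulls the log buffer, and kills the emulator so the next run boots from `-wipe-data`. The command runner is injected, so the flow can be exercised offline against constructed adb/aapt output (`fake_runner`); the AVD name, proxy address and the sample file name are assumptions.

```python
"""Drive an emulator (or a rooted test phone) through one analysis run.
Added example; FAKE_OUTPUT is constructed adb/aapt output for offline use."""
import re
import subprocess


def shell_runner(cmd):
    """Real runner: execute the argv list and return its stdout as text."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


class Sandbox:
    def __init__(self, run=shell_runner, avd="malware-clean", proxy="10.0.2.2:8080"):
        self.run, self.avd, self.proxy = run, avd, proxy   # avd/proxy values are assumed

    def boot_command(self):
        """Emulator argv: -wipe-data resets userdata so every sample starts from the same
        image; -http-proxy only catches HTTP that honours the emulator's proxy setting,
        raw sockets still need the pptpd/mallory path. Start it with subprocess.Popen."""
        return ["emulator", "-avd", self.avd, "-wipe-data", "-http-proxy", self.proxy]

    def badging(self, apk):
        """Package, launchable activity and permissions from `aapt dump badging`."""
        out = self.run(["aapt", "dump", "badging", apk])
        pkg = re.search(r"^package: name='([^']+)'", out, re.M)
        act = re.search(r"^launchable-activity: name='([^']+)'", out, re.M)
        # older aapt prints uses-permission:'X', newer prints uses-permission: name='X'
        perms = re.findall(r"^uses-permission:\s*(?:name=)?'([^']+)'", out, re.M)
        return {"package": pkg.group(1) if pkg else None,
                "activity": act.group(1) if act else None, "permissions": perms}

    def install(self, apk):
        out = self.run(["adb", "install", "-r", apk])
        if "Success" not in out:
            raise RuntimeError("install failed: " + out.strip())

    def installed(self, package):
        out = self.run(["adb", "shell", "pm", "list", "packages"])
        return ("package:" + package) in out.split()

    def launch(self, package, activity):
        self.run(["adb", "shell", "am", "start", "-n", package + "/" + activity])

    def logcat(self, tag=None):
        """Dump the log buffer; optionally keep only lines from one tag (brief format)."""
        lines = self.run(["adb", "logcat", "-d"]).splitlines()
        if tag:
            lines = [l for l in lines if re.match(r"^[VDIWEF]/%s\s*\(" % re.escape(tag), l)]
        return lines

    def analyse(self, apk):
        """One run: badging, install, launch, collect, then discard the image."""
        info = self.badging(apk)
        self.install(apk)
        if not self.installed(info["package"]):
            raise RuntimeError("package not listed after install: %s" % info["package"])
        self.launch(info["package"], info["activity"])
        info["log"] = self.logcat()
        self.run(["adb", "emu", "kill"])      # next boot_command() starts clean again
        return info


FAKE_OUTPUT = {   # constructed tool output keyed by command line
    "aapt dump badging sample.apk":
        "package: name='com.foo.trail' versionCode='1' versionName='1.0'\n"
        "uses-permission:'android.permission.SEND_SMS'\n"
        "uses-permission: name='android.permission.INTERNET'\n"
        "launchable-activity: name='com.foo.trail.Main'  label='Trail' icon=''\n",
    "adb install -r sample.apk": "\tpkg: /data/local/tmp/sample.apk\nSuccess\n",
    "adb shell pm list packages": "package:android\npackage:com.foo.trail\n",
    "adb logcat -d": "I/ActivityManager(  312): Start proc com.foo.trail\n"
                     "D/Trail   ( 1042): sending sms to 1234\n",
}


def fake_runner(cmd):
    return FAKE_OUTPUT.get(" ".join(cmd), "")


def demo():
    """Offline run against the constructed output."""
    return Sandbox(run=fake_runner).analyse("sample.apk")


if __name__ == "__main__":
    result = demo()
    print(result["package"], result["activity"], result["permissions"])
    print("\n".join(result["log"]))
```

For a physical device the same class works with `adb` pointed at the phone, except that `analyse()` cannot revert it: reflashing or restoring a known-good image is a manual step, which is the question mark on slide 29.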
  38. End • contact info: @rossja jason.ross [at] intrepidusgroup [dot] com
