The document is a detailed guide on dynamic analysis of malicious Android applications, specifically focusing on setting up a development environment and building the Android Open Source Project (AOSP). It provides step-by-step instructions for installing necessary software, downloading AOSP, and configuring the Nexus 5 device for testing. Additionally, it addresses monitoring and modifying Android code to assist in the analysis of app behavior and potential security threats.

1. Android Security
Development
PART 2 – Malicious Android App
Dynamic Analyzing System
SEAN

2. Sean
• Developer
• erinus.startup@gmail.com
• https://www.facebook.com/erinus

3. You Need...
• Hardware
• Phone
• Google Nexus 4
• Google Nexus 5
• Tablet
• Google Nexus 7
• Google Nexus 9

4. You Still Need...
• Software
• Virtual Machine
• VMware Workstation
• VirtualBox
• Operating System
• Ubuntu Desktop14.04

5. Build Nexus 5 Image

6. [1] Install Ubuntu 14.04
# create user named "user"
> sudo apt-get update
> sudo apt-get install vim less gcc g++ make build-
essential binutils wget ssh openssh-server openssh-
client zip unzip perl python rsync git openssl
> sudo apt-get upgrade
> sudo apt-get dist-upgrade
> sudo apt-get autoclean
> sudo apt-get autoremove
> sudo rm –f /var/cache/apt/archives/*.deb

7. [2] Build Environment for 4.x
> sudo apt-get install git gnupg flex bison gperf
build-essential zip curl libc6-dev libncurses5-
dev:i386 x11proto-core-dev libx11-dev:i386
libreadline6-dev:i386 libgl1-mesa-glx:i386
libgl1-mesa-dev gcc-multilib g++-multilib
mingw32 tofrodos python-markdown libxml2-utils
xsltproc zlib1g-dev:i386
> sudo ln -s /usr/lib/i386-linux-
gnu/mesa/libGL.so.1 /usr/lib/i386-linux-
gnu/libGL.so
> sudo apt-get install python-software-properties
> sudo add-apt-repository ppa:webupd8team/java
> sudo apt-get update
> sudo apt-get install oracle-java6-installer

8. [2] Build Environment for 5.x
> sudo apt-get install git gnupg flex bison gperf
build-essential zip curl libc6-dev libncurses5-
dev:i386 x11proto-core-dev libx11-dev:i386
libreadline6-dev:i386 libgl1-mesa-glx:i386
libgl1-mesa-dev gcc-multilib g++-multilib
mingw32 tofrodos python-markdown libxml2-utils
xsltproc zlib1g-dev:i386
> sudo ln -s /usr/lib/i386-linux-
gnu/mesa/libGL.so.1 /usr/lib/i386-linux-
gnu/libGL.so
> sudo apt-get install openjdk-7-jdk

9. [3] AOSP Environment
> cd ~
> mkdir ~/aosp
> mkdir ~/aosp/bin
> PATH=~/aosp/bin:$PATH
> curl https://storage.googleapis.com/git-repo-
downloads/repo > ~/aosp/bin/repo
> chmod a+x ~/aosp/bin/repo
> curl https://storage.googleapis.com/git-repo-
downloads/repo > ~/aosp/bin/repo
> chmod a+x ~/aosp/bin/repo
> git config --global user.email "user@USER"
> git config --global user.name "user"

10. [4] Download AOSP
> mkdir ~/aosp/src
> cd ~/aosp/src
> repo init -u
https://android.googlesource.com/platform/manifest
-b android-4.4.4_r2.0.1
> sudo sysctl -w net.ipv4.tcp_window_scaling=0
# -j(?) means amount of thread(cores) used
> repo sync -j1

11. [6] Download Nexus 5 Driver
> cd ~/aosp/src
> wget
https://dl.google.com/dl/android/aosp/broadcom-
hammerhead-ktu84p-5a5bf60e.tgz
> wget https://dl.google.com/dl/android/aosp/lge-
hammerhead-ktu84p-49419c39.tgz
> wget https://dl.google.com/dl/android/aosp/qcom-
hammerhead-ktu84p-f159eadf.tgz
> tar xzvf broadcom-hammerhead-ktu84p-5a5bf60e.tgz
> tar xzvf lge-hammerhead-ktu84p-49419c39.tgz
> tar xzvf qcom-hammerhead-ktu84p-f159eadf.tgz

12. [7] Import Nexus 5 Driver
> cd ~/aosp/src
> ./extract-broadcom-hammerhead.sh
> ./extract-lge-hammerhead.sh
> ./extract-qcom-hammerhead.sh

13. [5] Build AOSP
> cd ~/aosp/src
> source build/envsetup.sh
> lunch aosp_hammerhead-userdebug
> make –j1

14. [8] Download Android SDK
• Android SDK Platform-tools
• SDK Build-tools

15. [9] Flash Image Onto Device
> export
ANDROID_PRODUCT_OUT=/home/user/aosp/src/out/target
/product/hammerhead
> fastboot erase boot
> fastboot erase cache
> fastboot erase recovery
> fastboot erase system
> fastboot erase userdata
> fastboot flash boot boot.img
> fastboot flash cache cache.img
> fastboot flash recovery recovery.img
> fastboot flash system system.img
> fastboot flash userdata userdata.img

16. The Walking Deadveloper Orz...

17. Find Java Base Class Library
libcore/luni/src/main/java

18. Find Android Base Class Library
frameworks/base/core/java

19. Find Android ADB
system/core/adb

20. Android Image Modification
> source build/envsetup.sh
> lunch aosp_hammerhead-userdebug
> make update-api
> make –j1

21. Android ADB Modification
# Build for Windows
> sudo apt-get install mingw-w64
> cd ~/aosp/src
> make USE_MINGW=yes adb showcommands
# Build for Linux
> cd ~/aosp/src
> make adb showcommands

22. Customize Logcat

23. [1] Start...
1. Android developers use "Log.d / Log.e / ..." to
read messages.
http://developer.android.com/reference/android/
util/Log.html
2. So, monitor "Log.d / Log.e / ..."?
No, it's not enough!
Why?

24. [2] Base Knowledge
3. Android Architecture
Log.d
?

25. [3] View Source Code
4. Android Source Online
https://android.googlesource.com
5. Search Android Source Online
http://code.metager.de/source/xref/android/4.4/
http://grepcode.com/project/repository.grepcode
.com/java/ext/com.google.android/android

26. [4] Where?
6. Search Possible Occurrence

27. [4] Where?
7. System.java

28. [4] Where?
7. System.java
CLICK

29. [5] Got You!
8. System.java

30. [6] Java – JNI – C++
9. Java
/libcore/luni/src/main/java/java/
JNI
/libcore/luni/src/main/native/

31. [7] JNI – C++
10. java_lang_System.cpp

32. [8] Modify...
11. Patch java_lang_System.cpp

33. [8] Modify...
11. Patch java_lang_System.cpp
ADD

34. [8] Modify...
11. Patch java_lang_System.cpp
ADD

35. [8] Modify...
11. Patch java_lang_System.cpp
MODIFY
MODIFY

36. [8] Modify...
11. Patch java_lang_System.cpp

37. [9] Modify...
12. Patch System.java

38. [9] Modify...
12. Patch System.java
ADD
ADD

39. [9] Modify...
12. Patch System.java
Create Customized Function: appsandbox(String)
ADD

40. [10] Output
> adb logcat –v long appsandbox:V *:S > adb.log
# appsandbox:V means "Verbose for Tag:appsandbox“
# *:S means "Silence for Other Tags"

41. Dive Into Source

42. First

43. PID

44. [1] Why I Need PID?
1. When you try to get package, you get the
package name where your called.
It's not package name of app!
com.td.bookshelf.provider
com.td.bookshelf

45. [2] Get PID
2. import android.os.Process;
/frameworks/base/core/java/android/os/Process.j
ava

46. [2] Get PID
3. Process.myPid();

47. [2] Get PID
3. Process.myPid();

48. [3] Application
4. import android.app.Application;
/frameworks/base/core/java/android/app/Applicat
ion.java

49. [3] Inject Code
5. Monitor onCreate()

50. [3] Inject Code
6. Monitor onTerminate()

51. Second

52. IO Stream

53. [1] Find Base Class
1. import java.io.InputStream;
/libcore/luni/src/main/java/java/io/InputStream
.java
2. import java.io.OutputStream;
/libcore/luni/src/main/java/java/io/OutputStrea
m.java

54. [2] What Is Necessary?
3. Monitor InputStream

55. [2] What Is Necessary?
4. Monitor OutputStream

56. Third

57. Network

58. [1] Find Base Class
1. import java.net.URL;
/libcore/luni/src/main/java/java/net/URL.java
2. import java.net.URI;
/libcore/luni/src/main/java/java/net/URI.java

59. [2] What Is Necessary?
3. Monitor URL
Hook Constructor

60. [2] What Is Necessary?
3. Monitor URL
Hook Constructor

61. [2] What Is Necessary?
4. Monitor URI
Hook Constructor

62. Demo

63. Interested On This? Join Me!

64. Next Part

65. Malicious Android App
Static Analysis