Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.
2. about me
• senior consultant @intrepidusgroup
• member of @dragonresearch
• contribute to OWASP mobile project
• point-of-contact for defcon group 585
4. why mobile?
• eBay announced that it expects over
$7 billion USD via mobile in 2011
• 41% of smartphone users have made a
purchase using their mobile devices
6. why malware analysis?
a) “bring your own device” policies
b) lack of effective/enforceable security
c) mobile devices access corp. resources
a + b + c = ZOMG!
7. current state
• android malware increasing
• payloads getting more interesting
• infection routines becoming complex
• infected apps in official & 3rd party markets
14. tools
• generally fall into 3 categories:
– “i can show you the network traffic” (proxies, sniffers)
– “i can unpack your APK for you” (unzip, apktool)
– “i can turn dex back into java classes” (dex-to-jar style decompilers)
• fourth category starting to emerge:
– “i can tell you what’s happening on the
device” (on-device/dynamic instrumentation)
22. packages
• APKs are stored in several places:
– /data/app (user-installed apps)
– /data/app-private (forward-locked/“copy-protected” apps)
– /system/app (apps shipped in the firmware image)
• You may need to have a rooted device to
access some of these locations (/data/app-private in particular).
• APK =~ /ZIP/ (an APK is a ZIP archive; unzip, or any ZIP library, opens it)
23. directories
• assets:
raw files the app reads at runtime
(images, config, sometimes a hidden payload)
• META-INF:
signing data
(MANIFEST.MF, the .SF signature file, the .RSA/.DSA cert block)
• res:
compiled resources: layouts, drawables,
strings.xml and other values
• classes.dex:
the compiled Dalvik bytecode for all of the app’s
Java classes (apktool disassembles it to smali)
• AndroidManifest.xml:
android manifest
(package name, application perms, components, etc.)
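Since an APK is just a ZIP, the first static-analysis step (pull the file, hash it, see what is inside) needs nothing Android-specific. The script below, an added example rather than code from the deck, opens an APK with Python's standard `zipfile`, confirms the two mandatory members are present, buckets the members by the top-level directories listed above, and records the facts an analyst wants before reaching for apktool: whether the manifest is the compiled binary form, the DEX magic/version, and which META-INF signature files are present. The APK it inspects is constructed in `build_sample_apk()` so the script runs offline; its member bodies are padding, only the names and leading header bytes match a real app.

```python
"""Treat an APK as the ZIP it is and take a first inventory of it."""
import hashlib
import io
import zipfile


def build_sample_apk():
    """Constructed, minimal APK for this example (not a real app):
    member names and leading bytes follow the real layout, bodies are padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Compiled manifest: ResChunk header, type 0x0003 (RES_XML_TYPE), headerSize 8.
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)
        # Dalvik executable: magic "dex\n" + version "035" + NUL.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        # Compiled resource table: type 0x0002 (RES_TABLE_TYPE), headerSize 12.
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 16)
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
        z.writestr("assets/config.txt", b"server=example.invalid\n")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # DER SEQUENCE prefix only
    return buf.getvalue()


def is_apk(data):
    """APK =~ /ZIP/: must be a ZIP that carries the two mandatory members."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    return {"AndroidManifest.xml", "classes.dex"} <= names


def inventory(data):
    """Group members by top-level location and collect first-look facts."""
    z = zipfile.ZipFile(io.BytesIO(data))
    groups = {}
    for name in z.namelist():
        top = name.split("/", 1)[0] if "/" in name else "(root)"
        groups.setdefault(top, []).append(name)
    manifest = z.read("AndroidManifest.xml")
    dex = z.read("classes.dex")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "groups": groups,
        # A compiled manifest starts with chunk type 0x0003 little-endian, not "<?xml".
        "manifest_is_binary": manifest[:2] == b"\x03\x00",
        "dex_magic": dex[:8],
        "dex_version": dex[4:7].decode("ascii", "replace") if dex[:4] == b"dex\n" else None,
        # Only the signature-related META-INF members; MANIFEST.MF is just the digest list.
        "signature_files": sorted(n for n in groups.get("META-INF", [])
                                  if n.endswith((".SF", ".RSA", ".DSA", ".EC"))),
    }


if __name__ == "__main__":
    apk = build_sample_apk()  # replace with open("file.apk", "rb").read() for a real sample
    print("looks like an APK:", is_apk(apk))
    info = inventory(apk)
    print("sha256:", info["sha256"])
    for top, members in sorted(info["groups"].items()):
        print("%-10s %d member(s)" % (top, len(members)))
    print("binary manifest:", info["manifest_is_binary"], " dex magic:", info["dex_magic"])
    print("signature files:", info["signature_files"])
```

The `manifest_is_binary` check is the quick way to tell whether you are looking at a built APK (compiled manifest, needs apktool or aapt to read) or at an already-decoded tree; the signer list is what you compare across samples to spot a repackaged app signed with a different key than the original publisher.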
28. malware analysis live CDs
• REMnux, by Lenny Zeltser
(http://zeltser.com/remnux/)
– Ubuntu based live CD, preloaded with many
malware analysis tools
• A.R.E (http://www.honeynet.org/node/783)
– Virtualbox image preloaded with Android
analysis tools. One of the best ways to get
Androguard working.
30. static
• overview of Android application
layout
– AndroidManifest.xml
– res directory
– assets directory
– strings.xml (under res/values)
– other data
31. this isn’t the xml you’re looking for
AndroidManifest.xml is
stored as “binary” data (compiled Android binary XML, not text)
use apktool to get it back into a
readable format:
> apktool d file.apk outputdir
(newer apktool releases take the output directory as -o outputdir)
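Once apktool has turned the compiled manifest back into text, the manifest is the single richest static source: it names the package, every permission the app requests, and every component that can be started, including receivers that fire on boot or on incoming SMS. The script below is an added example, not from the deck, that triages a decoded manifest with Python's standard `xml.etree`. The `WATCHLIST` is an analyst's choice of permissions that look out of place in a wallpaper app, not an Android-defined list, and `SAMPLE_MANIFEST` is constructed for the example; point `triage()` at the AndroidManifest.xml in the apktool output directory for a real sample.

```python
"""Triage a decoded (apktool output) AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes

# Constructed manifest for this example; the app is fictional.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Wallpapers">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService" android:exported="true"/>
    </application>
</manifest>
"""

# Permissions that deserve a second look in a wallpaper app (analyst's choice).
WATCHLIST = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def triage(manifest_xml):
    """Return package id, requested permissions and a list of (kind, detail) findings."""
    root = ET.fromstring(manifest_xml)
    # Manifest element names are unnamespaced; only the attributes carry android:.
    perms = [e.get(A + "name") for e in root.iter("uses-permission")]
    findings = [("permission", p) for p in perms if p in WATCHLIST]

    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(A + "name")
        actions = [a.get(A + "name") for a in comp.iter("action")]

        # Explicitly exported and not guarded by a permission: reachable by any app.
        if comp.get(A + "exported") == "true" and comp.get(A + "permission") is None:
            findings.append(("exported-unprotected", name))

        # Boot receiver: the app wants to run without the user launching it.
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(("boot-persistence", name))

        # SMS_RECEIVED with a high-priority filter is the classic SMS-trojan
        # pattern: see (and possibly abort) incoming messages before other apps.
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            prio = max((int(f.get(A + "priority", "0")) for f in comp.iter("intent-filter")),
                       default=0)
            findings.append(("sms-intercept", "%s (priority %d)" % (name, prio)))

    return {"package": root.get("package"), "permissions": perms, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("permissions:", ", ".join(result["permissions"]))
    for kind, detail in result["findings"]:
        print("  [%s] %s" % (kind, detail))
```

None of these findings is proof of malice on its own (a legitimate SMS client also registers for SMS_RECEIVED), but a wallpaper app that requests SEND_SMS, starts at boot and listens for incoming SMS at maximum priority is exactly the profile that should push a sample into the dex-decompilation and network-capture stages.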
if you need notes on the “about me” slide, ur doin’ it wrong.
“PayPal continued to demonstrate strength in mobile payments and now expects more than $3 billion in mobile TPV [net total payment volume] this year, compared to $750 million in 2010 … The company remains on track to double eBay's mobile GMV [gross merchandise volume] including vehicles to over $4 billion in 2011” – eBay Q2 financial statement (July 20, 2011): http://www.ebayinc.com/press_releases#20110720006938
41% of smartphone users have made a purchase using their mobile device – http://www.internetretailer.com/2011/06/15/irce-2011-report-more-mobile-devices-means-more-shopping
“InMobi surveyed 15,000 mobile users in 14 countries about their shopping habits. Responses indicated that mobile shopping is already commonplace among a significant number of Americans, with 74 million consumers in the United States out of the total pool of 310 million consumers currently shopping on their mobile phone.” – InMobi Study: http://www.mobilecommercedaily.com/2011/04/29/mobile-shopping-sales-volume-to-reach-9b-in-2011-study
WebOS no longer exists since HP has killed its TouchPad product line.
Symbian has been discontinued as Nokia switches to WM7.
image taken from: http://www.pcworld.com/article/226339/android_market_share_growth_accelerating_nielsen_finds.html