Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.

1. jason ross
android
malware analysis

2. about me
• senior consultant @intrepidusgroup
• member of @dragonresearch
• contribute to OWASP mobile project
• point-of-contact for defcon group 585

3. agenda
• why mobile / android / malware
• tools
• analysis

4. why mobile?
• eBay announced that it expects over
$7 billion USD via mobile in 2011
• 41% of smartphone users have made a
purchase using their mobile devices

5. why android?

6. why malware analysis?
a) ‘bring your own device’ policies
b) lack of effective/enforceable security
c) mobile devices access corp. resources
a + b + c = ZOMG!

7. current state
• android malware increasing
• payloads getting more interesting
• infection routines becoming complex
• infected apps in official & 3rd party markets

8. what is malware doing?

9. How can I get samples?
• open mobile malware repositories
• official android market place
• third party markets

10. challenges
• it’s not a PC
• antivirus won’t protect you

11. it’s not a PC
• got root?
• less control over the environment
• not necessarily able to intercept traffic

12. antivirus won’t protect you

13. process
• network
• runtime
• static

14. tools
• generally fall into 3 categories:
– “i can show you the network traffic”
– “i can unpack your APK for you”
– “i can turn dex back into java classes”
• fourth category starting to emerge:
– “i can tell you what’s happening on the
device”

15. network based
• pptpd
• native sdk tools
• mallory

16. pptpd
• setting up pptpd for VPN
– pptp config
– ppp config
– chap-secrets

17. mallory
• what is mallory?
• how is it helpful?

18. setting up mallory
• grab ubuntu
• run the installer script
• start intercepting traffic

19. mallory configuration
• new and improved

20. runtime
• emulator
– installing malicious APK
– using a proxy to monitor application traffic
– reverting to clean image state

21. static
• SDK
– DDMS
• andbug
• androguard
• apktool
• ded
• dexid
• dex2jar

22. packages
• APKs are stored in several places:
– /data/app
– /data/app-private
– /system/app
• You may need to have a rooted device to
access some of these locations.
• APK =~ /ZIP/

23. directories
• assets:
images and stuff
• META-INF:
various items
(MANIFEST.MF, certs, etc.)
• res:
layout and screen
information
• classes.dex:
the compiled smali classes
• AndroidManifest.xml:
android manifest
(application perms, etc.)

24. droidbox

25. taintdroid

26. android live CD
• there really is one
• i’ve run it in virtualbox
• it’s exactly as clumsy to use as it sounds

27. android livecd (screenshot)
Super Mario Bros
included for great
justice?

28. malware analysis live CDs
• REMnux, by Lenny Zeltser
(http://zeltser.com/remnux/)
– Ubuntu based live CD, preloaded with many
malware analysis tools
• A.R.E (http://www.honeynet.org/node/783)
– Virtualbox image preloaded with Android
analysis tools. One of the best ways to get
Androguard working.

29. devices
• installing malicious APK
• using mitm to monitor application traffic
• reverting to clean image state?

30. static
• overview of Android application
layout
– Manifest.xml
– res directory
– assets directory
– strings.xml
– other data

31. this isn’t the xml you’re looking for
AndroidManifest.xml is
stored as “binary” data
use apktool to get it back into a
readable format:
> apktool d file.apk outputdir

32. apktool
• “decompiles” the
classes
• classes.dex file
becomes the smali
directory
follow the com.foo.trail to
get to the .smali files

33. smali: java + assembly (whee)
• variables get
assigned
sequential
numeric names
• this can make
the code tough
to follow

34. dex2jar
• why?
• usage

35. others
• ded
• dexid
• andbug
• androguard

36. OK, i have .class, now what?
• jd-gui
• apkinspector

37. automation
• scripts to manipulate the emulator
environment
• scripts to manipulate 'bare metal' devices

38. End
• contact info:
@rossja
jason.ross [at] intrepidusgroup [dot] com