Mobile malware analysis with the A.R.E. VM
Transcript of "Mobile malware analysis with the A.R.E. VM" (uploaded by jimmy-shah, category: Mobile)
LA2600
LA2600.org
Android Malware Analysis with the Android Reverse Engineering (A.R.E.) VM
Jimmy Shah
Android Reverse Engineering (A.R.E.) VM
● VM from the Honeynet Project
● Includes a full set of tools for reverse engineering Android apps
● Conversion tools
  – Dex2jar
    ● classes.dex → classes.dex.dex2jar.jar
  – AXMLPrinter2.jar
    ● binary XML → human-readable XML
● Disassembler
  – Baksmali
    ● Dalvik bytecode → Jasmin-like assembly language
● GUI
  – APKInspector
    ● GUI includes baksmali, dex2jar, APKtool
Android Reverse Engineering (A.R.E.) VM, cont.
● More tools
● Conversion tools
  – APKTool
● smali/baksmali
  – Disassembler
  – Baksmali
    ● Dalvik bytecode → Jasmin-like assembly language
Android for Reverse Engineers
● Android apps are distributed as APKs (zip files) – what's inside?
● Files
  – AndroidManifest.xml
    ● Stored as binary XML
    ● Permissions requested
    ● Registered intents
    ● Entry points
  – classes.dex
    ● Bytecode for the Dalvik VM
    ● App code is in classes.dex files
  – resources.arsc
    ● Compiled resource table
Android for Reverse Engineers, cont.
● Android apps are distributed as APKs (zip files) – what's inside?
● Directories
  – META-INF
    ● Public keys
    ● Signatures for each component in the APK
  – res
    ● Images, strings, etc.
  – assets
    ● Libraries
    ● Other executables
    ● Other JARs
Android for Reverse Engineers, cont.
[Diagram: Java vs. Android. Java: .java → javac → .class files (one containing main()) → JAR. Android: .class files → dx → classes.dex → APK]
● Processing a suspicious sample
1) Get sample
2) Begin analysis
  ● Static
    ● Identify known and active files
    ● File formats
      ● Executables
      ● Data files
      ● Archives
    ● "active" files
      ● Executables and all files that can have an effect on the system
  ● Dynamic
    ● Run in Android VM
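The APK layout from the two "Android for Reverse Engineers" slides and the "identify known and active files / file formats" step above, as one added Python example (not code from the talk, the A.R.E. VM, or any of the tools it lists): it opens an APK as the zip it is, identifies each member by its leading bytes rather than by its path, flags the "active" files (Dalvik bytecode, native ELF, nested archives), and reports members whose content contradicts their extension. The APK is constructed in memory with placeholder bodies so the script runs offline; only the magic bytes are real.

```python
"""Added example (not code from the talk or the A.R.E. VM): triage the contents
of an APK as described on the slides. An APK is a zip, so open it, identify
each member by its leading bytes rather than its path, and flag the "active"
files: anything that can execute or load code."""
import io
import zipfile

# Leading bytes of the formats that matter inside an APK.
DEX_MAGIC = b"dex\n"              # classes.dex, followed by a version such as "035\0"
ELF_MAGIC = b"\x7fELF"            # native libraries under lib/
ZIP_MAGIC = b"PK\x03\x04"         # nested JARs/APKs, often under assets/
AXML_MAGIC = b"\x03\x00\x08\x00"  # binary XML: chunk type 0x0003, header size 8
ARSC_MAGIC = b"\x02\x00\x0c\x00"  # resources.arsc: RES_TABLE_TYPE 0x0002, header size 12
PNG_MAGIC = b"\x89PNG"

MAGICS = [
    (DEX_MAGIC, "dex"),
    (ELF_MAGIC, "elf"),
    (ZIP_MAGIC, "archive"),
    (AXML_MAGIC, "binary-xml"),
    (ARSC_MAGIC, "resource-table"),
    (PNG_MAGIC, "png"),
]

# What a file with this extension is expected to be; used to spot disguises.
EXPECTED_BY_SUFFIX = {
    ".dex": "dex", ".so": "elf", ".jar": "archive", ".apk": "archive",
    ".png": "png", ".arsc": "resource-table",
}

# Kinds that can run or load code and therefore get analysed first.
ACTIVE_KINDS = {"dex", "elf", "archive"}


def identify(name, data):
    """Classify one APK member by content, falling back to its location."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if name.startswith("META-INF/"):
        return "signature"      # MANIFEST.MF, CERT.SF, CERT.RSA, ...
    return "data"


def inventory(apk_bytes):
    """Return {member path: kind} for every file in the APK."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                result[info.filename] = identify(info.filename, zf.read(info))
    return result


def active_files(apk_bytes):
    """Members that can execute: Dalvik bytecode, native ELF, nested archives."""
    return sorted(n for n, k in inventory(apk_bytes).items() if k in ACTIVE_KINDS)


def mismatches(apk_bytes):
    """Members whose content contradicts their extension, e.g. a dex file
    stored as a .png under assets/. Returns [(path, actual kind)]."""
    found = []
    for name, kind in sorted(inventory(apk_bytes).items()):
        dot = name.rfind(".")
        expected = EXPECTED_BY_SUFFIX.get(name[dot:].lower()) if dot >= 0 else None
        if expected is not None and expected != kind:
            found.append((name, kind))
    return found


def build_sample_apk():
    """Constructed stand-in for a real APK: right layout and magic bytes,
    placeholder bodies. Not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
        zf.writestr("resources.arsc", ARSC_MAGIC + b"\x00" * 8)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 8)
        zf.writestr("res/drawable/icon.png", PNG_MAGIC + b"\r\n\x1a\n")
        zf.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\x01\x01\x01\x00")
        zf.writestr("assets/update.jar", ZIP_MAGIC + b"\x00" * 8)
        # A second dex file stored under a data-looking name.
        zf.writestr("assets/data.png", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for path, kind in sorted(inventory(apk).items()):
        print(f"{kind:15} {path}")
    print("active:", active_files(apk))
    print("mismatches:", mismatches(apk))
```

Identifying by content first and by path second is the point: the extension-based view of an APK is exactly what a packer or dropper controls, while the leading bytes are what the Dalvik VM, the dynamic linker and the zip reader actually act on.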
What's in the A.R.E.?
Overview – GNU strings
● You need strings, use strings.
● ASCII is default, Unicode with option
  ● '-el' for 16-bit little-endian strings
● Why?
  ● Function calls
  ● Interesting strings
    – Messages
      ● Errors
      ● Debug
      ● To analysts/press/etc.
      ● Shout-outs
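What `strings` and `strings -el` actually do, and why the slide says both are needed, as an added Python example (not the talk's code and not GNU strings itself): a minimal re-implementation of the ASCII and 16-bit little-endian scans over a constructed byte buffer, followed by a pass that tags the strings an analyst looks for first (URLs, Dalvik class descriptors, telephony API names, debug/error messages). The API names are real Android identifiers; the category names and the sample buffer are this example's own.

```python
"""Added example (not the talk's code, and not GNU strings itself): a small
re-implementation of what `strings` and `strings -el` do, plus a pass that
tags the strings an analyst looks for first. The input buffer is constructed
here so it runs offline."""
import re

MIN_LEN = 4  # same default minimum length as GNU strings

# What the slide calls "interesting strings", roughly in priority order.
# The API names are real Android identifiers; the groups are this example's own.
CATEGORIES = [
    ("url", re.compile(r"^https?://")),
    ("dalvik-class", re.compile(r"^L[\w/$]+;$")),          # e.g. Landroid/telephony/SmsManager;
    ("telephony-api", re.compile(r"^(sendTextMessage|sendDataMessage|getDeviceId|getLine1Number)$")),
    ("message", re.compile(r"^(debug|error|warning)\b", re.I)),
]


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII, as plain `strings` reports them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Runs of printable chars in 16-bit little-endian encoding (`strings -el`):
    each ASCII character is followed by a NUL byte, so plain `strings` sees
    nothing longer than one character and misses the whole string."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def classify(strings):
    """Tag each string with the first matching category, or "other"."""
    tagged = []
    for s in strings:
        cat = next((c for c, rx in CATEGORIES if rx.search(s)), "other")
        tagged.append((cat, s))
    return tagged


def interesting(data):
    """ASCII strings first, then UTF-16LE ones, with the "other" strings dropped."""
    return [t for t in classify(ascii_strings(data) + utf16le_strings(data))
            if t[0] != "other"]


# Constructed sample buffer standing in for a classes.dex or native library:
# a dex header fragment, a Dalvik class descriptor, an API name, a URL, and two
# UTF-16LE strings that plain `strings` would miss.
SAMPLE = (
    b"\x00\x01dex\n035\x00"
    + b"Landroid/telephony/SmsManager;\x00"
    + b"sendTextMessage\x00"
    + b"http://example.invalid/update\x00"
    + b"\x7f\x01\x02"
    + "Debug: loaded".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe"
    + "greetz to la2600".encode("utf-16-le")
)

if __name__ == "__main__":
    print("ascii:   ", ascii_strings(SAMPLE))
    print("utf-16le:", utf16le_strings(SAMPLE))
    for cat, s in interesting(SAMPLE):
        print(f"{cat:14} {s}")
```

Running it shows the gap the slide warns about: the ASCII pass finds the class descriptor, the API name and the URL, while the "Debug: loaded" and "greetz" strings only appear in the UTF-16LE pass. Strings inside classes.dex are stored in a modified UTF-8 string pool, so the ASCII scan catches most of them; the 16-bit scan matters for resources, native code and anything written out by Java's default UTF-16 string handling.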
Conversion - AXMLPrinter2
● Java tool to convert AndroidManifest.xml to human readable XML
Decompilers - JAD
● Java Decompiler
● Feed it a JAR and get back decompiled .java source code.
● One of the few currently available Java decompilers
● Useful but may no longer be updated by the author.
● Fails on some JAR files, classes
● Easy to run
Decompilers - ded
● Android decompiler
● Newer academic project designed specifically for mobile apps
● Optionally uses the Soot Java optimization framework to provide better results.
● Combines translation to JVM bytecode, optimization and decompilation
● Takes a while, but the success rate is higher than other tools.
VM - DroidBox
● Instrumented Android VM
● Monitors
– Network activity
– Opened connections
– Outgoing traffic
– Incoming traffic
– DexClassLoader
– Broadcast receivers
– Started services
– Enforced permissions
– Permissions bypassed
– Information leakage
– Sent SMS
– Phone calls
VM - DroidBox, cont.
● Running VM
  ● ./startemu.sh Android21
  ● ./droidbox.sh <sample.apk>
  ● Ctrl-C to end logging/analysis
GUI - APKInspector
● Useful for analyzing APKs in one place
● Static analysis only
  – Strings, methods, disassembly, CFGs, etc.