Mobile malware analysis with the a.r.e. vm


Transcript of Mobile malware analysis with the a.r.e. vm

Page 1: Mobile malware analysis with the a.r.e. vm

LA2600

LA2600.org

Android Malware Analysis with the Android Reverse Engineering (A.R.E.) VM

Jimmy Shah

Page 2: Mobile malware analysis with the a.r.e. vm


Android Reverse Engineering (A.R.E.) VM

● VM from the Honeynet Project

● Includes a full set of tools for reverse engineering Android apps

● Conversion tools
  – Dex2jar
    ● classes.dex → classes.dex.dex2jar.jar
  – AXMLPrinter2.jar
    ● binary XML → human-readable XML

● Disassembler
  – Baksmali
    ● Dalvik bytecode → Jasmin-like assembly language

● GUI
  – APKInspector
    ● GUI includes baksmali, dex2jar, APKtool

Page 3: Mobile malware analysis with the a.r.e. vm


Android Reverse Engineering (A.R.E.) VM, cont.

● More tools

● Conversion tools
  – APKTool

● Disassembler
  – smali/baksmali
    ● Dalvik bytecode → Jasmin-like assembly language

Page 4: Mobile malware analysis with the a.r.e. vm


Android for Reverse Engineers

Page 5: Mobile malware analysis with the a.r.e. vm


Android for Reverse Engineers

● Android apps are distributed as APKs (zip files) – what's inside?

● Files
  – AndroidManifest.xml
    ● Stored as binary XML
    ● Permissions requested
    ● Registered intents
    ● Entry points
  – classes.dex
    ● Bytecode for the Dalvik VM
    ● App code is in classes.dex files.
  – resources.arsc
    ● Compiled resource table

Page 6: Mobile malware analysis with the a.r.e. vm


Android for Reverse Engineers, cont.

● Android apps are distributed as APKs (zip files) – what's inside?

● Directories
  – META-INF
    ● Public keys
    ● Signatures for each component in the APK
  – res
    ● Images, strings, etc.
  – assets
    ● Libraries
    ● Other executables
    ● Other JARs

Page 7: Mobile malware analysis with the a.r.e. vm


Android for Reverse Engineers, cont.

[Diagram: Java vs. Android. Java: .java → javac → .class files (one of them holding main()) → JAR. Android: the same .class files → dx → classes.dex → APK.]

Java vs. Android

Page 8: Mobile malware analysis with the a.r.e. vm


Processing a suspicious sample

1) Get sample

2) Begin analysis
  ● Static
    ● Identify known and active files
    ● File formats
      – Executables
      – Data files
      – Archives
    ● “Active” files
      – Executables and all files that can have an effect on the system
  ● Dynamic
    ● Run in Android VM
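As an added example (not from the slides or the A.R.E. project), a Python script that performs the static step above on the APK layout from the earlier slides: open the APK as a zip, classify each entry by its magic bytes rather than its file name, and flag the "active" entries that can run code. The magic values come from the public dex, ELF, zip, binary-XML and resource-table formats; the sample APK is constructed inline, with each entry carrying only the header bytes of its type.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"              # Dalvik bytecode (classes.dex)
ELF_MAGIC = b"\x7fELF"            # native library or other executable
ZIP_MAGIC = b"PK\x03\x04"         # nested JAR/APK, e.g. under assets/
AXML_MAGIC = b"\x03\x00\x08\x00"  # binary XML (AndroidManifest.xml, layouts)
ARSC_MAGIC = b"\x02\x00\x0c\x00"  # compiled resource table (resources.arsc)

def classify(name, data):
    """Return (category, active) for one entry: magic bytes first, then path."""
    head = data[:4]
    if head == DEX_MAGIC:
        return "dex", True
    if head == ELF_MAGIC:
        return "elf", True
    if head == ZIP_MAGIC:
        return "archive", True      # may hold more code: triage it recursively
    if head == AXML_MAGIC:
        return "binary-xml", False  # feed to AXMLPrinter2 for readable XML
    if head == ARSC_MAGIC:
        return "resources", False
    if name.startswith("META-INF/"):
        return "signature", False   # .MF/.SF/.RSA signing metadata
    return "data", False

def triage(apk_bytes):
    """Inventory every entry of an APK (a zip) and flag the 'active' ones."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                category, active = classify(info.filename, zf.read(info))
                report[info.filename] = {"category": category, "active": active}
    return report

def build_sample_apk():
    """Constructed sample: each entry carries only the magic bytes of its type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 24)
        zf.writestr("resources.arsc", ARSC_MAGIC + b"\x00" * 8)
        zf.writestr("assets/update.bin", ELF_MAGIC + b"\x02\x01\x01")  # ELF posing as data
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x01\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for name, entry in sorted(triage(build_sample_apk()).items()):
        print("ACTIVE" if entry["active"] else "      ", entry["category"], name)
```

The ELF under assets/ is flagged even though its name says nothing, which is the point of classifying by header rather than extension.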

Page 9: Mobile malware analysis with the a.r.e. vm


What's in the A.R.E.?

Page 10: Mobile malware analysis with the a.r.e. vm


Overview – GNU strings

● You need strings, use strings.

● ASCII is the default; Unicode with an option
  – '-el' for 16-bit little-endian strings

● Why?
  – Function calls
  – Interesting strings
    ● Messages
      – Errors
      – Debug
      – To analysts/press/etc.
      – Shout-outs

Page 11: Mobile malware analysis with the a.r.e. vm


Conversion - AXMLPrinter2

● Java tool to convert AndroidManifest.xml to human-readable XML

Page 12: Mobile malware analysis with the a.r.e. vm


Decompilers - JAD

● Java Decompiler

● Feed it a JAR and get back decompiled .java source code.

● One of the few currently available Java decompilers

● Useful but may no longer be updated by the author.

● Fails on some JAR files, classes

● Easy to run

Page 13: Mobile malware analysis with the a.r.e. vm


Decompilers - ded

● Android decompiler

● Newer academic project designed specifically for mobile apps

● Optionally uses the Soot Java optimization framework to provide better results.

● Combines translation to JVM bytecode, optimization and decompilation

● Takes a while, but the success rate is higher than other tools.

Page 14: Mobile malware analysis with the a.r.e. vm


VM - DroidBox

● Instrumented Android VM

● Monitors

– Network activity

– Opened connections

– Outgoing traffic

– Incoming traffic

– DexClassLoader

– Broadcast receivers

– Started services

– Enforced permissions

– Permissions bypassed

– Information leakage

– Sent SMS

– Phone calls

Page 15: Mobile malware analysis with the a.r.e. vm


VM - DroidBox, cont.

● Running VM
  – ./startemu.sh Android21
  – ./droidbox.sh <sample.apk>
  – Ctrl-C to end logging/analysis

Page 16: Mobile malware analysis with the a.r.e. vm


GUI - APKInspector

● Useful for analyzing APKs in one place

● Static analysis only

  – Strings, methods, disassembly, CFGs, etc.