android reverse engineering tools from an anti-virus ... · from an anti-virus analyst's...
TRANSCRIPT
![Page 1: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/1.jpg)
Android Reverse Engineering Tools
From an anti-virus analyst's perspective
Axelle Apvrille
InsomniHack'12, March 2012
![Page 2: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/2.jpg)
Agenda
I Contents of anAPK: manifest,.dex, resources...
I Tutorial: reversingAn-droid/Spitmo.C!tr.spy
I A few other tricks:logs,anti-emulator...
I Miscellaneous tools
InsomniHack'12 - A. Apvrille 2/42
![Page 3: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/3.jpg)
APK - Android Packages
InsomniHack'12 - A. Apvrille 3/42
![Page 4: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/4.jpg)
Example: APK contents of Android/Spitmo.C!tr.spy
$ unzip criptomovil.apk
Archive: criptomovil.apk
inflating: res/layout/main.xml
inflating: AndroidManifest.xml
extracting: resources.arsc
extracting: res/drawable-hdpi/icon.png
extracting: res/drawable-ldpi/icon.png
extracting: res/drawable-mdpi/icon.png
inflating: classes.dex
inflating: META-INF/MANIFEST.MF
inflating: META-INF/CERT.SF
inflating: META-INF/CERT.RSA
InsomniHack'12 - A. Apvrille 4/42
![Page 5: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/5.jpg)
Reading the AndroidManifest.xml
Binary manifest
$ hexdump -C AndroidManifest.xml | head
00000000 03 00 08 00 b0 1c 00 00 01 00 1c 00 8c 0d 00 00 |................|
00000010 3d 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 |=...............|
00000020 00 00 00 00 00 00 00 00 1a 00 00 00 34 00 00 00 |............4...|
Better with aapt
$ aapt dump xmltree criptomovil.apk AndroidManifest.xml
N: android=http://schemas.android.com/apk/res/android
E: manifest (line=2)
A: android:versionCode(0x0101021b)=(type 0x10)0x1
A: android:versionName(0x0101021c)="1.0" (Raw: "1.0")
A: package="com.antivirus.kav" (Raw: "com.antivirus.kav")
E: uses-permission (line=8)
A: android:name(0x01010003)="android.permission.
BROADCAST_STICKY"
(Raw: "android.permission.BROADCAST_STICKY")
InsomniHack'12 - A. Apvrille 5/42
![Page 6: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/6.jpg)
Reading the AndroidManifest.xml (2)
AXMLPrinter$ java -jar AXMLPrinter2.jar AndroidManifest.binary.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="4"
..
Other Swiss KnivesI Androguard: collection of Python tools
$ ./androaxml.py -i criptomovil.apk -o
AndroidManifest.human.xml
I Apktool: re-engineering Android apps$ java -jar apktool.jar d criptomovil.apk output
InsomniHack'12 - A. Apvrille 6/42
![Page 7: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/7.jpg)
Reading package resources
I Same as the manifest: they are not directly readable (forhumans...)
I aapt dump resources works, but output not excellent
I Use Apktool! Great tool :)
$ java -jar apktool.jar d criptomovil.apk output
...
$ cat output/res/layout/main.xml
<?xml version="1.0" encoding="UTF-8"?>
<LinearLayout android:orientation="vertical"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
...
InsomniHack'12 - A. Apvrille 7/42
![Page 8: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/8.jpg)
Dalvik Executables (.dex)
I Similar to Java .class: .class converted to .dex by "dx"More at:http://en.wikipedia.org/wiki/Dalvik_(software)
I Opcodes: see http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
I Parse with a hex editor. 010 Editor has a Dex template
InsomniHack'12 - A. Apvrille 8/42
![Page 9: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/9.jpg)
Dalvik bytecode - Android/Foncy.A!tr
InsomniHack'12 - A. Apvrille 9/42
![Page 10: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/10.jpg)
Dissassembling DEX: you (probably) don't want to usedexdump
I Ships with theAndroid SDK, inplatform-tools/
I Always works (?)
I Output di�cult toread: all classestogether etc.
InsomniHack'12 - A. Apvrille 10/42
![Page 11: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/11.jpg)
Disassembling DEX
I Apktool: producessmali
I Code syntaxhighlight:
I Emacs: NelsonElhage or TimStrazzere
I Vim: JonLarimer
I Notepad++:lohan+
I UltraEdit:lohan+
InsomniHack'12 - A. Apvrille 11/42
![Page 12: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/12.jpg)
Issues with disassembling
$ java -jar apktool.jar d fjcon.apk outputException in thread "main" brut.androlib.AndrolibException:
brut.directory.DirectoryException: java.util.zip.ZipException:
error in opening zip file
at brut.androlib.ApkDecoder.hasSources(Unknown Source)
...
Dedexer produces .ddx �les ≈http://jasmin.sourceforge.net/about.htmlJasmin w/Dalvik opcodes
$ mkdir ./dedexer
$ java -jar ddx1.18.jar -d ./dedexer/ ./classes.dex
...
$ cat ./dedexer/com/nl/MyService.ddx
...
.method public <init>()V
.limit registers 2
; this: v1 (Lcom/nl/MyService;)
.line 74
invoke-direct {v1},android/app/Service/<init> ; <init>()VInsomniHack'12 - A. Apvrille 12/42
![Page 13: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/13.jpg)
The DED Decompiler
Command line - Decompiling Android/RootSmart.A!tr
$./ded.sh suspect.apk -d ./ded-output -c
...
Soot finished on Fri Feb 10 14:05:46 CET 2012
Soot has run for 0 min. 2 sec.
./ded-output/optimized-decompiled/[..]/smart/y.java
Decompiled 144 classes out of 152
Retargeting time: 32.708s
Decompilation time: 945.141s
InsomniHack'12 - A. Apvrille 13/42
![Page 14: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/14.jpg)
dex2jar + jd-gui
I Dex2jar: Java-based tool converting .dex to .jar :)
$ ./dex2jar.sh criptomovil.apk
dex2jar version: reader-1.7, translator-0.0.9.6, ir-1.4
dex2jar criptomovil.apk -> criptomovil_dex2jar.jar
Done.
I View the Jar with a Java Decompiler (jd-gui, jad, dj...)
I "Java Decompiler" Pros: GUI, save source �les, browse Jar,jump from one class to another
I Cons: not speci�cally meant for Dalvik, a few bugs (but notmany)
InsomniHack'12 - A. Apvrille 14/42
![Page 15: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/15.jpg)
Decompiled Java source code - at a glance
Figure: Android/Spitmo.C!tr.spy
InsomniHack'12 - A. Apvrille 15/42
![Page 16: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/16.jpg)
Tutorial with Android/Spitmo.C!tr.spy
Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service
I SMS Receiver with high priority
I Main
InsomniHack'12 - A. Apvrille 16/42
![Page 17: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/17.jpg)
Tutorial with Android/Spitmo.C!tr.spy
Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service
I SMS Receiver with high priority
I Main
InsomniHack'12 - A. Apvrille 16/42
![Page 18: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/18.jpg)
Tutorial with Android/Spitmo.C!tr.spy
Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service
I SMS Receiver with high priority
I Main
InsomniHack'12 - A. Apvrille 16/42
![Page 19: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/19.jpg)
Tutorial with Android/Spitmo.C!tr.spy
Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service
I SMS Receiver with high priority
I Main
InsomniHack'12 - A. Apvrille 16/42
![Page 20: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/20.jpg)
Reversing MainActivity
I onCreate() called when application is launched.
I Get 8th character of IMEI.
I Display alert dialog with activation code "1"+8th char+"3"
I Exit dialog when button pressed
InsomniHack'12 - A. Apvrille 17/42
![Page 21: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/21.jpg)
Reversing MainActivity
I onCreate() called when application is launched.
I Get 8th character of IMEI.
I Display alert dialog with activation code "1"+8th char+"3"
I Exit dialog when button pressed
InsomniHack'12 - A. Apvrille 17/42
![Page 22: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/22.jpg)
Reversing MainActivity
I onCreate() called when application is launched.
I Get 8th character of IMEI.
I Display alert dialog with activation code "1"+8th char+"3"
I Exit dialog when button pressed
InsomniHack'12 - A. Apvrille 17/42
![Page 23: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/23.jpg)
Reversing MainActivity
I onCreate() called when application is launched.
I Get 8th character of IMEI.
I Display alert dialog with activation code "1"+8th char+"3"
I Exit dialog when button pressed
InsomniHack'12 - A. Apvrille 17/42
![Page 24: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/24.jpg)
Reversing KavService
How to start a serviceI startService() → onCreate() → onStartCommand() (or
onStart() for old SDKs)
I bindService() → onCreate()
Not started?$ grep -ri startService ./smali
$ grep -ri bindService ./smali
Not used (yet)?
InsomniHack'12 - A. Apvrille 18/42
![Page 25: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/25.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 26: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/26.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 27: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/27.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 28: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/28.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 29: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/29.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 30: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/30.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 31: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/31.jpg)
Reversing SmsReceiver with Java Decompiler
InsomniHack'12 - A. Apvrille 19/42
![Page 32: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/32.jpg)
Reversing SmsReceiver
Things we know
I onReceive processes incoming SMS messages
I AntivirusEnabled is a �ag, if not enabled, won't do much.
I Calls GetStaticDataString
I Retrieves SMS body and originating phone number
I Formats a string: &from=ORIGIN&text=BODY
I Calls GetRequest
I AntivirusEnabled true: don't forward SMS to others
Things which are unclear yet
I What does GetStaticDataString() do?
I The result of GetStaticDataString() is overwritten...?
I What is variable k?
I What does GetRequest() do?
InsomniHack'12 - A. Apvrille 20/42
![Page 33: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/33.jpg)
GetStaticDataString
InsomniHack'12 - A. Apvrille 21/42
![Page 34: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/34.jpg)
GetStaticDataString
InsomniHack'12 - A. Apvrille 21/42
![Page 35: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/35.jpg)
Reversing SmsReceiver
Things we know
I onReceive processes incoming SMS messages
I AntivirusEnabled is a �ag, if not enabled, won't do much.
I Calls GetStaticDataString: ?to=PHONE&i=IMSI&m=IMEI...
I Retrieves SMS body and originating phone number
I Formats a string: &from=ORIGIN&text=BODY
I Calls GetRequest
I AntivirusEnabled true: don't forward SMS to others
Things which are unclear yet
I The result of GetStaticDataString() is overwritten...?
I What is variable k?
I What does GetRequest() do?
InsomniHack'12 - A. Apvrille 22/42
![Page 36: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/36.jpg)
A look into Smali
InsomniHack'12 - A. Apvrille 23/42
![Page 37: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/37.jpg)
A look into Smali
InsomniHack'12 - A. Apvrille 23/42
![Page 38: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/38.jpg)
A look into Smali
InsomniHack'12 - A. Apvrille 23/42
![Page 39: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/39.jpg)
A look into Smali
InsomniHack'12 - A. Apvrille 23/42
![Page 40: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/40.jpg)
A look into Smali
InsomniHack'12 - A. Apvrille 23/42
![Page 41: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/41.jpg)
A look into Smali
InsomniHack'12 - A. Apvrille 23/42
![Page 42: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/42.jpg)
Findings with Smali
I Bad decompilation of �rst initial test:
// WRONG
if (! intent.getAction().equals("OUTGOING_CALL") &&
! intent.getAction().equals("BOOT_COMPLETED")) {
}
// CORRECT
if (intent.getAction().equals("OUTGOING_CALL") {
...
} else if (! intent.getAction().equals("BOOT_COMPLETED")) {
}
I Missing variable names: TotalHideSms (AntivirusEnabled �ag)and SendReport (k)
I Wrong decompilation of string composition: GetStringinitialized to GetStaticDataString() and then append&from=ORIGIN&text=BODY
InsomniHack'12 - A. Apvrille 24/42
![Page 43: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/43.jpg)
Reversing SmsReceiver
Things we know
I If OUTGOING_CALL, schedule KavService
I Build string, initialize it to: ?to=PHONE&i=IMSI&m=IMEI...
I Retrieves SMS body and originating phone number
I Append &from=ORIGIN&text=BODY to string
I Calls GetRequest if SendReport true
I AntivirusEnabled true: don't forward SMS to others
Things which are unclear yet
I What does GetRequest() do?
InsomniHack'12 - A. Apvrille 25/42
![Page 44: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/44.jpg)
GetRequest: Decompilation failure
InsomniHack'12 - A. Apvrille 26/42
![Page 45: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/45.jpg)
Solution? Use another tool!
I Use another decompiler (e.g Jad)
I Or read smali
InsomniHack'12 - A. Apvrille 27/42
![Page 46: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/46.jpg)
Solution? Use another tool!
I Use another decompiler (e.g Jad)
I Or read smali
InsomniHack'12 - A. Apvrille 27/42
![Page 47: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/47.jpg)
Solution? Use another tool!
I Use another decompiler (e.g Jad)
I Or read smali
InsomniHack'12 - A. Apvrille 27/42
![Page 48: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/48.jpg)
GetRequest decompilation
I LinkAntivirus(): obfuscated string
I URL = de-obfuscated string + parameter
I Open URL
I Read HTTP response
I If HTTP response is ok (200), read header ForgetMessages:store in AntivirusEnabled �ag
InsomniHack'12 - A. Apvrille 28/42
![Page 49: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/49.jpg)
Spitmo: conclusion
What it doesI Displays a fake 3-digit activation code. 2nd digit is based on
IMEI
I KavService not used. Missing start command?
I SMS forwarded to a remote URL:http://CENSORED?to=PHONE&i=IMSI&m=IMEI-
&aid=ACTIVATIONCODE&h=BOOLEAN&from=ORIGIN&text=BODY
Lessons learned
Read smali when decompilation fails
InsomniHack'12 - A. Apvrille 29/42
![Page 50: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/50.jpg)
Understanding access$0
.method static synthetic access$0(Lcom/tapjoy/TJCOffersWebView;)
Landroid/widget/ProgressBar;
.locals 1
.parameter
.prologue
.line 28
iget-object v0, p0, Lcom/tapjoy/TJCOffersWebView;->progressBar:Landroid/widget/ProgressBar;
return-object v0
.end method
Compiler created
I Java: Inner classes can access private members of theirenclosing class.
I Byte-code: creates synthetic access$0
InsomniHack'12 - A. Apvrille 30/42
![Page 51: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/51.jpg)
Anti-emulator tricks
Honeynet challenge 2011
// com.fc9.currencyguide.daemon.e.b:
if (a.a(Build.DEVICE).equalsIgnoreCase(
"46a808cfd5beafa5e60aefee867bf92025dc2849"))
localBoolean = Boolean.valueOf(1); // true
}
...
// com.fc9.currencyguide.fc9:
if (!com.fc9.currencyguide.daemon.e.b.a().booleanValue()) {
// MALICIOUS BEHAVIOUR
} else { // DO NOTHING }
I 46a808cfd5beafa5e60aefee867bf92025dc2849 =sha1sum("generic")
I 5a374dcd2e5eb762b527af3a5bab6072a4d24493 =sha1sum("sdk") ...
I Di�erent behaviour if on an emulator :(
InsomniHack'12 - A. Apvrille 31/42
![Page 52: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/52.jpg)
Solution: modify the application
Modify the smali code
1. Fix the test
2. Recompile the smali �les
$ ./apktool b -d ~/honeynet/smali-re modified.apk
$ jarsigner -verbose -keystore test.ks modified.apk test
InsomniHack'12 - A. Apvrille 32/42
![Page 53: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/53.jpg)
Adding debug logs
I Modify & recompile smali! No need to have source code :)I Example: Insert calls to Log.v
const-string v6, "AXELLE str: "
invoke-static {v6, v0}, Landroid/util/Log;->v(Ljava/lang/String;
Ljava/lang/String;)I
I call = invoke-static
I v0 = what to log
I re-use variables with caution...
adb logcat:..
V/AXELLE: str: ( 407): CD2ACE300D6687D4
..
InsomniHack'12 - A. Apvrille 33/42
![Page 54: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/54.jpg)
Customize Your Emulator
I Patchemulator-arm
I Search for+CGSN:IMEI
I Search for+CIMI: IMSI
InsomniHack'12 - A. Apvrille 34/42
![Page 55: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/55.jpg)
Customize Your Emulator
I Patchemulator-arm
I Search for+CGSN:IMEI
I Search for+CIMI: IMSI
InsomniHack'12 - A. Apvrille 34/42
![Page 56: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/56.jpg)
Who uses those permissions?
Androguard's androlyze
$ ./androlyze.py -i criptomovil.apk -x
PERM : READ_PHONE_STATE
Lcom/antivirus/kav/MainActivity; onCreate
(Landroid/os/Bundle;)V (@onCreate-BB@0x0-0x16)
---> Landroid/telephony/TelephonyManager;
getDeviceId ()Ljava/lang/String;
Lcom/antivirus/kav/SmsReceiver; GetStaticDataString
(Landroid/content/Context;) Ljava/lang/String;
(@GetStaticDataString-BB@0x0-0x10) --->
Landroid/telephony/TelephonyManager;
getLine1Number ()Ljava/lang/String;
...
PERM : INTERNET
Lcom/antivirus/kav/SmsReceiver; GetRequest
(Ljava/lang/String;)I (@GetRequest-BB@0x3c-0x3c)
---> Ljava/net/URL; openConnection ()
Ljava/net/URLConnection;
InsomniHack'12 - A. Apvrille 35/42
![Page 57: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/57.jpg)
Similarities and di�erences
Androsim$ ./androsim.py -i com.christmasgame.balloon_v1.3.apk
plankton_sample1.apk
DIFF METHODS : 115
NEW METHODS : 5
MATCH METHODS : 0
DELETE METHODS : 318
[0.9955412745475769, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0,
..
1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0]
0.0038437288383
Conclusion: Those samples of Riskware/CounterClank andAndroid/Plankton are not similar :)
InsomniHack'12 - A. Apvrille 36/42
![Page 58: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/58.jpg)
Visualization of APK: Androguard + cytoscape
Is it usable?
$ ./androxgmml.py -i sample.apk -o output.xgmml -f
InsomniHack'12 - A. Apvrille 37/42
![Page 59: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/59.jpg)
Visualization of APK: Androguard + cytoscape
Is it usable?
$ ./androxgmml.py -i sample.apk -o output.xgmml -f
InsomniHack'12 - A. Apvrille 37/42
![Page 60: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/60.jpg)
Androguard + gephi
Powerful... but is it usable? - Ex: Android/BaseBridge
$ ./androgexf.py -i sendere.apk -o sendere.gexf
InsomniHack'12 - A. Apvrille 38/42
![Page 61: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/61.jpg)
Androguard + gephi
Powerful... but is it usable? - Ex: Android/BaseBridge
$ ./androgexf.py -i sendere.apk -o sendere.gexf
InsomniHack'12 - A. Apvrille 38/42
![Page 68: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/68.jpg)
Conclusion
I loveI Android Emulator
I Apktool
I baksmali
I dex2jar
I Java Decompiler
To investigate
I AndBug: a debugger,not immediate to use
I AndroidAuditTools
I use from time to timeI Androguard: similarities,
di�erences, manifest, permissions
I ded, IDA Pro and dedexer:alternate disassemblers/decompilers
I never useI Droidbox: bugs
I Androguard visualization: Iprobably need training :)
I AXMLPrinter: included in othertools
I APKInspector, Manitree: perhaps,but never encountered a real usecase
InsomniHack'12 - A. Apvrille 41/42
![Page 69: Android Reverse Engineering Tools From an anti-virus ... · From an anti-virus analyst's perspective Axelle Apvrille InsomniHack'12, March 2012. Agenda I Contents of an APK: manifest,.dex,](https://reader031.vdocuments.site/reader031/viewer/2022021915/5ca0d1c588c993e3018d17ee/html5/thumbnails/69.jpg)
Thank You !
Follow us on twitter: @FortiGuardLabs
Axelle Apvrille
aka Crypto Girl
/mobile malware reverse engineering/[email protected]
Slides edited with LOBSTER=LATEX+Beamer + Editor
InsomniHack'12 - A. Apvrille 42/42