![Page 1: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/1.jpg)
Android Security Development
PART 2 – Malicious Android App Dynamic Analyzing System
SEAN
![Page 2: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/2.jpg)
Sean
• Developer
• https://www.facebook.com/erinus
![Page 3: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/3.jpg)
You Need...
• Hardware
  • Phone
    • Google Nexus 4
    • Google Nexus 5
  • Tablet
    • Google Nexus 7
    • Google Nexus 9
![Page 4: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/4.jpg)
You Still Need...
• Software
  • Virtual Machine
    • VMware Workstation
    • VirtualBox
  • Operating System
    • Ubuntu Desktop 14.04
![Page 5: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/5.jpg)
Build Nexus 5 Image
![Page 6: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/6.jpg)
[1] Install Ubuntu 14.04
# create user named "user"
> sudo apt-get update
> sudo apt-get install vim less gcc g++ make build-essential binutils wget ssh openssh-server openssh-client zip unzip perl python rsync git openssl
> sudo apt-get upgrade
> sudo apt-get dist-upgrade
> sudo apt-get autoclean
> sudo apt-get autoremove
> sudo rm -f /var/cache/apt/archives/*.deb
![Page 7: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/7.jpg)
[2] Build Environment for 4.x
> sudo apt-get install git gnupg flex bison gperf build-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 libgl1-mesa-dev gcc-multilib g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
> sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so
> sudo apt-get install python-software-properties
> sudo add-apt-repository ppa:webupd8team/java
> sudo apt-get update
> sudo apt-get install oracle-java6-installer
![Page 8: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/8.jpg)
[2] Build Environment for 5.x
> sudo apt-get install git gnupg flex bison gperf build-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 libgl1-mesa-dev gcc-multilib g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
> sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so
> sudo apt-get install openjdk-7-jdk
![Page 9: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/9.jpg)
[3] AOSP Environment
> cd ~
> mkdir ~/aosp
> mkdir ~/aosp/bin
> PATH=~/aosp/bin:$PATH
> curl https://storage.googleapis.com/git-repo-downloads/repo > ~/aosp/bin/repo
> chmod a+x ~/aosp/bin/repo
> git config --global user.email "user@USER"
> git config --global user.name "user"
![Page 10: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/10.jpg)
[4] Download AOSP
> mkdir ~/aosp/src
> cd ~/aosp/src
> repo init -u https://android.googlesource.com/platform/manifest -b android-4.4.4_r2.0.1
> sudo sysctl -w net.ipv4.tcp_window_scaling=0
# -j(?) sets the number of threads (cores) used
> repo sync -j1
![Page 11: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/11.jpg)
[6] Download Nexus 5 Driver
> cd ~/aosp/src
> wget https://dl.google.com/dl/android/aosp/broadcom-hammerhead-ktu84p-5a5bf60e.tgz
> wget https://dl.google.com/dl/android/aosp/lge-hammerhead-ktu84p-49419c39.tgz
> wget https://dl.google.com/dl/android/aosp/qcom-hammerhead-ktu84p-f159eadf.tgz
> tar xzvf broadcom-hammerhead-ktu84p-5a5bf60e.tgz
> tar xzvf lge-hammerhead-ktu84p-49419c39.tgz
> tar xzvf qcom-hammerhead-ktu84p-f159eadf.tgz
![Page 12: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/12.jpg)
[7] Import Nexus 5 Driver
> cd ~/aosp/src
> ./extract-broadcom-hammerhead.sh
> ./extract-lge-hammerhead.sh
> ./extract-qcom-hammerhead.sh
![Page 13: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/13.jpg)
[5] Build AOSP
> cd ~/aosp/src
> source build/envsetup.sh
> lunch aosp_hammerhead-userdebug
> make -j1
![Page 14: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/14.jpg)
[8] Download Android SDK
• Android SDK Platform-tools
• SDK Build-tools
![Page 15: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/15.jpg)
[9] Flash Image Onto Device
> export ANDROID_PRODUCT_OUT=/home/user/aosp/src/out/target/product/hammerhead
> fastboot erase boot
> fastboot erase cache
> fastboot erase recovery
> fastboot erase system
> fastboot erase userdata
> fastboot flash boot boot.img
> fastboot flash cache cache.img
> fastboot flash recovery recovery.img
> fastboot flash system system.img
> fastboot flash userdata userdata.img
![Page 16: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/16.jpg)
The Walking Deadveloper Orz...
![Page 17: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/17.jpg)
Find Java Base Class Library
libcore/luni/src/main/java
![Page 18: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/18.jpg)
Find Android Base Class Library
frameworks/base/core/java
![Page 19: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/19.jpg)
Find Android ADB
system/core/adb
![Page 20: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/20.jpg)
Android Image Modification
> source build/envsetup.sh
> lunch aosp_hammerhead-userdebug
> make update-api
> make -j1
![Page 21: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/21.jpg)
Android ADB Modification
# Build for Windows
> sudo apt-get install mingw-w64
> cd ~/aosp/src
> make USE_MINGW=yes adb showcommands
# Build for Linux
> cd ~/aosp/src
> make adb showcommands
![Page 22: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/22.jpg)
Customize Logcat
![Page 23: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/23.jpg)
[1] Start...
1. Android developers use "Log.d / Log.e / ..." to read messages.
http://developer.android.com/reference/android/util/Log.html
2. So, monitor "Log.d / Log.e / ..."?
No, it's not enough!
Why?
![Page 24: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/24.jpg)
[2] Base Knowledge
3. Android Architecture
Log.d
?
![Page 25: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/25.jpg)
[3] View Source Code
4. Android Source Online
https://android.googlesource.com
5. Search Android Source Online
http://code.metager.de/source/xref/android/4.4/
http://grepcode.com/project/repository.grepcode.com/java/ext/com.google.android/android
![Page 26: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/26.jpg)
[4] Where?
6. Search Possible Occurrence
![Page 27: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/27.jpg)
[4] Where?
7. System.java
![Page 28: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/28.jpg)
[4] Where?
7. System.java
CLICK
![Page 29: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/29.jpg)
[5] Got You!
8. System.java
![Page 30: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/30.jpg)
[6] Java – JNI – C++
9. Java
/libcore/luni/src/main/java/java/
JNI
/libcore/luni/src/main/native/
![Page 31: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/31.jpg)
[7] JNI – C++
10. java_lang_System.cpp
![Page 32: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/32.jpg)
[8] Modify...
11. Patch java_lang_System.cpp
![Page 33: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/33.jpg)
[8] Modify...
11. Patch java_lang_System.cpp
ADD
![Page 34: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/34.jpg)
[8] Modify...
11. Patch java_lang_System.cpp
ADD
![Page 35: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/35.jpg)
[8] Modify...
11. Patch java_lang_System.cpp
MODIFY
MODIFY
![Page 36: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/36.jpg)
[8] Modify...
11. Patch java_lang_System.cpp
![Page 37: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/37.jpg)
[9] Modify...
12. Patch System.java
![Page 38: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/38.jpg)
[9] Modify...
12. Patch System.java
ADD
ADD
![Page 39: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/39.jpg)
[9] Modify...
12. Patch System.java
Create Customized Function: appsandbox(String)
ADD
![Page 40: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/40.jpg)
[10] Output
> adb logcat -v long appsandbox:V *:S > adb.log
# appsandbox:V means "Verbose for Tag: appsandbox"
# *:S means "Silence for Other Tags"
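An added example (not from the original slides): a host-side parser for the `adb.log` file captured above. It relies on the `-v long` layout, where each record is a bracketed header carrying PID, TID, priority and tag, followed by the message lines. The sample log and its message texts are constructed, since the slides do not show the exact text the hooks write.

```python
import re
from collections import defaultdict

# Header line written by `adb logcat -v long`:
#   [ MM-DD HH:MM:SS.mmm  PID:  TID P/Tag ]
HEADER = re.compile(
    r"^\[\s*(?P<date>\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+):\s*(?P<tid>\d+)\s+(?P<prio>[VDIWEFS])/(?P<tag>.*?)\s*\]\s*$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def parse_long(text):
    """Yield one dict per log record; a message may span several lines."""
    rec = None
    for line in text.splitlines():
        if line.startswith("--------- beginning of"):
            continue                      # buffer divider, not message text
        m = HEADER.match(line)
        if m:
            if rec:
                yield rec
            rec = m.groupdict()
            rec["pid"], rec["tid"], rec["msg"] = int(rec["pid"]), int(rec["tid"]), ""
        elif rec is not None:
            rec["msg"] = (rec["msg"] + "\n" + line).strip()
    if rec:
        yield rec

def events_by_pid(text, tag="appsandbox"):
    """Group messages of one tag by the PID of the process that logged them."""
    out = defaultdict(list)
    for rec in parse_long(text):
        if rec["tag"] == tag:
            out[rec["pid"]].append(rec["msg"])
    return dict(out)

def urls_by_pid(text, tag="appsandbox"):
    """Pull http(s) URLs out of each process's messages."""
    return {pid: [u for m in msgs for u in URL_RE.findall(m)]
            for pid, msgs in events_by_pid(text, tag).items()}

# Constructed sample; the message texts are hypothetical.
SAMPLE = """\
--------- beginning of /dev/log/main
[ 03-02 14:05:11.201  2154: 2154 V/appsandbox ]
Application.onCreate

[ 03-02 14:05:11.950  2154: 2170 V/appsandbox ]
URL http://updates.example.test/check?id=1

[ 03-02 14:05:12.004  3001: 3001 V/appsandbox ]
OutputStream.write
line two of the same record

[ 03-02 14:05:12.300  2154: 2170 D/OtherTag ]
ignored

[ 03-02 14:05:12.410  3001: 3010 V/appsandbox ]
URI https://cdn.example.test/a.bin
"""

if __name__ == "__main__":
    for pid, urls in urls_by_pid(SAMPLE).items():
        print(pid, urls)
```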
![Page 41: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/41.jpg)
Dive Into Source
![Page 42: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/42.jpg)
First
![Page 43: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/43.jpg)
PID
![Page 44: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/44.jpg)
[1] Why I Need PID?
1. When you try to get the package name, you get the package name of the place where you are called.
It's not the package name of the app!
com.td.bookshelf.provider
com.td.bookshelf
![Page 45: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/45.jpg)
[2] Get PID
2. import android.os.Process;
/frameworks/base/core/java/android/os/Process.java
![Page 46: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/46.jpg)
[2] Get PID
3. Process.myPid();
![Page 47: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/47.jpg)
[2] Get PID
3. Process.myPid();
![Page 48: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/48.jpg)
[3] Application
4. import android.app.Application;
/frameworks/base/core/java/android/app/Application.java
![Page 49: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/49.jpg)
[3] Inject Code
5. Monitor onCreate()
![Page 50: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/50.jpg)
[3] Inject Code
6. Monitor onTerminate()
![Page 51: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/51.jpg)
Second
![Page 52: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/52.jpg)
IO Stream
![Page 53: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/53.jpg)
[1] Find Base Class
1. import java.io.InputStream;
/libcore/luni/src/main/java/java/io/InputStream.java
2. import java.io.OutputStream;
/libcore/luni/src/main/java/java/io/OutputStream.java
![Page 54: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/54.jpg)
[2] What Is Necessary?
3. Monitor InputStream
![Page 55: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/55.jpg)
[2] What Is Necessary?
4. Monitor OutputStream
![Page 56: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/56.jpg)
Third
![Page 57: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/57.jpg)
Network
![Page 58: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/58.jpg)
[1] Find Base Class
1. import java.net.URL;
/libcore/luni/src/main/java/java/net/URL.java
2. import java.net.URI;
/libcore/luni/src/main/java/java/net/URI.java
![Page 59: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/59.jpg)
[2] What Is Necessary?
3. Monitor URL
Hook Constructor
![Page 60: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/60.jpg)
[2] What Is Necessary?
3. Monitor URL
Hook Constructor
![Page 61: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/61.jpg)
[2] What Is Necessary?
4. Monitor URI
Hook Constructor
![Page 62: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/62.jpg)
Demo
![Page 63: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/63.jpg)
Interested in This? Join Me!
![Page 64: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/64.jpg)
Next Part
![Page 65: Android Security Development - Part 2: Malicious Android App Dynamic Analyzing System](https://reader033.vdocuments.site/reader033/viewer/2022051016/55a5230f1a28aba8348b48b9/html5/thumbnails/65.jpg)
Malicious Android App Static Analysis