LA2600
LA2600.org
Android Malware Analysis with the Android Reverse Engineering (A.R.E.) VM
Jimmy Shah
Android Reverse Engineering(A.R.E.) VM
● VM from the Honeynet Project
● Includes a full set of tools for reverse engineering Android apps
● Conversion tools
  – Dex2jar
    ● classes.dex → classes.dex.dex2jar.jar
  – AXMLPrinter2.jar
    ● binary XML → human-readable XML
● Disassembler
  – Baksmali
    ● Dalvik bytecode → Jasmin-like assembly language
● GUI
  – APKInspector
    ● GUI that includes baksmali, dex2jar, APKtool
Android Reverse Engineering(A.R.E.) VM, cont.
● More tools
  ● Conversion tools
    – APKTool
      ● Decodes the binary manifest and resources, disassembles classes.dex to smali, and can rebuild the APK afterwards
  ● smali/baksmali
    – Baksmali
      ● Disassembler: Dalvik bytecode → Jasmin-like assembly language
    – Smali
      ● Assembler: the reverse direction, .smali → classes.dex
Android for Reverse Engineers
Android for Reverse Engineers
● Android apps are distributed as APKs (zip files) – what's inside?
● Files
  – AndroidManifest.xml
    ● Stored as binary XML
    ● Permissions requested
    ● Registered intents (intent filters)
    ● Entry points (the app's declared components)
  – classes.dex
    ● Bytecode for the Dalvik VM
    ● All of the app's code is in the classes.dex file
  – resources.arsc
    ● Compiled resource table
Android for Reverse Engineers, cont.
● Android apps are distributed as APKs (zip files) – what's inside?
● Directories
  – META-INF
    ● Signer certificate (public key) in CERT.RSA (or CERT.DSA)
    ● MANIFEST.MF: a digest of every file in the APK; CERT.SF: digests of the manifest, signed with the signer's key
  – res
    ● Images, strings, etc.
  – assets
    ● Libraries
    ● Other executables
    ● Other JARs
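The two slides above describe the APK layout and the role of META-INF. The following is an added example (not code from the talk or from the A.R.E. VM) that opens an APK-shaped zip, buckets its entries by the roles listed above, and checks each entry against the digests in META-INF/MANIFEST.MF. The fixture APK is constructed in memory: its entries are magic-byte placeholders, not a real app, and CERT.SF/CERT.RSA are placeholders because only the v1 digest table is exercised. The `lib/` directory is added because native libraries normally live there; it is not on the slide.

```python
import base64
import hashlib
import io
import zipfile


def build_sample_apk() -> bytes:
    """Constructed fixture: an in-memory zip laid out like an APK. Entry contents
    are magic-byte placeholders, not a real app."""
    entries = {
        "AndroidManifest.xml": b"\x03\x00\x08\x00" + b"\x00" * 12,  # binary XML header
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,              # Dalvik bytecode
        "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 8,        # resource table
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
        "assets/update.jar": b"PK\x03\x04",                         # nested JAR
        "lib/armeabi/libhelper.so": b"\x7fELF",                     # native library
    }
    # v1 (JAR) signing: MANIFEST.MF digests every entry, CERT.SF digests the
    # manifest, CERT.RSA signs CERT.SF. The signature blob here is a placeholder.
    manifest = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest))
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


def inventory(apk: bytes) -> dict:
    """Bucket the zip entries by the roles listed on the slides."""
    buckets = {k: [] for k in ("manifest", "dex", "arsc", "res", "assets", "lib", "META-INF", "other")}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            top = name.split("/", 1)[0]
            key = ("manifest" if name == "AndroidManifest.xml" else "dex" if name.endswith(".dex")
                   else "arsc" if name == "resources.arsc" else top if top in buckets else "other")
            buckets[key].append(name)
    return buckets


def parse_manifest_mf(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF into {entry name: {attribute: value}}.
    Lines wrap at 72 bytes; a continuation line starts with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:
        if not line:                          # blank line closes a section
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return sections


def verify_manifest_digests(apk: bytes) -> dict:
    """Check every non-META-INF entry against its MANIFEST.MF digest. Only the
    digest table is checked: not the CERT.SF/CERT.RSA signature, and not the
    newer APK Signature Scheme (v2+) block."""
    result = {"ok": [], "mismatch": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        sections = parse_manifest_mf(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in z.infolist():
            name = info.filename
            if name.startswith("META-INF/") or info.is_dir():
                continue
            attrs = sections.get(name)
            if attrs is None:
                result["unlisted"].append(name)
                continue
            data = z.read(name)
            if "SHA-256-Digest" in attrs:
                expected, actual = attrs["SHA-256-Digest"], hashlib.sha256(data).digest()
            else:
                expected, actual = attrs.get("SHA1-Digest", ""), hashlib.sha1(data).digest()
            result["ok" if base64.b64decode(expected) == actual else "mismatch"].append(name)
    return result


def replace_entry(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite one entry without touching META-INF: what a repackaged sample
    looks like when whoever modified it did not re-sign."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return out.getvalue()
```

A digest mismatch or an unlisted entry means the APK was modified after signing (a repackaged sample, or a packer that forgot to re-sign); a clean digest table on its own proves nothing about who signed it, since that needs the CERT.RSA check this example does not do.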
Android for Reverse Engineers, cont.
Java vs. Android (diagram)
  Java:    .java → javac → .class files (one of them holds main()) → JAR
  Android: the same .class files → dx → a single classes.dex → APK (no main(); entry points come from the manifest)
● Processing a suspicious sample
  1) Get sample
  2) Begin analysis
    ● Static
      – Identify known and "active" files
      – File formats: executables, data files, archives
      – "Active" files: executables and any other file that can have an effect on the system
    ● Dynamic
      – Run in an Android VM
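The static step above, identifying file formats and picking out the "active" files, as an added example (not the talk's own tooling). It classifies each file by magic bytes rather than by name, so a classes.dex renamed to something harmless is still caught, and it opens archives recursively because a JAR in assets/ is only as harmless as what it contains. The magic table and the fixture APK are constructed for the example; the depth limit and the corrupt-archive branch are assumptions about what a triage script should do with input it cannot fully expand.

```python
import io
import zipfile

# Magic-byte signatures. The "active" flag marks formats that can execute or
# carry code; a zip/jar (None) is decided by what it contains.
MAGICS = [
    (b"dex\n", "dex", True),                 # Dalvik bytecode
    (b"\x7fELF", "elf", True),               # native library or executable
    (b"#!", "script", True),                 # shell script
    (b"PK\x03\x04", "zip", None),            # zip / jar / apk: inspect members
    (b"\x03\x00\x08\x00", "axml", False),    # Android binary XML
    (b"\x02\x00\x0c\x00", "arsc", False),    # compiled resource table
    (b"\x89PNG", "png", False),
]
MAX_DEPTH = 3   # stop expanding nested archives beyond this (zip bombs, loops)


def identify(data: bytes):
    """Return (kind, active) for one file based on its leading bytes."""
    for magic, kind, active in MAGICS:
        if data.startswith(magic):
            return kind, active
    return "data", False


def triage(path: str, data: bytes, depth: int = 0):
    """Yield (path, kind, active) for one file and, recursively, for archive
    members. Nested paths use '!' as separator: archive!member."""
    kind, active = identify(data)
    if kind != "zip":
        yield path, kind, active
        return
    if depth >= MAX_DEPTH:
        yield path, "zip (depth limit, not expanded)", True   # unknown content: treat as active
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = [(i.filename, z.read(i)) for i in z.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        yield path, "zip (corrupt)", True                      # cannot rule it out
        return
    rows = []
    for name, blob in members:
        rows.extend(triage(f"{path}!{name}", blob, depth + 1))
    yield path, kind, any(a for _, _, a in rows)               # archive is active if any member is
    yield from rows


def active_files(path: str, data: bytes) -> list:
    """Paths of everything that needs to go through disassembly/decompilation."""
    return [p for p, _, a in triage(path, data) if a]


def build_triage_fixture() -> bytes:
    """Constructed fixture: an APK-shaped zip whose assets/ hides a JAR carrying
    a second classes.dex and a shell script. Contents are placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as j:
        j.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 8)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("assets/config.txt", b"server=example.invalid\n")
        z.writestr("assets/update.jar", inner.getvalue())
        z.writestr("assets/root.sh", b"#!/system/bin/sh\nid\n")
        z.writestr("lib/armeabi/libhelper.so", b"\x7fELF" + b"\x00" * 12)
    return outer.getvalue()


if __name__ == "__main__":
    for p, kind, active in triage("sample.apk", build_triage_fixture()):
        print("%-48s %-30s %s" % (p, kind, "ACTIVE" if active else ""))
```

The output is the worklist for the rest of the static pass: every ACTIVE row is something to feed to baksmali, dex2jar or a native disassembler, and a nested archive that turns out active is worth unpacking and analysing as a sample in its own right.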
What's in the A.R.E.?
Overview – GNU strings
● You need strings; use strings.
● ASCII is the default; Unicode takes an option
  – '-el' scans for 16-bit little-endian (UTF-16LE) strings
● Why?
  – Function calls
  – Interesting strings
    ● Messages
    ● Errors
    ● Debug
    ● To analysts/press/etc.
    ● Shout-outs
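What the default scan and the '-el' scan each find, and a first pass over the output, as an added example (not from the talk). The two extractors mirror GNU strings' ASCII and 16-bit little-endian modes; the tagging patterns are assumptions about what is usually worth reading first in an Android sample (URLs, permission names, Dalvik type descriptors, short numbers, sentence-like messages). The sample blob is constructed: a dex string pool is MUTF-8, so the default scan finds those strings, while the one UTF-16LE string at the end is invisible without the 16-bit scan.

```python
import re


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Default `strings` behaviour: runs of printable 7-bit characters."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """`strings -el` behaviour: printable characters each followed by a NUL byte."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


# First-pass tags. These patterns are assumptions about what usually matters,
# not a fixed list; the first match wins.
TAGS = [
    ("url", re.compile(r"https?://[^\s\"']+")),
    ("permission", re.compile(r"android\.permission\.[A-Z_]+")),
    ("class", re.compile(r"L[A-Za-z_$][\w$/]*;")),                 # Dalvik type descriptor
    ("phone", re.compile(r"(?<![\w/])\+?\d{4,15}(?![\w/])")),      # short codes / numbers
    ("message", re.compile(r"[A-Z][a-z]+(?: [a-z]+){3,}[.!?]?")),  # sentence-like text
]


def tag_strings(strings: list) -> list:
    """Return (tag, string) pairs for the strings that match a pattern."""
    out = []
    for s in strings:
        for tag, pat in TAGS:
            if pat.search(s):
                out.append((tag, s))
                break
    return out


def dump(data: bytes, min_len: int = 4) -> dict:
    """Both encodings in one pass, with the interesting strings tagged."""
    found = {"ascii": ascii_strings(data, min_len), "utf16le": utf16le_strings(data, min_len)}
    found["tagged"] = tag_strings(found["ascii"] + found["utf16le"])
    return found


# Constructed sample blob: a few MUTF-8/ASCII strings as they sit in a dex
# string pool, some padding, and one UTF-16LE string a plain `strings` misses.
SAMPLE = (
    b"\x00\x05Lcom/example/sms/Sender;\x00"
    b"\x00android.permission.SEND_SMS\x00\xff\xfe"
    b"http://c2.example.invalid/report.php\x00"
    b"\x00\x01\x02\x03"
    b"Unable to connect to the server\x00"
    b"3354\x00\x00\x00"
    + "Greetz to the whole crew".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    for tag, s in dump(SAMPLE)["tagged"]:
        print(f"{tag:11} {s}")
```

Run both scans on every active file, not just classes.dex: a native library or a dropped JAR has its own string tables, and the 16-bit scan on a file that is mostly ASCII costs nothing.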
Conversion - AXMLPrinter2
● Java tool that converts Android binary XML (the compiled AndroidManifest.xml, also layouts under res/) to human-readable XML
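To show what AXMLPrinter2 is undoing, here is an added example (not AXMLPrinter2's code, nor from the talk) that reads the binary XML format directly and pulls out the two things an analyst checks first: the package name and the uses-permission entries. It parses the chunk headers, the string pool (UTF-16 or UTF-8) and the start-element chunks, and skips any other chunk type by its declared size. The fixture manifest is constructed in memory with no namespace or resource-map chunks; attributes are keyed by local name only, so `android:name` shows up as `name`, which is an assumption that a real manifest with several namespaces may not honour.

```python
import struct

RES_STRING_POOL_TYPE = 0x0001
RES_XML_TYPE = 0x0003
RES_XML_START_ELEMENT_TYPE = 0x0102
RES_XML_END_ELEMENT_TYPE = 0x0103
UTF8_FLAG = 1 << 8
TYPE_STRING = 0x03
NO_INDEX = 0xFFFFFFFF


def chunk(ctype: int, header_extra: bytes, body: bytes) -> bytes:
    """ResChunk_header (type, headerSize, size) + header fields + chunk body."""
    hsize = 8 + len(header_extra)
    return struct.pack("<HHI", ctype, hsize, hsize + len(body)) + header_extra + body


def parse_string_pool(data: bytes, off: int) -> list:
    """Decode a ResStringPool chunk, UTF-16 (default) or UTF-8 (flag bit 8)."""
    _, hsize, _, count, _, flags, strings_start, _ = struct.unpack_from("<HHIIIIII", data, off)
    offsets = struct.unpack_from("<%dI" % count, data, off + hsize)
    base, strings = off + strings_start, []
    for o in offsets:
        p = base + o
        if flags & UTF8_FLAG:
            p += 2 if data[p] & 0x80 else 1            # skip the char-count field
            n = data[p]                                # byte length, 1 or 2 bytes
            n, p = (((n & 0x7F) << 8) | data[p + 1], p + 2) if n & 0x80 else (n, p + 1)
            strings.append(data[p:p + n].decode("utf-8"))
        else:
            n, p = struct.unpack_from("<H", data, p)[0], p + 2   # length in UTF-16 code units
            if n & 0x8000:
                n, p = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", data, p)[0], p + 2
            strings.append(data[p:p + 2 * n].decode("utf-16-le"))
    return strings


def extract_manifest(data: bytes) -> dict:
    """Walk the chunk tree for the package name and uses-permission entries.
    Chunk types not modelled here (namespaces, resource map, CDATA) are
    skipped by size, so a real manifest still parses."""
    ctype, hsize, total = struct.unpack_from("<HHI", data, 0)
    if ctype != RES_XML_TYPE:
        raise ValueError("not Android binary XML")
    out, strings, off = {"package": None, "permissions": [], "elements": []}, [], hsize
    while off < total:
        ctype, chsize, csize = struct.unpack_from("<HHI", data, off)
        if ctype == RES_STRING_POOL_TYPE:
            strings = parse_string_pool(data, off)
        elif ctype == RES_XML_START_ELEMENT_TYPE:
            ext = off + chsize                                    # ResXMLTree_attrExt
            _, name, attr_start, attr_size, attr_count = struct.unpack_from("<IIHHH", data, ext)
            tag, attrs = strings[name], {}
            for i in range(attr_count):
                _, aname, raw, _, _, vtype, vdata = struct.unpack_from(
                    "<IIIHBBI", data, ext + attr_start + i * attr_size)
                attrs[strings[aname]] = strings[raw] if vtype == TYPE_STRING else vdata
            out["elements"].append(tag)
            if tag == "manifest":
                out["package"] = attrs.get("package")
            elif tag == "uses-permission":
                out["permissions"].append(attrs.get("name"))
        off += csize
    return out


def build_sample_manifest() -> bytes:
    """Constructed fixture: a minimal binary AndroidManifest.xml with a UTF-16
    string pool and no namespace or resource-map chunks."""
    pool = ["manifest", "package", "com.example.sample", "uses-permission", "name",
            "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"]
    idx = {s: i for i, s in enumerate(pool)}
    blobs = [struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00" for s in pool]
    offsets = [sum(len(b) for b in blobs[:i]) for i in range(len(blobs))]
    pool_chunk = chunk(RES_STRING_POOL_TYPE,
                       struct.pack("<IIIII", len(pool), 0, 0, 28 + 4 * len(pool), 0),
                       struct.pack("<%dI" % len(pool), *offsets) + b"".join(blobs))

    def start(tag, attrs):                      # attrStart = attrSize = 20 bytes
        body = struct.pack("<IIHHHHHH", NO_INDEX, idx[tag], 20, 20, len(attrs), 0, 0, 0)
        for k, v in attrs.items():
            body += struct.pack("<IIIHBBI", NO_INDEX, idx[k], idx[v], 8, 0, TYPE_STRING, idx[v])
        return chunk(RES_XML_START_ELEMENT_TYPE, struct.pack("<II", 1, NO_INDEX), body)

    def end(tag):
        return chunk(RES_XML_END_ELEMENT_TYPE, struct.pack("<II", 1, NO_INDEX),
                     struct.pack("<II", NO_INDEX, idx[tag]))

    body = (pool_chunk
            + start("manifest", {"package": "com.example.sample"})
            + start("uses-permission", {"name": "android.permission.SEND_SMS"}) + end("uses-permission")
            + start("uses-permission", {"name": "android.permission.READ_CONTACTS"}) + end("uses-permission")
            + end("manifest"))
    return chunk(RES_XML_TYPE, b"", body)


if __name__ == "__main__":
    print(extract_manifest(build_sample_manifest()))
```

The first check is the magic: a manifest that starts with `<?xml` is plain text (already decoded, or never compiled), while `03 00 08 00` is the binary form that needs AXMLPrinter2 or a parser like this one.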
Decompilers - JAD
● Java Decompiler
● Feed it a JAR and get back decompiled .java source code.
● One of the few currently available java decompilers
● Useful but may no longer be updated by the author.
● Fails on some JAR files, classes
● Easy to run
Decompilers - ded
● Android decompiler
● Newer academic project designed specifically for mobile apps
● Optionally uses the Soot Java optimization framework to provide better results
● Combines translation to JVM bytecode, optimization and decompilation in one pipeline
● Takes a while, but the success rate is higher than that of other tools
VM - DroidBox
● Instrumented Android VM
● Monitors
  – Network activity
    ● Opened connections
    ● Outgoing traffic
    ● Incoming traffic
  – DexClassLoader (code loaded at runtime)
  – Broadcast receivers
  – Started services
  – Enforced permissions
  – Permissions bypassed
  – Information leakage
  – Sent SMS
  – Phone calls
VM - DroidBox, cont.
● Running the VM
  – ./startemu.sh Android21
  – ./droidbox.sh <sample.apk>
  – Ctrl-C to end logging/analysis
GUI - APKInspector
● Useful for analyzing APKs in one place
● Static analysis only
  – Strings, methods, disassembly, CFGs, etc.