Quick and Easy Android Malware Analysis - Part 1 Getting Started

Over the last year I have been performing research on mobile devices. My last job had me analyzing the security of Android applications and recently I found my new job drawing on my past experience to help someone analyze some Android malware. First we started to do some research on potential solutions that could help automate analysis or at least do some type of dynamic analysis and that is were I stumbled onto CuckooDroid (https://github.com/idanr1986/cuckoo-droid).
After a day or two of  messing with CuckooDroid I decided that it was a little overkill for what I needed to do which was grab a PCAP of the traffic. In one of my next post I'll cover setting it up but for now here is what you need to do if you want to do a quick and easy analysis of an Android malware sample. 

1) Install Android Studio (http://developer.android.com/sdk/installing/index.html)
2) Use the SDK Manager to install the SDKs and Images to work for the malware you are going to be analyzing.


3) Create a new Android Image using the AVD Manager.

4) After creating the image we can move onto actually analysis. 
5) Once the image up and running you can use adb to connect to the image to perform different actions. 

ADB stands for Android Debug Bridge and it allows you the ability to perform various actions such as install/uninstall an APK or redirect network traffic from the emulated device to your host system. Our main use will be to install our malware sample. This can be done using the command adb install /Path/to/apk.


6) So here is the steps to install our malicious APK. 
  1. List available devices: adb devices
  2. Connect to the device: adb -d emulator-5220
  3. Install our malicious APK: adb install bad.apk

7) Now the fun part. You can now start playing around with the malware in the emulator to see what it does. 

In the next post, I'll start to cover what kind of analysis you can do now that you have the APK installed and what kind of information you should be looking for. Also, you can start your image using the emulator command. We will cover this in another post since it is extremely help as we can tell it to write a traffic dump of all network traffic.

Comments

Popular posts from this blog

And now for something completely different...

Well I guess it's time to start this back up.

Been awhile hasn't it.