Quick and Easy Android Malware Analysis - Part 1 Getting Started

Over the last year I have been performing research on mobile devices. My last job had me analyzing the security of Android applications, and recently my new job has drawn on that experience to help someone analyze some Android malware. First we did some research on potential solutions that could help automate analysis, or at least do some type of dynamic analysis, and that is where I stumbled onto CuckooDroid (https://github.com/idanr1986/cuckoo-droid).
After a day or two of messing with CuckooDroid I decided that it was a little overkill for what I needed to do, which was grab a PCAP of the traffic. In one of my next posts I'll cover setting it up, but for now here is what you need to do if you want to do a quick and easy analysis of an Android malware sample.

1) Install Android Studio (http://developer.android.com/sdk/installing/index.html)
2) Use the SDK Manager to install the SDKs and Images to work for the malware you are going to be analyzing.


3) Create a new Android Image using the AVD Manager.

4) After creating the image we can move on to the actual analysis.
5) Once the image is up and running you can use adb to connect to it and perform different actions.

ADB stands for Android Debug Bridge; it lets you perform various actions such as installing/uninstalling an APK or redirecting network traffic from the emulated device to your host system. Our main use will be to install our malware sample, which can be done with the command adb install /Path/to/apk.


6) So here are the steps to install our malicious APK.
  1. List available devices: adb devices
  2. Target the emulator by the serial shown in that list (adb's -s option; -d would select a USB-attached device instead): adb -s emulator-5220
  3. Install our malicious APK on that device: adb -s emulator-5220 install bad.apk

7) Now the fun part. You can now start playing around with the malware in the emulator to see what it does. 

In the next post, I'll start to cover what kind of analysis you can do now that you have the APK installed and what kind of information you should be looking for. Also, you can start your image using the emulator command. We will cover this in another post, since it is extremely helpful: we can tell it to write a traffic dump of all network traffic.
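The device-selection and install steps above, wrapped in a small POSIX shell script as an added example (not from the original post). It assumes adb and the SDK's emulator binary are on PATH, that one AVD is booted, and that the APK path and AVD name are placeholders you replace; the `adb devices` listing embedded at the bottom is constructed for offline checking.

```shell
#!/bin/sh
# Added example: pick the booted emulator's serial out of `adb devices` and install
# the sample against that serial, then (optionally) boot the AVD with a packet capture.

# Print serials of the form emulator-NNNN whose state column is "device" (fully booted).
# Reads the text of `adb devices` on stdin so it can be exercised without a running adb.
emulator_serials() {
    awk '$1 ~ /^emulator-[0-9]+$/ && $2 == "device" { print $1 }'
}

# Number of booted emulators in an `adb devices` listing (offline devices are ignored).
count_emulators() {
    emulator_serials | wc -l | tr -d ' '
}

# Install an APK on the first booted emulator; fails loudly if none is up.
install_sample() {
    apk="$1"
    serial="$(adb devices | emulator_serials | head -n 1)"
    if [ -z "$serial" ]; then
        echo "no booted emulator found; start the AVD first" >&2
        return 1
    fi
    # -s targets one device by serial; -r allows reinstalling an updated build of the sample.
    adb -s "$serial" install -r "$apk"
}

# Start an AVD with the emulator's -tcpdump option, which writes every packet the guest
# sends or receives to the given pcap file (the traffic dump mentioned in the post).
start_avd_with_capture() {
    avd_name="$1"
    pcap_out="$2"
    emulator -avd "$avd_name" -tcpdump "$pcap_out" &
}

# Constructed sample of `adb devices` output: one booted emulator, one still offline,
# and one USB-attached phone that must not be selected.
SAMPLE_DEVICES='List of devices attached
emulator-5554   device
emulator-5556   offline
0123456789ABCDEF   device
'

# Usage (placeholders): start_avd_with_capture "MALWARE_AVD" "sample.pcap"; install_sample "/path/to/sample.apk"
```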
