Quick and Easy Android Malware Analysis - Part 2 Beginning Analysis - Let's see what it does

In the previous post I covered how to get an Android image running in an emulator and how to install the malicious APK to the device. This post will focus on performing some basic dynamic analysis of the APK in the emulator.

The first thing we need to do is start our device. I've found the best way to do this that allows me to save the network traffic is with the command line tool 'emulator'. If you type 'emulator -help' you will get a ton of arguments which this command takes but thankfully for us we only need a few of them. We start our device with the command emulator -avd  MyDevice -qemu -tcpdump traffic.pcap. This will start the device and save out a pcap of the network connections to the file specified.

TestAndroid - Galaxy Nexus Android v4.2.1 
Now its time to get to work. I pulled done a sample from VirusTotal that I've worked with before which is called MisoSMS. This malware was found targeting users in Asia and FireEye did a good writeup on it a while ago which you can read here. Its main purpose is to steal SMS messages from a device and send them back to servers in China.

Getting Dirty

Some people would start with static analysis but in our case lets just see what it does so we can get used to using some of the Android SDK tools and how they can help us. First we will need to due a little bit of static analysis in order to know what our APK will be called when installed. We will use the aapt for this which can be found in the Android SDK build-tools directory. Just follow their instructions and you should be good to go. our APK installed and then once it is installed we can run it.

Installing the APK is really easy with the adb tool provided with the Android SDK. 
1. Find device (Only needed if you have more than one running at a time): adb devices
$ adb devices
List of devices attached

emulator-5556 device
2. Install APK
$ adb install misoSMS.apk 
[100%] /data/local/tmp/misoSMS.apk
pkg: /data/local/tmp/misoSMS.apk
Success

rm failed for -f, Read-only file system
3. Now that we have the APK install we can go to our TestAndroid device and play around with MisoSMS.

Finding the installed APK took a little bit of work as it doesn't come right out and state its malware name. What we do see is a new app called 'Sec Policy' and so lets open it and see what it does.
MisoSMS installed as 'Sec Policy'
It asks us to activate a device administrator so lets say activate. 
Why not what bad could happen
Now that the app is started we can see that it doesn't seem to do much.
MisoSMS Started
Clicking on the settings doesn't launch anything either so it would appear to the end user that the application is broken. But when we close out of it and go back to our install apps screen we no longer see it. Where did it go??
No More MisoSMS
But if we go to our Running Apps we still see it.
There you are you sneak
Since we know this malicious steals SMS lets send a few and see if we can see them being sent over through traffic. 
Sending texts
Once we have done that we can kill our emulator and check our pcap for data. From reviewing the data I did not see our texts being stolen but did see some DNS queries for domains that I'm sure I didn't lookup. Here is a screenshot from Wireshark showing a few of them. That was about it in the cap and I know this outcome was a little boring but hopefully the next posts will tickle your fancy.
DNS Queries for weird domains

Conclusion

Hopefully someone gains some useful knowledge out of this post as I enjoyed writing it. The next post we will get a little more into the APK with some other tools to dig a little bit deeper into what it does and how it works. So stay tuned.

Comments

Popular posts from this blog

And now for something completely different...

Well I guess it's time to start this back up.

Been awhile hasn't it.