Quick and Easy Android Malware Analysis - Part 2 Beginning Analysis - Let's see what it does

In the previous post I covered how to get an Android image running in an emulator and how to install the malicious APK to the device. This post will focus on performing some basic dynamic analysis of the APK in the emulator.

The first thing we need to do is start our device. The best way I've found to do this while also saving the network traffic is the command line tool 'emulator'. If you type 'emulator -help' you will get a ton of arguments this command takes, but thankfully we only need a few of them. We start our device with the command emulator -avd MyDevice -tcpdump traffic.pcap. The -tcpdump option is an option of the emulator itself (it does not need to be passed through with -qemu); it starts the device and writes a pcap of the device's network traffic to the file specified. Keep in mind that the capture only contains IP traffic, so emulator-side events such as SMS never appear in it, only whatever the malware does with them over the network.

TestAndroid - Galaxy Nexus Android v4.2.1 
Now it's time to get to work. I pulled down a sample from VirusTotal that I've worked with before, called MisoSMS. This malware was found targeting users in Asia, and FireEye did a good writeup on it a while ago which you can read here. Its main purpose is to steal SMS messages from a device and send them back to servers in China.

Getting Dirty

Some people would start with static analysis, but in our case let's just see what it does so we can get used to some of the Android SDK tools and how they can help us. First we need a small amount of static analysis to know what our APK will be called once it is installed. We use aapt for this, which can be found in the Android SDK build-tools directory: aapt dump badging misoSMS.apk prints the application label along with the package name, the launcher activity and the permissions the app requests, which are worth noting down before the app runs. With that done we get our APK installed, and once it is installed we can run it.

Installing the APK is really easy with the adb tool provided with the Android SDK.
1. Find the device (only needed if you have more than one running at a time; if you do, add -s emulator-5556 to each adb command that follows): adb devices
$ adb devices
List of devices attached

emulator-5556 device
2. Install the APK:
$ adb install misoSMS.apk
[100%] /data/local/tmp/misoSMS.apk
pkg: /data/local/tmp/misoSMS.apk
Success

rm failed for -f, Read-only file system
The 'Success' line is the one that matters. The 'rm failed' line is adb failing to clean up its temporary copy of the APK on the device (the old toolbox rm on these images treats -f as a filename); the install itself is fine.
3. Now that we have the APK installed we can go to our TestAndroid device and play around with MisoSMS.

Finding the installed APK took a little bit of work, as it doesn't come right out and state its malware name. What we do see is a new app called 'Sec Policy', so let's open it and see what it does.
MisoSMS installed as 'Sec Policy'
It asks us to activate a device administrator, so let's say activate. Device administrator rights are a common persistence trick: an app that holds them cannot be uninstalled until the user first deactivates it under Settings > Security > Device administrators, which most victims never think to do.
Why not what bad could happen
Now that the app is started we can see that it doesn't seem to do much.
MisoSMS Started
Clicking on the settings doesn't launch anything either, so to the end user the application would appear to be broken. But when we close it and go back to our installed apps screen we no longer see it. Where did it go? Disabling its own launcher activity through the package manager is the usual way an app hides its icon like this; the package itself is still installed, and adb shell pm list packages will still list it.
No More MisoSMS
But if we go to our Running Apps we still see it.
There you are you sneak
Since we know this malware steals SMS, let's send a few and see if we can spot them going out over the network.
Sending texts
Once we have done that we can kill our emulator and check our pcap for data. Reviewing the data, I did not see our texts being stolen, but I did see some DNS queries for domains that I'm sure I didn't look up. Here is a screenshot from Wireshark showing a few of them. That was about it in the cap. Two caveats before reading that as 'the sample is dead': a stealer that hooks incoming messages through an SMS broadcast receiver never sees texts composed on the device, so injecting an incoming message through the emulator console (adb emu sms send <number> <text>) is the better trigger; and DNS queries with no follow-on TCP connection usually mean the name did not resolve, which is common when the infrastructure behind an old sample is gone. I know this outcome was a little boring, but hopefully the next posts will tickle your fancy.
DNS Queries for weird domains
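The whole procedure above (badging lookup, install, launch, trigger an SMS, check the pcap) fits in one small script. This is an added example, not code from the original post or from the MisoSMS writeup: the parsing helpers read real aapt dump badging output, but the package name, activity name and phone number used in the sample data are constructed for the demo and are not MisoSMS's identifiers. The run_sample and pcap_dns_queries functions assume a running emulator started with -tcpdump, the SDK tools on PATH, and tshark for the pcap step; the helpers themselves run offline against the embedded sample.

```shell
#!/bin/sh
# Added example (not from the original post): automate the dynamic-analysis
# steps. The parsing helpers each read `aapt dump badging` output on stdin.
# SAMPLE_BADGING at the bottom is constructed test data, not real MisoSMS output.

# package: name='com.example.app' versionCode='1' versionName='1.0'
badging_package() {
    sed -n "s/^package: name='\([^']*\)'.*/\1/p"
}

# application-label:'Sec Policy'
badging_label() {
    sed -n "s/^application-label:'\([^']*\)'.*/\1/p"
}

# launchable-activity: name='com.example.app.Main'  label='...' icon='...'
badging_launch_activity() {
    sed -n "s/^launchable-activity: name='\([^']*\)'.*/\1/p"
}

# Newer aapt prints  uses-permission: name='android.permission.X'
# older aapt prints  uses-permission:'android.permission.X'
badging_permissions() {
    sed -n "s/^uses-permission:\( name=\)\{0,1\}'\([^']*\)'.*/\2/p" | sort -u
}

# The permissions an SMS stealer actually needs; anything else is noise here.
badging_sms_permissions() {
    badging_permissions | grep -E '^android\.permission\.(READ_SMS|RECEIVE_SMS|SEND_SMS)$'
}

# Install the sample, launch the activity a victim would tap, inject one
# incoming SMS through the emulator console (the hook most stealers use is on
# received messages, not sent ones), then confirm the package is still
# installed and running even after it hides its launcher icon.
run_sample() {
    apk="$1"
    badging=$(aapt dump badging "$apk")
    pkg=$(printf '%s\n' "$badging" | badging_package)
    act=$(printf '%s\n' "$badging" | badging_launch_activity)
    echo "label:    $(printf '%s\n' "$badging" | badging_label)"
    echo "package:  $pkg"
    echo "launcher: $act"
    echo "SMS-related permissions:"
    printf '%s\n' "$badging" | badging_sms_permissions || echo "  (none)"
    adb install -r "$apk"
    adb shell am start -n "$pkg/$act"
    sleep 5
    adb emu sms send 5551234 "test message for the stealer"   # made-up number
    sleep 5
    adb shell pm list packages | grep "$pkg"
    adb shell ps | grep "$pkg"
}

# After killing the emulator: every name queried (responses excluded),
# most frequent first, so odd C2 lookups stand out from Google's own traffic.
pcap_dns_queries() {
    tshark -r "$1" -Y 'dns.flags.response == 0' -T fields -e dns.qry.name \
        | sort | uniq -c | sort -rn
}

# Constructed badging output so the helpers can be exercised without aapt.
SAMPLE_BADGING="package: name='com.example.secpolicy' versionCode='1' versionName='1.0'
application-label:'Sec Policy'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
launchable-activity: name='com.example.secpolicy.MainActivity'  label='Sec Policy' icon=''"

if [ "$#" -ge 1 ]; then
    run_sample "$1"                          # ./analyse.sh misoSMS.apk [traffic.pcap]
    [ "$#" -ge 2 ] && pcap_dns_queries "$2"
else
    printf '%s\n' "$SAMPLE_BADGING" | badging_package
    printf '%s\n' "$SAMPLE_BADGING" | badging_sms_permissions
fi
```

Run it with the APK as the first argument while the emulator (started with -tcpdump) is up, then again with the pcap as the second argument after the emulator has been killed; with no arguments it only parses the embedded sample. The am start line relies on the badging activity name being fully qualified, which aapt always prints, so the package/activity form works without guessing.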

Conclusion

Hopefully someone gains some useful knowledge from this post, as I enjoyed writing it. In the next post we will get further into the APK with some other tools to dig deeper into what it does and how it works. So stay tuned.
