What is considered malicious for an APK?

It's been a few months since my last post and I thought that a post about what items might be considered suspicious in an APK would be good to have. There are only two main items that I can think of, but they should give a researcher an idea of when they might need to reverse an application to figure out exactly what it is doing.

Permissions
In order for an application to access certain features of an Android device it must request the corresponding permission in its manifest. For example, if an application wants to send SMS it must request the SEND_SMS permission. On Android 5.1 and earlier every permission was granted at install time: the user saw the full list once, had to accept all of it or not install the app, and the application never asked again while running. Since Android 6.0 (API level 23), applications that target that level request "dangerous" permissions (contacts, SMS, location and the like) at runtime, so the prompt can come well after install; the set of permissions the app is allowed to ask for is still fixed by the manifest. Either way, it is dangerous to grant access to an application when you do not know what it is actually requesting.

Permissions are a good place to start when trying to figure out whether an application has malicious functionality. For example, a simple game might legitimately need INTERNET, which lets it open network sockets, but what if it also requests READ_CONTACTS? That is worth a closer look: why would a simple game need to read my contacts?

You can find the permissions an application requests in its AndroidManifest.xml, as uses-permission elements. Note that the manifest inside an APK is stored as binary XML, so decode it first (apktool decodes the whole APK; aapt dump permissions app.apk prints just the permission list). Also, here are a few links to the Android Developer's site to help figure out what each permission does.

https://developer.android.com/guide/topics/permissions/requesting.html
https://developer.android.com/reference/android/Manifest.permission.html
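The check described above, as a small script (example code added to this post, not a tool from the original). It takes a decoded AndroidManifest.xml, lists every requested permission, and flags the ones that do not fit the kind of app you think you are looking at. The SENSITIVE watchlist, the "game" profile and the sample manifest are illustrative choices made for this example, not anything Android itself defines.

```python
"""Permission triage for a decoded AndroidManifest.xml.

The manifest inside an APK is binary XML, so decode it first, e.g.:
    apktool d app.apk               # writes app/AndroidManifest.xml as text
    aapt dump permissions app.apk   # or just list the permissions
This script reads the decoded XML, lists every requested permission, and
flags the ones a given kind of app has no business asking for.
Example code for this post; the watchlist and the "game" profile are
illustrative choices, not an Android-defined classification.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS   # android:name, as ElementTree sees it

# Permissions that expose personal data, messaging or device control.
# Illustrative watchlist; extend it for your own triage.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_SMS": "reads stored text messages",
    "android.permission.RECEIVE_SMS": "sees incoming SMS (OTP interception)",
    "android.permission.SEND_SMS": "sends SMS (premium-rate fraud)",
    "android.permission.READ_CALL_LOG": "reads call history",
    "android.permission.RECORD_AUDIO": "records from the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.READ_PHONE_STATE": "reads phone number / device IDs",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (overlay phishing)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further APKs",
}

# What a given category of app can plausibly justify. Illustrative profile.
EXPECTED = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.VIBRATE",
        "android.permission.WAKE_LOCK",
    },
}


def requested_permissions(manifest_xml):
    """Return the permission names declared with <uses-permission>
    (and <uses-permission-sdk-23>), in manifest order."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME_ATTR)
            if name:
                perms.append(name)
    return perms


def triage(manifest_xml, profile="game"):
    """Return (unexpected, flagged): permissions outside the profile, and
    the subset that is on the watchlist, with a one-line reason each."""
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(p for p in perms if p not in EXPECTED[profile])
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    return unexpected, flagged


# Constructed sample: the "simple game" from the post, after decoding.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simplegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Simple Game"/>
</manifest>
"""

if __name__ == "__main__":
    # Usage: python triage.py app/AndroidManifest.xml   (defaults to the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    unexpected, flagged = triage(xml_text, "game")
    print("requested:", ", ".join(requested_permissions(xml_text)))
    for p in unexpected:
        print("unexpected for a game:", p, "(%s)" % flagged.get(p, "not on watchlist"))
```

Run it against the decoded manifest of the sample you are looking at; anything that lands in "unexpected" is the cue to open the code and see what actually uses that permission. Remember that the manifest only tells you what the app may ask for, not what it does with it.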

Application Code Signing
There isn't much to this one, but every application that runs on Android must be signed, and the signing certificate travels inside the APK, so you can recover the signer even for a sample that never came from a store. Verifying the signer might give you an idea about whether something is malicious or not. Questions to ask yourself: have they signed malicious apps in the past, does the same certificate show up on other samples, and can you find anything about the author or his/her company's legitimacy? One caveat: Android signing certificates are almost always self-signed, so the subject name is whatever the developer typed and proves nothing on its own. The certificate fingerprint (the SHA-256 hash of the certificate, as printed by apksigner verify --print-certs or keytool -printcert -jarfile) is the stable identifier to search on. A little research about the signer could help you decide whether to take the time to reverse the application or move on.

Conclusion
As I stated earlier, it's a short list, but it has helped me decide when a sample can wait or when I need to do more research on a particular APK.
