What is considered malicious for an APK?

It's been a few months since my last post and I thought that a post about what items might be considered suspicious in an APK would be good to have. There is only two main items that I can think of but should provide a researcher with an idea of when they might need to reverse an application to figure out exactly what it is doing.

Permissions
In order for applications to access certain features of an Android device they must request access to the corresponding permissions for that feature. Such as, if an application wants to send SMS it must request access to that feature. This is usually done on install. When you choose to install a new application the user has to grant or deny access. This is the only time a user is prompted to allow access as the application will not request permissions when running. This can be dangerous if you allow access to an application and do not know what it is actually requesting access to.

Permissions are a good place to start with when trying to figure out if an application has malicious functions. Example being an simple game application might need permissions to INTERNET which allows it to create sockets but what if it also wanted access to READ_CONTACTS. This might be something to look at as why would a simple game need access to read my contacts??

You can find a list of permissions for a given application in its AndroidManifest.xml file. Also, here are a few links to the Android Developer's site to help figure out what each permission does.

https://developer.android.com/guide/topics/permissions/requesting.html
https://developer.android.com/reference/android/Manifest.permission.html

Application Code Signing
There isn't much to this one but every application that runs on Android must be signed. Verifying the signer might give you an idea about whether something is malicious or not. Questions to ask yourself might be, have they created malicious apps in the past or can you find info on that author as to his/her company's legitimacy? A little research about the signer could help you decide whether to take the time to reverse the application or move on.

Conclusion
As I stated early it's a short list but has helped me decide when a sample can wait or if I need to do more research on a particular APK.

Comments

Popular posts from this blog

And now for something completely different...

Well I guess it's time to start this back up.

Been awhile hasn't it.