Quick and Easy Android Malware Analysis - Part 3 Digging In!

Hope you brought your shovel as we start to take apart this malware and look at it's internal code. To get started we will need to pull the APK from the device to our local system. To do this you will need to turn on usb debugging on the phone or emulator from the settings menu of Android (Check out this link if you don't know how https://www.kingoapp.com/root-tutorials/how-to-enable-usb-debugging-mode-on-android.htm). Now that you have your phone/emulator connected to your system you can now download the malicious APK.

In our case we already have the APK but for those situations when you might now already have it downloaded you use the adb pull  command (e.g. adb pull /data/app/bad.apk)to pull the package from the device. After you have completed this process we can now start the static analysis of APK.

The main tool for performing static analysis of the APK is a decompiler. I prefer JEB (https://www.pnfsoftware.com/jeb2/) but it requires a subscription. A free decompiler that does a fairly decent job is JD-GUI (http://jd.benow.ca) and that is the tool we will use. So go download and install JD-GUI. The only issue we have now is that we need to obtain the Jar or Class files from the APK as that is what JD-GUI can use. To do this we will use a tool called dex2jar which can be obtained from https://sourceforge.net/p/dex2jar. Then all we need to do is run the command d2j-dex2jar.sh and the tool will do the rest.

Now sometimes dex2jar is able to decompile the code without any errors but other times it produces a bunch of errors. We should be able to get most of the information we need even if there are errors though but just remember that in case you run into a situation that dex2jar is unable to help you.

$ ../dex2jar-2.0/d2j-dex2jar.sh classes.dex 
dex2jar classes.dex -> ./classes-dex2jar.jar

When dex2jar works the next step is easy as all you have to do is take the classes-dex2jar.jar file and open it in JD-GUI.


JD-GUI Window
Once opened you will see the programs structure and then you can start statically analyzing the APK to determine if it is malicious or not.

JD-GUI MisoSMS Decompiled
That is pretty much it when the APK is not protected in some way shape or form. From what we can see in this APK is that this app seems to send SMS messages containing phone information such as contacts. Well that's the end of this post that I'm sure people have been waiting for; hopefully, my next post doesn't take me this long.

Comments

Post a Comment

Popular posts from this blog

And now for something completely different...

Over the course of my INFOSEC career I've worked in many different positions. IDS, network analysis, pentester, mobile application testing and a few others but one area has always stoked my interest. Vulnerability development is an area I wish I knew more about along with having a better grasp of reversing software. So over the next few months I've decided to try and fuel that interest by jumping into the world of fuzzing. I have chosen to start messing around with american fuzzy lop (AFL)  and see if I can find my first CVE. So here goes nothing.
Read more

Been awhile hasn't it.

It's been over a year since the last time I posted anything so I'll give a quick update. The whole AFL thing didn't pan out as much as I'd like as I never really made time for it. I did add another child into the world so I got that going for me. As for work, I'm still at Cisco Talos doing the Detection Response Team (DRT) stuff, basically creating rules for Snort and sigs for ClamAV. That's going ok, gets a little mundane at times as I'm a researcher by trade and love looking into different things, especially mobile stuff, but overall I feel it's going well. At least no one has told me otherwise. That's pretty much it for me over the last year so lets start on some new exciting info. I recently went to TROOPERS  for TROOPERS19 and it was awesome. For those that don't know, it is a computer security conference in Heidelberg, Germany that takes place in March time frame. The city of Heidelberg was beautiful and the content of the conference was
Read more

Well I guess it's time to start this back up.

Image
 The last couple of years I've spent doing a job that was out of my usually wheel house. I went to a learning and content development team within Cisco where I served as a SME for a lot of Cisco Secure Products. This position was not as technical as I'd like and ultimately led to my demise at Cisco. My position was terminated in July and I've spent the last few months looking within Cisco and outside for a new position. From what I can tell, most places have turned me down, which I can only assume, due to my none technical position the last two years. This is very annoying as I still have most of my technical information in my head and still know how to do things. But I guess it only matters what you have done recently. I'm hopeful to find something but in the mean time I'm going to start blogging about new things I'm trying to learn to further develop my security skillset. 
Read more