Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham
1
Introduction to the Android Operating System and Threats
Android is the most popular mobile operating system at the time this book was written. It is based on the Linux kernel and primarily designed for touchscreen mobile devices. Google became involved with the financial backing of Android Inc. in 2005, and smartphones using the operating system debuted in 2008 (HTC Dream). The operating system is open source, distributed under the Apache License, which has led to rapid development by many contributors globally. According to AppBrain, over 1.1 million Android apps exist in the market as of February 13, 2014, with 22 percent identified as low-quality apps.

Android operating system versions are named after consumables starting with version 1.5. The version where each platform name was first provided is in parentheses: Cupcake (1.5), Donut (1.6), Eclair (2.0), Froyo (2.2), Gingerbread (2.3), Honeycomb (3.0), Ice Cream Sandwich (4.0), Jelly Bean (4.1), and KitKat (4.4), with Key Lime Pie (5.0) expected in the future. There is a pattern in the naming of each version; can you spot it? Each version introduces new functionality and requirements. For example, KitKat, the most recent release, is designed to streamline memory usage for maximum compatibility with all devices, in part by introducing new application programming interface (API) solutions, such as “ActivityManager.isLowRamDevice()”, and tools like meminfo for developers. Back to the teaser above: each version of Android is named after a sequential letter in the English alphabet, with versions Cupcake through KitKat representing the letters C, D, E, F, G, H, I, J, and K. The next major version following Key Lime Pie should start with the letter L and be a dessert item such as Ladyfingers, Lemon Meringue Pie, or Licorice. Are Android flavors becoming responsible for our obsession with desserts and food?
The architecture of the Android operating system is well published, involving the Linux kernel, libraries, an application framework, applications, and the Dalvik Virtual Machine (DVM) environment. This is expanded upon later in the book. To gain “root” on a device, one must gain access to the core Linux kernel running on the Android device. Most Android malware does not attempt to exploit its way to root, because root is not required for nefarious motives. Rather, apps are commonly modified to add a hidden Trojan component, so that when a user installs the app the Trojan is installed with it. Once installed and run, Android malware may employ the wide variety of permissions granted to the app to send text messages, collect phone and geolocation information, manage and intercept all types of communications, and more.
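The permission set just described (SMS, telephony, geolocation) is what an analyst looks for first when triaging a suspected trojanized app. The following is an added example, not code from the book: it parses a decoded AndroidManifest.xml (the binary manifest inside an APK must first be decoded with a tool such as apktool), groups declared permissions into capabilities, and flags the combination the chapter warns about. The manifest text and the capability groups are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "flashlight" app declaring the permission profile
# the chapter associates with a hidden Trojan component. Not a real sample.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Capability groups (assumed grouping) mapping real Android permission
# names onto the behaviours the chapter lists: SMS, telephony, geolocation.
CAPABILITIES = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "telephony": {"android.permission.READ_PHONE_STATE",
                  "android.permission.CALL_PHONE",
                  "android.permission.PROCESS_OUTGOING_CALLS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "network": {"android.permission.INTERNET"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage(manifest_xml):
    """Return (capabilities present, needs_review).
    needs_review is True when an app can send/receive SMS, read telephony
    state and obtain location at once, which warrants manual analysis."""
    perms = declared_permissions(manifest_xml)
    present = {cap for cap, names in CAPABILITIES.items() if perms & names}
    needs_review = {"sms", "telephony", "location"} <= present
    return present, needs_review


if __name__ == "__main__":
    caps, review = triage(SAMPLE_MANIFEST)
    print("capabilities:", sorted(caps), "needs review:", review)
```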
Several methods may be employed to obtain root access to the Linux kernel on an Android operating system. This can be helpful for an analyst in several situations, but it may also involve legal considerations for the analyst and the country of work, requiring discernment and legal review before performing such actions on a device. For example, some Android malware attempts to perform an exploit to achieve root on a device, forcing an analyst to be familiar with all such exploits and with how to research and respond to such a threat. Additionally, a researcher or law enforcement may employ an exploit to gain access to a device that is otherwise inaccessible. Take, for example, a password-protected device belonging to a deceased person, where family members may want to obtain photographs and other information off the device. Some commercial packages include rooting exploits as part of a solution to support forensic access and research on a phone. Rooting typically only works for specific devices, operating systems, and configurations, and these are commonly patched quickly to limit risk exposure. Well-known Android exploits used to obtain root for various versions of the Android operating system include RageInTheCage, Exploid (CVE-2009-1185), GingerBreak (CVE-2011-1823), and ZergRush (CVE-2011-3874).
Android Development Tools
Researchers commonly leverage Android development tools as part of analyzing and working with Android malware. Naturally, a Java runtime environment (JRE, Java Downloads) needs to be installed on a machine to work with the Java-based components of development, debugging, and malware analysis.