Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham


3
Open Source Tools
Open source tools can be your best friend and your worst. This is especially true with Android malware analysis software, which is often nonfunctional, quirky, or may require hours of manipulation to work properly, only to find out that it is not nearly as functional as one had hoped. As users of these tools ourselves, because free is always the right price, we have sifted through dozens of tools to provide an overview of each primary tool of value on the market at the time of writing this book. Of course there are always new and updated tools, and changes to tools and links beyond the publication of this book, which you can find online at our Web site http://androidrisk.com/.

The focus of open source tools in this chapter is on tools that are efficient for a malware researcher to use in analyzing possible hostile files, rather than on apps that can be loaded onto a device, such as an antivirus app for signature leads and detection. There is some value in such an approach, but in general, using apps on a device that is infected with malware is complicated and unreliable because of how malware may be influencing such apps postinfection. The majority of tools and commands in this chapter are dedicated to the analysis setup used by professionals to analyze possible hostile code in static, dynamic, native, and reverse engineering settings.

Open source tools for the analysis of Android malware are broken into several main categories based upon application of use. When a tool can fit into multiple categories, the primary category of use is where it is listed, to avoid duplication. Some tools, such as APKInspector (apkinspector wiki), are not included in the list of tools because we did not find them worth the trouble of installation or use. In the case of APKInspector, it provides a graphical user interface with multiple dependencies that are not trivial to set up, and it is buggy and less than desired regarding performance once installed. Tools listed here are the actual tools that the authors of this book use for various stages of Android malware analysis, largely from the freeware market.
Locating and Downloading Android Packages

Where can you find Android Packages (APKs) of interest or capture malware? Legitimate APKs can be downloaded from Google Play and other official sources. Sometimes, when a hostile app is pulled from the market, a copy can still be obtained from a mirror site, such as AppBrain, or a security blog. A few sites to get you started are:

AppsAPK—http://www.appsapk.com/
AppBrain—http://www.appbrain.com/
Google Play—https://play.google.com/store

Another great source for Android malware is crack sites, especially in Asia and Russia, where popular games are distributed for free (yes, it is too good to be true!). Such sites, or domains dedicated to knockoff typosquatting-type domains and names related to popular games and software, are very common in such markets. Regularly researching and investigating such domains leads to discoveries of new campaigns, codes, and domains of interest. This requires a significant amount of time to properly track and research such content, but it can be done with the right tools, tactics, and analysis outlined in this book.

For Android malware, look to private communities by getting to know individuals in the field, such as the authors of this book. A few public sources exist for samples to get the novice started, in addition to security blogs and information posted online:

Contagio Mobile—http://contagiominidump.blogspot.com/. This Web site uses a special password, which can be obtained from the owner of the site. It also regularly provides links to third-party sites, such as VirusTotal, where hash and metadata/analysis about an APK of interest may be found for a specific threat.

Androguard—http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares. Androguard is a popular reverse engineering tool that contains, as part of a repository, code, signatures, and a database for Android malware. Signature information and the database contain names and hashes for Android malware, which can then be requested of other security researchers, or found on the Internet or third-party sites.
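Files pulled from mirror or crack sites are not always what their name claims, and the hash lists that Contagio, VirusTotal, and the Androguard database publish are only useful if you hash your own copies the same way. The following script is an added example, not code from the book or from the Androguard project: it checks that a downloaded file is structurally an APK (a ZIP carrying AndroidManifest.xml and classes.dex), computes MD5/SHA-1/SHA-256 in one pass, and matches the digests against a local hash list. The hash-list format (one hex digest per line with an optional "# family" comment) and the sample files it builds are constructed for illustration.

```python
"""Triage downloaded APK samples: verify they are real APKs, hash them, and
match the digests against a known-malware hash list.

Added example; not the book's or Androguard's code. The hash-list format
(one hex digest per line, optional "# family" comment) is an assumption.
"""
import hashlib
import os
import tempfile
import zipfile

# Entries every real APK carries; a ZIP without them is not worth analysing.
REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")


def is_apk(path):
    """Return True if path is a ZIP that contains the required APK entries."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return all(entry in names for entry in REQUIRED_ENTRIES)


def hash_file(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of a file in one pass (APKs can be large)."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def load_hash_list(text):
    """Parse 'digest [# family]' lines into {digest: family}, case-insensitive."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, family = line.partition("#")
        known[digest.strip().lower()] = family.strip() or "unknown"
    return known


def triage(paths, known):
    """Classify each path as not_apk, known_malware (with family) or unknown."""
    results = []
    for path in paths:
        if not is_apk(path):
            results.append({"path": path, "status": "not_apk"})
            continue
        hashes = hash_file(path)
        # Any of the three digests may be the one the hash list uses.
        family = next((known[h] for h in hashes.values() if h in known), None)
        results.append({
            "path": path,
            "status": "known_malware" if family else "unknown",
            "family": family,
            "sha256": hashes["sha256"],
        })
    return results


def build_sample_apk(path, manifest=b"<manifest/>", dex=b"dex\n035\x00"):
    """Write a constructed, minimal APK-shaped ZIP for offline demonstration."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return path


def demo():
    """Constructed scenario: one listed sample, one unlisted, one non-APK file."""
    tmp = tempfile.mkdtemp()
    known_apk = build_sample_apk(os.path.join(tmp, "known.apk"))
    other_apk = build_sample_apk(os.path.join(tmp, "other.apk"), dex=b"dex\n035\x01")
    junk = os.path.join(tmp, "junk.apk")
    with open(junk, "wb") as fh:
        fh.write(b"not a zip at all")
    # Constructed hash list: sha256 of known.apk tagged with a made-up family.
    hash_list = "# sha256 digests\n%s # ExampleFamily\n" % hash_file(known_apk)["sha256"]
    return triage([known_apk, other_apk, junk], load_hash_list(hash_list))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it against a directory of downloads by passing the file paths to triage() with a hash list loaded from whatever source you trust; files flagged not_apk should be discarded before any further analysis, since a mislabelled archive or HTML error page will only waste time in the tools covered later in this chapter.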
Android Malware Dump—https://www.facebook.com/AndroidMalwareDump. A Facebook page dedicated to