Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham
4
Static Analysis
Identifying whether a suspect file is malicious typically begins with static analysis. Static analysis does not involve running the code or opening a file (dynamic analysis), or reverse engineering the code via disassembly or debugging. It largely involves identifying and querying cryptographic hash values such as MD5, strings, and metadata. More important, static analysis is part of a larger process that is recursive by nature: extracting class files from a hostile APK and then collecting static data on the individual artifacts, looking at static analysis of related APKs, and so on, as an analyst seeks to establish more context and analytical relationships and to build an authoritative understanding of a threat.
Static analysis is the most flexible part of Android malware analysis, as it can be performed from a multitude of operating systems rather than depending on the Android operating system. Many analysts prefer to develop a set of tools and scripts within a Linux environment such as Ubuntu, because of the security the operating system provides, its native scripting support (Python, Perl, Bash), and the wide variety of tools that can easily be used in such an environment for efficient static analysis of malware.
The process of static analysis of Android malware is the same as that for traditional Windows, Linux, or other types of malware. What does differ for Android threats is how APKs are packaged and compiled compared to a Windows binary. Windows binaries are compiled as executables with an MZ header. Android apps are compiled as an APK that can be unpacked into separate files, including the source code, a manifest, and other files common to an APK file. Analysts familiar with static analysis of other malware types will quickly adapt to performing static analysis of Android malware. Of note for more experienced readers is that static analysis can and should be automated, for example with a Python script or tool that generates hash data for multiple files.
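The kind of automation the paragraph above recommends, written here as an added example rather than code from the book: a small Python script that treats an APK as the zip archive it is, hashes the package and every file inside it (MD5, SHA-1, SHA-256), and pulls printable strings out of the entries an analyst looks at first (the DEX code and the manifest). The sample APK is constructed in memory from made-up bytes so the script runs offline; the member names and the string contents are assumptions for illustration, not data from any real app.

```python
"""Static-analysis triage helper: hash an APK and each file inside it,
then extract printable strings from the code and manifest entries.
Added illustration, not the book's code; the sample APK below is
constructed inline and is not a real application."""
import hashlib
import io
import re
import zipfile


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of a byte string.
    MD5 is kept because it is still the lookup key on many sample
    repositories; SHA-256 is the one to rely on for identity."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the Unix
    `strings` tool. Good enough for a first look at URLs, class names
    and package names embedded in a DEX file."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage_apk(apk_bytes: bytes) -> dict:
    """Hash the APK as a whole and each member inside it; additionally
    collect strings from .dex files and AndroidManifest.xml."""
    report = {"apk": hash_bytes(apk_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            entry = hash_bytes(data)
            entry["size"] = len(data)
            if info.filename.endswith(".dex") or info.filename == "AndroidManifest.xml":
                entry["strings"] = extract_strings(data)
            report["members"][info.filename] = entry
    return report


def build_sample_apk() -> bytes:
    """Construct a minimal zip with APK-like layout (constructed sample,
    not a real app). A real APK's manifest is binary XML and its DEX
    file is far larger, but the triage logic is the same."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.example.sample"/>')
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 8
            + b"http://example.invalid/update\x00Lcom/example/Main;",
        )
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Run stand-alone: print a hash table and the strings per member.
    rep = triage_apk(build_sample_apk())
    print("APK sha256:", rep["apk"]["sha256"])
    for name, entry in rep["members"].items():
        print(f"{name:24} {entry['size']:6d} bytes  md5={entry['md5']}")
        for s in entry.get("strings", []):
            print("    ", s)
```

Pointing `triage_apk` at `open("sample.apk", "rb").read()` gives the per-file hash table that the chapter's later sections on cryptographic hashes and metadata build on; the recursion the text describes is simply calling `triage_apk` again on any nested archive or related APK that turns up.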
This chapter approaches static analysis through the following hierarchy of topics: collections, file types, cryptographic hashes, metadata, visualization, and automation. Readers should remember that static analysis is a process that requires an analyst to regularly perform static analysis on new artifacts and discoveries during in-depth Android malware analysis. Android malware analysis itself likely falls within another process, incident response, which involves several of its own steps and phases as one responds to an event or incident.
Collections: Where to Find Apps for Analysis
e ability to nd code to research can be challenging for an analyst
new to Android malware analysis. Fortunately, there are several loca-
tions where collections for such samples may be acquired. Additionally,
advanced researchers regularly script automated methods for identify-
ing, downloading, and triaging possible new app threats that may lead
to new discoveries of Android malware in the wild.
Google Play Marketplace
Google Play is the ocial marketplace for Android apps. e app
itself is called Google Play on devices, pointing to the aforementioned
Web site (https://play.google.com/store). Users may easily download
any app of interest from the site, with some being free and others
commercially developed apps. However, permissions through Google
Play do vary based on feature and geolocation, such as TV shows
only being available for a small number of countries. All countries
enable purchasing of apps through Google Play but select coun-
tries are supported for developers (merchants) being able to sell apps
through the marketplace (https://support.google.com/googleplay/
android-developer/table3539140?rd=1).
In the early days, rogue developer accounts were used to distribute hostile apps through the official marketplace, such as the infamous DroidDream, which spread to the marketplace in 2011 with at least three rogue accounts and dozens of hostile apps. Improved security controls followed such events, with fraudsters now hijacking compromised developer accounts or spreading code through other means, such as unofficial “cracked” sites, distributing popular apps of interest to consumers.