Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham

5 Android Malware Evolution

The evolution of Android malware, while mapping closely to desktop trends, is often viewed as taking place at an accelerated pace. Malware and botnets have had time to grow and trial different methods of infection and potential uses, and the authors of the mobile counterparts are definitely applying these learned lessons. There are clear indicators that these are often the same groups working toward extending their list of infected machines to the Android world.

Android also provides an extra interesting launching point for these actors. Although broadband-connected PCs were often considered golden, with their always-on connection and almost never being shut off, the mobile phone provides even more perks: access to telephony systems, the ability to dial or text numbers, location-aware services, and access to high-speed segmented systems. Although some of these features have clear monetization methods, such as premium text messaging, others like the Internet may seem questionable. One could assume a malicious actor would rather have an unchanging Internet connection from a desktop machine; however, this would not give them the possibility of roaming. A cell phone could drift from 3G to 4G, offering an interesting proxy scenario. Add in the fact that this device might then connect to a sensitive network at some point, and it could exfiltrate or gain intimate knowledge that a PC might never have access to.

e rst Android malware to come into existence in early August
2010 was dubbed FakePlayer. ere was really no magic to this mal-
ware; it purported to be a video player for viewing porn on Android.
Since the code was compiled with debug information left in, we could
estimate how many lines the original Java code would have been. is
trick is actually quite easy. e Dalvik code allows us to see which
opcodes originated from which Java code, so that if an error occurs
the stack trace can give you useful information about which line the
72
android Malware and analysis
error occurred at. FakePlayer only consists of three main classes—
MoviePlayer, HelloWorld, and DataHelperso focusing on these
classes after using baksmali on the APK le we can look for the .line
operation. If we then only look at the highest line count, we should
be able to get an accurate estimation of how many lines of Java it
originated from. Grepping (Linux tool grep) through we can see that
DataHelper has 69 lines, HelloWorld has 55, and MoviePlayer has 210
lines; this leads us to a total of 334 lines of code. is would include
empty lines, comments, and other nonfunctional pieces of code. If we
look at the following excerpts from the MoviePlayer class in smali
code, we can quickly and easily translate it to Java pseudocode:
.line 35
invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
move-result-object v0
.line 54
.local v0, "m":Landroid/telephony/SmsManager;
const-string v1, "3353"
.line 55
.local v1, "destination":Ljava/lang/String;
const-string v3, "798657"
.line 57
.local v3, "text":Ljava/lang/String;
const/4 v2, 0x0
const/4 v4, 0x0
const/4 v5, 0x0
:try_start_2a
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
:try_end_2d
.catch Ljava/lang/Exception; {:try_start_2a .. :try_end_2d} :catch_44

This code essentially will just take the SmsManager object and use it to send a text message to the number 3353 with a body of 798657. The rest of the registers are loaded with 0x0, which is interpreted as null in this case, and not actually required for the sendTextMessage method. Immediately before this, a TextView is set to read "Подождите,
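As an added example (not the book's code), a small Python script that automates the two observations above on baksmali output: it takes the highest .line directive per class as the Java line estimate, and it resolves the const-string arguments of any SmsManager.sendTextMessage call so a hard-coded premium-number send like the one above can be flagged during triage. The smali fragments and the package name are constructed stand-ins; the .line values mirror the counts the chapter reports.

```python
import re

# Constructed smali fragments standing in for baksmali output of the three FakePlayer
# classes (placeholder package name); the .line values mirror the counts in the chapter.
SMALI_FILES = {
    "MoviePlayer.smali": """\
.class public Lcom/example/fakeplayer/MoviePlayer;
    .line 35
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    .line 54
    const-string v1, "3353"
    .line 55
    const-string v3, "798657"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    .line 210
""",
    "HelloWorld.smali": ".class public Lcom/example/fakeplayer/HelloWorld;\n    .line 55\n",
    "DataHelper.smali": ".class public Lcom/example/fakeplayer/DataHelper;\n    .line 69\n",
}

LINE_RE = re.compile(r"^\s*\.line\s+(\d+)\s*$")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"(.*)"\s*$')
SEND_SIG = "Landroid/telephony/SmsManager;->sendTextMessage("


def estimate_java_lines(smali: str) -> int:
    """Highest .line directive in a class: the chapter's estimate of its original Java length."""
    return max((int(m.group(1)) for m in map(LINE_RE.match, smali.splitlines()) if m), default=0)

def total_java_lines(files: dict) -> int:
    return sum(estimate_java_lines(src) for src in files.values())

def find_sms_sends(smali: str) -> list:
    """(destination, body) per sendTextMessage call whose arguments came from const-string.
    Arguments are (this, destination, scAddress, text, sentIntent, deliveryIntent)."""
    consts, hits = {}, []  # register -> last string constant loaded into it
    for line in smali.splitlines():
        m = CONST_STR_RE.match(line)
        if m:
            consts[m.group(1)] = m.group(2)
        elif SEND_SIG in line:
            regs = re.search(r"\{([^}]*)\}", line).group(1).replace(" ", "")
            if ".." in regs:  # invoke-virtual/range {v0 .. v5}: six consecutive registers
                start = regs.split("..")[0]
                regs = [f"{start[0]}{int(start[1:]) + i}" for i in range(6)]
            else:             # invoke-virtual {v0, v1, v2, v3, v4, v5}: explicit list
                regs = regs.split(",")
            hits.append((consts.get(regs[1]), consts.get(regs[3])))
    return hits
```

Run it over the .smali files baksmali writes for each class; a non-empty result from find_sms_sends with a short numeric destination is the premium-SMS pattern this chapter describes.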