Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham

6
Android Malware Trends and Reversing Tactics
Although anyone can learn to reverse engineer malware, a key differentiator in skill levels is often the ability to tackle the problem in a fast and efficient manner. All reversers could systematically reverse an application line by line, though this is not a scalable solution and leads to massive amounts of time wasted. The essential toolkit for reversing with speed will consist of at least baksmali, AXMLReader, and IDA Pro 6.5. Starting with an APK file, we are going to emulate what we might do when attacking any other binary: prepare the files for analysis and look for entry points or other points of interest.
bebop:spamsoldier tstrazzere$ unzip -e com.example.smsmessaging.apk -d contents
Archive:  com.example.smsmessaging.apk
  extracting: contents/assets/gta3game.apk
  inflating: contents/res/layout/activity_main.xml
  inflating: contents/res/menu/activity_main.xml
  inflating: contents/AndroidManifest.xml
  extracting: contents/resources.arsc
  extracting: contents/res/drawable-hdpi/ic_action_search.png
  extracting: contents/res/drawable-hdpi/ic_launcher.png
  extracting: contents/res/drawable-ldpi/ic_launcher.png
  extracting: contents/res/drawable-mdpi/ic_action_search.png
  extracting: contents/res/drawable-mdpi/ic_launcher.png
  extracting: contents/res/drawable-xhdpi/ic_action_search.png
  extracting: contents/res/drawable-xhdpi/ic_launcher.png
  inflating: contents/classes.dex
  inflating: contents/META-INF/MANIFEST.MF
  inflating: contents/META-INF/CERT.SF
  inflating: contents/META-INF/CERT.RSA
Quick points of interest are the classes.dex, AndroidManifest.xml, and gta3game.apk. The dex file contains all the executable code that we will be reversing, and the AndroidManifest file will likely point us to which entry points will be interesting. The file in the assets folder is unknown, though one could likely make an educated guess as to what it may be. The assets folder (or res/raw) is where non-APK resources are stored and can be accessed by the APK for later use, whether it is just extracting, loading, or other things. Let's continue the process by looking at the manifest using AXMLPrinter.
bebop:spamsoldier tstrazzere$ axml contents/AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:versionCode="1"
    android:versionName="1.0"
    package="com.example.smsmessaging"
    >
    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="15"
        >
    </uses-sdk>
    <uses-permission
        android:name="android.permission.INTERNET"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.RECEIVE_SMS"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.READ_SMS"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.SEND_SMS"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.WRITE_SMS"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.RECEIVE_SMS"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.RAISED_THREAD_PRIORITY"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.READ_CONTACTS"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.WRITE_EXTERNAL_STORAGE"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.RECEIVE_BOOT_COMPLETED"
        >
    </uses-permission>
    <uses-permission
        android:name="android.permission.WAKE_LOCK"
        >
    </uses-permission>
    <application
        android:theme="@android:01030055"
        android:label="@7F040000"
        android:icon="@7F020001"
        android:debuggable="true"
        >
        <activity
            android:label="@7F040003"
            android:name=".Main"
            android:launchMode="3"
            >
            <intent-filter
                >
                <action
                    android:name="android.intent.action.MAIN"
                    >
                </action>
                <category
                    android:name="android.intent.category.LAUNCHER"
                    >
                </category>
            </intent-filter>
        </activity>
        <service
            android:label="My Service"
            android:name=".TestService"
            android:enabled="true"
            >
        </service>
        <receiver
            android:name="MyReceiver"
            >
            <intent-filter
                android:priority="100"
                >
                <action
                    android:name="android.provider.Telephony.SMS_RECEIVED"
                    >
                </action>
            </intent-filter>
        </receiver>
        <receiver
            android:name=".BootUpReceiver"
            android:enabled="true"
            >
            <intent-filter
                >
                <action
                    android:name="android.intent.action.BOOT_COMPLETED"
                    >
                </action>
            </intent-filter>
        </receiver>
    </application>
</manifest>
Skimming the preceding manifest we can see the package name, minimum version, lack of maximum version, and permissions requested, along with which activities and services are runnable for which intents. An interesting combination is that there are the permissions RECEIVE_SMS, SEND_SMS, READ_CONTACTS, and INTERNET. This could be a harmless combination, though it is the bread and butter of most SMS Trojans. The next interesting thing we can see is which activity can be launched from the launcher tray. This can be seen since .Main (which will inherit the package name to form its full class path, com.example.smsmessaging.Main) has an intent filter for both android.intent.action.MAIN and android.intent.category.LAUNCHER. There is then a service that we can see is declared, meaning a nonactivity that can continually run in the background, which is com.example.smsmessaging.TestService. Last, we have a receiver, com.example.smsmessaging.MyReceiver, which will receive the android.provider.Telephony.SMS_RECEIVED intent. There is a similar receiver, com.example.smsmessaging.BootUpReceiver, which handles android.intent.action.BOOT_COMPLETED. Although we could likely guess what is going on in each of these, let us continue further and remember each of those entry points: the main activity (Main), service (TestService), and receivers (MyReceiver and BootUpReceiver).
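The manifest walk-through above, as an added Python triage script that is not from the book: it expands the short component names against the package the way the text does, lists each entry point with the actions it handles, and flags the permission combination and the prioritized SMS_RECEIVED receiver. The embedded manifest is a constructed, trimmed copy of the decoded one above; the helper names are my own.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
# Permission combination the text singles out as the bread and butter of SMS Trojans.
SMS_TROJAN_PERMS = {"RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "INTERNET"}

# Constructed sample: a trimmed copy of the decoded manifest shown above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.smsmessaging">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true">
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <service android:name=".TestService"/>
    <receiver android:name="MyReceiver"><intent-filter android:priority="100">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <receiver android:name=".BootUpReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""

def full_class_name(package, name):
    """Expand ".Main" or "MyReceiver" to the package-qualified class, as the text does."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def triage_manifest(xml_text):
    """Return the package, every entry point with its actions, and first-look indicators."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    perms = {p.get(A + "name").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    entry_points, sms_priority = {}, None
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            cls = full_class_name(package, comp.get(A + "name"))
            entry_points[cls] = (kind, [a.get(A + "name") for a in comp.iter("action")])
            for flt in comp.iter("intent-filter"):
                # Record the priority set on an SMS_RECEIVED filter; it is worth noting.
                if any(a.get(A + "name").endswith("SMS_RECEIVED") for a in flt.iter("action")):
                    sms_priority = flt.get(A + "priority")
    return {"package": package,
            "sms_trojan_combo": SMS_TROJAN_PERMS <= perms,
            "debuggable": root.find("application").get(A + "debuggable") == "true",
            "sms_receiver_priority": sms_priority,
            "entry_points": entry_points}
```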
After we run baksmali on the dex file, let's see if there is anything that sticks out in the loaded strings. Since we do not care about the class paths, we do not run strings classes.dex as we might on an ELF file. If we step into the baksmali directory, avoiding the android/support/ folder, as it is a compatibility library included from the SDK, we can grep for const-string. We can see any string that is loaded from the string table.
bebop:baksmali tstrazzere$ grep -ir "const-string" com/*
com/example/smsmessaging/MyReceiver.smali:    const-string v0, "content://sms/inbox"
com/example/smsmessaging/MyReceiver.smali:    const-string v0, "address"
com/example/smsmessaging/MyReceiver.smali:    const-string v0, "display_name"
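The same string sweep as an added Python example, not from the book: instead of a flat grep it attributes each const-string to the class and method that loads it, and the directory walker skips the android/support/ tree as the text advises. The smali text is a constructed sample modelled on the MyReceiver hits above, and the function names are my own.

```python
import os
import re

# Constructed smali sample modelled on the MyReceiver hits shown above.
SAMPLE_SMALI = """.class public Lcom/example/smsmessaging/MyReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 2
    const-string v0, "content://sms/inbox"
    const-string v1, "address"
    return-void
.end method

.method private lookup(Ljava/lang/String;)Ljava/lang/String;
    const-string v0, "display_name"
    return-object v0
.end method
"""

CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*(\S+)")
# const-string and const-string/jumbo both load a value from the string table.
CONST_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')

def const_strings_by_method(smali_text):
    """Return {"Lpkg/Class;->method(desc)ret": [strings in load order]} for one file."""
    cls, method, result = None, None, {}
    for line in smali_text.splitlines():
        if m := CLASS_RE.match(line):
            cls = m.group(1)
        elif m := METHOD_RE.match(line):
            method = m.group(1)
        elif line.strip() == ".end method":
            method = None
        elif method and (m := CONST_RE.match(line)):
            result.setdefault(f"{cls}->{method}", []).append(m.group(1))
    return result

def scan_baksmali_dir(root_dir, skip=("android/support",)):
    """Walk a baksmali output tree, skipping the SDK compatibility library."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        rel = os.path.relpath(dirpath, root_dir).replace(os.sep, "/")
        if any(rel == s or rel.startswith(s + "/") for s in skip):
            continue
        for name in files:
            if name.endswith(".smali"):
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    hits.update(const_strings_by_method(fh.read()))
    return hits
```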