Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham
9 Case Study Examples
Case study examples provide analysts with real-world challenges and insights into analyzing Android malware. Commonly, an analyst must focus on specific business objectives to limit the time and expense involved in analyzing malware. Various tools and tactics may be utilized to quickly derive the necessary results. Two different authors of this book contributed to this chapter to help diversify individual approaches to applying the tools and tactics reviewed in this book.
Usbcleaver
We have been provided a sample of an Android Trojan called Usbcleaver. Preliminary research suggests it is both Android and Windows malcode that takes advantage of users who connect their Android devices to Windows machines that do not have autorun disabled. The Trojan uses this advantage to gather information from the computer, including:

Host name
MAC address
IP address
Subnet mask
Default gateway
DNS
Google Chrome password
Microsoft Internet Explorer password
Mozilla Firefox password
Wi-Fi password

We have been tasked to establish whether the sample provided is Usbcleaver and to verify its capabilities.
Let's take a look and see exactly how this Trojan is able to accomplish this task. First we will start with a known sample. One can be found on Contagio Mobile at the following location: http://contagiominidump.blogspot.com/2013/11/usbcleaver-android-infostealer-from.html. Once downloaded, or when working with any sample for that matter, we get the MD5 hash for it. The MD5 hash for this sample is 283d16309a5a35a13f8fa4c5e1ae01b1.
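The hash-and-lookup step just described, as an added Python example (my own code, not the book's): it computes the MD5 and SHA256 of a file in chunks, builds a VirusTotal report URL in the form quoted later in this chapter, and compares the MD5 with the hash published for the known sample. The known-sample MD5 and the URL shape come from the chapter; the function names and chunk size are my own choices.

```python
import hashlib
import io

# Values taken from the chapter: the MD5 published for the known Usbcleaver sample
# and the shape of the VirusTotal report URL.
KNOWN_USBCLEAVER_MD5 = "283d16309a5a35a13f8fa4c5e1ae01b1"
VT_URL_TEMPLATE = "https://www.virustotal.com/en/file/{sha256}/analysis/"


def hash_stream(fh, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so a large APK never sits in memory whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the self-check below)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def vt_lookup_url(sha256):
    """Report URL in the form quoted in this chapter, keyed by the SHA256."""
    return VT_URL_TEMPLATE.format(sha256=sha256.strip().lower())


def matches_known_sample(md5, known=KNOWN_USBCLEAVER_MD5):
    """Hash equality only proves the file is byte-identical to the known sample;
    a repacked or re-signed variant will not match and still needs analysis."""
    return md5.strip().lower() == known.lower()


def triage(path):
    """Everything the first step of the case study needs, in one dictionary."""
    md5, sha256 = hash_file(path)
    return {
        "md5": md5,
        "sha256": sha256,
        "vt_url": vt_lookup_url(sha256),
        "known_usbcleaver": matches_known_sample(md5),
    }


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for key, value in triage(path).items():
            print(f"{key}: {value}")
```

Run it as `python triage.py sample.apk`; a `known_usbcleaver` of `True` answers the first half of the tasking directly, while `False` only means this exact file is not the Contagio sample, not that it is clean.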
Now that we have the hash for the sample, we can check the Internet for any previous reporting on the sample and correlate our findings with the findings of others. You can return to searching throughout your analysis as indicators make themselves known, possibly revealing the nature of the sample you are working with as well as variants of the specific sample. Following are the results of a simple hash search; there are quite a few hits on this (see Image 9.1).
Image 9.1 Google MD5 search.

Now that we have some reporting to work with, we can check to see if any antivirus signatures exist for the sample. We can do this by accessing a site like virustotal.com, which accepts APK files for submittal, and either perform a hash search or submit it. Following are the results from VirusTotal.

https://www.virustotal.com/en/file/08db067f2a8c1d2b2f3b85643f9642d08c86dcfc98a661796dbcb52303922f33/analysis/

SHA256           08db067f2a8c1d2b2f3b85643f9642d08c86dcfc98a661796dbcb52303922f33
File name        USB_Cleaver1.3r1.apk
Detection ratio  27/47

Engine                 Result
Comodo                 UnclassifiedMalware
NANO-Antivirus         Trojan.UsbCleaver.caikhb
Rising                 Trojan.UNIX.AndroidUCleaver.b
VIPRE                  Trojan.AndroidOS.Generic.A
TrendMicro-HouseCall   TROJ_GEN.F47V0322
DrWeb                  Tool.UsbCleaver.1.origin
Symantec               Infostealer
Kaspersky              HEUR:HackTool.AndroidOS.UsbCleaver.a
Baidu-International    HackTool.AndroidOS.UsbCleaver.amf
Ikarus                 Hacktool.AndroidOS.USBCleaver
F-Secure               Hack-Tool:Android/UsbCleaver.A
McAfee                 Artemis!283D16309A5A
McAfee-GW-Edition      Artemis!283D16309A5A
TrendMicro             ANDROIDOS_USBCLEAVER.A
F-Prot                 AndroidOS/UsbCleaver.A
Commtouch              AndroidOS/GenBl.283D1630!Olympus
Avast                  Android:UsbCleaver-A [PUP]
AntiVir                Android/UsbCleaver.a.1
ESET-NOD32             Android/UsbCleaver.A
AVG                    Android/USBCleaver
Emsisoft               Android.Hacktool.UsbCleaver.A (B)
MicroWorld-eScan       Android.Hacktool.UsbCleaver.A
GData                  Android.Hacktool.UsbCleaver.A
Kingsoft               Android.ADWARE.Agent.ac.(kcloud)
AhnLab-V3              Android-AppCare/UsbCleaver
Sophos                 Android USB Cleaver
ClamAV                 Andr.Spyware.USBCleaver
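One way to correlate the detection names above, as an added Python example (my own code, not the book's): it parses the engine/result lines reproduced from the VirusTotal report, counts how many engines name the UsbCleaver family once case and punctuation are stripped, and separates out labels that merely embed a prefix of the file's MD5, which identify this exact file rather than a family. Treating a run of eight or more hex characters in a label as an MD5 prefix is a heuristic assumption on my part; the results text is copied from the chapter as inline sample input.

```python
import re

# Detection results copied from the VirusTotal report in this chapter (27/47),
# embedded here as inline sample input.
VT_RESULTS = """\
Comodo UnclassifiedMalware
NANO-Antivirus Trojan.UsbCleaver.caikhb
Rising Trojan.UNIX.AndroidUCleaver.b
VIPRE Trojan.AndroidOS.Generic.A
TrendMicro-HouseCall TROJ_GEN.F47V0322
DrWeb Tool.UsbCleaver.1.origin
Symantec Infostealer
Kaspersky HEUR:HackTool.AndroidOS.UsbCleaver.a
Baidu-International HackTool.AndroidOS.UsbCleaver.amf
Ikarus Hacktool.AndroidOS.USBCleaver
F-Secure Hack-Tool:Android/UsbCleaver.A
McAfee Artemis!283D16309A5A
McAfee-GW-Edition Artemis!283D16309A5A
TrendMicro ANDROIDOS_USBCLEAVER.A
F-Prot AndroidOS/UsbCleaver.A
Commtouch AndroidOS/GenBl.283D1630!Olympus
Avast Android:UsbCleaver-A [PUP]
AntiVir Android/UsbCleaver.a.1
ESET-NOD32 Android/UsbCleaver.A
AVG Android/USBCleaver
Emsisoft Android.Hacktool.UsbCleaver.A (B)
MicroWorld-eScan Android.Hacktool.UsbCleaver.A
GData Android.Hacktool.UsbCleaver.A
Kingsoft Android.ADWARE.Agent.ac.(kcloud)
AhnLab-V3 Android-AppCare/UsbCleaver
Sophos Android USB Cleaver
ClamAV Andr.Spyware.USBCleaver
"""

SAMPLE_MD5 = "283d16309a5a35a13f8fa4c5e1ae01b1"  # MD5 given in the chapter
FAMILY = "usbcleaver"
HEX_RUN = re.compile(r"[0-9A-Fa-f]{8,}")


def parse_results(text):
    """Split 'Engine Result' lines; the result may itself contain spaces (Sophos)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        engine, _, label = line.partition(" ")
        rows.append((engine, label))
    return rows


def normalize(label):
    """Lower-case and drop punctuation so 'USB Cleaver', 'UsbCleaver-A' and 'USBCLEAVER' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def family_engines(rows, family=FAMILY):
    return [engine for engine, label in rows if family in normalize(label)]


def hash_prefix_engines(rows, md5=SAMPLE_MD5):
    """Engines whose label embeds a hex run that is a prefix of the sample MD5.
    Assumption: such a run (for example McAfee's Artemis!<12 hex>) keys the label
    to this one file, so it corroborates the hash but says nothing about family."""
    found = []
    for engine, label in rows:
        for run in HEX_RUN.findall(label):
            if md5.startswith(run.lower()):
                found.append((engine, run))
    return found


def summarize(text=VT_RESULTS, family=FAMILY, md5=SAMPLE_MD5):
    rows = parse_results(text)
    fam = family_engines(rows, family)
    return {
        "engines": len(rows),
        "family_hits": len(fam),
        "family_engines": fam,
        "hash_only": hash_prefix_engines(rows, md5),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"{s['family_hits']}/{s['engines']} detecting engines name {FAMILY}")
    for engine, run in s["hash_only"]:
        print(f"{engine}: label keyed to MD5 prefix {run}")
```

The family count is the number worth recording in the report: a generic or hash-keyed label (Artemis, GenBl, Generic, UnclassifiedMalware) confirms that the file is known, while a consistent family name across many vendors is what supports calling it Usbcleaver.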
Before getting too deep into analysis, it can be helpful to run the sample through a sandbox. This will help you correlate previous reporting and give a quick behavioral analysis without having to commit your lab to the work. One such sandbox that works with APK files is Mobile Sandbox: www.mobilesandbox.org.
Image 9.2 Mobile sandbox.
This sandbox will take in an APK file and give a brief overview of a sample, showing the rights requested and its basic structure. This will begin to give an overall idea of what the sample might be doing before starting any analysis. Additionally, the information can be cross-referenced against the results of other tools. Following are the sandbox results for Usbcleaver.
Image 9.3 Mobile sandbox results USBCleaver.apk.
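To cross-reference the sandbox's "rights requested" and "basic structure" overview with a local check, here is an added Python example (my own code, not the book's and not the sandbox's): it opens an APK as the zip file it is, classifies each entry by its magic bytes, and pulls android.permission.* names out of the binary AndroidManifest.xml by scanning its UTF-16LE string pool (a UTF-8 pool is covered by a second pattern). The APK it runs on by default is constructed inline: a stub manifest, a stub classes.dex and an assets entry beginning with MZ standing in for a bundled Windows executable. It is not the Usbcleaver sample, and its contents are my assumptions for the sake of the demonstration.

```python
import io
import re
import zipfile

# Magic bytes for the file kinds worth spotting inside an APK.
MAGIC = [
    (b"\x03\x00\x08\x00", "axml"),  # binary Android XML (AndroidManifest.xml, compiled layouts)
    (b"dex\n", "dex"),              # Dalvik executable
    (b"PK\x03\x04", "zip"),         # nested zip / APK / JAR
    (b"\x7fELF", "elf"),            # native library
    (b"MZ", "pe"),                  # Windows executable, the kind a dual-platform Trojan would carry
]

# AXML keeps its string pool in UTF-16LE by default, so each permission name
# appears with a NUL byte after every character; the ASCII pattern covers a UTF-8 pool.
PERM_UTF16 = re.compile(re.escape("android.permission.".encode("utf-16-le")) + rb"(?:[A-Z_]\x00)+")
PERM_ASCII = re.compile(rb"android\.permission\.[A-Z_]+")


def classify(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def permissions_from_manifest(manifest):
    names = {m.decode("utf-16-le") for m in PERM_UTF16.findall(manifest)}
    names |= {m.decode("ascii") for m in PERM_ASCII.findall(manifest)}
    return sorted(names)


def inventory(apk_bytes):
    """List every entry with its size and kind, and pull permissions from the manifest if present."""
    entries, permissions = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            entries.append({"name": info.filename, "size": info.file_size, "kind": classify(data)})
            if info.filename == "AndroidManifest.xml":
                permissions = permissions_from_manifest(data)
    return {
        "entries": entries,
        "permissions": permissions,
        "embedded_pe": [e["name"] for e in entries if e["kind"] == "pe"],
    }


def build_sample_apk():
    """Constructed stand-in APK (assumption: not the Usbcleaver sample, just enough structure to exercise the checks)."""
    perms = ["android.permission.READ_CONTACTS", "android.permission.WRITE_EXTERNAL_STORAGE"]
    manifest = b"\x03\x00\x08\x00" + b"\x00" * 12  # AXML header magic followed by filler
    for p in perms:
        manifest += p.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated UTF-16LE pool strings
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        zf.writestr("assets/payload.bin", b"MZ" + b"\x90" * 62)  # stand-in for a bundled Windows binary
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    report = inventory(data)
    for e in report["entries"]:
        print(f"{e['kind']:5} {e['size']:8} {e['name']}")
    print("permissions:", ", ".join(report["permissions"]) or "none found")
    print("embedded PE:", report["embedded_pe"] or "none")
```

Given a real APK path, the entry listing is the "basic structure" the sandbox shows, and a PE file under assets/ or res/raw/ is exactly the kind of finding that a dual-platform Trojan's description leads you to look for. The string scan is a shortcut, not an AXML parser: it will miss nothing the manifest declares with a standard android.permission.* name, but custom permissions need a proper decoder such as aapt.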
