Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham
180
Android Malware and Analysis
Checkpoint
So far we know there is public reporting on the sample: signatures have
been created by antivirus companies, and we have very basic sandbox
results. With this information we can now begin formal static and
dynamic analysis.
Static Analysis
An APK le is a zip container holding many assets inside. e APK
tool is the best tool for not only opening an APK le but decoding
the les contained within making them legible to the reader. Among
those les made legible is the AndroidManifest.xml le. is le
contains important information about the functionality of the sample
including requested rights and actions the sample takes. Following is
the output of the AndroidManifest.xml after the APK tool decode.
Image 9.4 AndroidManifest.xml for Usbcleaver.
181
Case Study Examples
Reviewing the AndroidManifest for Usbcleaver, we can see it breaks
down into two parts: permissions and activities. First the
permissions: it asks for WRITE_EXTERNAL_STORAGE,
INTERNET, and ACCESS_NETWORK_STATE. With these
we now know the application is capable of writing files to the SD
card and accessing the Internet. Now we can look at activities.
Android applications are driven by events, and activities wrap those
events, called intents. In this case, there are four intents, or events, that
will drive activities for this application: downloader, FileChooser,
logView, and payload.
Now we can look at strings. Utilities that gather string information
have to be run against the classes.dex file, which holds all of the
compiled Java classes. To get the classes.dex file, unzip the .apk with
a standard unzipping utility such as 7-Zip. Contained in the root
of the extracted directory will be classes.dex. Following is a portion
of the output from the strings utility found in the Windows
Sysinternals suite:
/autorun.inf
/go.bat
/usbcleaver
/usbcleaver.zip
/usbcleaver/LOGS
/usbcleaver/config
%/usbcleaver/config/Drive_Location.cfg
"/usbcleaver/config/External_IP.cfg
/usbcleaver/logs
/usbcleaver/system
EXIT
File Size:
FileArrayAdapter.java
FileChooser.java
Landroid/app/Activity;
!Landroid/app/AlertDialog$Builder;
Landroid/app/AlertDialog;
Landroid/app/Dialog;
Landroid/app/ListActivity;
Landroid/app/ProgressDialog;
Landroid/content/Context;
1Landroid/content/DialogInterface$OnClickListener;
!Landroid/content/DialogInterface;
Landroid/content/Intent;
*Landroid/content/SharedPreferences$Editor;
#Landroid/content/SharedPreferences;
Landroid/os/AsyncTask
Landroid/os/AsyncTask;
Landroid/os/Bundle;
Landroid/os/Environment;
Landroid/util/Log;
Landroid/view/LayoutInflater;
Landroid/view/Menu;
Landroid/view/MenuItem;
#Landroid/view/View$OnClickListener;
Landroid/view/View;
Landroid/view/ViewGroup;
Landroid/widget/ArrayAdapter
Landroid/widget/ArrayAdapter;
Landroid/widget/Button;
Landroid/widget/CheckBox;
7Landroid/widget/CompoundButton$OnCheckedChangeListener;
Landroid/widget/CompoundButton;
Landroid/widget/LinearLayout;
Landroid/widget/ListAdapter;
Landroid/widget/ListView;
Landroid/widget/TextView;
Landroid/widget/Toast;
,Lcom/novaspirit/usbcleaver/FileArrayAdapter;
'Lcom/novaspirit/usbcleaver/FileChooser;
"Lcom/novaspirit/usbcleaver/Option;
"Lcom/novaspirit/usbcleaver/R$attr;
&Lcom/novaspirit/usbcleaver/R$drawable;
Lcom/novaspirit/usbcleaver/R$id;
$Lcom/novaspirit/usbcleaver/R$layout;
$Lcom/novaspirit/usbcleaver/R$string;
Lcom/novaspirit/usbcleaver/R;
0Lcom/novaspirit/usbcleaver/USBCleaverActivity$1;
0Lcom/novaspirit/usbcleaver/USBCleaverActivity$2;
.Lcom/novaspirit/usbcleaver/USBCleaverActivity;
&Lcom/novaspirit/usbcleaver/decompress;
(Lcom/novaspirit/usbcleaver/downloader$1;
8Lcom/novaspirit/usbcleaver/downloader$DownloadFileAsync;
&Lcom/novaspirit/usbcleaver/downloader;
#Lcom/novaspirit/usbcleaver/logView;
&Lcom/novaspirit/usbcleaver/mainMenu$1;
&Lcom/novaspirit/usbcleaver/mainMenu$2;
&Lcom/novaspirit/usbcleaver/mainMenu$3;
$Lcom/novaspirit/usbcleaver/mainMenu;
%Lcom/novaspirit/usbcleaver/payload$1;
%Lcom/novaspirit/usbcleaver/payload$2;
%Lcom/novaspirit/usbcleaver/payload$3;
%Lcom/novaspirit/usbcleaver/payload$4;
%Lcom/novaspirit/usbcleaver/payload$5;
%Lcom/novaspirit/usbcleaver/payload$6;
%Lcom/novaspirit/usbcleaver/payload$7;
#Lcom/novaspirit/usbcleaver/payload;
*Lcom/novaspirit/usbcleaver/payloadHandler;
"Ldalvik/annotation/EnclosingClass;
#Ldalvik/annotation/EnclosingMethod;
Ldalvik/annotation/InnerClass;
!Ldalvik/annotation/MemberClasses;
Ldalvik/annotation/Signature;
Lenght of file:
Ljava/io/BufferedInputStream;
Ljava/io/BufferedReader;
Ljava/io/BufferedWriter;
Ljava/io/File;
Ljava/io/FileInputStream;
Ljava/io/FileOutputStream;
Ljava/io/FileReader;
Ljava/io/FileWriter;
Ljava/io/IOException;
Ljava/io/InputStream;
Ljava/io/OutputStream;
Ljava/io/Reader;
Ljava/io/Writer;
Ljava/lang/CharSequence;
Ljava/lang/Class;
Ljava/lang/Comparable
Ljava/lang/Comparable;
Ljava/lang/Exception;
$Ljava/lang/IllegalArgumentException;
Ljava/lang/Integer;
Ljava/lang/Object;
Ljava/lang/String;
Ljava/lang/StringBuilder;
Ljava/lang/System;
Ljava/lang/Throwable;
Ljava/net/URL;
Ljava/net/URLConnection;
Ljava/util/ArrayList;
Ljava/util/Collection;
Ljava/util/Collections;
Ljava/util/List
Ljava/util/List;
4Ljava/util/List<Lcom/novaspirit/usbcleaver/Option;>;
Ljava/util/zip/ZipEntry;
Ljava/util/zip/ZipInputStream;
Not Dir
Option.java
PREFS_NAME
Parent Directory
Payload Generated
R.java
Recursive Call
TextView01
TextView02
This is a 3 mb download of the tools needed to run the
payloads. If you have not downloaded this on first run,
please download this now.
This program will hold no responsibility for your action.
What you decide to do with this application is your own
decision, and the developer(s) of this application will
hold no responsibility for your actions or will be
responsible for his/her misdeeds. This application was
not created to encourage and/or for hacking anything
other than his/her own equipment.
USBCleaverActivity.java
Unzipping
[Ljava/io/File;
[Ljava/lang/Object;
[Ljava/lang/String;
T[autorun]
icon = usbcleaver
older.ico
action = Open folder to view files
open = go.bat
cbDumpChrome
cbDumpChromePassword
cbDumpFF
cbDumpFFPassword
cbDumpIEPassword
cbDumpIEPasswords
cbDumpSystemInfo
cbDumpSystemInformation
cbDumpWifiPassword
check.dyndns.com
checkFolders
checkForDisarm
%com.novaspirit.usbcleaver.FileChooser
$com.novaspirit.usbcleaver.downloader
!com.novaspirit.usbcleaver.logView
!com.novaspirit.usbcleaver.payload
decompress.java
downloader.java
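The stray leading characters in the listing above (the "%" in front of /usbcleaver/config/Drive_Location.cfg, the "!" before Landroid/app/AlertDialog$Builder;) are not part of the strings: the strings utility is printing the ULEB128 length byte that precedes every entry in the DEX string table. The following script, an added example and not code from the book, reads the string_ids table of a classes.dex directly so those prefixes are consumed instead of printed; it also pulls classes.dex out of the APK's zip container itself. build_dex is a helper that constructs a minimal DEX (header and string table only, zero checksum and signature) so the parser can be exercised offline on constructed sample strings taken from the listing.

```python
import struct
import zipfile

def _uleb128(buf, off):
    """Decode an unsigned LEB128 value at buf[off]; return (value, next_off)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(dex):
    """Return every entry of the DEX string_ids table, in table order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # header fields: string_ids_size at 0x38, string_ids_off at 0x3C (LE)
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        data_off = struct.unpack_from("<I", dex, table_off + 4 * i)[0]
        _, p = _uleb128(dex, data_off)      # UTF-16 length prefix, not text
        end = dex.index(b"\x00", p)         # MUTF-8 payload is NUL-terminated
        out.append(dex[p:end].decode("utf-8", "replace"))
    return out

def apk_strings(apk):
    """Open the APK as the zip it is and list the strings of its classes.dex."""
    with zipfile.ZipFile(apk) as z:
        return dex_strings(z.read("classes.dex"))

def build_dex(strings):
    """Constructed test input: minimal DEX with only a string table. Assumes
    strings shorter than 128 chars so the ULEB128 length fits in one byte."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x24, 0x70)        # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)  # endian_tag (little)
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", 0x70 + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<I", header, 0x20, 0x70 + len(ids) + len(data))
    return bytes(header + ids + data)
```

Unlike the strings utility, this also reports every table entry regardless of its length, so short but telling values (for example "EXIT" or a two-letter host label) are not dropped by a minimum-length threshold.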