Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham
Case Study Examples
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-04-15 14:45:57
Creation Date: 2003-04-15 17:59:07
Registrar Registration Expiration Date: 2014-04-15 17:59:07
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registrant Organization: Novaspirit
Registrant Country: United States
Admin Organization: Novaspirit
Tech Organization: Novaspirit
Tech Country: United States
Name Server: NS43.DOMAINCONTROL.COM
Name Server: NS44.DOMAINCONTROL.COM
Summary
As stated before, Usbcleaver takes advantage of the autorun feature in Windows, using it as a means of reconnaissance and data collection. The Trojan has the ability to gather information from the computer, including:
- Host name
- MAC address
- IP address
- Subnet mask
- Default gateway
- DNS
- Google Chrome password
- Microsoft Internet Explorer password
- Mozilla Firefox password
- WiFi password
However, during testing the results of the capture were less successful on Windows 7 and 8 machines versus Windows XP. Analysis of the attached Windows system showed it to remain intact and undisturbed by the Trojan, apart from the data stolen from the system. Also, no means of remote data exfiltration was noted; this means the data collected by the infected device stayed on that device until manually retrieved. Additionally, Usbcleaver demonstrated a cross-platform, nonstandard delivery method for malicious activity that is not protected by standard security methods. While disabling autorun is a widely known security measure that is easily implemented, this delivery method allows the attacker to possibly get deep within an organization without much resistance or alarm from the internal security systems, and it should act as a demonstration of the level of security to be maintained within an organization.
Torec
Torec is an interesting sample of Android malware, mainly due to the first usage of TOR (the onion routing project) for communication with a command and control (C&C) network. Outside of that, it is a rather simple SMS-style bot. The only sample found has been uploaded to the Contagio MiniMalwareDump (Android TOR Trojan). In this case study we analyze the file with SHA1 hash 2e6dbfa85186af23a598694d2667207a254f8979. As always, we will start by unzipping the APK file and skimming the contents:
bebop:torec user$ unzip -e com.baseapp.apk -d contents
Archive: com.baseapp.apk
extracting: contents/res/drawable/ic_launcher.png
inflating: contents/res/raw/debiancacerts.bks
extracting: contents/res/raw/geoip.mp3
inflating: contents/res/raw/iptables
inflating: contents/res/raw/iptables_g1
inflating: contents/res/raw/iptables_n1
inflating: contents/res/raw/obfsproxy
inflating: contents/res/raw/privoxy
inflating: contents/res/raw/privoxy_config
extracting: contents/res/raw/tor.mp3
inflating: contents/res/raw/torrc
inflating: contents/res/raw/torrctether
inflating: contents/res/xml/policies.xml
inflating: contents/AndroidManifest.xml
extracting: contents/resources.arsc
extracting: contents/res/drawable-hdpi/ic_launcher.png
extracting: contents/res/drawable-ldpi/ic_launcher.png
extracting: contents/res/drawable-mdpi/ic_launcher.png
extracting: contents/res/drawable-xhdpi/ic_launcher.png
inflating: contents/classes.dex
inflating: contents/info/guardianproject/onionkit/trust/StrongTrustManager.java.underreview.txt
inflating: contents/ch/boye/httpclientandroidlib/impl/conn/tsccm/doc-files/tsccm-structure.png
inflating: contents/META-INF/MANIFEST.MF
inflating: contents/META-INF/CERT.SF
inflating: contents/META-INF/CERT.RSA
Immediately we can see inside the res/raw directory that there are interesting-looking and potentially TOR-related binaries. Upon closer inspection, we find that these are files from the Orbot project by GuardianProject. If we run baksmali on the classes.dex file, we can dive into the code and see what is attempting to access these files. First though, we want to find the entry points of the application so we can focus on those. By examining the AndroidManifest.xml file we can find this relevant information. The following is an excerpt of interesting components for us to look at:
bebop:torec user$ axml contents/AndroidManifest.xml
...
<application
android:label = "@7F05000E"
android:debuggable = "true"
android:allowBackup = "false"
>
<activity
android:name = ".Main"
>
<intent-filter
>
<action
android:name = "android.intent.action.MAIN"
>
</action>
<category
android:name = "android.intent.category.LAUNCHER"
>
</category>
</intent-filter>
</activity>
<receiver
android:name = ".ServiceStarter"
android:enabled = "true"
android:exported = "true"
>
<intent-filter
>
<action
android:name = "android.intent.action.BOOT_COMPLETED"
>
</action>
</intent-filter>
</receiver>
<receiver
android:name = ".MessageReceiver"
android:enabled = "true"
android:exported = "true"
>
<intent-filter
android:priority = "999"
>
<action
android:name = "android.provider.Telephony.SMS_RECEIVED"
>
</action>
</intent-filter>
</receiver>
<service
android:name = ".MainService"
>
</service>
The most interesting components to us are the Main activity, the ServiceStarter receiver, and the MessageReceiver receiver. There is also a MainService service, which is likely started by all three components we have listed. Although there are other components to this malware, these are likely the three entry points we care about the most and want to analyze first, so let's dive into them by grepping the smali code for const-string to look for anything interesting.
bebop:torec user$ baksmali com.baseapp.apk -o baksmali
bebop:torec user$ cd baksmali/
bebop:torec user$ cd baksmali/com/baseapp/
bebop:baseapp user$ grep "const-string" Main* ServiceStarter.smali MessageReceiver.smali
Main.smali: const-string v3, "com.baseapp.MainServiceStart"
MainService$2.smali: const-string v1, "Tor"
MainService$2.smali: const-string v2, "error registering callback to service"
MainService$4.smali: const-string v1, "content://sms"
MainService$4.smali: const-string v0, "protocol"
MainService$4.smali: const-string v0, "type"
MainService$4.smali: const-string v0, "body"
MainService$4.smali: const-string v0, "address"
MainService$4.smali: const-string v1, "LISTENING_SMS_ENABLED"
MainService.smali: const-string v1, "content://sms"
MainService.smali: const-string v1, "AppPrefs"
MainService.smali: const-string v1, "device_policy"
MainService.smali: const-string v2, "org.torproject.android.service.TOR_SERVICE"
MainService.smali: const-string v1, "Tor"
MainService.smali: const-string v2, "remote exception updating status"
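The manifest triage and the const-string grep above can be scripted so the same questions (which components are exported, which react to boot or incoming SMS and at what priority, which string literals point at SMS or Tor use) get asked of every sample. The script below is an added example, not code from the book or the Orbot project; the manifest and smali fragments are constructed from the excerpt above, and the helper names and the namespace wrapper are my own.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample: the decoded manifest excerpt from the text, wrapped in a
# root element with the real android namespace so a plain XML parser accepts it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application android:label="@7F05000E" android:debuggable="true" android:allowBackup="false">
<activity android:name=".Main"><intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter></activity>
<receiver android:name=".ServiceStarter" android:enabled="true" android:exported="true">
<intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
</receiver>
<receiver android:name=".MessageReceiver" android:enabled="true" android:exported="true">
<intent-filter android:priority="999">
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter></receiver>
<service android:name=".MainService"/>
</application></manifest>"""
# Constructed smali fragment echoing three of the grep hits shown in the text.
SAMPLE_SMALI = ('const-string v1, "content://sms"\nconst-string v1, "Tor"\n'
                'const-string v2, "org.torproject.android.service.TOR_SERVICE"\n')

def find_entry_points(manifest_xml):
    """List activities, receivers and services with their intent actions,
    exported flag and filter priority: the triage the text does by eye."""
    found = []
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in ("activity", "receiver", "service"):
            continue
        actions, priority = [], None
        for flt in comp.findall("intent-filter"):
            priority = flt.get(ANDROID_NS + "priority", priority)
            actions += [a.get(ANDROID_NS + "name") for a in flt.findall("action")]
        found.append({"kind": comp.tag, "name": comp.get(ANDROID_NS + "name"),
                      "exported": comp.get(ANDROID_NS + "exported") == "true",
                      "actions": actions,
                      "priority": int(priority) if priority is not None else None})
    return found

CONST_STRING = re.compile(r'const-string\s+v\d+,\s*"([^"]*)"')
SUSPECT = ("content://sms", "TOR_SERVICE", "LISTENING_SMS_ENABLED", "device_policy")

def suspicious_const_strings(smali_text):
    """Mimic the grep step, keeping only literals tied to SMS access,
    Tor service binding or device-admin use."""
    return [s for s in CONST_STRING.findall(smali_text) if any(k in s for k in SUSPECT)]
```

An exported receiver on SMS_RECEIVED with priority 999 is the detail worth flagging automatically: it lets the app see incoming messages before the stock messaging app on the Android versions of the time.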