Android Malware and Analysis: Behavioral analysis
settings and tools will be there. Additionally, booting the emulator and
interacting with it is substantially quicker.
The next way to preserve the settings is to run the emulator within
a virtual machine, such as VMware or VirtualBox. Configure the
emulator to support your analysis and then save a snapshot with
the virtual machine software. Each time you revert to the snapshot,
the emulator is reverted with it.
An alternative way to support preservation is to overwrite your
default image file with your updated image. As shown earlier, the
emulator uses the file userdata.img to create the default environment
you see when starting up for the first time. Once running, the system
creates another file, userdata-qemu.img, to hold user configuration
and data. Install your applications, make your configuration changes,
and close the emulator. That state is preserved in userdata-qemu.img.
Keep a copy of the original userdata.img (so you can still return to a
factory-fresh image), then overwrite userdata.img with userdata-qemu.img.
To take advantage of this, select the "wipe user data" option when you
start the emulator. This loads the updated userdata.img and replaces the
current userdata-qemu.img with its contents. This method is a helpful
backup in the event that the emulator snapshot becomes corrupt or
unusable.
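The image swap described above, written as a small shell helper. This is an added example, not a script from the book; it assumes that userdata.img and userdata-qemu.img both live in the AVD directory you pass as the first argument (on current SDKs that is ~/.android/avd/<name>.avd), and it keeps the factory image as userdata.img.orig so the promotion can be undone.

```shell
#!/bin/sh
# Promote the emulator's working user-data image (userdata-qemu.img) to the
# default image (userdata.img) so that starting with -wipe-data restores a
# configured environment instead of a factory-fresh one.
#
# Assumption (not stated on the page): both files live in the AVD directory,
# e.g. ~/.android/avd/<name>.avd on current SDKs. Pass that directory as $1.

preserve_userdata() {
    avd_dir=$1
    work="$avd_dir/userdata-qemu.img"
    base="$avd_dir/userdata.img"

    [ -f "$work" ] || { echo "no $work: run and configure the emulator first" >&2; return 1; }

    # Keep the pristine default once, so a bad promotion can be undone.
    [ -f "$base.orig" ] || cp "$base" "$base.orig" 2>/dev/null || :

    cp "$work" "$base" || return 1
    echo "promoted $work -> $base"
}

# Undo: put the pristine factory image back as the default.
restore_userdata() {
    avd_dir=$1
    [ -f "$avd_dir/userdata.img.orig" ] || return 1
    cp "$avd_dir/userdata.img.orig" "$avd_dir/userdata.img"
}

# Real usage (AVD name "malware" is an assumption; not executed here):
#   preserve_userdata ~/.android/avd/malware.avd
#   emulator -avd malware -wipe-data    # now loads the promoted userdata.img
```

Run preserve_userdata only after the emulator has exited, otherwise userdata-qemu.img may still be partially written; the -wipe-data flag is what makes the emulator re-read userdata.img instead of the stale working copy.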
Setting Up a Physical Device for Testing
Almost any Android device can be used for testing; it just takes a few
more steps to get it configured. Before getting into the configuration
of the device, one note about procuring one: Android devices with
off-brand names and cheap prices are not usually the best choice for
testing. They tend to use inferior hardware and have limited support.
Additionally, they may ship a modified version of Android that produces
unexpected behavior during testing. Once you have your device, the first
thing to do is determine which version of Android it runs. Open Settings,
scroll to the bottom, and select About tablet (About phone on a handset).
There you will find an entry for the Android version. Depending on the
version, you will go through one of two sets of steps to get the device
configured.
If you are running Android prior to version 4, do the following:
Select Settings, then Applications.
Check the Unknown sources box—Allows installation of non-market applications.
Select Development and turn on:
USB Debugging—Allows ADB (the Android Debug Bridge) and Eclipse to see the device.
Stay Awake—Keeps the screen on while working with the device.
If you are running Android 4.x and above, do the following:
Select About tablet.
Scroll down until you find the build number listed.
Tap it seven times to activate the developer functions.
Image 7.9 Activating developer options.
Go back one level to the settings list and you will see Developer Options now available.
Select the following from within Developer Options:
Stay Awake
USB Debugging
Select Security from the settings list.
Check Unknown Sources—Allows installation of apps from sources other than the Play Store.
Uncheck Verify Apps—When checked, this blocks or warns before installation of apps that may cause harm, which is exactly what a malware sample will trigger. (This option is present from Android 4.2.)
Image 7.10 Allowing for third-party applications.
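Once USB debugging is on you can confirm the rest of the configuration from the analysis machine instead of trusting the menus. The script below is an added example, not from the book: probe_device pulls the values over adb, and check_report grades them and tells you which of the two procedures above applies. It assumes the AOSP settings keys (adb_enabled, stay_on_while_plugged_in, install_non_market_apps, package_verifier_enable) and the settings shell command, which exists from Android 4.2; on 4.2 to 4.4 the unknown-sources key was served from the global namespace, so adjust the query if it returns null. Pre-4.x devices only get the version check.

```shell
#!/bin/sh
# Verify over adb that a physical device is configured as described above:
# USB debugging on, stay-awake on, unknown sources allowed, app verification
# off. Settings keys are AOSP names (assumption: "settings" command present,
# i.e. Android 4.2 or later); older releases only get the version advice.

# Collect raw values from the connected device, one key=value per line.
probe_device() {
    echo "version=$(adb shell getprop ro.build.version.release | tr -d '\r')"
    echo "adb=$(adb shell settings get global adb_enabled | tr -d '\r')"
    echo "stay_awake=$(adb shell settings get global stay_on_while_plugged_in | tr -d '\r')"
    echo "unknown_sources=$(adb shell settings get secure install_non_market_apps | tr -d '\r')"
    echo "verify_apps=$(adb shell settings get global package_verifier_enable | tr -d '\r')"
}

# Grade a probe report read from stdin. Prints one line per finding and
# returns the number of settings that still need attention (0 = ready).
check_report() {
    problems=0
    while IFS='=' read -r key value; do
        case "$key" in
            version)
                case "$value" in
                    1.*|2.*|3.*) echo "Android $value: use Settings > Applications > Development" ;;
                    *)           echo "Android $value: use Developer Options (tap build number 7 times)" ;;
                esac ;;
            adb)
                [ "$value" = "1" ] || { echo "USB debugging is off"; problems=$((problems+1)); } ;;
            stay_awake)
                # Bitmask of charger types that keep the screen on; 0 (or
                # "null" when unset) means the screen will sleep on USB.
                [ "${value:-0}" -gt 0 ] 2>/dev/null || { echo "Stay awake is off"; problems=$((problems+1)); } ;;
            unknown_sources)
                [ "$value" = "1" ] || { echo "Unknown sources is off: sideloading will be refused"; problems=$((problems+1)); } ;;
            verify_apps)
                [ "$value" = "0" ] || { echo "Verify apps is on: installs of samples may be blocked"; problems=$((problems+1)); } ;;
        esac
    done
    return $problems
}

# Real usage (not executed here): probe_device | check_report
```

A non-zero exit from check_report is the signal to go back into the settings menus before installing a sample; "null" values for the unknown-sources key usually mean the namespace differs on that release, not that the setting is off.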
Limitations and Capabilities of Physical Devices
It can be preferable to use a physical device over an emulated one for
reasons such as speed, performance, and accurate observations about
what the victims will see. Additionally, some malware takes advantage of
sensors and accessories that are not available to the emulator and as such
will not function in an emulated environment. Here is an overview of
some of the capabilities and limitations a physical device may have.
Capabilities
Make real phone calls and send real SMS messages.
Multitouch screen support.
Use of actual location data.
Advanced sensors, for example the gyroscope, compass, and headphone jack.
Limitations
Certain core services of the device might be locked down or made inaccessible by the manufacturer.
Testing could break the device or, worst case, brick it, making it unusable.
There are ways around some of these limitations, including rooting
the device to unlock the system. The popularity of the device and
its support in the community will determine your ability to do this.
XDA Developers (http://www.xda-developers.com/) is one of the
best locations to find information on rooting your device.
Network Architecture for Sniffing in a Physical Environment
If you choose to use a physical device for testing instead of the emulator,
only a slight modification of the infrastructure is required. One machine
sits between the device's network and the Internet to sniff the traffic
and provide basic network services to the device. This machine can be
physical or virtual depending on what resources you have available. The
added elements are a wireless access point and the physical device. The
device can be any Android device you choose. A device with a cellular
plan attached is not recommended; if you use one, disable its mobile data
so that it only uses the wireless access point, otherwise the sample's
traffic can bypass your capture point over the carrier network.
In the following diagram, a virtual machine acts as a router participating
in both the 192.168.x network and the 172.16.x network. Downstream of it
is a wireless access point that routes all of its traffic through this
machine, where the traffic can easily be captured and filtered.
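The router role described above, as an added example of how the VM in the diagram can be configured (this is not a script from the book). It assumes a Linux VM with two interfaces, eth0 on the 192.168.1.x side and eth1 on the 172.16.225.x side where the access point is attached, an optional transparent HTTP proxy listening on port 8080 (the "proxy installed" in the diagram), and tcpdump for the capture; all of those names and numbers are assumptions. The rule set is rendered as text first so it can be inspected before anything touches the firewall.

```shell
#!/bin/sh
# Make the VM the router/sniffing point between the access point and the
# Internet. Interface names, subnet, proxy port and capture path are
# assumptions, overridable through the environment.

WAN=${WAN:-eth0}                      # 192.168.1.x side (Internet)
LAN=${LAN:-eth1}                      # 172.16.225.x side (access point)
LAN_NET=${LAN_NET:-172.16.225.0/24}   # subnet the device lives in
PROXY_PORT=${PROXY_PORT:-8080}        # transparent HTTP proxy on the VM; 0 = none

# Emit the commands that build the routing/NAT policy. Kept separate from
# execution so the rule set can be reviewed (or tested) before it is applied.
render_router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
    # Only the device subnet is bent through the proxy; the VM's own traffic
    # is left alone so the proxy itself can still reach the Internet.
    if [ "$PROXY_PORT" -gt 0 ]; then
        echo "iptables -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    fi
}

# Apply the rendered policy (needs root; not run here).
apply_router_rules() {
    render_router_rules | sh -e
}

# Capture everything a given device sends or receives on the LAN side,
# keyed by its IP, into a pcap for later filtering in Wireshark.
capture_device() {
    device_ip=$1
    out=${2:-/tmp/device-$device_ip.pcap}
    tcpdump -i "$LAN" -n -s 0 -w "$out" host "$device_ip"
}

# Real usage (not executed here):
#   render_router_rules          # review
#   apply_router_rules           # as root
#   capture_device 172.16.225.50 # the phone's address from the access point
```

The FORWARD policy defaults to DROP so that only the device subnet is routed; anything the access point hands out from another range, or a second device you did not intend to expose, is blocked rather than silently forwarded.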
Applications for Analysis
After the network is configured, there are several applications to install
on both the sniffing machine and the device itself. The following is a
list of those applications and their purpose.
On the physical device
AFLogical—A forensics software package loaded on the device that captures phone call and SMS communication logs.
App Backup & Restore.
SuperSU—Grants superuser access to applications and command line functions.
BusyBox—Adds several helpful UNIX utilities to the system.
Image 7.11 Lab configuration with a physical device. (Diagram labels: Internet; 192.168.1.x; VM with proxy installed; 172.16.225.x; USB connected.)