111
Behavioral analysis
On the upstream machine
FakeDNS—Used to direct all DNS requests to a single host.
FakeHTTP—Used as a generic Web server to host files.
Proxy Server—Used to obscure your actual location.
Wireshark—Used to capture all the netflow traffic passing through the machine.
Other helpful applications to have on hand include the SQL Database Browser to read databases retrieved off the device and SQL Commander to browse the device and move files on and off it.
Installing Samples to Devices and Emulators
Once the device is up, Eclipse will automatically see it and open access to the monitoring tools under the DDMS perspective; but first you have to get something on the device to monitor. A sample can be put into your environment for testing in one of two ways.
The first way is to stage the APK downstream using Web services such as FakeHTTP. Then, using the integrated browser, navigate to that site and download the APK. In this method you will have to turn on the setting “Unknown sources” to allow installation of non-market applications. This setting can be found under Application settings in older devices and under Security in newer devices. This will place downloads where you can perform an installation of the sample. Performing installations this way provides no distinctive advantage other than that the emulator will read the manifest and display the requested rights for you to accept.
The second way is to use the ADB. The ADB (Android Debug Bridge) is located under the platform-tools directory under your SDK installation. The ADB is very versatile, providing a number of commands to interact with your device. The command to install an APK is “adb install <path to APK file>”. After a few seconds, if there are no problems, the installation will be complete, the command prompt will be returned to you, and a new icon will show up on your device. You are now ready to run, monitor, and capture data from an emulated device.
112
android Malware and analysis
Application Storage and Data Locations
Applications and their data files are usually stored in one of two locations, internal and external storage. Installing applications to the SD card can be controlled with the “-s” flag in the ADB install command. Otherwise, when an application is installed it will be placed in the /data/app directory, named after the application’s package name. In the meantime, another set of directories is created under /data/data for the application to store its data. By way of example, if you install an application called util with the package name com.android.utility the APK will be com.android.utility.util-1.apk and its data will be stored in the /data/data/com.android.utility.util directory. What is stored there can vary from application to application, but files and databases are usually the most noteworthy for analysis. The following are the most common subdirectories you will find under the application.
lib—Static libraries used by the application
cache—File cache to speed up performance
files—Custom data storage
databases—SQLite databases
If you locate a files directory it usually means the application required a more complex data structure, and it would be a good place to mine for data. By default this directory and its files are available to you in the emulator, where you can see them. However, on a physical device the /data/data/ directory, which this is a part of, is locked unless you have root access. If that is the case, you will need to access and copy the files through the ADB pull process.
Getting Samples Off Devices
Much like putting samples on the device, there are two ways to get samples off the device. The first way is with application backup software. App Backup from the Play Store is an excellent resource to do this. When executed it polls the applications on the device and backs them up to an SD card. You can then retrieve them with the ADB pull command, or if it is removable media, take it out and mount it on another system.
The second way is to use the ADB to connect and pull the application off. To do this you will need the location of the APK file.
Applications are typically located in one of two places. The first place is the system/app directory. This directory contains the APK files that came with the system or are part of the system installation; however, other install packages can put their APK file here as well during installation. The second location is “data/app” and is the more common location for installed APK files to reside. To pull files to your machine you will need to enter the following command:
adb pull <full path to the file>/<filename.apk>
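Pulling a sample the way the two sections above describe (find the APK under /data/app by its package name, adb pull it, and, when the device shell is root, also pull the /data/data directory) as an added shell example; it is not from the book. It assumes adb is on the PATH, that the device shell provides `id -u` for the root check, and the /data/app listing embedded below is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the book): locate an installed sample's APK and
# data directory using the /data/app and /data/data layout described in
# the text, then pull both with adb.

# Print the APK file for a package from the text of `ls /data/app`.
# The installer appends "-1", "-2", ... to the package name, so match
# "<package>-<digits>.apk" exactly, not a longer package sharing the prefix.
locate_apk() {
  pkg="$1"; listing="$2"
  esc=$(printf '%s' "$pkg" | sed 's/[.]/\\./g')   # escape dots for grep -E
  printf '%s\n' "$listing" | grep -E "^${esc}-[0-9]+\.apk$" | head -n 1
}

# Data directory created for the package at install time.
data_dir() {
  printf '/data/data/%s\n' "$1"
}

# Pull the APK and, if `adb shell` runs as root (emulator or rooted phone,
# assumed detectable with `id -u`), the application's data directory.
# ADB may be overridden with a stub for offline testing.
pull_sample() {
  pkg="$1"; outdir="$2"
  ADB="${ADB:-adb}"
  listing=$("$ADB" shell ls /data/app | tr -d '\r')
  apk=$(locate_apk "$pkg" "$listing")
  [ -n "$apk" ] || { echo "no APK for $pkg in /data/app" >&2; return 1; }
  mkdir -p "$outdir"
  "$ADB" pull "/data/app/$apk" "$outdir/$apk"
  if [ "$("$ADB" shell id -u | tr -d '\r')" = "0" ]; then
    "$ADB" pull "$(data_dir "$pkg")" "$outdir/data"
  else
    echo "no root: skipping $(data_dir "$pkg")" >&2
  fi
}

# Constructed listing of /data/app, standing in for a device when offline.
SAMPLE_LISTING='com.android.utility.util-1.apk
com.android.utility.util2-1.apk
com.example.browser-2.apk'
```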
The Eclipse DDMS Perspective
The DDMS Perspective, or Dalvik Debug Monitor, monitors your running devices, be they emulated or physical, and then reports back to a series of different screens. As pointed out earlier, a perspective is the name for a collection of windows and tools that allows the user to work efficiently, and the DDMS is no different. It is divided into three core parts: devices, the monitoring toolbar, and the log/console.
Image 7.12 DDMS perspective.
Devices View
The Devices view displays a navigation tree that includes running emulators and any attached phones or tablets. In the following screenshot, the processes running on each emulated device are visible (look for the phone icon to the left of each). Physical device processes will be seen if the application has been debug enabled or it is running a modified ROM. In the example three device types are shown: KitKat showing all processes, a Nexus 7 that is rooted but running the manufacturer ROM, and an HTC Iris running Gingerbread with a modified ROM.
The Devices toolbar offers many options to the developer for analyzing applications. The layout of the toolbar and a brief description of each tool contained within follows. Out of these tools, Method Profiling and Screen Capture will be the most useful for the analysis of malicious code. It is helpful, however, to know what the other tools are used for, in the event you might have cause to use them.
Image 7.13 Devices view.
[Image 7.14 toolbar buttons: Debug, Update Heap, Cause GC, Dump HPROF, Update Threads, Start Method Profiling, Stop Process, Screen Capture, Dump Hierarchy for UI Automator, Capture System Wide Trace, Start OpenGL Trace, Devices Name]
Image 7.14 Devices side menu.
Debug—Designed specifically for application development; without an Eclipse source code project debug does not work.
Update Heap—Used to track information about heap memory usage, gathering information about size, space, and the number of objects.
Cause GC—This tool is used in conjunction with Update Heap. It invokes garbage collection, which enables the collection of heap data.
Dump HPROF—This tool dumps the heap into a file for further analysis and identification of things like memory leaks and bad coding practices.
Update Threads—This tool shows the number of open threads and the objects attached to those threads.
Start Method Profiling—This tool profiles the application, showing the objects and methods called during application operation. This is perhaps the most useful of the tools for analyzing malicious code. More on this in the section “Application Tracing.”
Stop Process—Stops whatever process you have selected.
Device Screen Capture—Launches a utility to capture the current device display. Additional buttons come with the utility including Refresh, Rotate, Save, Copy, and Done. This is useful when documenting display behavior of the sample during runtime.
Dump View Hierarchy for UI Automator—This is a user interface (UI) tester.