Android Malware and Analysis
Capture System Wide Trace Using Android Systrace. This tool is for analyzing application performance by capturing and displaying execution times across the whole system.
Start OpenGL Trace. This tool is for analyzing the OpenGL calls made by Android applications.
There is a set of tabs to the right of the Devices view that display the data collected by the buttons on the Devices toolbar. There are also a few extra tabs for your use. They include Network Statistics, File Explorer, Emulator Control, and System Information.
Image 7.15 DDMS tabbed toolbar.
Network Statistics
e Network Statistics tab allows you to gather network transmit and
receive statistics of a running application. Select the application you
wish to gather statistics on from the Devices view, select Start, and
then Stop when nished.
File Explorer
To explore the le system on a running device a File Explorer tool
is made available. It allows you to navigate the system and see what
les are there. Additionally, it allows you to copy les to and from
the system as well as manipulate the le system by adding folders and
moving les. To access, select the File Explorer tab and make sure a
device from the Devices view has been selected.
Image 7.16 File Explorer tab with push–pull icons.
One item to note is that the view of the file system depends on the connected device. If you are working with the emulator it will show you the contents of the /data/data directory, which is the common location of installed applications and their supporting files. This is not the case with a physical device unless it is rooted and running a modified ROM, because on a stock device adb runs as the unprivileged shell user and cannot read other applications' private directories.
Emulator Control
e Emulator Control tool allows you to set geolocations as well as
some telephony settings for the type of phone network connection
and status you are working with such as GSM and roaming.
System Information
e System Information tool simply tells you the status of the device.
LogCat View
Androids LogCat tool displays messages created by a running emula-
tor or a connected device. It reports all kinds of information. Some
information is relevant to your application; other information is mostly
about the device and other running processes. e LogCat view is great
to help understand the application’s behavior. It will contain stack track
information as well as which methods are calling which other methods.
Filtering LogCat Output
LogCat can quickly lead to information overload. To get a better grip on what is going on you can adjust the log level shown as well as apply filters.
Image 7.17 LogCat filter screen.
Android has five levels of logging: ERROR, WARN, INFO, DEBUG, and VERBOSE (plus ASSERT, used for messages logged with Log.wtf(), which the level drop-down also offers). Selecting a level shows that level and everything more severe; the drop-down is located on the right-hand side of the LogCat view. Additionally, you can apply filters to the output, allowing filtering on such things as PID, tag, log level, and Application Name. To create a filter, click the green plus (+) sign on the left-hand side of the LogCat view.
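The same PID, tag and minimum-level filtering that the DDMS view performs can be done over raw `adb logcat -v threadtime` output, which is useful when the device is reached over a shell rather than Eclipse. The script below is an added example, not code from the book or from the AnDOSid project; the log lines are constructed for illustration, and the PIDs, tags, uid and messages in them are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the DDMS LogCat filters (PID, tag, minimum level) over
# `adb logcat -v threadtime` text from a POSIX shell. Not the book's or the project's code.

# Constructed sample of threadtime-format logcat output (assumed PIDs, tags and text).
# Field layout: date time PID TID level tag: message. Tags shorter than 8 characters
# are padded by logcat, so for "AnDOSid" the colon becomes a separate whitespace field.
SAMPLE_LOGCAT='03-14 10:22:01.123  1234  1234 D AnDOSid : target set to 10.0.2.2:80
03-14 10:22:01.456  1234  1250 I DOService: starting flood thread
03-14 10:22:02.001   812   812 V ActivityManager: Start proc com.scott.herbert.AnDOSid: pid=1234 uid=10068
03-14 10:22:02.500  1234  1250 E DOService: socket failed: ECONNREFUSED
03-14 10:22:03.000   812   830 W WindowManager: unrelated device noise'

# logcat_filter TEXT PID MINLEVEL [TAG]
# Keeps lines from PID whose level is MINLEVEL or more severe (V < D < I < W < E < A),
# optionally restricted to one tag, exactly like a DDMS filter with those three fields.
logcat_filter() {
  printf '%s\n' "$1" | awk -v pid="$2" -v min="$3" -v tag="${4:-}" '
    BEGIN { p["V"]=1; p["D"]=2; p["I"]=3; p["W"]=4; p["E"]=5; p["A"]=6; p["F"]=6 }
    { t = $6; sub(/:$/, "", t) }                 # strip the colon glued to long tags
    $3 == pid && p[$5] >= p[min] && (tag == "" || t == tag)'
}

# Against a live device, pass a dump of the buffer instead of the sample:
#   logcat_filter "$(adb logcat -d -v threadtime)" 1234 E
# logcat itself can filter by tag:priority ("adb logcat DOService:I '*:S'"), but a PID
# filter on the device side only arrived with --pid in Android 7, hence the awk.
logcat_filter "$SAMPLE_LOGCAT" 1234 I
```

Run as-is it prints the two INFO-or-worse lines from PID 1234; the ActivityManager and WindowManager lines from the system process are dropped even though the error-level one would pass a level-only filter.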
Application Tracing
Now that you have been introduced to most of the tools, let's put together an example to show how they come together for a complete analysis. We are going to look at a very simple application for testing systems against DoS attacks. The application, called AnDOSid, can be found at https://github.com/Scott-Herbert/AnDOSid. Because it generates flood traffic, point it only at a target inside your isolated lab network.
Using the ADB tool we install the application into our test environment as described earlier.
Next we start a packet capture on our upstream machine to capture any network traffic.
Next, from our lab machine, we execute the application so that it shows up as a running process under our device in the DDMS Devices view in Eclipse.
Next we select the running process and click the Start Method Profiling button to trace the object and method calls of the application.
Next we capture a screenshot. As seen in the following screenshot we have set up a target and left the other settings at their defaults (Image 7.18).
Next we select the Network Statistics tab and select Start.
Next we exercise the application by pressing Go, in this case for a period of time, before selecting Stop.
Last, we stop all of our captures to begin the analysis of the results.
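The whole procedure above, and the Network Statistics measurement described earlier, can be driven from adb without the Eclipse GUI: `am profile start`/`stop` is what the Start/Stop Method Profiling buttons call, `screencap` takes the screenshot, and the byte counts come from the kernel's per-UID accounting file /proc/net/xt_qtaguid/stats on 4.x-era devices. The script is an added example, not code from the book or from the AnDOSid project. Everything that needs a device is inside trace_app() and only runs when ADB_LIVE=1; the counter arithmetic is exercised offline on a constructed stats sample, whose interfaces, uids (10068 for AnDOSid, 10044 for some other app) and byte counts are assumptions.

```shell
#!/bin/sh
# Added example (not the book's or AnDOSid's code): the DDMS tracing procedure driven
# from adb, plus the per-UID byte accounting behind the Network Statistics tab.

# Constructed sample of /proc/net/xt_qtaguid/stats. Real files carry more per-protocol
# columns to the right; only these leading ones are used. cnt_set 0 = background,
# 1 = foreground. Rows whose acct_tag_hex is not 0x0 are socket-tag subtotals of the
# 0x0 row for the same uid, so adding them in would double count (row 4 below).
SAMPLE_STATS='idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets
2 wlan0 0x0 10068 0 1500 10 22000 180
3 wlan0 0x0 10068 1 500 4 98000 800
4 wlan0 0x1b3e00000000 10068 1 500 4 98000 800
5 wlan0 0x0 10044 0 40000 50 3000 30'

# uid_rx_tx STATS UID -> "rx_bytes tx_bytes", summed over the untagged rows of both
# cnt_sets. Prints "0 0" for a uid with no traffic at all.
uid_rx_tx() {
  printf '%s\n' "$1" | awk -v uid="$2" '
    NR > 1 && $3 == "0x0" && $4 == uid { rx += $6; tx += $8 }
    END { printf "%d %d\n", rx, tx }'
}

# bytes_delta "RX0 TX0" "RX1 TX1" -> bytes moved between two snapshots, which is what
# the tab's Start/Stop pair measures (the counters themselves are cumulative since boot).
bytes_delta() {
  set -- $1 $2
  echo "$(( $3 - $1 )) $(( $4 - $2 ))"
}

# trace_app APK PACKAGE SECONDS: the procedure from the text, against a connected device.
# Assumes adb on PATH and a 4.x-era device/emulator that exposes xt_qtaguid stats.
trace_app() {
  apk=$1; pkg=$2; secs=$3
  adb install -r "$apk"
  # launch without knowing the activity name: monkey fires the LAUNCHER intent once
  adb shell monkey -p "$pkg" -c android.intent.category.LAUNCHER 1
  sleep 3
  uid=$(adb shell dumpsys package "$pkg" |
        awk -F'userId=' '/userId=/ { split($2, a, " "); sub(/\r$/, "", a[1]); print a[1]; exit }')
  adb shell am profile start "$pkg" "/sdcard/$pkg.trace"   # = Start Method Profiling
  before=$(uid_rx_tx "$(adb shell cat /proc/net/xt_qtaguid/stats)" "$uid")   # = Start
  echo "press Go in the app now; capturing for $secs s"
  sleep "$secs"
  after=$(uid_rx_tx "$(adb shell cat /proc/net/xt_qtaguid/stats)" "$uid")    # = Stop
  adb shell am profile stop "$pkg"                         # = Stop Method Profiling
  adb shell screencap -p "/sdcard/$pkg.png"
  adb pull "/sdcard/$pkg.trace" . && adb pull "/sdcard/$pkg.png" .
  echo "uid $uid rx/tx bytes during run: $(bytes_delta "$before" "$after")"
}

if [ "${ADB_LIVE:-0}" = 1 ]; then
  trace_app "${1:?usage: ADB_LIVE=1 $0 app.apk [package] [seconds]}" \
            "${2:-com.scott.herbert.AnDOSid}" "${3:-30}"
else
  echo "offline demo, uid 10068 rx/tx bytes: $(uid_rx_tx "$SAMPLE_STATS" 10068)"
fi
```

The pulled .trace file is the same format DDMS shows in its method-profiling panel and can be opened with the SDK's traceview or dumped with dmtracedump. The offline demo reports 2000 bytes received against 120000 sent for uid 10068: the lopsided ratio is the shape you expect from a flood tool, and it is the kind of figure to compare against the upstream packet capture.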
Analysis of Results
Starting with the Network Statistics, you can easily see that there was network traffic; additionally, you can see the interval at which that traffic was sent.
Image 7.19 Network statistics tab.
Image 7.18 Main AnDOSid screen.
Moving to the method profiling results, you can see the order in which the application called objects and methods.
Image 7.20 Method profiling results.
Taking these methods into consideration, you can go back to your static analysis, look at what these methods contain, and follow the progression of the application. For example, step 3, com/scott/herbert/AnDOSid/DOService.addNewDoS, looks like this.
Image 7.21 Matched code to method profile.