126
android Malware and analysis
Once complete you will have a backup of that partition in a tar format
from which you can extract and review the files contained within. As
pointed out earlier, the tar file will be located in your home directory
under the Cygwin installation unless you change it in the aforementioned
command.
Other Items of Interest
In analysis of Android malware you may have to perform nonstandard
operations to get what you are looking for. The following sections
cover a few of those nonstandard operations that you may have
to perform.
Using Google Services Accounts
Some of the operations will require you to work with a Google
account in order to complete tasks. Two are recommended, since you
can use one to interact with the other. It can be beneficial to create
the accounts in such a way that they are easily identifiable, such as
test1000 and test2000.
Sending SMS Messages
SMS Messaging with the Emulator
The emulator opens port 5554 by default. Each additional emulator
spawned at the same time takes the next port, incrementing by 2
(e.g., 5556, 5558). You can spawn up to 16 simultaneous emulators.
The full phone number of each emulated device is built from its port:
1-555-521-5554, 1-555-521-5556, and so on.
To send SMS messages you can open the messaging application on
two running instances of the emulator. Note that both instances must
be running on the same host, and you address each emulated device by
its full phone number to send and receive messages through it. An
example of this type of transaction is shown in Image 7.24.
SMS Messaging with a Device
Sending SMS messages with a device is a little more complicated but
can be done. You will need two devices with active Google accounts to
do this. Then, from the Play Store, download and install texting
software such as Google Messaging. Note that with this method you are
working with a third-party SMS provider, which requires your lab
device to be exposed to applications that may steal or send premium
SMS messages.
Getting Apps from Google Play
Occasionally, malicious applications get into the Google Play Store,
and you might be asked to analyze one. You can use your test
accounts to pull it down, since Google streams applications to the device
from the Play Store. Then, once it is streamed and installed, use the backup
method you have chosen to get the APK into your lab for analysis.
Working with Databases
Many applications have databases that can be found in the database
directories of their applications. They will be denoted with a .db
extension. Databases on Android devices are SQLite databases, and
once you have pulled them off the device you can use something like
sqlitebrowser, found at http://sourceforge.net/projects/sqlitebrowser/,
to visually inspect them. Following is an example of the contacts
database extracted from a test device.
Image 7.24 SMS messages between two emulators.
Image 7.25 Contacts database as viewed in SQLiteBrowser.
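The following script is an added example, not code from the book, that ties together the two steps described above: pulling a .db file out of the tar backup of a partition and reading its schema the way sqlitebrowser would show it. It constructs its own sample backup (the package path com.example.contacts and the contact rows are made up), extracts only .db members while refusing tar entries whose names would escape the output directory (a backup taken from a compromised device is untrusted input), and opens each database read-only so the evidence is not modified.

```python
import io
import os
import sqlite3
import tarfile
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def build_sample_backup(work_dir):
    """Construct a small contacts-style SQLite database and pack it into a tar
    archive standing in for the partition backup described above.
    Constructed sample data only, not data from a real device."""
    db_path = os.path.join(work_dir, "contacts.db")
    conn = sqlite3.connect(db_path)
    conn.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, number TEXT);
        INSERT INTO contacts (name, number) VALUES ('test1000', '15555215554');
        INSERT INTO contacts (name, number) VALUES ('test2000', '15555215556');
        CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT);
        INSERT INTO sms (address, body) VALUES ('15555215556', 'hello from the emulator');
    """)
    conn.commit()
    conn.close()

    tar_path = os.path.join(work_dir, "data_backup.tar")
    with tarfile.open(tar_path, "w") as tar:
        # hypothetical package path; real paths come from the device you back up
        tar.add(db_path, arcname="data/data/com.example.contacts/databases/contacts.db")
        # a hostile member with a traversal name, to show it being rejected below
        evil = tarfile.TarInfo(name="../../escape.db")
        payload = b"not a database"
        evil.size = len(payload)
        tar.addfile(evil, io.BytesIO(payload))
    os.remove(db_path)
    return tar_path


def extract_databases(tar_path, out_dir):
    """Extract only the .db members of the backup, skipping any entry whose
    resolved path would land outside out_dir (a tar pulled from an untrusted
    device may carry '../' or absolute names). Returns the extracted paths."""
    out_root = os.path.realpath(out_dir)
    extracted = []
    with tarfile.open(tar_path, "r") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".db"):
                continue
            target = os.path.realpath(os.path.join(out_root, member.name))
            if os.path.commonpath([out_root, target]) != out_root:
                continue  # traversal attempt: leave it in the archive
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(target)
    return extracted


def inspect_database(db_path):
    """Return {table: (row_count, [columns])} for a pulled .db file, the same
    schema overview sqlitebrowser presents. The file is checked for the SQLite
    header first and opened read-only so the evidence file is never modified."""
    with open(db_path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            raise ValueError("%s is not a SQLite 3 database" % db_path)
    # URI form is what allows mode=ro; paths containing '?' or '#' would need escaping
    conn = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    summary = {}
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        for name in tables:
            quoted = '"%s"' % name.replace('"', '""')  # identifier quoting
            cols = [r[1] for r in conn.execute("PRAGMA table_info(%s)" % quoted)]
            count = conn.execute("SELECT COUNT(*) FROM %s" % quoted).fetchone()[0]
            summary[name] = (count, cols)
    finally:
        conn.close()
    return summary


def demo():
    """Build the sample backup, extract its databases, and inspect each one.
    Returns the archive-relative names that were extracted and their summaries."""
    with tempfile.TemporaryDirectory() as work_dir:
        tar_path = build_sample_backup(work_dir)
        out_dir = os.path.join(work_dir, "extracted")
        files = extract_databases(tar_path, out_dir)
        out_root = os.path.realpath(out_dir)
        names = [os.path.relpath(p, out_root) for p in files]
        summaries = {n: inspect_database(p) for n, p in zip(names, files)}
    return names, summaries


if __name__ == "__main__":
    for name, summary in demo()[1].items():
        print(name)
        for table, (count, cols) in summary.items():
            print("  %s: %d rows, columns %s" % (table, count, ", ".join(cols)))
```

Running the script prints one line per table with its row count and columns; the `../../escape.db` member never reaches the output directory. On a real backup, point `extract_databases` at the tar in your Cygwin home directory and call `inspect_database` on each path it returns before opening anything in a GUI.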
Conclusion
Dynamic analysis is a complex process with a number of moving
parts and characteristics not usually seen in Windows-based malware
analysis. In this chapter we have seen how to set up Eclipse and the
Android SDK to support emulating different devices. We not only
showed their capabilities but their limitations as well. We introduced
physical devices and how to configure them to support the lab
environment. Next we reviewed how to leverage the Eclipse framework
to capture, trace, and qualify how samples run and what objects they
use. Last, we looked at some of the other tricks and tools that can be
implemented in the lab environment to further qualify your results
and make your analysis easier to complete.