Android Malware and Analysis
distribute malware exploiting these vulnerabilities have been found, as in the case of Android.Rootcager, which takes advantage of a similar vulnerability and lets an attacker send commands to the handset from a command and control (C&C) server.
Build Your Own Sandbox
At this point, and helped by open source tools, you will be able to start your own sandbox with little effort, taking advantage of the services and software offered by the open source community. To that end, we take a look at the tools we use to build an environment in which you can easily analyze samples and obtain simple, understandable reports. They are classified in two groups: static analysis tools and dynamic analysis tools. We use this separation to summarize, in an orderly way, the execution process in the sandbox environment we are going to develop. We then detail the tools that can be obtained from open repositories on the Internet. To make the task easier, http://androidrisk.com maintains a private tool archive, including options for this sandbox, for registered owners of this book.
Tools for Static Analysis
For the sandbox development you will have to employ some of the tools described in this section. Some, such as VirusTotal and APKTool, have already been covered in the book and are not repeated here. Others, like Androguard, have already been introduced but are treated in more depth in this chapter.
Androguard
Androguard is not only a tool for Android malware analysis but a complete framework, written in Python, that lets you interact directly with the malicious code: read its resources, access its code, and even compare different threats to find similarities or differences in their methods, classes, and resources. Every Androguard function can also be called from your own Python scripts to obtain detailed information about a file in an easy way. All the information contained in the malicious code can be accessed through the interface Androguard provides, including reading the source code of the application.
Then, from androlyze's interactive shell, a.show() on the APK object (a is the APK object returned by AnalyzeAPK) prints a summary of the package. Output from the sample, with wrapped lines rejoined:

In [1]: a.show()
FILES :
META-INF/MANIFEST.MF ASCII text, with CRLF line terminators 4d14f203
META-INF/SHIYI.SF ASCII text, with CRLF line terminators -51be4c70
META-INF/SHIYI.RSA data -77df883f
[....]
PERMISSIONS : {'android.permission.READ_SYNC_SETTINGS': ['normal', 'read sync settings', 'Allows an application to read the sync settings, such as whether sync is enabled for Contacts.'], 'android.permission.WRITE_APN_SETTINGS': ['dangerous', 'write Access Point Name settings', 'Allows an application to modify the APN settings, such as Proxy and Port of any APN.'], 'com.android.launcher.permission.UNINSTALL_SHORTCUT': ['dangerous', 'Unknown permission from android reference', 'Unknown permission from android reference'], 'android.permission.READ_SECURE_SETTINGS': ['dangerous', 'Unknown permission from android reference', 'Unknown permission from android reference'], [...]}
ACTIVITIES : ['com.bwx.bequick.EulaActivity', 'com.bwx.bequick.ShowSettingsActivity', 'com.bwx.bequick.DialogSettingsActivity', 'com.bwx.bequick.MainSettingsActivity', 'com.bwx.bequick.LayoutSettingsActivity', 'com.bwx.bequick.preferences.CommonPrefs', 'com.bwx.bequick.preferences.BrightnessPrefs', 'com.bwx.bequick.preferences.MobileDataPrefs', 'com.bwx.bequick.preferences.AirplaneModePrefs', 'com.bwx.bequick.flashlight.ScreenLightActivity', 'com.google.android.smart.FcbakeLauncherActivitcy', 'com.google.android.smart.AcbppInstallActivitcy']
SERVICES : ['com.google.android.smart.McbainServicce']
RECEIVERS : ['com.bwx.bequick.flashlight.LedFlashlightReceiver', 'com.bwx.bequick.receivers.StatusBarIntegrationReceiver', 'com.google.android.smart.WcbakeLockReceivecr', 'com.google.android.smart.BcbootReceivecr', 'com.google.android.smart.ScbhutdownReceivecr', 'com.google.android.smart.LcbiveReceivecr', 'com.google.android.smart.PcbackageAddedReceivecr']
PROVIDERS : []
As you can imagine, the coverage this framework provides for analysing malicious Android code is excellent; it gives a better understanding of the threat as well as of its internal structure and functionality. Androguard also has file comparison tools, similarity search against other known threats, visualization functions, and much more. Even the summary above already tells you something: the components under com.bwx.bequick form a coherent settings application, whereas the com.google.android.smart.* activities, service and receivers, with stray letters inserted into their names, sit under a package that does not match the rest. That kind of mismatch is a typical sign of a repackaged application and is the first thing to chase in the code.
Androguard also includes a very interesting module for malware analysis: androlyze.py, an interactive shell from which you can look for suspicious patterns.
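The triage an analyst does by eye on the a.show() output (which permissions are dangerous or unknown to Androguard, which components do not belong to the declared package) can be scripted. The following is an added example, not code from the book or from the Androguard project. It works on plain lists and dicts shaped like the listing above, so it runs offline on the constructed sample; load_with_androguard() assumes the androguard 3.x API (AnalyzeAPK, APK.get_package, get_details_permissions, get_activities, get_services, get_receivers, get_providers), and the package name "com.bwx.bequick" is an assumption inferred from the component names, not something the listing states.

```python
"""Triage an APK from the structures Androguard exposes.

Added example, not code from the book or from the Androguard project. It
works on plain lists/dicts shaped like the a.show() output, so it runs
offline on constructed data; load_with_androguard() assumes the androguard
3.x API. The package name "com.bwx.bequick" is an assumption inferred from
the component names in the listing.
"""
from collections import namedtuple

Triage = namedtuple(
    "Triage", "dangerous_permissions unknown_permissions foreign_components")


def triage(package, details_permissions, activities, services, receivers,
           providers=()):
    """Pick out what an analyst wants to look at first.

    details_permissions has the shape {name: [protection_level, label,
    description]}, the same as PERMISSIONS in a.show().
    """
    dangerous = sorted(name for name, (level, _label, _desc)
                       in details_permissions.items() if level == "dangerous")
    # Androguard labels permissions it has no reference entry for as
    # "Unknown permission from android reference": vendor or custom ones.
    unknown = sorted(name for name, (_level, label, _desc)
                     in details_permissions.items()
                     if label.startswith("Unknown permission"))
    # Components whose class does not live under the declared package are a
    # classic repackaging indicator: the original app is left intact and
    # extra activities/services/receivers are bolted on beside it.
    prefix = package + "."
    foreign = {}
    for kind, names in (("activity", activities), ("service", services),
                        ("receiver", receivers), ("provider", providers)):
        for name in names:
            if not name.startswith(prefix):
                foreign.setdefault(kind, []).append(name)
    return Triage(dangerous, unknown, foreign)


def load_with_androguard(apk_path):
    """Run the same triage on a real APK (assumes androguard 3.x)."""
    from androguard.misc import AnalyzeAPK  # imported here: optional dependency
    a, _d, _dx = AnalyzeAPK(apk_path)
    return triage(a.get_package(), a.get_details_permissions(),
                  a.get_activities(), a.get_services(), a.get_receivers(),
                  a.get_providers())


# Constructed sample, transcribed from the a.show() listing above.
SAMPLE_PACKAGE = "com.bwx.bequick"  # assumption
SAMPLE_PERMISSIONS = {
    "android.permission.READ_SYNC_SETTINGS":
        ["normal", "read sync settings", "Allows an application to read the sync settings."],
    "android.permission.WRITE_APN_SETTINGS":
        ["dangerous", "write Access Point Name settings", "Allows an application to modify the APN settings."],
    "com.android.launcher.permission.UNINSTALL_SHORTCUT":
        ["dangerous", "Unknown permission from android reference", "Unknown permission from android reference"],
    "android.permission.READ_SECURE_SETTINGS":
        ["dangerous", "Unknown permission from android reference", "Unknown permission from android reference"],
}
SAMPLE_ACTIVITIES = ["com.bwx.bequick.EulaActivity",
                     "com.bwx.bequick.MainSettingsActivity",
                     "com.bwx.bequick.flashlight.ScreenLightActivity",
                     "com.google.android.smart.FcbakeLauncherActivitcy",
                     "com.google.android.smart.AcbppInstallActivitcy"]
SAMPLE_SERVICES = ["com.google.android.smart.McbainServicce"]
SAMPLE_RECEIVERS = ["com.bwx.bequick.flashlight.LedFlashlightReceiver",
                    "com.bwx.bequick.receivers.StatusBarIntegrationReceiver",
                    "com.google.android.smart.WcbakeLockReceivecr",
                    "com.google.android.smart.BcbootReceivecr",
                    "com.google.android.smart.ScbhutdownReceivecr",
                    "com.google.android.smart.LcbiveReceivecr",
                    "com.google.android.smart.PcbackageAddedReceivecr"]


def demo():
    """Triage of the constructed sample."""
    return triage(SAMPLE_PACKAGE, SAMPLE_PERMISSIONS, SAMPLE_ACTIVITIES,
                  SAMPLE_SERVICES, SAMPLE_RECEIVERS)


if __name__ == "__main__":
    result = demo()
    print("dangerous:", result.dangerous_permissions)
    print("unknown:  ", result.unknown_permissions)
    for kind, names in result.foreign_components.items():
        print("foreign %s: %s" % (kind, ", ".join(names)))
```

On the sample this flags three dangerous permissions, two that Androguard cannot identify, and every com.google.android.smart.* component as foreign to the declared package; the receivers are worth looking at first, since a receiver is what lets injected code run without the user ever opening it.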
Radare2
Radare was born in 2006 as a forensic tool: a 64-bit hexadecimal editor for searching hard drives. The project soon grew to disassemble machine code for multiple architectures, to debug on Windows, Linux and Mac, and to support scripting.
After four years of growth it was decided to rewrite it from scratch to overcome several limitations implied by the monolithic design of the first version. Thus was born Radare2, implemented as a set of libraries that allow complete scripting through their APIs, with better performance and code quality.
Radare2 is a framework that offers:
Assembler/disassembler
64-bit hexadecimal editor
Checksum calculation for blocks
Transparent handling of processes, disks, files, RAM, etc.
Mounting file systems (FAT, NTFS, ext2, etc.)
Analysis of Windows, Linux, Mac, Java, Dalvik, etc. binaries
Debugger (Win32, Linux, Mac, iOS)
Binary diffing
Tools for creating shellcode
Support for multiple scripting languages (Python, JS, etc.)
A simple command line use of the tool already produces output of interest. Here -a dalvik selects the Dalvik disassembler and -s seeks to the given offset before dropping into the shell; pd 20 then prints the disassembly from that point:

radare2 -a dalvik classes.dex -s 0x00035b0c
[0x00035b0c]> pd 20
,=< 0x00035b0c 32000900 if-eq v0, v0, 9
| 0x00035b10 260003000000 fill-array-data v0, 50331648
| 0x00035b16 0003 nop
| 0x00035b18 0100 move v0, v0
| 0x00035b1a c600 add-float/2addr v0, v0
| 0x00035b1c 0000 nop
-> 0x00035b1e 2205c301 new-instance v5, class+451
0x00035b22 7010e40b0500 invoke-direct {v5}, 0xd904
0x00035b28 6e103e0c0700 invoke-virtual {v7}, sym.method.244.getApplicationContextodsosByText0
0x00035b2e 0c06 move-result-object v6
0x00035b30 6e1058000600 invoke-virtual {v6}, sym.method.19.getFilesDir
0x00035b36 0c06 move-result-object v6
0x00035b38 6e20ea0b6500 invoke-virtual {v5, v6}, 0xd934
0x00035b3e 0c05 move-result-object v5
0x00035b40 1a06a700 const-string v6, str.temp
0x00035b44 6e20eb0b6500 invoke-virtual {v5, v6}, 0xd93c
0x00035b4a 0c05 move-result-object v5

The characters on the left are radare2's branch arrows: the if-eq at the top jumps 9 code units ahead and the arrow marks its landing point, 0x00035b1e. Read the listing with that in mind. The instructions before the arrow (a register compared with itself, a fill-array-data pointing 50331648 bytes away, an add-float on a register that was just moved onto itself) are what you get when the seek offset falls on data rather than on an instruction boundary and radare2 decodes those bytes as if they were code; the meaningful sequence starts at the arrow, where the application obtains its context, calls getFilesDir, and builds a path from the string "temp".
Dex2Jar and JD-GUI
Dex2Jar is a lightweight package that provides four components to help you work with Java .class and .dex files. Dex-reader reads the Dalvik executable format (DEX/ODEX); its API is lightweight and similar to that of ASM (Figure 8.7).
Figure 8.7 Android application compiling process: *.java (source code) -> compiler -> *.class (byte code) -> dx -> classes.dex (Dalvik code).
Dex-translator does the conversion work: it reads the Dex instructions into DEX-IR and, after some optimizations, emits them in ASM format. DEX-IR is the intermediate representation dex-translator works on, designed to represent Dex instructions; dex-tools, the fourth component, works with .class files.
Java classes and libraries are compiled into byte code, a limited instruction set chosen so that the virtual machine can execute it quickly. Getting back to the source code is difficult, although not impossible, thanks to decompilers such as JD-GUI (Figure 8.8).
JD-GUI recovers the source code of precompiled classes and JAR packages. It is as simple as dragging the files onto the window; the code is loaded into tabs with line numbering and syntax highlighting.
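Both the radare2 session above and dex-reader start from the same place: the DEX header, which is where the offsets of the string, method and class tables live and which carries an adler32 checksum and a SHA-1 signature over the rest of the file. The following is an added example, not code from the book, from radare2 or from dex2jar. It constructs a minimal DEX image inline (header plus a few data bytes and no tables, so it exercises the header only and would not load on a device), parses the header, checks both integrity fields, and then shows the caveat a practitioner should know: a crude byte patch breaks both checks, but reseal() recomputes them in a few lines, exactly as repackaging tools do, so a valid checksum and signature prove nothing about who produced the file; only the APK signature in META-INF ties it to a key.

```python
"""Parse and verify the header of a classes.dex file.

Added example, not code from the book, from radare2 or from dex2jar. The
DEX image is constructed inline (header plus a short data section, no
tables) so the script runs offline.
"""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
DEX_HEADER_SIZE = 0x70
# magic[8], checksum u4, signature[20], then 20 little-endian u4 fields
HEADER_FMT = "<8sI20s20I"
FIELD_NAMES = (
    "file_size header_size endian_tag link_size link_off map_off "
    "string_ids_size string_ids_off type_ids_size type_ids_off "
    "proto_ids_size proto_ids_off field_ids_size field_ids_off "
    "method_ids_size method_ids_off class_defs_size class_defs_off "
    "data_size data_off").split()
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data):
    """Return the header fields plus integrity verdicts as a dict."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to hold a DEX header")
    magic, checksum, signature, *fields = struct.unpack_from(HEADER_FMT, data, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic: %r" % magic)
    hdr = dict(zip(FIELD_NAMES, fields))
    hdr["version"] = magic[4:7].decode("ascii")
    hdr["checksum"] = checksum
    hdr["signature"] = signature.hex()
    # The checksum covers everything after itself (offset 12) and the
    # signature everything after itself (offset 32). Both detect corruption
    # only; they are not authentication, since anyone can recompute them.
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    hdr["size_ok"] = hdr["file_size"] == len(data)
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    return hdr


def reseal(data):
    """Recompute signature and checksum after a modification, as
    repackaging tools do, so the header verifies again."""
    body = data[32:]
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return data[:8] + struct.pack("<I", checksum) + signature + body


def build_minimal_dex(payload=b"\x00"):
    """Constructed sample: a header-only DEX with `payload` as its data section."""
    fields = dict.fromkeys(FIELD_NAMES, 0)
    fields.update(file_size=DEX_HEADER_SIZE + len(payload),
                  header_size=DEX_HEADER_SIZE, endian_tag=ENDIAN_CONSTANT,
                  data_size=len(payload), data_off=DEX_HEADER_SIZE)
    body = struct.pack("<20I", *(fields[n] for n in FIELD_NAMES)) + payload
    # Zero checksum and signature first, then let reseal() fill them in.
    return reseal(DEX_MAGIC + b"\x00" * 4 + b"\x00" * 20 + body)


def patch_byte(data, offset, value):
    """Overwrite one byte without touching the header: a crude patch."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


if __name__ == "__main__":
    dex = build_minimal_dex(b"temp\x00")
    patched = patch_byte(dex, DEX_HEADER_SIZE, ord("T"))
    for label, image in (("original", dex), ("patched", patched),
                         ("resealed", reseal(patched))):
        h = parse_dex_header(image)
        print("%-8s version=%s checksum_ok=%s signature_ok=%s size_ok=%s"
              % (label, h["version"], h["checksum_ok"], h["signature_ok"], h["size_ok"]))
```

On a real classes.dex pulled out of an APK, a failing checksum or signature means the file was edited after the last tool wrote it (a bad patch or truncation), while a passing one means nothing more than that the last writer was careful; compare the values with those of the original APK before drawing conclusions.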
APKInspector
APKInspector is a project of the Honeynet Project. At the time of writing it is in alpha. We mention it because it brings together several of the programs mentioned above. It is not very stable yet, but it may become a useful desktop graphical tool. It offers:
CFG
Call graph
Static instrumentation
Permission analysis
Dalvik code
Smali code
Java code
APK information
Keytool
One of the processes that a developer must perform, when an already
completed application is ready to be submitted to the Google Play
Figure 8.8 Android application decompiling process: classes.dex (Dalvik code) -> dex2jar -> classes.jar (byte code) -> jd-gui -> *.java (source code).