Sample Analysis of Android Malware


Android Malware Case Studies
Yuanhao Lyu
2013-06-03
Overview
1. Introduction of Android apps
2. Goal of analysis
3. Tools
4. Malware sample
5. Step by step
6. The pattern
7. Food for thought
8. References
Intro of Android apps
• AndroidManifest.xml: the configuration file of an Android program; it declares the permissions, the program entry points and so on.
• Intent: a message class used for communication among Activities, Services and Receivers.
• Three ways into the program (each of the below must be registered in the .xml):
1. Activity
2. Service
3. Broadcast Receiver (runs once a system event happens; it can start an activity or service too)
Android app entry points
• Broadcast Receiver running steps: onReceive()
• Service running steps: onCreate() -> onStartCommand() -> onDestroy()
• startService() calls: startService() -> onStartCommand()
Goal of analysis
Extracting one malware behavior pattern!
Tools
• Dex2jar: converts classes.dex in the apk to a jar file containing .class files
• Jd-gui: converts the Java jar to .java source files
• Apktool: converts the binary (byte-code) xml to readable xml files
Finally we get the complete Java Android project files!
Sample: live.photo.savanna.apk
A tool app for downloading other applications
Step by step
• First, let's have a look at the global xml files.
Step by step
• Then come the BootReceiver files.
Recalling…
• Broadcast Receiver running steps:
onReceive()
• Service running steps:
onCreate() -> onStartCommand() -> onDestroy()
• startService() -> onStartCommand()
Step by step
• Downloading apks to a local directory, using the information uploaded above!
Conclusion
1. Get phone information in the functions
2. Establish the connection
3. Send it to some URL
4. Download other bad things from some URL
5. Install or log bad information
Food for thought
1. The core malware behaviors are in one method.
2. Focus on key Android APIs.
3. Concentrate on the one most likely to behave badly; it is worth thinking about.
4. Handling types will be tricky, as variables can be force-cast. So how to get a reasonable typing system within our analysis tool is worth thinking about, as well.
Food for thought
• Analysis based on Java is not efficient at all!
• Try using a tool called "Cerbero Profiler" to convert the byte code to an assembly-style language like mov a,b
URL: http://icerbero.com/profiler/
What we will work on…
• Collect and analyze as many malware patterns as possible
• When encountering these patterns, warn the user and suggest an action
• So how do we recognize these patterns?
By grasping keywords or fixed data flows such as new Thread().start(), information sending, downloading and so on
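A small static-triage script, added here as an example (it is not code from the slides or from the sample), that automates the two steps above: it reads a decoded manifest from the "global xml files" step for boot receivers, services and permissions, and greps decompiled Java for the key APIs and fixed data flows (such as new Thread().start()) named under pattern recognition. The permission and API lists, the class names and the sample manifest/source are constructed assumptions, not taken from live.photo.savanna.apk.

```python
# Added triage helper (not the slides' code): flag the manifest entry points, permissions
# and key APIs behind the pattern boot receiver -> service -> phone info -> network -> install.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SUSPICIOUS_PERMS = {  # assumed, non-exhaustive; extend as more samples are studied
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start at boot",
    "android.permission.READ_PHONE_STATE": "read phone identifiers",
    "android.permission.INTERNET": "network access",
}
KEY_APIS = {  # regex over decompiled Java -> behaviour it usually implements
    r"getDeviceId|getSubscriberId|getLine1Number": "collect phone information",
    r"openConnection\(|HttpPost|HttpClient": "establish connection / send to URL",
    r"new\s+Thread\(.*\)\.start\(\)": "background thread (data-flow start)",
    r"package-archive": "install a downloaded apk",
}

def triage_manifest(xml_text):
    """Findings from a decoded AndroidManifest.xml (apktool output)."""
    root = ET.fromstring(xml_text)
    found = []
    for p in root.iter("uses-permission"):
        name = p.get(ANDROID_NS + "name", "")
        if name in SUSPICIOUS_PERMS:
            found.append(f"permission {name}: {SUSPICIOUS_PERMS[name]}")
    for r in root.iter("receiver"):  # a BOOT_COMPLETED receiver needs no user action
        if any(a.get(ANDROID_NS + "name") == BOOT_ACTION for a in r.iter("action")):
            found.append(f"receiver {r.get(ANDROID_NS + 'name')} runs onReceive() at boot")
    for s in root.iter("service"):  # onCreate() -> onStartCommand() once started
        found.append(f"service {s.get(ANDROID_NS + 'name')} declared")
    return found

def triage_source(java_text):
    """Key-API hits in decompiled Java (jd-gui output), in pattern order."""
    return [what for pat, what in KEY_APIS.items() if re.search(pat, java_text)]

# Constructed sample inputs standing in for apktool / jd-gui output of a real apk.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <service android:name=".MainService"/>
  </application></manifest>"""
SAMPLE_SOURCE = """String id = tm.getDeviceId();
new Thread(new Runnable() { public void run() { url.openConnection(); } }).start();"""
```

Run triage_manifest and triage_source over the apktool and jd-gui output of a real sample; a hit on every stage of the chain is the pattern the slides describe, while isolated hits (INTERNET alone, a plain service) are normal for benign apps.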
References
1. Analysing Android/BadNews.A: http://www.xchg.info/?cat=16
2. Android APK decompilation explained (Android APK反编译详解): http://blog.csdn.net/sunboy_2050/article/details/6727581
3. Android Training for Services: http://developer.android.com/training/index.html
Thank you, and I look forward to your advice!
E-mail: [email protected]
Phone: 18801970690