This document describes tools included in the Android Reverse Engineering (A.R.E.) virtual machine from the Honeynet Project for analyzing Android malware. The A.R.E. VM includes tools for decompiling Android apps, disassembling Dalvik bytecode, inspecting app files and permissions, and monitoring apps dynamically in an instrumented Android virtual machine. It allows static and dynamic analysis of Android apps to identify malicious behavior and understand app functionality.
1. Android Malware Analysis with the Android Reverse Engineering (A.R.E.) VM
Jimmy Shah
LA2600 (LA2600.org)
2. Android Reverse Engineering (A.R.E.) VM
VM from the Honeynet Project
Includes a full set of tools for reverse engineering Android apps
Conversion tools
  Dex2jar: Classes.dex -> Classes.dex.dex2jar.jar
  AXMLprinter2.jar: binary XML -> human readable XML
Disassembler
  Baksmali: Dalvik bytecode -> Jasmin-like assembly language
GUI
  APKInspector: GUI includes baksmali, dex2jar, APKtool
5. Android for Reverse Engineers
Android apps are distributed as APKs (zip files). What's inside?
Files
  AndroidManifest.xml
    Stored as binary XML
    Permissions requested
    Registered intents
    Entry points
  classes.dex
    Bytecode for the Dalvik VM
    App code is in classes.dex files.
  resources.arsc
    Compiled resource table
6. Android for Reverse Engineers, cont.
Android apps are distributed as APKs (zip files). What's inside?
Directories
  META-INF
    Public keys
    Signatures for each component in the APK
  res
    Images, strings, etc.
  assets
    Libraries
    Other executables
    Other JARs
7. Android for Reverse Engineers, cont.
Java vs. Android
  .JAVA --javac--> .CLASS --> JAR --dx--> classes.dex --> APK
  Java: a JAR holds many separate .CLASS files, entered through main()
  Android: dx merges the classes into a single classes.dex inside the APK
8. Processing a suspicious sample
1) Get sample
2) Begin analysis
  Static
    Identify known and active files
      File formats: executables, data files, archives
      Active files: executables and all files that can have an effect on the system
  Dynamic
    Run in Android VM
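As an added example (not from the slides or the A.R.E. VM tooling), the "identify known and active files" step of slide 8 applied to the APK layout of slides 5 and 6: a Python script that opens an APK as a zip, classifies each entry by path and by magic bytes, and lists the active files an analyst should open first. The APK it inspects is constructed in memory and is not a real app; the magic numbers are the real ones for dex, binary XML, resources.arsc, ELF and zip. Checking magic bytes before the path is the point of the example: a dex or ELF file renamed and dropped under assets/ is still reported as executable code.

```python
import io
import zipfile

# Magic numbers of the formats an APK carries (real values; the sample APK
# built below is constructed for this example and is not a real app).
DEX_MAGIC = b"dex\n"               # classes.dex: "dex\n" + 3-digit version + NUL
AXML_MAGIC = b"\x03\x00\x08\x00"   # binary XML chunk header (RES_XML_TYPE, size 8)
ARSC_MAGIC = b"\x02\x00\x0c\x00"   # resources.arsc chunk header (RES_TABLE_TYPE, size 12)
ELF_MAGIC = b"\x7fELF"             # native library / other executable
ZIP_MAGIC = b"PK\x03\x04"          # nested JAR / APK / zip

# Categories that count as "active": executables plus anything that changes
# what the system does (the manifest declares permissions and entry points).
ACTIVE = {"manifest", "dex", "native", "archive"}


def classify(name, head):
    """Classify one APK entry from its path and its first bytes.

    Magic bytes are checked before the path, so a .dex or ELF file hidden
    under assets/ or behind a harmless-looking extension is still reported
    as executable code.
    """
    if name == "AndroidManifest.xml":
        fmt = "binary XML" if head.startswith(AXML_MAGIC) else "unexpected format"
        return "manifest", fmt
    if name == "resources.arsc":
        fmt = "resource table" if head.startswith(ARSC_MAGIC) else "unexpected format"
        return "resources", fmt
    if head.startswith(DEX_MAGIC):
        return "dex", "Dalvik executable"
    if head.startswith(ELF_MAGIC):
        return "native", "ELF"
    if head.startswith(ZIP_MAGIC):
        return "archive", "zip/JAR/APK"
    if name.startswith("META-INF/"):
        return "signature", "JAR signing metadata (certificates, digests)"
    if name.startswith("res/"):
        return "resource", "data"
    if name.startswith("assets/"):
        return "asset", "data"
    return "other", "data"


def inventory(apk_bytes):
    """List every entry of the APK with its category, format and size."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:
                head = f.read(8)
            category, fmt = classify(info.filename, head)
            entries.append({"name": info.filename, "category": category,
                            "format": fmt, "size": info.file_size})
    return entries


def active_files(apk_bytes):
    """Names of the entries an analyst must look at first, sorted."""
    return sorted(e["name"] for e in inventory(apk_bytes) if e["category"] in ACTIVE)


def build_sample_apk():
    """Construct a minimal fake APK in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 28)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("resources.arsc", ARSC_MAGIC + b"\x00" * 8)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x01\x00")       # DER stub, not a real cert
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("assets/config.txt", b"server=example.invalid\n")
        z.writestr("assets/payload.jar", ZIP_MAGIC + b"\x00" * 16)  # nested archive
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for e in inventory(apk):
        print("%-28s %-10s %-40s %d bytes" % (e["name"], e["category"], e["format"], e["size"]))
    print("active files:", ", ".join(active_files(apk)))
```

To use it on a real sample, pass the file's bytes to inventory() and active_files(); the output is the list of files to hand to the conversion, disassembly and decompilation tools on the following slides.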
10. Overview - GNU strings
You need strings, use strings.
ASCII is the default; Unicode with an option: '-el' for 16-bit little-endian strings
Why?
  Function calls
  Interesting strings
    Messages
    Errors
    Debug
    To analysts/press/etc.
    Shout-outs
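As an added example (not from the slides), the two passes the slide describes, plain `strings` and `strings -el`, written in Python so the reader can see what each one actually scans for, followed by a first sort of the hits into class references, URLs and everything else. The input bytes are constructed for this example and are not a real sample; the class name and method name are ordinary Android SMS API identifiers and are there only because they are the kind of function reference the slide says to look for.

```python
import re

# Constructed sample: a few bytes shaped like a code file, with ASCII strings
# (a class reference, a method name, a greeting) and UTF-16LE strings
# (a URL and an error message) surrounded by binary noise. Not a real sample.
SAMPLE = (
    b"dex\n035\x00" + b"\x00\x11\x12"
    + b"Landroid/telephony/SmsManager;\x00"
    + b"sendTextMessage\x00"
    + b"\x7f\x01\x02"
    + b"Greetz to the AV crowd\x00"
    + b"\xff\xfe" + "http://example.invalid/check".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe" + "Error: no SIM".encode("utf-16le") + b"\x00\x00"
)

DEX_CLASS_REF = re.compile(r"^L[\w/$]+;$")   # Dalvik type descriptor, e.g. Landroid/...;
URL = re.compile(r"https?://", re.IGNORECASE)


def extract_strings(data, encoding="ascii", min_len=4):
    """Printable runs of at least min_len characters, like `strings` (ASCII)
    or `strings -el` (16-bit little-endian)."""
    if encoding == "ascii":
        pattern = rb"[\x20-\x7e]{%d,}" % min_len
    elif encoding == "utf-16le":
        # each character is one printable byte followed by a NUL byte
        pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    else:
        raise ValueError("unsupported encoding: " + encoding)
    return [m.decode(encoding) for m in re.findall(pattern, data)]


def triage(strings):
    """Split strings into class references (which hint at API use), URLs and the rest."""
    buckets = {"class_refs": [], "urls": [], "other": []}
    for s in strings:
        if DEX_CLASS_REF.match(s):
            buckets["class_refs"].append(s)
        elif URL.search(s):
            buckets["urls"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


if __name__ == "__main__":
    found = extract_strings(SAMPLE) + extract_strings(SAMPLE, "utf-16le")
    for bucket, items in triage(found).items():
        print(bucket)
        for s in items:
            print("   ", s)
```

The UTF-16 pass only finds the URL and the error message, and the ASCII pass only finds the class reference, method name and greeting: that is why the slide says to run both, since an app that keeps its strings as Java UTF-16 in a resource or a native library is invisible to the default pass.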
11. Conversion - AXMLPrinter2
Java tool to convert AndroidManifest.xml to human readable XML
12. Decompilers - JAD
Java Decompiler
Feed it a JAR and get back decompiled .java source code.
One of the few currently available Java decompilers
Useful, but may no longer be updated by the author.
Fails on some JAR files and classes
Easy to run
13. Decompilers - ded
Android decompiler
Newer academic project designed specifically for mobile apps
Optionally uses the Soot Java optimization framework to provide better results.
Combines translation to JVM bytecode, optimization and decompilation
Takes a while, but the success rate is higher than other tools.
14. VM - DroidBox
Instrumented Android VM
Monitors
  Network activity
    Opened connections
    Outgoing traffic
    Incoming traffic
  DexClassLoader
  Broadcast receivers
  Started services
  Enforced permissions
  Permissions bypassed
  Information leakage
  Sent SMS
  Phone calls
15. VM - DroidBox, cont.
Running VM
  ./startemu.sh Android21
  ./droidbox.sh <sample.apk>
  Ctrl-C to end logging/analysis
16. GUI - APKInspector
Useful for analyzing APKs in one place
Static analysis only
Strings, methods, disassembly, CFGs, etc.