Android malware analysis

workshop
Laura Garcia
Helia Estevez
 About us

Laura Garcia Helia Estevez

Managing Security Consultant at Security Consultant at NCC Group
NCC Group

@lain7z @pusha2popa
 Index

1 Brief introduction to Android architecture

and features

2 Android malware categories

3 Hands-on: analysing 3 malware APKs

4 Obfuscation and Packers

 Android architecture
System Apps
Apps included
with the Android
platform. Android runtime
Android version 5.0
(API level 21) or higher.
Java API framework Predecessor: Dalvik.
Provides the entire
feature-set on Android HAL
OS. Provides interfaces
to expose device
hardware
Native C/C++ Libraries capabilities.
Support libraries to
developers.

Linux kernel
Android kernel is
based on Linux kernel
(LTS).
Platform Architecture | Android Developers
 Google Play Protect
Report PHA: https://developers.google.com/android/play-protect/pha-reporting

https://developers.google.com/android/play-protect/cloud-based-protections https://developers.google.com/android/play-protect
Android manifest APKs
Main package

Other packages

Resources
 Android Manifest

● Application components
● Permissions
● Hardware and software requirements

App Manifest Overview | Android Developers

 Permissions

Apps requests permissions from the

operating system and defines custom
permissions.

https://developer.android.com/reference/android/Manifest.permission
 Android components

● Activity: Activity | Android Developers

● Service: Service | Android Developers
● Receiver: BroadcastReceiver | Android Developers
● Provider: ContentProvider | Android Developers
 Intents

● Launch an activity
● Launch a service
● Share information

https://developer.android.com/reference/android/content/Intent
Definition of Malware (PHA)

PHA
Potentially Harmful Applications (PHAs) are apps that could
put users, user data, or devices at risk

NOT PHA

Harmful action is not possible

App has a disclosure of its activity

Malware categories | Play Protect | Google

Developers
 Malware categories

SPYWARE ROOTING
Collect PII, read
permissions, no Exploits a vuln,
disclosure root the device

BACKDOOR SPAM
Request excessive
Send msg to a list
permissions,
of contacts, may
listen for cmd
include malicious
from C2 and
link
perform actions

SMS FRAUD PHISHING

Request SEND_SMS, Collects
premium numbers credentials and
send data to a C2

Malware categories | Play Protect | Google

Developers
 Malware categories
HOSTILE
TROJAN DOWNLOADER
Hides its Downloads and
malicious installs malicious
functionalities app

TOLL FRAUD RANSOMWARE

Prevent access to
SMS or
use data, stay on
notification
top, request
interception
ransom

CALL FRAUD PRIV ESC

Request Compromise the
CALL_PHONE, make integrity of the
calls to premium system. Tries to
numbers make itself
uninstallable
Malware categories | Play Protect | Google
Developers
Tools

STATIC DYNAMIC
Examines the file for
Analyze its behavior
signs of malicious
during run time
intent

● Jadx-GUI ● Device/Emulator
● APKTool ● Traffic inspection
● Ghidra ● ADB
● Androguard ● Frida
● Objection

Koodous
Automated APKLab.io
 Static analysis

Java DEX
code files
d8 https://github.com/skylot/jadx
 Static analysis
Ghidra ARM disassembler/decompiler functionality to statically analyze the native libraries

https://ghidra-sre.org/
 Dynamic analysis
● Testing device or Emulator
● Traffic inspection (Burp Suite)
● Android Debug Bridge (ADB)
● Frida
● Objection
 Methodology

Network
Entry Points
activity
What do the Find the C2
services Inspect HTTP(S)
triggered by traffic for PII
receivers data
API calls and
Permissions Exfiltration
keywords
Make sense Search code for
regarding the Does the app
common
functionality of collect PII,
keywords and
the app secrets, keys,
APIs
etc.
Let’s play!

Hands-on: analysing 3 malware APKs

 SPYWARE & STALKERWARE
Code that transmits personal data off the device without sufficient disclosure or consent

SIGNALS INTERESTING APIs & Keywords

● Contact list
● Photos or other files from the SD
● A lot of READ permissions card or that aren't owned by the app
(READ_CONTACT, READ_SMS, ● Content from user email
READ_CALL_LOG, ● Call log
RECORD_AUDIO, ● SMS log
READ_CALENDAR…) ● Web history or browser bookmarks
● Collects PII of the default browser
● No user disclosure ● Information from the /data/
directories of other apps.
 BACKDOOR
Code that allows the execution of unwanted, potentially harmful, remote-controlled operations on
a device.

SIGNALS

● Request excessive amount of permissions (READ_CONTACTS, READ_SMS,

RECORD_AUDIO, READ_CALL_LOG, CAMERA…)
● Dynamically Code Loading (DexClassLoader API)
● “switch” or “if/else” in source code
● Hide its icon from the Launcher
● Listen for commands from C2 and perform actions
 SPAM
Code that sends unsolicited messages to the user's contacts or uses the device as an email spam
relay

SIGNALS

● Send messages to contacts

● May include URLs
● No consent from the user
● No initiated by the user
● READ_CONTACTS, SEND_SMS permission
● No disclosure
 RANSOMWARE
Code that takes partial or extensive control of a device or data on a device and demands that the
user make a payment or perform an action to release control

SIGNALS

● Tries to stay on top of other apps

● Prevents access to user data
● Locks the screen or encrypt data files
● Demands ransom payment to release
● BIND_DEVICE_ADMIN (prevents the user to uninstall the app)
● WRITE_EXTERNAL_STORAGE
● SYSTEM_ALERT_WINDOW (show on top)
 Sample 1

Entry point Can you tell which is the entry point?

Manifest Can you pinpoint any suspicious permission?

Has the sample connect to any external host?

Network Does it send or receive any data?

Category Can you categorise the sample?

 Sample 1

VirusTotal - File - e8ce4c487f3b5706cff0004f0dc4eecbc4470010323f0de627f1196bfaf31d71

Manifest: permissions
Manifest: entry points
 Deceived user

ic_launcher ic_launcher_alt
Persistence in code
Backdoor behaviour
Dynamic analysis
 PHISHING
Code that pretends to come from a trustworthy source, requests a user's authentication credentials
or billing information, and sends the data to a third-party

SIGNALS INTERESTING APIs & Keywords

● Use Bank or financial institution

● JavaScript injection for stealing
logos
credentials (“javascript”)
● Collect credentials
● HTML content in “assets” folder
● Send collected data to a C2
impersonation
● RECEIVE_SMS, READ_SMS
● Load fake login using
● Obtain OTPs
WebView.loadURL
(BIND_NOTIFICATION_LISTENER_S
● Phishing URL
ERVICE)
● “login”, “password”, “paraphrase”,
● Obtain text from Activity
“mnemonic”
(BIND_ACCESIBILITY_SERVICE)
 TROJAN
Code that appears to be benign, such as a game that claims only to be a game, but that performs
undesirable actions against the user

SIGNALS

● Appears genuine (game app), hides it malicious functionality

● Hidden cryptocurrency mining (damage device battery, sell mining as service)
● Use cryptocurrency library (JS or native (.so))
● Hidden proxying
● Socket connection to some server and bind it to C2
 PRIV ESCALATION
Code that compromises the integrity of the system by breaking the app sandbox, gaining elevated
privileges, or changing or disabling access to core security-related functions

SIGNALS INTERESTING APIs & Keywords

● Prevents user for accessing

settings to disable/uninstall ● AccessibilityService.onAccessibility
● BIND_DEVICE_ADMIN (prevents Event API (read button labels or
user to uninstall the app) uninstall the app)
● BIND_ACCESIBILITY_SERVICE ● DeviceAdminReceiver.onDisableR
(interact with buttons on the equested
screen) ● Runtime.getRuntime().exec
● Install the app on “/system” ● "setenforce 0", "selinux"
● Enables “apk” from unknown ● "/system", "su -c", "root"
sources
 ROOTING
Code that roots the device

SIGNALS INTERESTING APIs & Keywords

● Exploits an existing vulnerability in

● “mkdir /system” (checking write
Android
permissions)
● Root the device
● “mount -o remount ,rw /system”
● Exploit code in native (.so)
● "/system",
● Tries to re-mount the system
● "setenforce 0", "selinux"
partition in write mode
● "su", "root"
● Tries to disable SELinux
 Sample 2

Entry point Can you tell which is the entry point?

Has the sample connect to any external

Network suspicious host? Does it send any data?

Can you tell when the app exfiltrate the seed

Code phrase?

Category Can you categorise the sample?

 Sample 2

VirusTotal - File - 83dec763560049965b524932dabc6bd6252c7ca2ce9016f47c397293c6cd17a5

 Dynamic analysis

$ objection --gadget "org.toshi" explore --startup-command "android sslpinning disable"

 Dynamic analysis

Seed phrase is exfiltrated to a suspicious external host `https[:]//colnbase.homes` which is flagged

as malicious in VirusTotal
 Static analysis

XMPMetaData class exfiltrates the seed phrase in the body parameter of the HTTP Request
Static analysis

C2 encoded in base64 in the

saveMnemonicToStorage
class

The seed phrase is exfiltrated

when it is to be saved in the
Storage
 CALL FRAUD
Code that charges users by making calls to premium numbers without user consent.

SIGNALS

● CALL_PHONE, PROCESS_OUTGOING_CALL permissions

● Mute phone calls to premium numbers
● New activity created on top to hide call screen
● Removes calls history
 SMS FRAUD
Code that charges users to send premium SMS without consent

SIGNALS

● Request SEND_SMS permission

● Premium numbers (can be obtain from remote server)
● No disclosure (check strings.xml file)
 TOLL FRAUD
Code that tricks users into subscribing to or purchasing content via their mobile phone bill

SIGNALS

● Forces or wait for data connection (CHANGE_WIFI_STATE,

ACCESS_NETWORK_STATE…)
● SMS or notification interception (BIND_NOTIFICATION_LISTENER_SERVICE or
RECEIVE_SMS)
 Sample 3

Entry point Can you tell which is the entry point?

Manifest Can you pinpoint any suspicious permission?

Has the sample connected to any external host?

Network Does it send or receive any data?

Category Can you categorise the sample?

 Sample 3

VirusTotal - File - 7a91ec8ac2834b2f41fc7a65f2053e566d507a3f524beba08ed4402b41cee474

Manifest: permissions
Manifest: permissions
Manifest: entry points
Manifest: entry points
PhongReceiver: SMS_RECEIVED
PhongReceiver: subscription services
Dynamic analysis
 Obfuscation and Packers

CODE OBFUSCATION PACKERS

The process of modifying an Encrypt original dex files, decrypt the

executable so that it is no longer dex file to memory at runtime.
useful to unauthorized parties but ● Qihoo360
remains fully functional. ● Ijimai
● SecShell
● Encode (Base64, Hex, Unicode)
● LIAPP (prerelease demo)
● Encryption (AES, 3DES)
● Bangcle (SecNeo)
● Java Reflection
● Cloaking
● Rename, reorder

https://github.com/strazzere/android-unpacke
https://gchq.github.io/CyberChef/ r/tree/master/native-unpacker
 Packers
Android Packers are able to encrypt an original classes.dex file, use an ELF binary to decrypt the
dex file to memory at runtime, and then execute via DexClassLoader.

FRIDA-DEXDump Frida script that hooks on an application and dumps dex files from memory.
 Dynamic Code Loading (DCL)
DCL allows an app to loads code (.DEX, JAR or APK) that can be retrieved from a remote location
and executed at runtime. DCL is not permitted in Google Play.
Dynamic Code Loading (DCL)
 Sample 4

VirusTotal - Sample4 - aad80d2ad20fe318f19b6197b76937bf7177dbb1746b7849dd7f05aab84e6724

 Medusa
Medusa Extensible and Modularised framework that automates processes and techniques
practiced during the dynamic analysis of Android Applications.
 Medusa

medusa> use spyware/spyware_hooks

 Medusa
medusa> use encryption/cipher_1
 Medusa
medusa> use backdoor/backdoor_calls
 Thank you!
Any question?