Analyzing Android Applications - UNAM...Android The platform Google purchased the initial developer...

Page 1

Analyzing Android Applications

A. Desnos, G. Gueguen
ESIEA - Operational Cryptology and Virology Laboratory
[email protected], [email protected]

CSC 2011

A. Desnos, G. Gueguen 1 / 179

Page 2

Outline

Android
Malware
Analysis
  Static Analysis
  Dynamic Analysis
  Visualization
Tools
Conclusion

Page 3

Android
The platform

- Google purchased the initial developer of the software, Android Inc., in 2005
- The Android distribution was unveiled on November 5, 2007
- October 2008: Android Market
- 295,000 applications on the Android Market, 6 billion downloads
- Percentage of apps that are free: 60%

Page 4

Android
The platform

- Android runs on 52% of smartphones sold (Gartner)

Page 5

Android
The platform

- Third-party applications are written in Java and executed on the Dalvik Virtual Machine
- Java bytecode is converted into Dalvik bytecode (the JVM is a stack-based machine, Dalvik a register-based machine)
- Applications are packaged in the APK format
- One virtual machine instance per application, isolated by Linux user-based protection (each application runs in its own process under its own UID)
- Permissions are granted per application

Page 6

Android
APK

- ZIP format
- classes.dex: Dalvik Executable format
- resources: images, strings, ...
- assets: raw resources
- native libraries
- manifest file: declares the top-level components (activities, services, broadcast receivers and content providers) and the permissions the application requires
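The slide above lists what an APK contains; the script below, added here as an example (it is not Androguard code nor anything from the original deck), opens an APK as the ZIP it is, sorts its entries into those categories, checks the classes.dex magic and the v1 (JAR) signature files, and flags assets whose content is really an ELF binary, a dex file or another ZIP. The sample APK it runs on is constructed in memory with magic bytes only; the entry names assets/sqlite.db and assets/exploid are chosen to mirror the DroidDream case discussed later in the deck, but the bytes are not from any real sample.

```python
"""Triage the contents of an APK (a ZIP archive) by entry name and by content magic."""
import io
import zipfile

CATEGORIES = ("manifest", "dex", "resource", "asset", "native", "signature", "other")


def classify(name):
    """Map a ZIP entry name to one of the categories the slide lists."""
    if name == "AndroidManifest.xml":
        return "manifest"
    if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
        return "dex"                      # classes.dex, classes2.dex, ...
    if name == "resources.arsc" or name.startswith("res/"):
        return "resource"
    if name.startswith("assets/"):
        return "asset"
    if name.startswith("lib/") and name.endswith(".so"):
        return "native"
    if name.startswith("META-INF/"):
        return "signature"
    return "other"


def sniff(head):
    """Identify a file by its magic bytes, whatever its name says."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"dex\n"):
        return "dex"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    return None


def triage(apk_bytes):
    report = {c: [] for c in CATEGORIES}
    report["disguised"] = []          # (entry, real type) for non-code entries that carry code
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            kind = classify(name)
            report[kind].append(name)
            real = sniff(z.read(name)[:8])
            if kind in ("asset", "resource", "other") and real:
                report["disguised"].append((name, real))
        # a dex file starts with "dex\n" + a 3-digit version + NUL, e.g. dex\n035\0
        report["dex_ok"] = bool(report["dex"]) and all(
            z.read(n)[:4] == b"dex\n" and z.read(n)[7:8] == b"\x00" for n in report["dex"])
        # v1 (JAR) signing: a .SF file plus its .RSA/.DSA/.EC signature block in META-INF
        has_sf = any(n.endswith(".SF") for n in report["signature"])
        has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in report["signature"])
        report["signed"] = has_sf and has_block
    report["disguised"].sort()
    return report


def build_sample_apk():
    """Constructed APK-shaped archive for the demo; every file is just magic bytes plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)   # binary XML header
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 8)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("assets/readme.txt", b"hello")
        z.writestr("assets/sqlite.db", b"PK\x03\x04" + b"\x00" * 26)   # a ZIP (an APK) named like a database
        z.writestr("assets/exploid", b"\x7fELF" + b"\x00" * 12)        # a native binary shipped as an asset
        z.writestr("lib/armeabi/libnative.so", b"\x7fELF" + b"\x00" * 12)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample_apk()).items():
        print(key, value)
```

Replace build_sample_apk() with the bytes of a real APK to triage it; the "disguised" list is the first thing to look at, since a ZIP or ELF under assets/ is exactly how the second-stage payloads and native exploits discussed later in this deck travel.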

Page 7

Android
Disassembling Dalvik bytecode

- Instructions operate on registers,
- The loaded bytecode cannot be modified on the fly,
- Fewer than 0xff opcodes (the opcode fits in one byte),
- Instruction format: (figure)
- Instruction families: nop, move*, invoke*, goto*, cmp*, *-switch, add*, sub*, ...

Page 8

Android
Dalvik bytecode (figure)

Page 9

Android
Manifest file

- Activities, services, content providers and broadcast receivers
- Permissions:
  - Camera functions
  - Location (GPS) functions
  - Bluetooth functions
  - Telephony functions
  - SMS/MMS functions
  - Network functions
- Before installation, all requested permissions are listed and explained to the end user, who either accepts them all or does not install the application

Page 10

Android
Protecting your applications

- Obfuscators like ProGuard (GPL), DashO,
- They work mainly at the Java bytecode level,
- Techniques:
  - name obfuscation,
  - optimization,
  - CFG obfuscation.

Page 11

Android
Application Licensing (figure)

Page 12

Android
Application Licensing

- Justin Case: "Breaking The Library (aka The Technical Mumbo Jumbo)",
- Disassemble the application with baksmali,
- Find the LicenseValidator class,
- Edit the "verify" method of that class so that it returns a valid license,
- Reassemble the application with smali, and re-sign it with any valid key (Android only checks that the package is consistently signed, not who signed it, so any key works for a fresh install).

Page 13

Android
Problem

- A major problem on the Android Market is the theft of applications:
  - download an application (free or not) from the official Android Market,
  - crack/repackage/infect it using smali/baksmali/apktool,
  - push it (free or not) back to the market.

Page 14

Android
Is it your application? :)

- Kevin Baker (an Android developer, Neolithic Software), interviewed by The Guardian about his application Sinister Planet:
- "I have a game on the market called Sinister Planet which was released about eight months ago"
- "One of my customers emailed me three weeks ago, and informed me that another company was selling a version of my app - pirated and uploaded as their own. Of course I contacted Google right away. It took Google two days to take the app down. This publisher was also selling other versions of pirated games. [...] You'd think [Google] might have a hotline for things like that!"

Pages 15 to 25

Android
Is it your application? :)

(screenshots of repackaged applications; the only names that survive from these slides are ElectricSleep (Jon Willis) and HTCHEN)


Page 27

Malware
Android malware

- New or repackaged application:
  - embedded exploit (native code) to gain root access,
  - requests more permissions,
  - executes dynamically loaded code (DexClassLoader); this does not break the Android permission system, since the loaded code runs with the permissions of the host application,
  - installs new applications,
  - steals private information,
  - steals (your) money,
  - spyware,
  - botnet-like behaviour.

Page 28

Malware
Exploit

- Embedded in a classical Android application,
- Executes native code (binary, shared library),
- No DVM exploit yet (to our knowledge),
- Mainly from "The Android Exploid Crew" and Dan Rosenberg.

Page 29

Malware
Exploit

- Exploid: "udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space",
- Rageagainstthecage: "Exploits the Android Debug Bridge daemon and the RLIMIT_NPROC value",

Page 30

Malware
Exploit

- Zimperlich: "It's straightforward code just like the adb setuid() one. Most of the time I spent getting the Makefile right and tricking zygote to spawn the right amount of processes and calling setuid() once more when we are already running.",
- GingerBreak: "vold root exploit: mPartMinors[] (NPARTS) out of bounds write (checked for upper limit but not against negative values)",
- zergRush: "libsysutils root exploit, use-after-free".

Page 31

Malware
Exploit

- PowerVR SGX Privilege Escalation Exploit (Jon Larimer + Jon Oberheide):
  - CVE-2011-1352 is a kernel memory corruption vulnerability that can lead to privilege escalation. Any user with access to /dev/pvrsrvkm can use this bug to obtain root privileges on an affected device.
  - CVE-2011-1350 allows leaking a portion of kernel memory to user mode processes. This vulnerability exists because of improper bounds checking when returning data to user mode from an ioctl system call.
- Nexus S and Galaxy S, Android < 2.3.6

Page 32

Malware
Exploit: Rooting the Motorola Droid 3 (Dan Rosenberg)

- "A vulnerability specific to Motorola devices in the script parsed by the init thread":
  - "The contents of /data/local are group shell and group-writable: modify the contents with ADB",
  - "Replacing one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group shell",

Page 33

Malware
Exploit: Rooting the Motorola Droid 3 (Dan Rosenberg)

- "This can be used to edit property files to manipulate the behavior of ADB to achieve root": (figure)

Page 34

Malware
Exploit: Rooting the Motorola Droid 3 (Dan Rosenberg)

- Reboot the device by pressing the power button, then use adb shell: (figure)
- "ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privilege".

Page 35

Malware
Take my money

- The most common kind of malware (Russian/Chinese markets),
- Sends SMS to premium-rate services,
- Uses the SEND_SMS permission (it is not hidden: the user is shown it at install time).

Pages 36 and 37

Malware
Take my money: Zsone (10,000 users affected) (figures)

Page 38

Malware
Take my money: FakeInstaller (boxer) (figure)

Page 39

Malware
Take my money: FakeInstaller (boxer)

- When the user opens the application, a message asks whether he agrees to the terms of the download (supposedly required to install the real application),
- "1. To gain access to the Service http://depositmobi.com/content to make payment by sending up to 3 SMS messages.",
- The prefix of the premium number the SMS are sent to is selected from the mobile country code (MCC) of the SIM.

Page 40

Malware
Information leak

- Steal private information about the user:
  - Phone state (IMEI, IMSI, ...)
  - Contacts
  - History, bookmarks
  - GPS location
  - Account information

Pages 41 and 42

Malware
Information leak: Hongtoutou (figures)

Page 43

Malware
Information leak: Fakeneflic

- Fake Netflix application,
- Information-stealing trojan that targets account credentials,
- Needs no specific permission: it is plain phishing through a fake login screen.

Page 44

Malware (figure)

Page 45

Malware
Spyware: Geinimi (analyzed by Lookout) (1,000,000 users affected)

- Infects real applications,
- Reads and collects SMS messages,
- Sends and deletes selected SMS messages,
- Pulls all contact information and sends it to a remote server (number, name, the time they were last contacted),
- Silently downloads files,
- Launches a web browser with a specific URL.

Page 46

Malware
Spyware: Nickispy.C (NickiBot)

- Collects the IMEI number and sends it to a remote website,
- Receives commands via SMS messages:
  - phone call monitoring,
  - SMS message monitoring,
  - GPS location monitoring,
  - sending of contact data,
  - recording of the sounds around the phone.

Pages 47 to 50

Malware
Spyware: GoneSixty (figures)

Page 51

Malware
Political: Holy Fucking Bible (HFB)

- Sends private information (by SMS),
- Registers the user with a political action committee called ColbertPAC,
- Sends SMS to the entire contact list,
- Replies to any incoming SMS.

Page 52

Malware
Political: HFB

- May 21, 2011: sends SMS to the entire contact list:
  - "Cannot talk right now, the world is about to end"
  - "Jebus is way over due for a come back"
  - "Its the Raptures,praise Jebus"
  - "Prepare to meet thy maker,make sure to hedge your bet just in case the Muslims' were right"
  - "Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage"
  - "Es el fin del mundo"

Page 53

Malware
Political: HFB

- May 21, 2011: sends SMS to the entire contact list,
- and sets your wallpaper to: (figure)

Page 54

Malware
Political: HFB

- From May 22, 2011: sends SMS to the entire contact list:
  - "Looks like Jebus is a no show, maybe Judaism was on to something"

Page 55

Malware
Political: HFB

- From May 22, 2011: sends SMS to the entire contact list,
- and sets your wallpaper to: (figure)

Page 56

Malware
Political: Dogwars

- Animal rights protesters:
  - trojan in a dog-fighting game,
  - registration SMS to an animal protection organization (PETA: People for the Ethical Treatment of Animals),
  - SMS to all contacts: "I take pleasure in hurting small animals, just thought you should know that"

Page 57

Malware
Botnet: AnserverBot (analyzed by Yajin Zhou and Xuxian Jiang)

- Fake upgrade,
- Dynamic code loading (through the built-in Dalvik class loading capability),
- Anti-tampering to protect itself (checks the signature of the current package),

Page 58

Malware
Botnet: AnserverBot (analyzed by Yajin Zhou and Xuxian Jiang)

- Encrypts various kinds of data (a modified base64 with a custom index table),
- Detects the presence of three smartphone anti-virus products,
- Bot clients fetch code updates from a public blog website,
- Receives premium numbers from remote C&C servers and dials calls or sends SMS messages to them, incurring fees for the user.
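A base64 with a custom index table, as mentioned for AnserverBot above, defeats a stock decoder but not an analyst who has pulled the table out of the dex. The decoder and encoder below are an added example, not AnserverBot's code; they take the table as a parameter and implement the 6-bit packing by hand so that a shuffled table or a different padding character is a one-argument change. AnserverBot's real table is not reproduced on this page; CUSTOM_TABLE is a constructed stand-in (the standard alphabet reversed), and guess_table() shows the usual way of confirming which table a sample uses when a plaintext/ciphertext pair is known.

```python
"""Base64 with a caller-supplied index table, for samples that ship a shuffled alphabet."""

STD_TABLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_TABLE = STD_TABLE[::-1]       # constructed example of a non-standard table


def b64_encode(data, table=STD_TABLE, pad=b"="):
    """Encode 3 bytes into 4 symbols of `table`, padding the last group with `pad`."""
    assert len(table) == 64 and len(set(table)) == 64, "index table must hold 64 distinct symbols"
    out = bytearray()
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(bits >> shift) & 0x3f for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1             # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out += bytes(table[s] for s in sextets[:keep]) + pad * (4 - keep)
    return bytes(out)


def b64_decode(data, table=STD_TABLE, pad=b"="):
    """Inverse of b64_encode; a symbol outside `table` raises KeyError (wrong table)."""
    index = {sym: i for i, sym in enumerate(table)}
    data = data.rstrip(pad)
    out = bytearray()
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        bits = 0
        for sym in chunk:
            bits = (bits << 6) | index[sym]
        bits <<= 6 * (4 - len(chunk))     # left-align a short final group
        out += bits.to_bytes(3, "big")[:len(chunk) - 1]
    return bytes(out)


def guess_table(encoded, known_plaintext, tables):
    """Return the name of the first candidate table that decodes `encoded` to the known plaintext."""
    for name, table in tables.items():
        try:
            if b64_decode(encoded, table) == known_plaintext:
                return name
        except KeyError:
            continue
    return None


if __name__ == "__main__":
    blob = b64_encode(b"premium-number:1234", CUSTOM_TABLE)
    print(blob, b64_decode(blob, CUSTOM_TABLE))
    print(guess_table(blob, b"premium-number:1234", {"std": STD_TABLE, "custom": CUSTOM_TABLE}))
```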

Page 59

DroidDream
Is it a dream?

- 1st of March 2011, on the official Android Market,
- malware writer(s): "Kingmall2010", "we20090202" and "Myournet",
- the malware was spread through more than 50 applications on the official market,
- it was the first time that malware infected the official Android Market.

Page 60

DroidDream
Description

- Not specifically designed to infect users of the Android Market (mainly because of the conditions its exploits need: USB debugging or a udev event),
- Around 260,000 devices have been infected [1],
- Two-stage malware: the first stage is a small bootstrap injected into the host application, which roots the phone and installs a second (embedded) malicious application.

[1] http://techcrunch.com/2011/03/05/android-malware-rootkit-google-response/

Page 61

DroidDream
Analysis

- sample: Magic Hypnotik Spiral (sha1: 90f568425cfcdea3fe19b3de93601eddc6bdc0e5)
- analysis tool: Androguard (http://code.google.com/p/androguard)

Page 62

DroidDream
Files

- Files in the application (it is a classical ZIP): (figure)

Page 63

DroidDream
Permissions

- Permissions used by the application: (figure)

Page 64

DroidDream
Entry Points

- Entry points of the application: (figure)
- Activity, Receiver, Service

Page 65

DroidDream
Entry Points

- com.android.root.main
- com.android.root.Setting
- com.android.root.AlarmReceiver

Page 66

DroidDream
com.android.root.Setting: onCreate

- decrypts a string, which is the address of the remote server,
- sends private information to that server,
- tries to gain root access with 2 exploits,
- installs a new APK.

Page 67

DroidDream
com.android.root.adbRoot: crypt

- takes one parameter: the field u ([B, an array of bytes),
- Where is this field set, and what is its value?

Page 68

DroidDream
com.android.root.adbRoot: crypt

- u = 94, 42, 93, 88, 3, 2, 95, 2, 13, 85, 11, 2, 19, 1, 125, 19, 0, 102, 30, 24, 19, 99, 76, 21, 102, 22, 26, 111, 39, 125, 2, 44, 80, 10, 90, 5, 119, 100, 119, 60, 4, 87, 79, 42, 52 (45 bytes)
- The crypt method decrypts the string by XORing it with the field KEYVALUE, which is the key

Pages 69 and 70

DroidDream (figures)

Page 71

DroidDream
com.android.root.adbRoot: crypt

- XORing the input bytes with the key gives a URL:
- http://184.105.245.17:8080/GMServer/GMServlet
- Server located in the USA
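The decryption just described is a repeating-key XOR. The script below is an added example in Python (not the malware's Java and not Androguard output): U holds the 45 bytes of the field u listed on slide 68. The KEYVALUE string itself appeared on a slide image that this page does not reproduce; the value used below is the one recovered from the sample, and the check that it is right is that it turns U into exactly the URL slide 71 gives. Only its first 45 bytes are exercised here. recover_key_prefix() shows the known-plaintext trick an analyst uses before locating the key in the code: XORing the ciphertext with the guessed "http://" prefix yields the first seven key bytes.

```python
"""Repeating-key XOR as used by DroidDream's crypt(), with a known-plaintext key recovery."""

# the 45 bytes of the field u, as listed on slide 68
U = bytes([94, 42, 93, 88, 3, 2, 95, 2, 13, 85, 11, 2, 19, 1, 125, 19, 0, 102, 30, 24,
           19, 99, 76, 21, 102, 22, 26, 111, 39, 125, 2, 44, 80, 10, 90, 5, 119, 100, 119,
           60, 4, 87, 79, 42, 52])

# the sample's KEYVALUE; only its first 45 bytes matter for U
KEYVALUE = b"6^)(9-p35a%3#4S!4S0)$Yt%^&5(j.g^&o(*0)$Yv!#O@6GpG@=+3j.&6^)(0-=1"


def crypt(data, key=KEYVALUE):
    """XOR every byte with the key, cycling through the key. XOR is its own inverse,
    so the same routine both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_prefix(ciphertext, known_plaintext):
    """Known-plaintext attack on repeating-key XOR: ciphertext XOR plaintext = key bytes
    at the same positions. Guessing that a string starts with "http://" gives 7 key bytes
    without reading a single line of the decryption routine."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


if __name__ == "__main__":
    print(crypt(U).decode())                          # the C&C URL
    print(recover_key_prefix(U, b"http://"))          # first 7 bytes of KEYVALUE
```

With the key in hand the same crypt() decrypts every other string the sample protects the same way, which is why locating the key constant is usually the first goal when a crypt()-style helper shows up in the call graph.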

Page 72

DroidDream
com.android.root.Service$2

- A thread is started,
- which calls postURL from com.android.root.Service.

Page 73

DroidDream
com.android.root.Service

- This method sends private information (in XML format) about the phone to the remote server above:
- IMEI: International Mobile Equipment Identity,
- IMSI: International Mobile Subscriber Identity,
- Device (Build.DEVICE): the name of the industrial design,
- SDK_INT (Build.VERSION.SDK_INT): the user-visible SDK version of the framework.

Page 74

DroidDream
com.android.root.udevRoot, or exploid

- Gain root access!
- runExploid launches the embedded file "exploid", which is the exploid exploit. The exploit only fires on a hotplug (udev) event, and the code obviously cannot ask the user to trigger one,
- so the malware toggles the Wi-Fi state itself (changeWifiState) to raise such an event!
- Source code (C and Java) on the internet: https://github.com/shakalaca/UniversalAndroot

Page 75

DroidDream
com.android.root.adbRoot, or rageagainstthecage

- Gain root access!
- The exploit is very limited:
  - the phone must have USB debugging enabled (target: users of unofficial markets)...
  - ... and it has to be connected while the application runs.

Page 76

DroidDream
com.android.root.Setting: destroy

- Its job is to infect the phone with the application stored in sqlite.db (despite the name it is not an SQLite database but a regular APK file),
- a new application, DownloadProvidersManager.apk, is installed and launched at the next boot of the phone,
- the current application exits.

Page 77

DroidDream
sqlite.db, i.e. DownloadProvidersManager.apk

- the analysis of this second application has been detailed by Lookout [2],
- its only role is to silently install new applications fetched from a remote server.

[2] http://blog.mylookout.com/droiddream/


Page 79: Analyzing Android Applications - UNAM...Android The platform Google purchased the initial developer of the software, Android Inc., in 2005 The unveiling of the Android distribution

Android

Reverse Engineering

- Reverse engineering tools such as IDA Pro (not free), Baksmali (free), Androguard (free)

- A decompiler better than DED, jd-gui, ...

Plagiarism

- Checking for it by hand is very time consuming and inefficient

- ⇒ Automated approaches?


Analysis

Control Flow Graph

- In each method, you have a list of basic blocks; a basic block has:

  - one entry point, meaning no code within it is the destination of a jump instruction anywhere in the program;

  - one exit point, meaning only the last instruction can cause the program to begin executing code in a different basic block.

- Instructions that modify the control flow:

  - "if*", "goto*", "return*", "packed*", "sparse*"

  - exceptions
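The basic-block construction described above, as an added example (this is not Androguard's code). The instruction encoding is a constructed, simplified one: each instruction carries its code offset, a Dalvik-style mnemonic and its branch targets; exception handler offsets can be passed in as extra leaders.

```python
"""Split a linear Dalvik-style instruction list into basic blocks.

Added example (not Androguard code): the instruction encoding below is a
constructed, simplified one (offset, mnemonic, operands, branch targets).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Insn:
    off: int                         # code offset (constructed unit)
    op: str                          # mnemonic, e.g. "if-eqz", "goto", "return"
    args: str = ""                   # operand text, only for display
    targets: Tuple[int, ...] = ()    # branch / switch targets (code offsets)


@dataclass
class BasicBlock:
    start: int
    insns: List[Insn] = field(default_factory=list)
    succs: List[int] = field(default_factory=list)   # successor block start offsets


def modifies_control_flow(op: str) -> bool:
    # The slide's list: if*, goto*, return*, packed-switch, sparse-switch, plus throw
    return op.startswith(("if-", "goto", "return", "packed-switch", "sparse-switch", "throw"))


def build_basic_blocks(code: List[Insn], handlers=()) -> Dict[int, BasicBlock]:
    """Leaders: first instruction, every branch/switch/handler target, and the
    instruction following any control-flow instruction."""
    leaders = {code[0].off} | set(handlers)
    for idx, insn in enumerate(code):
        if modifies_control_flow(insn.op):
            leaders.update(insn.targets)
            if idx + 1 < len(code):
                leaders.add(code[idx + 1].off)
    blocks: Dict[int, BasicBlock] = {}
    cur = None
    for insn in code:
        if insn.off in leaders:
            cur = BasicBlock(start=insn.off)
            blocks[cur.start] = cur
        cur.insns.append(insn)
    starts = sorted(blocks)
    for k, start in enumerate(starts):
        last = blocks[start].insns[-1]
        nxt = [starts[k + 1]] if k + 1 < len(starts) else []
        if last.op.startswith("if-"):
            succ = list(last.targets) + nxt              # taken branch, then fall-through
        elif last.op.startswith(("packed-switch", "sparse-switch")):
            succ = list(last.targets) + nxt              # cases, then default fall-through
        elif last.op.startswith("goto"):
            succ = list(last.targets)
        elif last.op.startswith(("return", "throw")):
            succ = []
        else:
            succ = nxt
        blocks[start].succs = succ
    return blocks


def check_invariants(blocks: Dict[int, BasicBlock]) -> bool:
    """Single entry: every jump target is a block start.
    Single exit: only the last instruction of a block may change control flow."""
    starts = set(blocks)
    for b in blocks.values():
        if any(modifies_control_flow(i.op) for i in b.insns[:-1]):
            return False
        if any(t not in starts for i in b.insns for t in i.targets):
            return False
    return True


# Constructed sample: a counting loop, as a compiler would emit it.
CODE = [
    Insn(0x00, "const/4", "v0, 0"),
    Insn(0x01, "if-eqz", "v1, :L8", targets=(0x08,)),
    Insn(0x03, "add-int/lit8", "v0, v0, 1"),
    Insn(0x05, "add-int/lit8", "v1, v1, -1"),
    Insn(0x07, "goto", ":L1", targets=(0x01,)),
    Insn(0x08, "return", "v0"),
]

if __name__ == "__main__":
    for start, b in sorted(build_basic_blocks(CODE).items()):
        print("block %#x: %s -> %s" % (start, [i.op for i in b.insns], [hex(s) for s in b.succs]))
```

Running it on the sample yields four blocks (0x00, 0x01, 0x03, 0x08); the "if" block has two successors and the "goto" block jumps back to the loop test, which is the shape the later diffing and decompilation slides work on.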

Permissions

Where?

- It is useful to know where a specific permission is used in the application,

- You must search for the specific API calls in the bytecode,

- Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner (UC Berkeley) created a permission map, for example:

  - SEND_SMS: sendTextMessage

Permissions

Where? (figure)

AndroidManifest.xml

What?

- "Every application must have an AndroidManifest.xml file (with precisely that name) in its root directory",

- Essential information about the application:

  - activities, services, broadcast receivers,

  - permissions,

  - package name...

- The XML file is converted into a specific binary XML format.
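Putting the permission map and the manifest together, as an added example (not Androguard's implementation): the bytecode is scanned for API calls listed in the map to find where each permission is used, and the result is compared with the permissions declared in AndroidManifest.xml. The map below is a constructed excerpt (the SEND_SMS entry is the one given on the slide), the manifest and the disassembly lines are constructed samples, and the manifest is assumed to have already been decoded from its binary form to plain XML.

```python
"""Locate where a permission is used by matching API calls in the bytecode
against a permission map, then compare with the manifest.

Added example, not Androguard's implementation. PERMISSION_MAP is a
constructed excerpt; MANIFEST and DISASM are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# (class descriptor, method name) -> permission required by that API call.
PERMISSION_MAP = {
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): "android.permission.SEND_SMS",
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"): "android.permission.READ_PHONE_STATE",
    ("Landroid/location/LocationManager;", "getLastKnownLocation"): "android.permission.ACCESS_FINE_LOCATION",
}

# Matches "invoke-kind {regs}, Lpkg/Class;->method(" in smali-style output.
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, (L[^;]+;)->(\w+)\(")


def declared_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def permission_usage(disassembly) -> dict:
    """disassembly: iterable of (method name, instruction text).
    Returns permission -> set of methods whose bytecode calls a mapped API."""
    uses = defaultdict(set)
    for method, insn in disassembly:
        m = INVOKE_RE.search(insn)
        if not m:
            continue
        perm = PERMISSION_MAP.get((m.group(1), m.group(2)))
        if perm:
            uses[perm].add(method)
    return dict(uses)


def audit(manifest_xml: str, disassembly) -> dict:
    """Where each permission is used, which declared ones are never used
    (over-privilege) and which used ones are missing from the manifest."""
    declared = declared_permissions(manifest_xml)
    used = permission_usage(disassembly)
    return {
        "used_where": used,
        "declared_unused": sorted(declared - set(used)),
        "used_undeclared": sorted(set(used) - declared),
    }


# Constructed sample manifest (already decoded from binary XML).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

# Constructed sample disassembly: (method, instruction).
ON_CREATE = "Lcom/example/sample/Main;->onCreate(Landroid/os/Bundle;)V"
DISASM = [
    (ON_CREATE, "invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->"
                "sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
                "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V"),
    (ON_CREATE, "invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;"),
    ("Lcom/example/sample/Main;->onResume()V", 'const-string v0, "hello"'),
]

if __name__ == "__main__":
    for key, value in audit(MANIFEST, DISASM).items():
        print(key, value)
```

On the sample, SEND_SMS is located in onCreate, INTERNET is declared but never used, and READ_PHONE_STATE is used without being declared; the last two are exactly the discrepancies a reviewer wants flagged.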

Analysis

Signature

- Create a signature in order to identify a particular method in a set of methods (not only exactly the same method, but also variants of this method),

- Based on a paper by Silvio Cesare: Fast Automated Unpacking and Classification of Malware,

- It is a simple grammar which uses: Control Flow Graph, Fields, Packages, Strings and Exceptions.

Analysis

Signature

- Several signatures:

  - V0: no specific information about strings, packages, fields,

  - V1: V0 + the size of strings,

  - V2: V0 + filtering android package names,

  - V3: V0 + filtering java package names,

  - V4: V0 + filtering android/java packages.
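A signature generator in the spirit of the grammar above, as an added example; the grammar itself is a constructed one and not Androguard's. Each basic block becomes "B<index>[tokens]" followed by its successors, and the V0 to V4 variants decide how much detail strings and package names contribute. "Filtering android package names" is interpreted here as keeping the names of packages under android/ (V2), java/ (V3) or both (V4); the method representation is constructed.

```python
"""Method signature grammar over CFG, strings, fields, packages and
exceptions, with the V0..V4 variants from the slide.

Added example: constructed grammar and constructed method, not Androguard's.
"""
import copy

# A method = ordered basic blocks; each block lists (kind, value) items and
# the indexes of its successor blocks.  kind is one of
# "op", "string", "field", "package", "exception".
METHOD = [
    {"items": [("op", "const"), ("string", "HELLO WORLD"),
               ("package", "android/telephony/SmsManager"), ("op", "invoke")],
     "succs": [1, 2]},
    {"items": [("field", "Lcom/app/Main;->counter:I"),
               ("package", "java/lang/StringBuilder"), ("op", "invoke")],
     "succs": [3]},
    {"items": [("exception", "Ljava/io/IOException;"), ("op", "throw")], "succs": []},
    {"items": [("op", "return")], "succs": []},
]


def package_token(name: str, variant: int) -> str:
    """V0/V1: anonymous 'P'. V2 keeps android/* names, V3 java/* names, V4 both."""
    keep = {2: ("android/",), 3: ("java/",), 4: ("android/", "java/")}.get(variant, ())
    return "P{%s}" % name if name.startswith(keep) else "P"


def signature(method, variant: int = 0) -> str:
    out = []
    for idx, block in enumerate(method):
        tokens = []
        for kind, value in block["items"]:
            if kind == "op":
                tokens.append(value[0].upper())          # opcode class letter only
            elif kind == "string":
                tokens.append("S{%d}" % len(value) if variant == 1 else "S")
            elif kind == "field":
                tokens.append("F")                       # no field detail in any variant
            elif kind == "package":
                tokens.append(package_token(value, variant))
            elif kind == "exception":
                tokens.append("X{%s}" % value)           # exception types are always kept
        succ = "".join("->%d" % s for s in block["succs"])
        out.append("B%d[%s]%s" % (idx, "".join(tokens), succ))
    return "".join(out)


def with_string(method, old: str, new: str):
    """Copy of a method with one string constant replaced (to build a variant)."""
    m = copy.deepcopy(method)
    for block in m:
        block["items"] = [(k, new if (k == "string" and v == old) else v) for k, v in block["items"]]
    return m


if __name__ == "__main__":
    for v in range(5):
        print("V%d: %s" % (v, signature(METHOD, v)))
```

A variant whose string constant was edited has the same V0 signature but a different V1 signature, which is the kind of control the variants give: V0 catches code that only differs in constants, V1 is stricter.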

Analysis

Signature Example (figures)

Analysis

Signatures Similarity

- How to know if two strings are similar?

  - Hamming distance,

  - Levenshtein distance,

  - Jaccard distance,

  - Cosine similarity,

  - Locality sensitive hashing,

  - Normalized compression distance.

Analysis

NCD

- Designed to be an effective approximation of the noncomputable but universal Kolmogorov complexity between two strings.

- The NCD of two elements A and B is defined as d_NCD(A,B). We can compute:

  - C(A) and L_A = L(C(A));

  - C(B) and L_B = L(C(B));

  - C(A|B) and L_{A|B} = L(C(A|B));

- where A|B is the concatenation of A and B, C is the compressor, and L is the length of a string.

Analysis

NCD

- Then d_NCD(A,B) is defined by:

  d_{NCD}(A,B) = \frac{L_{A|B} - \min(L_A, L_B)}{\max(L_A, L_B)}  (1)

Analysis

NCD

- A compressor C is normal if the following four axioms are satisfied up to an additive O(log n), where n is the maximal binary length of the elements involved in the inequalities:

  1. Idempotency: C(xx) = C(x), and C(ε) = 0, where ε is the empty string.

  2. Monotonicity: C(xy) ≥ C(x).

  3. Symmetry: C(xy) = C(yx).

  4. Distributivity: C(xy) + C(z) ≤ C(xz) + C(yz).

Analysis

NCD

- If you take three elements:

  - X ("HELLO WORLD") and the length of its compression Y = C(X) = 6,

  - X' ("HELLO WOORLD") and the length of its compression Y' = C(X') = 7,

  - X'' ("HI !!!") and the length of its compression Y'' = C(X'') = 3,

- the compression C(XX') will be similar to C(X), whereas the compression C(XX'') will not be similar to C(X).

Analysis

NCD

- The compression rate is not a determining factor for the choice of the compressor, as long as it complies with the following rules:

  1. C respects the four inequalities,

  2. C(x) is calculated within an acceptable amount of time.

Analysis

NCD: which compressor?

  Compressor   Compressed size   Time (s)
  LZMA         900               1.45565796
  XZ           1824              0.72005010
  ZLIB         894               0.00037599
  BZIP2        1294              0.00088286
  Snappy       1208              0.00010705
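The NCD of equation (1), the HELLO WORLD comparison and the "normal compressor" axioms, carried out in code as an added example (not the presentation's code). The strings are constructed apart from the slide's three, the compressed lengths from Python's zlib are not the illustrative 6/7/3 on the slide (only the ordering of the distances matters), and Snappy is not in the standard library, so zlib, bz2 and lzma are the compressors compared; the axiom check reports how many bytes each axiom is off by, which is what the "up to an additive O(log n)" slack is about in practice.

```python
"""Normalized compression distance as defined on the slides, with a check of
the four 'normal compressor' axioms and a size comparison of compressors.

Added example, not the presentation's code; samples are constructed.
"""
import bz2
import lzma
import zlib


def L(data: bytes, compress=zlib.compress) -> int:
    """L(C(x)): length of the compressed representation of x."""
    return len(compress(data))


def ncd(a: bytes, b: bytes, compress=zlib.compress) -> float:
    """d_NCD(A,B) = (L_{A|B} - min(L_A, L_B)) / max(L_A, L_B), with A|B = A + B."""
    la, lb, lab = L(a, compress), L(b, compress), L(a + b, compress)
    return (lab - min(la, lb)) / max(la, lb)


def axiom_violations(x: bytes, y: bytes, z: bytes, compress=zlib.compress) -> dict:
    """Bytes by which each 'normal compressor' axiom is violated (0 = holds).
    A real compressor only satisfies them up to an additive O(log n) term,
    and C(empty string) is the container overhead rather than 0."""
    c = lambda d: L(d, compress)
    return {
        "idempotency": abs(c(x + x) - c(x)),
        "monotonicity": max(0, c(x) - c(x + y)),
        "symmetry": abs(c(x + y) - c(y + x)),
        "distributivity": max(0, c(x + y) + c(z) - (c(x + z) + c(y + z))),
    }


COMPRESSORS = {"zlib": zlib.compress, "bz2": bz2.compress, "lzma": lzma.compress}


def compressed_sizes(data: bytes) -> dict:
    """Compressed length of the same input under each standard-library compressor."""
    return {name: L(data, fn) for name, fn in COMPRESSORS.items()}


def rank_by_similarity(reference: bytes, candidates: dict, compress=zlib.compress) -> list:
    """Candidate names sorted from most to least similar to the reference."""
    return sorted(candidates, key=lambda k: ncd(reference, candidates[k], compress))


# Constructed samples; X, X' and X'' are the slide's strings.
X, X1, X2 = b"HELLO WORLD", b"HELLO WOORLD", b"HI !!!"
LONG = b"HELLO WORLD " * 40
LONG_VARIANT = b"HELLO WOORLD " + b"HELLO WORLD " * 39
LONG_OTHER = b"HI !!! " * 40

if __name__ == "__main__":
    print("ncd(X, X')  =", round(ncd(X, X1), 3))
    print("ncd(X, X'') =", round(ncd(X, X2), 3))
    print("axiom gaps  =", axiom_violations(LONG, LONG_OTHER, b"FOO BAR BAZ " * 40))
    print("sizes       =", compressed_sizes(LONG))
```

Two things the numbers show that the slide only states: on very short inputs the container overhead of every compressor dominates (which is why the distance of a string to itself is not 0), and lzma's xz container costs tens of bytes before any data, so on small method buffers a fast low-overhead compressor such as zlib or Snappy is the sensible choice regardless of its compression ratio on large files.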

Analysis

NCD: Snappy compressor

- Snappy is a compression/decompression library (Google),

- It does not aim for maximum compression, or compatibility with any other compression library; instead, it aims for very high speeds and reasonable compression,

- Based on text by Zeev Tarantov,

- LZ77-type compressor with a fixed, byte-oriented encoding,

- Fast: compression speeds at 250 MB/sec and beyond, with no assembler code,

- Stable: over the last few years, Snappy has compressed and decompressed petabytes of data in Google's production environment.

Analysis

Similarity

- Identify identical methods,

- Identify exact/similar methods,

- Identify new methods,

- Identify deleted methods.

Analysis

Similarity: attributes associated with a method

- the entropy, based on the raw binary data,

- a buffer which represents the sequence of instructions, with useless information removed from it,

- a unique checksum (or hash) based on the previous buffer,

- a signature.

Analysis

Signature Example (figure)

Similarity: remove identical methods by using hash (figure)

Similarity: find exact/similar methods between two applications (figure)

Similarity: identify new methods between two applications (figure)

Analysis

Plagiarism/Rip-Off indicator

- By using the previous algorithms, we can calculate an indicator (between 0.0 and 100.0) which indicates whether the application has been stolen:

  - 0.0 for a perfectly identical method,

  - the value of the NCD for a partially identical method,

  - the value of the NCD for the general information of the application (strings, constants, etc.).
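The whole similarity pipeline of the preceding slides (method attributes, identical methods removed by hash, similar methods found by NCD, new and deleted methods, and a rip-off indicator), as an added example that is not Androguard's implementation. The two "applications" are constructed smali-like method bodies: the second is a repackaged copy with registers renamed, one method slightly edited, one method removed and one injected. The indicator formula is a simplification assumed here (0 for an identical method, its NCD for a similar one, 1 for a new one, averaged over the second application and scaled to 100); the same run is what the later slides use to grade obfuscators and to isolate injected malware methods.

```python
"""Compare the methods of two applications: identical (hash), similar (NCD),
new and deleted methods, plus a plagiarism/rip-off indicator in [0, 100].

Added example, not Androguard's implementation; applications are constructed
and the indicator formula is an assumed simplification.
"""
import hashlib
import math
import re
import zlib
from collections import Counter


def normalize(raw: str) -> str:
    """Instruction buffer with 'useless' information removed: register numbers
    are dropped so that a different register allocation gives the same buffer."""
    return re.sub(r"\bv\d+\b", "v", raw)


def entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def ncd(a: bytes, b: bytes) -> float:
    la, lb, lab = (len(zlib.compress(x)) for x in (a, b, a + b))
    return (lab - min(la, lb)) / max(la, lb)


def attributes(raw: str) -> dict:
    """The per-method attributes of the slide: buffer, hash of it, entropy."""
    buf = normalize(raw).encode()
    return {"buffer": buf, "hash": hashlib.sha256(buf).hexdigest(), "entropy": entropy(buf)}


def compare(app1: dict, app2: dict, threshold: float = 0.4) -> dict:
    """app1/app2: method name -> raw instruction text."""
    a1 = {n: attributes(r) for n, r in app1.items()}
    a2 = {n: attributes(r) for n, r in app2.items()}
    by_hash = {}
    for n, at in a1.items():
        by_hash.setdefault(at["hash"], []).append(n)
    res = {"identical": [], "similar": [], "new": [], "deleted": []}
    remaining1, distances, pending = set(a1), [], []
    # 1. remove identical methods by hash (no compression needed for them)
    for n2, at in a2.items():
        cands = [n for n in by_hash.get(at["hash"], []) if n in remaining1]
        if cands:
            remaining1.discard(cands[0])
            res["identical"].append((cands[0], n2))
            distances.append(0.0)
        else:
            pending.append(n2)
    # 2. NCD for the rest: similar if under the threshold, otherwise new
    for n2 in pending:
        best = None
        for n1 in remaining1:
            d = ncd(a1[n1]["buffer"], a2[n2]["buffer"])
            if d < threshold and (best is None or d < best[1]):
                best = (n1, d)
        if best:
            remaining1.discard(best[0])
            res["similar"].append((best[0], n2, round(best[1], 3)))
            distances.append(best[1])
        else:
            res["new"].append(n2)
            distances.append(1.0)
    res["deleted"] = sorted(remaining1)
    res["indicator"] = round(100.0 * sum(distances) / len(distances), 2) if distances else 0.0
    return res


# Constructed sample: an original application and a repackaged copy of it.
ORIGINAL = {
    "Lcom/app/Main;->onCreate": (
        "invoke-super {v0, v1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V\n"
        "const v2, 0x7f030000\n"
        "invoke-virtual {v0, v2}, Landroid/app/Activity;->setContentView(I)V\nreturn-void"),
    "Lcom/app/Main;->saveRun": (
        "iget-object v1, v0, Lcom/app/Main;->prefs:Landroid/content/SharedPreferences;\n"
        "invoke-interface {v1}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;\n"
        "move-result-object v1\nconst-string v2, \"last_run\"\n"
        "invoke-static {}, Ljava/lang/System;->currentTimeMillis()J\nmove-result-wide v3\n"
        "invoke-interface {v1, v2, v3, v4}, Landroid/content/SharedPreferences$Editor;->putLong(Ljava/lang/String;J)Landroid/content/SharedPreferences$Editor;\n"
        "invoke-interface {v1}, Landroid/content/SharedPreferences$Editor;->commit()Z\nreturn-void"),
    "Lcom/app/Main;->unusedOld": "const/4 v0, 1\nreturn v0",
}
REPACKAGED = {
    "Lcom/app/Main;->onCreate": ORIGINAL["Lcom/app/Main;->onCreate"]
        .replace("v0, v1", "v5, v6").replace("v2", "v7").replace("v0", "v5"),
    "Lcom/app/Main;->saveRun": ORIGINAL["Lcom/app/Main;->saveRun"]
        .replace("return-void", "sget-object v5, Lcom/app/Main;->TAG:Ljava/lang/String;\nreturn-void"),
    "Lcom/injected/Loader;->run": (
        "new-instance v0, Landroid/content/Intent;\nconst-class v1, Lcom/injected/Service;\n"
        "invoke-direct {v0, v2, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V\n"
        "invoke-virtual {v2, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;\n"
        "return-void"),
}

if __name__ == "__main__":
    for k, v in compare(ORIGINAL, REPACKAGED).items():
        print(k, v)
```

The "new" list is the injected code the Malware slides talk about, "deleted" is what the repackager dropped, and the indicator moves from 0.0 for the application compared with itself toward 100.0 as fewer methods survive; for an obfuscator evaluation the same call is made with the original and its obfuscated build.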

Analysis

Plagiarism/Rip-Off indicator: two different applications (figure)

Plagiarism/Rip-Off indicator: identical applications (figure)

Plagiarism/Rip-Off indicator: quite identical applications (figure)

Plagiarism/Rip-Off indicator: stolen application (figure)

Plagiarism/Rip-Off indicator: The Wars (figures)

Analysis

Plagiarism/Rip-Off indicator: DailyMoney (HTCHEN)

- Timothy Armstrong (Kaspersky Lab):

  - a Pay-Per-Install library was added to the original code,

  - the library comes as part of an SDK from a company called AirPush.

Analysis

Plagiarism/Rip-Off indicator: DailyMoney (HTCHEN)

- Timothy Armstrong (Kaspersky Lab):

  - different types of advertisements are shown to end users,

  - the developer is paid every 1,000 impressions (CPM: Cost Per Mille, "It is used in marketing as a benchmark to calculate the relative cost of an advertising campaign or an ad message in a given medium").

Analysis

Plagiarism/Rip-Off indicator: DailyMoney (HTCHEN) (figures)

Analysis

Evaluation of Android obfuscators

- Problem: transformation of the source code into bytecode,

- Android developers frequently use obfuscators such as ProGuard or DashO to prevent the reverse engineering of their software,

- It can be easily reversed by using a classical decompiler like jad, jd-gui or dava, with varying degrees of reliability,

- Moreover, virtual machines do not allow code modification on the fly (only dynamic code loading), and this is a real problem for classical packers.

Analysis

Evaluation of Android obfuscators

- The obfuscator can use several techniques to protect a Java/Android application:

  1. change the names of classes, methods, fields,

  2. modify the control flow,

  3. code optimization,

  4. dynamic code loading,

  5. change instructions with a metamorphic technique.

Analysis

Evaluation of Android obfuscators

- Blackbox evaluation with our previous similarity algorithms,

- If this distance is close to 100, then the obfuscator did a poor job...

Analysis

Evaluation of Android obfuscators (figure)

Analysis

Malware

- We can automatically extract new methods: this is the case of malware injected into an application on the official or unofficial Android markets,

- The malware writer injects his "evil" code into the application and propagates the new application on different markets.

- It is possible to isolate the malware quickly if we know the original application, which is an easy task because the malware writer does not generally modify it.

Analysis

Malware (figure)

Axelle Apvrille (Fortinet): Clarifying Android DroidKungFu variants (figure)

Analysis

Diffing

- Calculate the differences between two versions of an application to identify modifications:

  - security bugfix,

  - reverse engineering.

- The idea is to detect classical modifications in a method, including:

  - modification of code in a basic block,

  - addition of new basic blocks.

- Bindiff, patchdiff2, ...

Analysis

Diffing

- Isomorphism problem: graph comparison

  - Find identical/similar methods in order to extract modifications of instructions from basic blocks

  - Identification of identical basic blocks by using NCD,

  - Extraction of added/removed instructions by using the longest common subsequence algorithm.

Analysis

Diffing: Identification of basic blocks

- These are the same similarity algorithms, just applied at a different level of granularity

Analysis

Diffing: Find exactly/partially the same basic blocks between two methods (figure)

Diffing: Find new basic blocks between two methods (figure)

Diffing: Find added/removed instructions from a basic block (figure)

Analysis

Diffing: Skype Android application

- On the 15th of April 2011, AndroidPolice disclosed a new security vulnerability in Skype (version 1.0.0.831) for Android,

- This vulnerability exposes the users' name, phone number, and chat logs to all installed applications,

- The security bug is very simple: it is an incorrect usage of permissions when opening files,

- A few days after this disclosure, Skype released a new version (1.0.0.983) which fixed this security bug.

Analysis

Diffing: Skype Android application

- exactly identical: 8038,

- partially identical: 165,

- new: 14,

- deleted: 7.

Analysis

Diffing: Skype Android application

- searching for methods related to file permissions (by using the Java API or directly with the chmod program),

- most of them are related to simple constant modifications, but we can identify a method really close to another one (with the same name) which manipulates files:

  - Lcom/skype/ipc/SkypeKitRunner; run ()V with Lcom/skype/ipc/SkypeKitRunner; run ()V 0.269383959472

Analysis

Diffing: Skype Android application

- This method has four modified basic blocks, but only three of them merit further investigation.

Analysis

Diffing: Skype Android application

- An integer value (the operating mode) passed to the method openFileOutput, public abstract FileOutputStream openFileOutput (String name, int mode), has been changed from 3 to 0 (3 is MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE, 0 is MODE_PRIVATE)

Analysis

Diffing: Skype Android application

- In another basic block, the first argument of chmod has been changed from 777 to 750

Analysis

Diffing: Skype Android application

- And in the last modified basic block, there is a new call to a new method which fixes all files in the context directory of the application:

  - Lcom/skype/ipc/SkypeKitRunner; fixPermissions ([Ljava/io/File;)V

- which fixes all permissions (patching the permissions left by the previous version) to:

  - RWX --- --- for a directory,

  - RW- --- --- for a file.
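The basic-block diffing procedure of the Diffing slides (identical blocks first, similar blocks by NCD, added/removed instructions by longest common subsequence), applied to a sketch of the Skype fix just described, as an added example that is not Androguard's diff code. The two block lists are constructed and heavily simplified: they reproduce the three changes named on the slides (openFileOutput mode 3 to 0, chmod 777 to 750, a new fixPermissions call), but the class Lcom/example/Runner; and its exec method are hypothetical placeholders, not Skype's disassembly.

```python
"""Diff two versions of one method: match basic blocks by NCD, then list the
added/removed instructions of each modified block with an LCS.

Added example (not Androguard's). OLD/NEW are a constructed sketch of the
Skype change; Lcom/example/Runner; is a hypothetical class.
"""
import zlib


def ncd(a: bytes, b: bytes) -> float:
    la, lb, lab = (len(zlib.compress(x)) for x in (a, b, a + b))
    return (lab - min(la, lb)) / max(la, lb)


def lcs_table(a, b):
    n, m = len(a), len(b)
    t = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            t[i][j] = t[i + 1][j + 1] + 1 if a[i] == b[j] else max(t[i + 1][j], t[i][j + 1])
    return t


def diff_instructions(old, new):
    """(removed, added) instruction lists, by walking the LCS table."""
    t = lcs_table(old, new)
    i = j = 0
    removed, added = [], []
    while i < len(old) and j < len(new):
        if old[i] == new[j]:
            i, j = i + 1, j + 1
        elif t[i + 1][j] >= t[i][j + 1]:
            removed.append(old[i]); i += 1
        else:
            added.append(new[j]); j += 1
    return removed + old[i:], added + new[j:]


def diff_method(old_blocks, new_blocks, threshold=0.5):
    """old_blocks/new_blocks: list of instruction lists, one per basic block."""
    remaining = dict(enumerate(old_blocks))
    result = {"identical": [], "modified": [], "new": [], "deleted": []}
    for j, nb in enumerate(new_blocks):
        exact = next((i for i, ob in remaining.items() if ob == nb), None)
        if exact is not None:                       # identical block: no NCD needed
            result["identical"].append((exact, j)); del remaining[exact]; continue
        best = None
        for i, ob in remaining.items():              # closest remaining old block by NCD
            d = ncd("\n".join(ob).encode(), "\n".join(nb).encode())
            if d < threshold and (best is None or d < best[1]):
                best = (i, d)
        if best is None:
            result["new"].append(j)
        else:
            removed, added = diff_instructions(remaining.pop(best[0]), nb)
            result["modified"].append({"old": best[0], "new": j, "ncd": round(best[1], 3),
                                       "removed": removed, "added": added})
    result["deleted"] = sorted(remaining)
    return result


# Constructed sketch of the vulnerable and fixed versions of one method.
OLD = [
    ['const-string v1, "kitfile"', "const/4 v2, 3",
     "invoke-virtual {v0, v1, v2}, Landroid/content/Context;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;",
     "move-result-object v3"],
    ['const-string v4, "chmod"', 'const-string v5, "777"',
     "invoke-static {v4, v5, v1}, Lcom/example/Runner;->exec(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V"],
    ["invoke-virtual {v0}, Landroid/content/Context;->getFilesDir()Ljava/io/File;", "move-result-object v7",
     "invoke-virtual {v7}, Ljava/io/File;->listFiles()[Ljava/io/File;", "move-result-object v7", "return-void"],
    ["move-exception v0", "throw v0"],
]
FIX_CALL = "invoke-direct {v0, v7}, Lcom/example/Runner;->fixPermissions([Ljava/io/File;)V"
NEW = [
    [OLD[0][0], "const/4 v2, 0", OLD[0][2], OLD[0][3]],
    [OLD[1][0], 'const-string v5, "750"', OLD[1][2]],
    OLD[2][:4] + [FIX_CALL, "return-void"],
    OLD[3],
]

if __name__ == "__main__":
    for key, value in diff_method(OLD, NEW).items():
        print(key, value)
```

The output isolates exactly the three constant and call changes a reviewer would want to see when confirming that a "security update" really closes a world-readable file mode, without reading the 8000 identical methods around it.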

Analysis

Decompilation

- Current ways to decompile are not good enough:

  - source code unreadable,

  - doesn't compile back,

  - decompilation fails.

Analysis (figures)

Analysis

Decompilation: different phases (optimizations/compilation):

- Intermediate representation

- Semantic analysis

- CFG generation

  - each node represents a basic block

- Dataflow analysis

- Control flow analysis

- Code generation

Analysis

Control flow analysis

- Number the nodes of the graph in reverse post-order:

  - the number is given when a node is visited for the last time

Control flow analysis

- Goal of control flow analysis: identify structures

- Build intervals to detect loops

- Switch and conditional structures are detected by traversing the graph in reverse (from last to first node)

Analysis (figure)

Analysis

- Need to find the next element of a structure:

  - e.g. the next of a conditional structure is the first common node of both branches

  - special case with short circuit

- Write the code of the nodes by traversing them:

  - nodes are flagged: type of node, of loop, head of loop, ...
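The control-flow-analysis steps of the last three slides (reverse post-order numbering, loop detection, and the "first common node of both branches" rule for the follow node of a conditional) on a small constructed CFG, as an added example that is not the decompiler's code. One substitution to note: loops are found here with the DFS back-edge test rather than the interval construction the slide mentions, and the follow node is computed over forward edges only so that a conditional inside a loop is not "joined" through the loop's back edge.

```python
"""Reverse post-order numbering, loop heads via back edges, and the follow
node of each conditional in a CFG.

Added example, not the decompiler's code; CFG is constructed and back edges
replace the slide's interval analysis.
"""
from typing import Dict, List

# Constructed CFG: node -> successors.  An if/else (1 -> 2 | 3, merging at 4)
# inside a loop whose test sits at node 4 (4 -> 5 exits, 4 -> 1 loops).
CFG: Dict[int, List[int]] = {0: [1], 1: [2, 3], 2: [4], 3: [4], 4: [5, 1], 5: []}


def reverse_post_order(cfg, entry) -> list:
    """Each node is numbered on its last visit (post-order); the list is reversed."""
    seen, post = set(), []

    def dfs(n):
        seen.add(n)
        for s in cfg.get(n, []):
            if s not in seen:
                dfs(s)
        post.append(n)

    dfs(entry)
    return post[::-1]


def back_edges(cfg, entry) -> list:
    """Edges u->v whose target is still on the DFS stack: each closes a loop with head v."""
    on_stack, done, edges = set(), set(), []

    def dfs(n):
        on_stack.add(n)
        for s in cfg.get(n, []):
            if s in on_stack:
                edges.append((n, s))
            elif s not in done:
                dfs(s)
        on_stack.discard(n)
        done.add(n)

    dfs(entry)
    return edges


def forward_reach(cfg, start, back) -> set:
    """Nodes reachable from start without following any back edge."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(s for s in cfg.get(n, []) if (n, s) not in back)
    return seen


def structure(cfg, entry) -> dict:
    rpo = reverse_post_order(cfg, entry)
    back = set(back_edges(cfg, entry))
    loop_heads = {v for _, v in back}
    latches = {u for u, _ in back}
    follow = {}
    for n, succs in cfg.items():
        if len(succs) == 2 and n not in latches:        # a conditional, not a loop test
            common = forward_reach(cfg, succs[0], back) & forward_reach(cfg, succs[1], back)
            follow[n] = next((m for m in rpo if m in common), None)   # first common in RPO
    return {"rpo": rpo, "loop_heads": loop_heads, "follow": follow}


if __name__ == "__main__":
    print(structure(CFG, 0))
```

On the sample the conditional at node 1 has follow node 4, node 1 is flagged as a loop head and node 4 as the loop's test; those flags are what the code-generation pass consumes when it emits the if/else and the loop.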

Analysis

Extending the similarity algorithms

- Detecting a piece of code in a set of applications (with variants):

  - Antivirus

  - Plagiarism

Analysis

Antivirus: Open Source database of Android malware

- NCD is very time consuming even if the compressor is very fast

- You must reduce the number of comparisons:

  - N methods

  - S signatures

  - O(N * S)

  - example: 10,000 * 1,000 = 10,000,000

- Clustering: entropies on the signature (android/java packages, binary raw, exceptions, signatures),

- Similarity distance (NCD) on each cluster with the signature (thresholds).
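The entropy-clustering step described above, as an added example (not the presentation's database code): methods and signatures are bucketed by the Shannon entropy of their signature buffer, and NCD is only computed against signatures in the same or a neighbouring bucket. The bucket width, the NCD threshold and the sample signatures are constructed; the function also returns how many comparisons were made against the naive N * S count.

```python
"""Reduce the O(N * S) NCD comparisons of a signature database by clustering
on entropy first, then running NCD only inside a cluster.

Added example, not the presentation's code; parameters and samples are
constructed.
"""
import math
import zlib
from collections import Counter, defaultdict


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte of the signature buffer."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def ncd(a: bytes, b: bytes) -> float:
    la, lb, lab = (len(zlib.compress(x)) for x in (a, b, a + b))
    return (lab - min(la, lb)) / max(la, lb)


def cluster_key(buf: bytes, width: float = 0.25) -> int:
    return math.floor(entropy(buf) / width)


def scan(methods: dict, signatures: dict, width: float = 0.25, threshold: float = 0.3):
    """methods/signatures: name -> signature bytes.
    Returns (matches, comparisons done, comparisons the naive N*S scan would do)."""
    buckets = defaultdict(list)
    for name, sig in signatures.items():
        buckets[cluster_key(sig, width)].append(name)
    matches, done = [], 0
    for mname, mbuf in methods.items():
        k = cluster_key(mbuf, width)
        # a method near a bucket boundary must also look at the neighbouring buckets
        for cand in buckets.get(k - 1, []) + buckets.get(k, []) + buckets.get(k + 1, []):
            done += 1
            d = ncd(mbuf, signatures[cand])
            if d < threshold:
                matches.append((mname, cand, round(d, 3)))
    return matches, done, len(methods) * len(signatures)


# Constructed signature database (strings in the grammar style of the Signature slides).
SIGNATURES = {
    "Sig.A": b"B0[CSPI]->1->2B1[FPI]->3B2[X{Ljava/io/IOException;}T]B3[R]B4[CCIPS]->5B5[FFI]->6B6[R]",
    "Sig.B": b"B0[CCCI]->1B1[IIPPX{Ljava/lang/RuntimeException;}]->2B2[GR]",
}
# Constructed methods to scan: a variant of A, unrelated high-entropy data, a copy of B.
METHODS = {
    "variant_of_A": SIGNATURES["Sig.A"].replace(b"B3[R]", b"B3[RR]"),
    "random_bytes": bytes(range(256)),
    "copy_of_B": SIGNATURES["Sig.B"],
}

if __name__ == "__main__":
    matches, done, naive = scan(METHODS, SIGNATURES)
    print("matches:", matches)
    print("comparisons: %d instead of %d" % (done, naive))
```

The high-entropy method never reaches the compressor at all, which is the whole point: entropy is cheap to compute once per method, NCD is not, and a threshold applied per cluster keeps the false-positive rate of the loose V0-style signatures in check.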

Analysis

Antivirus: Open Source database of Android malware

- A signature can be made on methods or classes,

- Choose a signature correctly (length, entropy, ...),

- Boolean expression.

Analysis

Antivirus: Open Source database of Android malware

- Description (JSON format) of a signature: (figure)

- The signature is extracted and written to the database: (figure)

- Check a repository of applications: (figure)

Analysis

Android Antivirus: ClamAV

- Does ClamAV support Android malware? (figures)

Android Antivirus: ClamAV vs Androguard (figures)


Analysis

Dynamic Analysis

- Patrik Lantz (Honeynet project, Google Summer of Code 2011, GPL)

- Modification of the Dalvik Virtual Machine for interception of:

  - incoming/outgoing network data,

  - file read and write operations,

  - classes loaded through DexClassLoader,

  - information leaks via the network, files and SMS,

  - cryptography operations performed using the Android API,

  - sent SMS and phone calls.


Application

Control Flow Graph

� Export like a classical graphviz picture,

� Export the CFG in Cytoscape.

A. Desnos, G. Gueguen 157 /179
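How a CFG is built before it can be exported to Graphviz, as an added example that is not Androguard's code: a constructed, simplified Dalvik-like listing of one method is cut into basic blocks at branch targets and fall-through points, and the result is emitted as DOT.

```python
# Added example (not Androguard's own CFG code): split a linear method listing
# into basic blocks and emit the graph as Graphviz DOT.
from collections import defaultdict
# Constructed sample: (index, mnemonic, operands); branch targets are indices.
SAMPLE_METHOD = [
    (0, "const/4", "v0, 0"),
    (1, "if-eqz", "v1, 5"),
    (2, "invoke-virtual", "v1, Landroid/telephony/TelephonyManager;->getDeviceId()"),
    (3, "move-result-object", "v0"),
    (4, "goto", "6"),
    (5, "const-string", "v0, 'x'"),
    (6, "return-object", "v0"),
]

def branch_target(mnemonic, operands):
    if mnemonic.startswith(("if-", "goto")):
        return int(operands.split(",")[-1])
    return None

def basic_blocks(instrs):
    """Return (blocks, edges): leader index -> instrs, leader -> successor leaders."""
    leaders = {instrs[0][0]}
    for idx, mn, ops in instrs:
        tgt = branch_target(mn, ops)
        if tgt is not None:
            leaders.add(tgt)       # a branch target starts a block ...
            leaders.add(idx + 1)   # ... and so does the fall-through instruction
    leaders = sorted(i for i in leaders if i < len(instrs))
    blocks = {s: instrs[s:(leaders[n + 1] if n + 1 < len(leaders) else len(instrs))]
              for n, s in enumerate(leaders)}
    edges = defaultdict(list)
    for start, body in blocks.items():
        idx, mn, ops = body[-1]
        tgt = branch_target(mn, ops)
        if tgt is not None:
            edges[start].append(tgt)
        if not mn.startswith(("goto", "return")) and idx + 1 in blocks:
            edges[start].append(idx + 1)   # conditional or plain fall-through
    return blocks, dict(edges)

def to_dot(blocks, edges, name="method"):
    """Render blocks as boxes, one instruction per line, with successor arrows."""
    out = ["digraph %s {" % name, "  node [shape=box, fontname=monospace];"]
    for start, body in blocks.items():
        label = "".join("%d: %s %s\\l" % ins for ins in body)
        out.append('  b%d [label="%s"];' % (start, label))
    for src, dsts in edges.items():
        out.extend("  b%d -> b%d;" % (src, d) for d in dsts)
    out.append("}")
    return "\n".join(out)
```

Piping `to_dot(*basic_blocks(SAMPLE_METHOD))` into `dot -Tpng` gives the kind of picture the slide refers to.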

Pages 159-163:

Application

Control Flow Graph (figure slides: rendered CFG pictures, not recoverable from the transcript)

Page 164:

Application

Methods Call Graph

- Export the methods call graph in .gexf format:
  - Information about each node,
  - Add specific nodes (permissions, activities, ...).
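The export described above, as an added example that is not Androguard's exporter: a constructed list of caller/callee pairs is turned into a graph, permission and activity nodes are added next to the method nodes, and the whole is written as GEXF. The API-to-permission map is a constructed subset, not the one Androguard ships.

```python
# Added example (not Androguard's exporter): build a method call graph with
# extra permission and activity nodes and write it as GEXF.
import xml.etree.ElementTree as ET
# Constructed: (caller, callee) pairs as recovered from invoke-* instructions.
SAMPLE_CALLS = [
    ("Lcom/ex/Main;->onCreate()", "Lcom/ex/Main;->collect()"),
    ("Lcom/ex/Main;->collect()", "Landroid/telephony/TelephonyManager;->getDeviceId()"),
    ("Lcom/ex/Main;->collect()", "Lcom/ex/Net;->post()"),
    ("Lcom/ex/Net;->post()", "Ljava/net/HttpURLConnection;->connect()"),
]
# Constructed subset of an API-to-permission mapping.
API_PERMISSIONS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()": "READ_PHONE_STATE",
    "Ljava/net/HttpURLConnection;->connect()": "INTERNET",
}
ACTIVITIES = {"Lcom/ex/Main;"}   # constructed: classes declared in the manifest
def build_graph(calls, api_perms, activities):
    """Return (nodes, edges); nodes maps id -> 'method', 'permission' or 'activity'."""
    nodes, edges = {}, []
    for caller, callee in calls:
        for m in (caller, callee):
            nodes.setdefault(m, "method")
        edges.append((caller, callee))
        perm = api_perms.get(callee)
        if perm:                                  # API needing a permission
            nodes.setdefault(perm, "permission")
            edges.append((callee, perm))
    for m in list(nodes):                         # link activities to their methods
        cls = m.split("->")[0]
        if cls in activities:
            nodes.setdefault(cls, "activity")
            edges.append((cls, m))
    return nodes, edges
def to_gexf(nodes, edges):
    ns = "http://www.gexf.net/1.2draft"
    gexf = ET.Element("gexf", xmlns=ns, version="1.2")
    graph = ET.SubElement(gexf, "graph", defaultedgetype="directed")
    attrs = ET.SubElement(graph, "attributes", {"class": "node"})
    ET.SubElement(attrs, "attribute", id="0", title="kind", type="string")
    xnodes = ET.SubElement(graph, "nodes")
    ids = {n: str(i) for i, n in enumerate(nodes)}  # GEXF wants string ids
    for n, kind in nodes.items():
        xn = ET.SubElement(xnodes, "node", id=ids[n], label=n)
        ET.SubElement(ET.SubElement(xn, "attvalues"), "attvalue", {"for": "0", "value": kind})
    xedges = ET.SubElement(graph, "edges")
    for i, (s, t) in enumerate(edges):
        ET.SubElement(xedges, "edge", id=str(i), source=ids[s], target=ids[t])
    return ET.tostring(gexf, encoding="unicode")
```

Loading the string written to a `.gexf` file in Gephi or Cytoscape shows the permission and activity nodes as extra entry points into the method graph.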

Pages 165-172:

Application

Methods Call Graph (figure slides: rendered call-graph pictures, not recoverable from the transcript)

Page 173:

Diffing

- Aureliano Calvo: Showing differences between disassembled functions

Page 174:

Diffing (figure slide: screenshot of the diff view, not recoverable from the transcript)


Page 176:

Tools

- IDA Pro, support of Dalvik,
- Smali/Baksmali,
- Dex2jar,
- DED,
- Androguard,
- Droidbox,
- ⇒ Virtual Machine for Android Reverse Engineering (Honeynet).


Page 178:

Conclusion

Androguard

- LGPL framework/tools [3]
- Python/C(++)
- You're welcome!

[3] http://code.google.com/p/androguard/

Page 179:

Conclusion

Future Works

- Improve the DroidBox project,
- Improve the plagiarism algorithm,
- Emulation of Android bytecode,
- Data tainting,
- Optimization phases of the decompiler.

Page 180:

Conclusion

- Thanks to "Congreso Seguridad en Cómputo" 2011, Ruben Aquino Luna and Celica Martinez Aponte
- Questions?