Description of malware on Android

CyberGod

Administrator
Staff member
2.0
Joined
Dec 23, 2021
Messages
750
Location
Hell
Website
hellofhackers.com
Hellcoins
♆25,889
Profile Music
McAfee's threat report for the first quarter of this year indicated that 6 million unique malware samples had been identified. In this sense, the first quarter of 2011 turned out to be the most productive in terms of the number of detected malicious programs compared to the same period of every previous year. The McAfee report noted that Android devices are increasingly becoming carriers of malware. According to experts, in the first quarter of this year Android became the second most popular mobile target among attackers, after Symbian.

In this article we walk through the steps of analysing an Android application, so that you understand what the weaknesses of the Android platform are and how attackers make use of them. First we discuss the background of the Android platform, then the basics of how application packages are put together, and along the way we analyse in detail a specific piece of malware written for Android.

Introduction to the Android platform

Android is an operating system for cell phones, communicators, tablet computers and other devices, based on the Linux kernel. Developers write Android applications mainly in Java, controlling the device through the Java libraries provided by Google. The Java compiler compiles the developer's source files into class files, and the class files are then converted into a dex file. A dex file contains bytecode for the Dalvik virtual machine, Android's own bytecode runtime, which plays the role the JVM plays for ordinary Java applications. XML files are converted into a binary format optimised for small size. The .dex file, the binary XML and the other resources needed to run the application are packaged into an Android package file. These files have the .apk extension but are standard ZIP files. Once the apk package is generated, it is digitally signed by the developer and uploaded to the Android Market via the Google website, from where users can download the apk file and install it on their Android device. There are currently over 2 million apps available for download in the central Android app store, and besides that, do not forget that Android apps can also be downloaded from other third-party sites.

Requirements
* Tool for decompressing apk files: WinZip
* Tool for converting .dex files to .jar files: dex2jar
* Graphical Java decompilation tool: JD-GUI
* Android-targeted malware sample for analysis

Detailed Steps

Step I:


To begin the malware analysis procedure, you first need to obtain a malware sample targeting the Android platform. In this case we use iCalendar.apk, which was one of 11 suspicious apps removed from the Android Market after it was found to contain malware, according to Gadget Media. Checking the sample on VirusTotal showed a detection rate of 46.5%, as shown in the figure below.

Fig. 1

Step II:
Extract the iCalendar.apk file with WinZip; you can then view the contents of the .apk file.

Fig. 2. The .dex and XML files discussed earlier in this article are visible here.

Step III:

The next step is to convert the code using the dex2jar tool. The dex2jar toolkit converts Dalvik executable .dex files into Java .class files packed in a .jar. Copy classes.dex from our application into the dex2jar directory and convert it with the following command: dex2jar.bat classes.dex.

Fig. 3. The file classes.dex.dex2jar.jar is created in the same directory.

Fig. 4

Step IV:


We use JD-GUI to view the .class files. Open the classes.dex.dex2jar.jar file with JD-GUI.

Fig. 5. The full source code of the Android application is shown.

Step V:
With the source code of the application in hand, we can examine it for problems. The class SmsReceiver.class immediately stands out: this is a calendar application, and an SMS receiver has no place in it. Closer inspection of the source of SmsReceiver.class showed that it contains three numbers, 1066185829, 1066133 and 106601412004, which look rather suspicious. In particular, the code appears to be an attempt to block messages sent from these numbers to the Android device while the application is installed and running.

Fig. 6

Searching for these numbers on Google showed that they are SMS service numbers belonging to China Mobile (Fig. 7).

Fig. 7

Why the application tries to block delivery reports from these numbers is worked out in the steps that follow.

Step VI:

After finishing the analysis of SmsReceiver.class, we move on to the code of the next .class file, iCalendar.class. The first thing that looks suspicious is that a sendSms() function is called inside the showImg() function.

Fig. 8

So we examined the sendSms() function to see exactly what it does. As the figure below shows, when sendSms() is invoked, an SMS with the text 921X1 is automatically sent to the number 1066185829.

Fig. 9

Step VII:

At the end of the sendSms() function we noticed a call to a save() function. We therefore looked for save() in the code and found that it is directly tied to sendSms().

Fig. 10

After analysing the save() function in detail, it was found that the string "Y" is written every time save() is executed. It was also concluded that sendSms() can be called only once and no more, since the call to sendSms() is guarded by an "if" condition.

Step VIII:
Combining the results of the whole analysis gives a clear picture of how this malicious program functions end to end.

The application sends an SMS to the premium number 1066185829 with the text 921X1. At the same time, any delivery reports coming back from this number are blocked, so the victim receives no indication that the application has sent such an SMS in the background. Moreover, the SMS is sent only once, so the victim has no real way of suspecting what caused the funds to be debited from the account.

Fig. 11. Complete workflow of the iCalendar.apk malware.
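As an added example (it is not part of the original post and not the sample's own code), the following Python script does a quick static triage of a classes.dex without going through dex2jar: it parses the dex string table directly and flags the indicators this analysis turned up, namely SMS-sending API names, broadcast suppression and hard-coded 106... service numbers. The API hint list and the number pattern are assumptions derived from the steps above, and build_sample_dex produces a constructed minimal dex so the script runs offline.

```python
import re
import struct

# .dex header (little-endian): 0x38 string_ids_size, 0x3C string_ids_off; each
# string_id is a u4 offset to: uleb128 utf16_size, MUTF-8 bytes, NUL terminator.
def read_uleb128(buf, off):
    value = shift = 0
    while True:
        b, off = buf[off], off + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(dex):
    """Return the whole string table of a classes.dex blob, in index order."""
    assert dex[:4] == b"dex\n", "not a dex file"
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for data_off in struct.unpack_from("<%dI" % count, dex, ids_off):
        _, start = read_uleb128(dex, data_off)  # skip utf16_size
        out.append(dex[start:dex.index(b"\0", start)].decode("utf-8", "replace"))
    return out  # MUTF-8 equals UTF-8 for the ASCII names and numbers we look for

# Indicators drawn from the iCalendar analysis above (heuristic, constructed here).
API_HINTS = {
    "sendTextMessage": "SmsManager call: can send SMS silently",
    "abortBroadcast": "can suppress SMS_RECEIVED / delivery-report broadcasts",
}
SERVICE_NUMBER = re.compile(r"^106\d{4,}$")  # shape of the 106... numbers found above

def triage(strings):
    hits = []
    for s in strings:
        if s in API_HINTS:
            hits.append((s, API_HINTS[s]))
        elif SERVICE_NUMBER.match(s):
            hits.append((s, "hard-coded SMS service number"))
    return hits

def build_sample_dex(strings):
    """Constructed minimal dex (header + string table only) for offline testing."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", 0x70 + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"  # uleb128 length fits one byte
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    return bytes(header) + ids + data
```

On a real sample, feed triage() the output of dex_strings(zipfile.ZipFile("iCalendar.apk").read("classes.dex")); multidex apps carry additional classesN.dex entries that should be scanned as well.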

Conclusion

Malware that has gained root access can not only read any data stored on the phone but can also send it anywhere it likes. This data may include contacts, documents and even account passwords. With root access it can also install further components that are not visible in the phone's user interface and therefore cannot be removed easily. The main ways to protect against malware on the Android platform are as follows:

* Download applications only from trusted sources;
* Check the ratings and reviews before downloading an application;
* Assess carefully the permissions a specific application requests;
* Install Android OS updates as soon as they become available;
* Install mobile security software.

This article gives one example of the damage malware does to unsuspecting users. If a person is unaware of its presence, such a program is free to perform almost any unauthorised action in the background. Malicious programs can cause financial losses for the user by draining funds from their balance, as well as stealing passwords; they can also damage the phone itself. As you can see, it is very important to take adequate precautions in time so that these kinds of applications never reach your phone. It is better to be safe once than to regret it ten times later.