Wednesday, 16 April 2014

Android Malware Static Analysis

Android OS is more popular than ever before, and so is Android malware. To analyse Android malware, or any malware, we start with static analysis techniques before jumping into dynamic analysis. In this post we will discuss the important Android malware static analysis techniques and tools, listing each tool as we discuss what it does and how to work with it. All Android applications are packaged as an APK. An APK is nothing but a ZIP file; to see its contents use your standard unarchiver on Windows or unzip on Linux. An Android application (APK) contains several files inside its archive; the two files which will aid most in application analysis are AndroidManifest.xml and classes.dex.

The AndroidManifest file is an encoded binary XML file which contains vital information required for running an application: for example, the package name, permissions, activities etc. As it is encoded in binary XML you can convert it to readable text using apktool, which is provided as part of the Android SDK. The command "apktool d apkfile" will create a directory with the decoded AndroidManifest file, the resource files and smali code for the dex file (discussed later). If you now open the AndroidManifest in any text editor, you should be able to read its contents.

The next and very important part of the APK is classes.dex. classes.dex holds all the code of the application in compressed form; it is the class file in dex format that the Dalvik VM understands. Most applications are written in Java, i.e. the .java file is compiled to a .class file using the Java compiler and then the .class file is converted to a .dex file. Since the dex (Dalvik Executable) code was originally written in Java we can convert it back to Java code by decompiling it. To convert a dex file into Java you need two tools: dex2jar and the jd-gui decompiler. The first step is to use "dex2jar"; this will produce classes.dex.jar (or a jar file with whatever name your dex file was called). Now open this jar file in jd-gui and, voila, you can see the Java code.

There are certain techniques which add anti-analysis code to prevent dex files from being decompiled. For example, some applications protected by the DexGuard and APKProtect packers fail to decompile using dex2jar. In those cases use smali/baksmali to disassemble the dex file to Dalvik bytecode; you can also use "dexdump -d" to see the disassembled view of the dex file. dexdump is provided as part of the Android SDK (under build-tools).
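Before handing a sample to apktool or dex2jar, it helps to confirm what you actually have: that the APK really is a ZIP archive, whether AndroidManifest.xml is binary (needs apktool) or already plain text, and whether each classes.dex has a sane header. The script below is an added example, not code from this post or from any of the tools it names. It builds a constructed sample APK in memory (a binary-XML manifest stub plus header-only dex files, which is enough to exercise the checks), lists the archive entries, and parses the dex header fields (magic, Adler-32 checksum over everything after the checksum field, SHA-1 signature over everything after the signature, file size and the id-table counts). It goes slightly beyond the post by handling several dex files (classes.dex, classes2.dex, ...), since a packed or tampered sample often fails exactly these header checks before dex2jar ever gets to it.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# dex header: 8-byte magic, uint32 checksum, 20-byte SHA-1, then 20 uint32 fields (0x70 bytes total)
DEX_HEADER_SIZE = 0x70
DEX_HEADER_FMT = "<8sI20s20I"
DEX_UINT_FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]
# Android binary XML starts with a RES_XML_TYPE chunk: type 0x0003, header size 0x0008 (little endian)
AXML_MAGIC = b"\x03\x00\x08\x00"


def parse_dex_header(data: bytes) -> dict:
    """Parse a dex header and verify magic, checksum, signature and file size."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    fields = struct.unpack_from(DEX_HEADER_FMT, data, 0)
    magic, checksum, signature = fields[0], fields[1], fields[2]
    hdr = dict(zip(DEX_UINT_FIELDS, fields[3:]))
    hdr["magic"] = magic
    hdr["magic_ok"] = magic[:4] == b"dex\n" and magic[7:8] == b"\0"
    hdr["version"] = magic[4:7].decode("ascii", "replace")
    # checksum covers every byte after the checksum field itself (offset 12 onward)
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    # signature covers every byte after the signature field (offset 32 onward)
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    hdr["size_ok"] = hdr["file_size"] == len(data)
    return hdr


def is_binary_xml(data: bytes) -> bool:
    """True if the manifest is encoded binary XML (apktool needed), False if plain text."""
    return data[:4] == AXML_MAGIC


def triage_apk(apk_bytes: bytes) -> dict:
    """Open an APK as a ZIP, locate the manifest and dex files, and check each dex header."""
    report = {"entries": [], "has_manifest": False, "manifest_is_binary_xml": False,
              "dex_files": [], "dex_headers": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = sorted(zf.namelist())
        report["entries"] = names
        if "AndroidManifest.xml" in names:
            report["has_manifest"] = True
            report["manifest_is_binary_xml"] = is_binary_xml(zf.read("AndroidManifest.xml"))
        for name in names:
            # classes.dex, classes2.dex, ... live at the archive root
            if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                report["dex_files"].append(name)
                report["dex_headers"][name] = parse_dex_header(zf.read(name))
    return report


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only dex (no classes or code) with a valid checksum and signature."""
    magic = b"dex\n" + version + b"\0"
    tail = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678, *([0] * 17))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return struct.pack("<8sI20s", magic, checksum, signature) + tail


def build_sample_apk() -> bytes:
    """Constructed sample APK: binary-XML manifest stub, two dex files and a resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
        zf.writestr("classes.dex", build_minimal_dex())
        zf.writestr("classes2.dex", build_minimal_dex())
        zf.writestr("res/layout/main.xml", AXML_MAGIC + b"\x00" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_apk(build_sample_apk())
    print("entries:", rep["entries"])
    print("binary manifest:", rep["manifest_is_binary_xml"])
    for name, h in rep["dex_headers"].items():
        state = "ok" if h["magic_ok"] and h["checksum_ok"] and h["signature_ok"] and h["size_ok"] else "BAD"
        print(f"{name}: dex version {h['version']}, {h['class_defs_size']} classes, header {state}")
```

For a real sample replace build_sample_apk() with the bytes of the APK on disk. A mismatched checksum or signature, a magic other than "dex\n0xx\0", or a file_size that disagrees with the entry length is a strong hint that the dex was repacked or deliberately damaged, which is exactly when dex2jar tends to fail and baksmali or dexdump become the better starting point.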

That's it for today, I'll write more posts about Android analysis when I find time.