Android OS is more popular than ever before, and so is Android malware. To analyse Android malware, or any malware, we start with static analysis techniques before moving on to dynamic analysis. In this post we will discuss the important Android malware static analysis techniques and tools, listing each tool as we discuss what it does and how to work with it. All Android applications are packaged as an APK. An APK is nothing but a ZIP file; to see its contents, use your standard unarchiver on Windows or unzip on Linux. An Android application (APK) contains several files inside its archive; two of the important files that aid application analysis are AndroidManifest.xml and classes.dex.
The AndroidManifest file is an encoded binary XML file which contains vital information required to run the application: for example, the package name, permissions, activities, etc. Because it is encoded as binary XML you must convert it to readable text using apktool; apktool is provided as part of the Android SDK. The command "apktool d apkfile
The next and very important part of an APK is classes.dex. classes.dex is the compressed form of all the code of the application: it is the class file in dex format understood by the Dalvik VM. Most applications are written in Java, i.e. the .java file is compiled to a .class file by the Java compiler and then the .class file is converted to a .dex file. Since the dex (Dalvik Executable) was originally written in Java, we can convert it back to Java code by decompiling it. To convert a dex file into Java you need two tools: dex2jar and the jd-gui decompiler. The first step is to use "dex2jar
There are certain techniques that add anti-analysis code to prevent dex files from being decompiled. For example, some applications protected by the dexguard and apkprotect packers fail to decompile with dex2jar; in those cases use smali/baksmali to disassemble the dex file into Dalvik bytecode. You can also use "dexdump d
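As an added example (not code from the original post), here is a small Python triage script that treats the APK as the ZIP it is, lists its entries, and sanity-checks the classes.dex header (magic, adler32 checksum, SHA-1 signature, file_size, header_size, endian_tag) before the file is handed to dex2jar; a header that fails these checks is a reason to expect dex2jar trouble and to reach for the baksmali/dexdump route described above. The sample APK and dex are constructed in memory (a header-only dex and a placeholder manifest) so the script runs offline.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"
DEX_HEADER_LEN = 0x70

def build_dex_header():
    """Constructed sample: header-only classes.dex (file_size, header_size, endian_tag, 17 zero fields)."""
    body = struct.pack("<20I", DEX_HEADER_LEN, DEX_HEADER_LEN, 0x12345678, *([0] * 17))
    sig = hashlib.sha1(body).digest()                 # signature covers everything after itself
    checksum = zlib.adler32(sig + body) & 0xFFFFFFFF  # checksum covers everything after itself
    return DEX_MAGIC + struct.pack("<I", checksum) + sig + body

def check_dex_header(dex):
    """Return a list of header problems (empty means the dex looks sane enough to decompile)."""
    if len(dex) < DEX_HEADER_LEN:
        return ["file shorter than the %#x-byte dex header" % DEX_HEADER_LEN]
    problems = []
    if dex[:8] != DEX_MAGIC:
        problems.append("bad magic " + dex[:8].hex())
    checksum, = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != dex[12:32]:
        problems.append("sha1 signature mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    if file_size != len(dex):
        problems.append("file_size %d but file is %d bytes" % (file_size, len(dex)))
    if header_size != DEX_HEADER_LEN or endian_tag != 0x12345678:
        problems.append("unexpected header_size/endian_tag")
    return problems

def build_sample_apk(dex):
    """Constructed sample: in-memory APK (a ZIP) with a placeholder binary manifest and the dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML chunk header only
        z.writestr("classes.dex", dex)
    return buf.getvalue()

def triage_apk(apk_bytes):
    """List the archive and sanity-check classes.dex before handing it to dex2jar."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_problems = check_dex_header(z.read("classes.dex")) if "classes.dex" in names else ["classes.dex missing"]
    return {"entries": names, "has_manifest": "AndroidManifest.xml" in names, "dex_problems": dex_problems}
```

Run `triage_apk` on the bytes of a real APK to get the entry list and any header findings; the checks are deliberately strict, so a non-empty `dex_problems` list is a triage flag, not a verdict.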
That's it for today; I'll write more posts about Android analysis when I find time.