Static Android Malware Analysis
BY MAX ‘LIBRA’ KERSTEN
Table of contents
o Who am I?
o What is the workshop about?
o The Android operating system
o The lay-out of an Android PacKage
o The analysis of an APK
o Decompiling an APK
o Platforms to find samples
o The goal and strategy of the analysis
o Statically analysing malware samples
o Takeaways
o Evaluation
© MAX 'LIBRA' KERSTEN - BOTCONF2019 2
Who am I?
o Max ‘Libra’ Kersten (@LibraAnalysis)
o Graduated my bachelor cum laude in January
o Worked for ThreatFabric as an Android malware analyst
o I write blogs about reverse engineering
  o Including my own Binary Analysis Course
o Custom tools are released open-source on my Github
  o AndroidProjectCreator is featured in this workshop
Who am I?
o Employed at ABN AMRO
  o Cyber Threat Intelligence & Analytics team
  o Red Team
o Focus on outside threats to provide timely and actionable intelligence to internal departments
o Research focused projects, with the aim to also give something back to the community
What is the workshop about?
o Provides insight into Android malware analysis
o Teaches core concepts of reverse engineering
o Purely focused on static code analysis
  o What is the difference?
o Duration is between 3 and 4 hours
  o Hence the approximation on the online schedule
The Android operating system
o Applications require permissions before certain actions can be executed
o Applications are sandboxed, making direct process interaction impossible
o System updates are not pushed aggressively
o Multiple phone vendors
  o Fragment the updates even more
  o Have a different ‘code base’
The lay-out of an Android PacKage
o The AndroidManifest.xml file
  o Contains all required permissions
  o Services and intent filters are declared in here as well
o The classes.dex file
  o Contains the compiled classes
  o Multiple versions can exist, using classesN.dex as naming scheme
o The resources.arsc file
  o Contains embedded resources, such as the used views
o The META-INF folder
  o Certificate information, can be used to identify the developer
  o Also usable in Yara rules
The lay-out of an Android PacKage
o The lib folder
  o Contains native ELF libraries that the application uses
  o Libraries are present in multiple architectures
    o x86, x86_64, armeabi-v7a, arm64-v8a
o The assets folder
  o Contains arbitrary files that are used within the application
  o Malware uses this folder to store an encrypted classes.dex file
o The res folder
  o Contains resources that are used within the application
  o Examples are background images in different sizes
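As an added example (not code from the workshop), the lay-out described on these two slides as a triage script: an APK is a ZIP archive, so the parts can be inventoried without any decompilation, and files in the assets folder that start with the DEX magic or look encrypted (high entropy) are flagged as a possible hidden classes.dex. The APK it inspects is constructed in memory and is not a real sample.

```python
import io
import math
import random
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"  # header of every classes.dex / classesN.dex

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means random-looking, as encrypted or packed data is."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inventory(apk_bytes: bytes) -> dict:
    """Map the contents of an APK (a ZIP archive) onto the parts listed above."""
    report = {"manifest": False, "dex": [], "resources_arsc": False,
              "cert_files": [], "lib_abis": set(), "suspicious_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["manifest"] = True
            elif name == "resources.arsc":
                report["resources_arsc"] = True
            elif name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                report["cert_files"].append(name)           # signer certificate, usable in Yara
            elif name.startswith("lib/") and name.count("/") == 2:
                report["lib_abis"].add(name.split("/")[1])  # lib/<abi>/<library>.so
            elif name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                report["dex"].append(name)
            elif name.startswith("assets/") and not name.endswith("/"):
                data = zf.read(name)
                # A DEX hidden in assets, or a high-entropy blob, is the typical dropper payload
                if data.startswith(DEX_MAGIC):
                    report["suspicious_assets"].append((name, "plain DEX in assets"))
                elif len(data) >= 256 and shannon_entropy(data) > 7.5:
                    report["suspicious_assets"].append((name, "high entropy, possibly encrypted DEX"))
    report["dex"].sort()
    return report

def build_sample_apk() -> bytes:
    """Constructed sample, not a real malware file: the lay-out of a dropper with an encrypted payload."""
    rng = random.Random(1234)  # deterministic 'encrypted' blob for the assets folder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        zf.writestr("classes2.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("META-INF/CERT.RSA", b"<pkcs7 signature placeholder>")
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\0" * 32)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 32)
        zf.writestr("assets/config.txt", b"server=example.invalid\n")
        zf.writestr("assets/payload.bin", bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()
```

Running `inventory(build_sample_apk())` reports two DEX files, two ABIs, the signer certificate and `assets/payload.bin` as a high-entropy candidate for an encrypted classes.dex.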
The analysis of an APK
o Where do I start?
o Do I need an additional phone?
o Should I install an emulator?
o Do I need to use a Linux distribution to work on?
Decompiling an APK
[Diagram: Decode APK -> Convert DEX to JAR -> Decompile JAR to Java code -> Merge code and resources]
![Page 11: Static Android Malware Analysis - Max Kersten€¦ · The goal and strategy of the analysis oDetermine the goal of the analysis oIs this application malicious? oWhat applications](https://reader034.vdocuments.net/reader034/viewer/2022042409/5f268e9a8236616cbb2ccaa3/html5/thumbnails/11.jpg)
Decode APKConvert DEX to Java code
Merge code and resources
Decompiling an APK
Decompiling an APK
o APKTool to obtain the manifest, resources and Dalvik bytecode
o Dex2Jar to convert the Dalvik bytecode to Java bytecode
o A Java decompiler to obtain Java code
  o JD-GUI
  o Fernflower
  o JAD-X
  o CFR
  o Procyon
Decompiling an APK
o Direct decompilation/disassembly
  o Radare2 (with r2dec)
  o Ghidra
  o JEB
o Combine multiple tools using AndroidProjectCreator
  o Converts the APK into an Android Studio project
  o Leverages the power of Android Studio to analyse the code, including existing plug-ins
Platforms to find samples
o APKLab
o APKDetect
o Koodous
o VirusBay
o VirusTotal
The goal and strategy of the analysis
o Determine the goal of the analysis
  o Is this application malicious?
  o What applications are being targeted by this malware sample?
  o The Command & Control traffic of the bot is encrypted, can you decrypt it?
  o It is suspected that the malware uses a domain name generation algorithm, can you figure out how the domains are generated and provide a list of the first hundred domains?
o Determine the strategy
  o Dynamic analysis
  o Static analysis
Break
o Take a break, chat with your neighbours, and share some tips if you have them!
Statically analysing malware samples
o Two analysis methods
  o Loading a new classes.dex file
  o Finding the command switch
o Three common techniques
  o Default application replacement
  o Overlay attacks
  o Logging keystrokes
Loading a new classes.dex file
o The classes.dex file contains the compiled Java code
  o Results in additional capabilities being loaded
  o Or the original code only functions as a loader to evade detection systems
o Compared to the desktop platform, there are fewer
  o Packers available
  o Loading methods
[Diagram: Loader -> Encrypted bot -> Complete application]
Hands on task
o Analyse the given dropper to obtain the malicious classes.dex file
Break
o Take a break, chat with your neighbours, and share some tips if you have them!
Finding the command switch
o To avoid complicating code, classes are used
o Classes serve a single purpose
o Classes can be objects, interfaces, models, views, containers, and much more
o A class that refers to a lot of other classes is often observed as a handler
Finding the command switch
[Diagram: Handler -> A, B, C]
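The "class that refers to a lot of other classes is often the handler" heuristic, together with the loader detection from the previous section, as an added example that is not part of the workshop material: it ranks decompiled classes by how many other application classes they reference, pulls the command strings out of the top candidate's switch or if-chain, and lists classes that load a DEX at runtime. The decompiled sources are a constructed toy, not a real family.

```python
import re
from collections import Counter

# Constructed decompiled sources (not a real malware family); keys mimic paths in a decompiled tree
SOURCES = {
    "com/example/app/MainActivity.java": """
        public class MainActivity extends Activity {
            public void onCreate(Bundle b) { new Loader(this).run(); new CommandHandler(this).poll(); }
        }""",
    "com/example/app/CommandHandler.java": """
        public class CommandHandler {
            public void handle(String cmd, String arg) {
                switch (cmd) {
                    case "send_sms":     new SmsSender().send(arg); break;
                    case "get_contacts": new ContactReader().dump(); break;
                    default: if (cmd.equals("self_destruct")) { new Cleaner().wipe(); }
                }
            }
        }""",
    "com/example/app/Loader.java": """
        public class Loader {
            public void run() {   // decrypts the asset to disk, then loads it as a second classes.dex
                new DexClassLoader(decryptAsset("payload.bin"), null, null, getClass().getClassLoader());
            }
        }""",
    "com/example/app/SmsSender.java": "public class SmsSender { void send(String s) {} }",
    "com/example/app/ContactReader.java": "public class ContactReader { void dump() {} }",
    "com/example/app/Cleaner.java": "public class Cleaner { void wipe() {} }",
}

# Android APIs that load code at runtime; a class using them is a loader candidate
LOADER_APIS = ("DexClassLoader", "PathClassLoader", "InMemoryDexClassLoader", "loadDex")

def class_name(path: str) -> str:
    return path.rsplit("/", 1)[-1][:-len(".java")]

def reference_counts(sources: dict) -> Counter:
    """Out-degree per class: how many other application classes it refers to."""
    names = {class_name(p) for p in sources}
    counts = Counter()
    for path, code in sources.items():
        me = class_name(path)
        counts[me] = sum(1 for n in names if n != me and re.search(rf"\b{re.escape(n)}\b", code))
    return counts

def handler_candidates(sources: dict, top: int = 3) -> list:
    """Classes referring to the most other classes; the command switch is usually in the first."""
    return [name for name, _ in reference_counts(sources).most_common(top)]

def extract_commands(code: str) -> list:
    """Command strings compared in a switch (case "x":) or an if-chain (cmd.equals("x"))."""
    cmds = re.findall(r'case\s+"([^"]+)"\s*:', code)
    cmds += re.findall(r'\.equals\(\s*"([^"]+)"\s*\)', code)
    return sorted(set(cmds))

def loader_classes(sources: dict) -> list:
    """Classes that load a new DEX at runtime, i.e. the loader half of a dropper."""
    return sorted(class_name(p) for p, code in sources.items() if any(api in code for api in LOADER_APIS))
```

On a real decompiled tree, feed `SOURCES` from the `.java` files on disk; obfuscated names do not matter because only the reference graph and string constants are used.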
Hands on task
o Analyse the given malware to find the command switch
o Figure out which commands there are, and what they do
Break
o Take a break, chat with your neighbours, and share some tips if you have them!
Default application replacement
o Used to manage certain utilities
  o Installing an improved SMS manager
o Often abused by malware as it grants valuable permissions
  o Steal Two Factor Authentication messages
  o Send out texts that link to malware
  o Obtain phone numbers
Hands on task
o Analyse the given malware and explain what the malware is capable of
Break
o Take a break, chat with your neighbours, and share some tips if you have them!
Overlay attacks – a synopsis
o An attack that is used to obtain
  o Credentials
  o Credit card information
o Time based attack based on user-input
o Different Android versions require different techniques
  o Actors and defenders play a cat and mouse game
Hands on task
o Find how and where the overlays are used
  o Trick bonus question: where are all the banking applications located?
Break
o Take a break, chat with your neighbours, and share some tips if you have them!
Logging keystrokes
o Unable to hook the system like on the desktop platform
o Can abuse the Accessibility Service to get information on keystrokes
  o Easily detected by Google on the Play Store
  o Generic rules will find the sample
o Taking screenshots upon noticing a keypress
  o Password characters are briefly visible on the screen by default
  o Getting more contextual information
o Touch based location keylogging
  o Spotted in the wild and wrote about it
  o Works based on the location where a keypress is made
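The three techniques (default SMS application replacement, overlay attacks and keystroke logging through the Accessibility Service) all leave traces in the AndroidManifest.xml, so a first pass over the manifest decoded by APKTool already tells you which of them to look for in the code. The script below is an added example, not from the workshop; the manifest it parses is constructed, and the permission and intent-filter names are the real Android identifiers (a default SMS app needs, among other things, a receiver for SMS_DELIVER; an accessibility service is guarded by BIND_ACCESSIBILITY_SERVICE; overlays need SYSTEM_ALERT_WINDOW).

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

# Manifest evidence mapped onto the three techniques discussed above
PERMISSION_HINTS = {
    "android.permission.RECEIVE_SMS": "default application replacement",
    "android.permission.READ_SMS": "default application replacement",
    "android.permission.SEND_SMS": "default application replacement",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "logging keystrokes",
}
ACTION_HINTS = {
    "android.provider.Telephony.SMS_DELIVER": "default application replacement",
    "android.accessibilityservice.AccessibilityService": "logging keystrokes",
}

# Constructed sample of a manifest as decoded by APKTool; not taken from a real sample
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application>
        <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
            <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
        </receiver>
        <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
        </service>
    </application>
</manifest>"""

def triage_manifest(xml_text: str) -> list:
    """Return (evidence, technique) pairs found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(A + "name", "")
        if name in PERMISSION_HINTS:
            findings.append((name, PERMISSION_HINTS[name]))
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        perm = comp.get(A + "permission", "")  # e.g. a service guarded by BIND_ACCESSIBILITY_SERVICE
        if perm in PERMISSION_HINTS:
            findings.append((f"{comp.tag} {comp.get(A + 'name')}", PERMISSION_HINTS[perm]))
        for action in comp.iter("action"):
            name = action.get(A + "name", "")
            if name in ACTION_HINTS:
                findings.append((f"{comp.tag} {comp.get(A + 'name')} handles {name}", ACTION_HINTS[name]))
    return findings

def techniques(xml_text: str) -> set:
    """The set of techniques the manifest gives evidence for."""
    return {technique for _, technique in triage_manifest(xml_text)}
```

The manifest only shows capability, not use: a flagged permission is where to start reading the decompiled code, not a verdict.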
Hands on task
o Find out how the keylogger works in detail
Break
o Take a break, chat with your neighbours, and share some tips if you have them!
Takeaways
o Android application lay-out
o Decompiling an APK using various methods
o Determining the investigation’s goal and strategy
o Efficient analysis methods
o Common malicious techniques
Evaluation
o Please take a few minutes to fill in the evaluation sheet that is handed out
o Next iterations of this workshop will be improved based on your feedback
Surprise – platform access
o Please leave your name and email with me to get access to
  o APKDetect by Witold Precikowski (@pr3wtd)
  o APKLab by Avast