Today I will introduce two methods of decompilation used when analysing Android malware.
Now, let’s go!
What is reverse engineering?
Reverse engineering is the process of analysing a program's code to find vulnerabilities or defects; more concretely, it is the process of recovering source code (or a readable equivalent) from executable code. The technique is used to test how a program really behaves, or to bypass its security checks. It is also what makes it possible to modify a program so that it behaves the way the person decompiling it wants.
Reverse engineering is also how Android malware is analysed: the application is taken apart so that its workings and behaviour can be understood by reading the recovered code and debugging it.
For static analysis I will use two ways of reverse engineering an Android app:
– Use ApkTool to disassemble the app and analyse the resulting smali code in Sublime Text 3.
– Use Dex2Jar to convert the .dex file into a Java .jar, then open the .jar in JD-GUI to read the decompiled Java code.
Method 1: Use ApkTool
You can download ApkTool here.
Go to the directory containing ApkTool and run the tool with the command:
java -jar apktool.jar
Run without arguments, it prints its usage and all the options ApkTool supports.
To decode the apk file we execute the following command (the sample analysed here is com.app.lotte.auth-1.apk):
java -jar apktool.jar d com.app.lotte.auth-1.apk
The file analysed here can be downloaded here.
I: Using Apktool 2.2.2 on com.app.lotte.auth-1.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: C:\Users\AppData\Local\apktool\framework\1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
If the command completes without errors, a folder named after the application (in my case, after the malware) is created in the same directory. Its contents:
res: this folder contains the XML files that define layouts, drawables, attributes, languages (string resources), etc.
AndroidManifest.xml: one of the most important XML files. It lists the permissions the application requests or uses; in other words, it holds a large amount of information about the application.
smali: this directory contains the application's code disassembled into smali. Note that smali is a disassembly of the Dalvik bytecode, not the original Java source, but it reflects exactly what the app executes. You can read it with Sublime Text.
We can repack the app with the help of ApkTool using the command (the argument is the decoded folder):
java -jar apktool.jar b com.app.lotte.auth-1
I: Using Apktool 2.2.2
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
You can download the file here.
Using ApkTool to reverse engineer .apk files.
Use Sublime Text to view the file AndroidManifest.xml. The sample requests the following permissions:
android.permission.SYSTEM_ALERT_WINDOW
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_PHONE_STATE
android.permission.READ_CONTACTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.GET_TASKS
android.permission.READ_LOGS
Analysing the smali files we obtained the following information:
– The application retrieves the path of the internal storage and of the files the user has downloaded.
– It tries to obtain information about the storage.
– It creates a new directory.
– It creates a new file.
– It collects: DeviceId, SubscriberId, SimSerialNumber, Line1Number, NetworkType.
– It writes the collected information to storage in key: value form.
In the file MobclickAgen.smali:
– The app collects version_code, package, appkey and update status.
– The application tries to delete the log.
From these results we can see that the application is a trojan. Once installed on the victim's device it does the following:
– Obtains information about the victim: DeviceId, SubscriberId, SimSerialNumber, Line1Number, NetworkType.
– Creates a file to store the collected information, and gathers information about the application itself such as version code, package, appkey and update status.
– After collecting this information, it accesses the log and clears it to remove its traces (which is what the READ_LOGS permission above is for).
– With the information obtained, the application can send it to the attacker's server, where the user's data is collected for later attacks.
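The manifest review and the smali walk-through above can be turned into a repeatable first-pass triage of an apktool output directory. The script below is an added example, not code from the original post: it lists the requested permissions, flags the ones on a watch list (the watch list is this example's own choice, not an Android-defined category), and scans every .smali file for invoke-* instructions that call the TelephonyManager getters and java.io.File methods named in the findings. The AndroidManifest.xml and Collector.smali it writes into a temporary directory are constructed for the demo and are not taken from the analysed sample.

```python
"""Triage an apktool output dir: manifest permissions + smali call scan.
Added example (not the post's own code). The manifest and smali below are
constructed for the demo and are not from the analysed sample."""
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Analyst's watch list (an assumption of this example, not an Android category).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "IMEI, IMSI, SIM serial, phone number",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_LOGS": "other apps' logcat output",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows on top of other apps",
    "android.permission.GET_TASKS": "list of running apps",
}

# Dalvik method signatures exactly as they appear in smali invoke-* lines.
WATCHED_CALLS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;": "DeviceId",
    "Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;": "SubscriberId",
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;": "SimSerialNumber",
    "Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;": "Line1Number",
    "Landroid/telephony/TelephonyManager;->getNetworkType()I": "NetworkType",
    "Ljava/io/File;->mkdir()Z": "mkdir",
    "Ljava/io/File;->createNewFile()Z": "createNewFile",
}


def manifest_permissions(manifest_path):
    """Sorted android:name values of every <uses-permission> element."""
    root = ET.parse(manifest_path).getroot()
    return sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))


def flag_permissions(permissions):
    """Map each requested permission that is on the watch list to what it unlocks."""
    return {p: SUSPICIOUS_PERMISSIONS[p] for p in permissions if p in SUSPICIOUS_PERMISSIONS}


def scan_smali(smali_root):
    """Return {label: [(relative file, line number), ...]} for watched calls.
    Only invoke-* instructions match, so a signature inside a string constant
    or a comment is not reported as a call."""
    hits = {}
    for dirpath, _, files in os.walk(smali_root):
        for name in files:
            if not name.endswith(".smali"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, smali_root).replace(os.sep, "/")
            with open(path, encoding="utf-8") as fh:
                for line_no, line in enumerate(fh, 1):
                    if not line.lstrip().startswith("invoke-"):
                        continue
                    for sig, label in WATCHED_CALLS.items():
                        if sig in line:
                            hits.setdefault(label, []).append((rel, line_no))
    return hits


def triage(apktool_dir):
    perms = manifest_permissions(os.path.join(apktool_dir, "AndroidManifest.xml"))
    return {"permissions": perms, "flagged": flag_permissions(perms),
            "calls": scan_smali(os.path.join(apktool_dir, "smali"))}


# Constructed sample input (not from the real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>
"""
SAMPLE_SMALI = "\n".join([
    ".class public Lcom/example/sample/Collector;",
    ".super Ljava/lang/Object;",
    "",
    ".method public collect(Landroid/telephony/TelephonyManager;)V",
    "    .locals 2",
    "    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "    move-result-object v0",
    "    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;",
    "    move-result-object v1",
    "    new-instance v0, Ljava/io/File;",
    "    invoke-virtual {v0}, Ljava/io/File;->mkdir()Z",
    "    return-void",
    ".end method", ""])


def build_sample_dir():
    """Write the constructed files into a temp dir shaped like apktool's output."""
    root = tempfile.mkdtemp(prefix="apktool_demo_")
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MANIFEST)
    cls_dir = os.path.join(root, "smali", "com", "example", "sample")
    os.makedirs(cls_dir)
    with open(os.path.join(cls_dir, "Collector.smali"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SMALI)
    return root


if __name__ == "__main__":
    report = triage(build_sample_dir())
    for perm, why in report["flagged"].items():
        print(f"{perm}: {why}")
    for label, where in report["calls"].items():
        print(f"{label}: {where}")
```

Point it at a real apktool output folder with triage("com.app.lotte.auth-1") and read the hits alongside the smali. Two caveats: a signature match only tells you the call exists somewhere, not that it is reachable, and a sample that fetches the same data through reflection or native code will not show up in this scan, so a clean result is not a clean bill of health.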
Method 2: Use Dex2Jar
You can read more about dex2jar here.
Download dex2jar here.
Save the file to be analysed in dex2jar's directory. An .apk file is really just a ZIP archive, so you can open it with WinZip or any other decompression tool. In this case I use the file downloaded from the link above. Extracting the .apk we obtain:
Next, open cmd and move to the dex2jar root directory. The malware's classes.dex must be in the same directory as dex2jar.bat, so copy classes.dex there. Then we run dex2jar.bat with classes.dex as its argument:
If the command runs without error we obtain classes-dex2jar.jar, which we open in JD-GUI. Keep in mind that the dex-to-jar conversion and JD-GUI's decompilation can produce wrong or missing code for obfuscated or unusual methods; when the Java looks suspicious, compare it against the smali from method 1, which is always complete.
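Before handing a classes.dex to dex2jar it is worth pulling it out of the APK programmatically and checking that it is a well-formed DEX file, since a truncated or deliberately corrupted header is a common reason the conversion fails. The script below is an added example, not code from the original post or from the dex2jar project: it treats the APK as a ZIP, extracts every classes*.dex (multidex apps ship several), and validates the fixed 0x70-byte DEX header (magic, Adler-32 checksum over everything after the checksum field, SHA-1 signature over everything after the signature field, file_size, header_size and endian tag). The APK is constructed in memory from a header-only DEX so that the example runs offline.

```python
"""Extract classes*.dex from an APK and validate the DEX header.
Added example (not the post's or dex2jar's code). The APK and the DEX inside
it are constructed below; the DEX is header-only and contains no classes."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70                     # every DEX starts with a 112-byte header
DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data):
    """Return the triage-relevant header fields; raise ValueError if the
    magic, checksum, signature, sizes or endian tag do not line up."""
    if len(data) < DEX_HEADER_LEN:
        raise ValueError("too short to be a DEX file")
    magic = data[:8]
    if magic not in DEX_MAGICS:
        raise ValueError(f"bad magic {magic!r}")
    (checksum,) = struct.unpack_from("<I", data, 8)   # adler32 of data[12:]
    signature = data[12:32]                            # SHA-1 of data[32:]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("checksum mismatch (truncated or patched file?)")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("signature mismatch")
    if file_size != len(data) or header_size != DEX_HEADER_LEN:
        raise ValueError("file_size/header_size inconsistent with the data")
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian tag")
    # string_ids, type_ids, proto_ids, field_ids, method_ids, class_defs: (size, off) pairs
    ids = struct.unpack_from("<12I", data, 0x38)
    return {"version": magic[4:7].decode(), "file_size": file_size,
            "string_ids": ids[0], "type_ids": ids[2], "method_ids": ids[8],
            "class_defs": ids[10]}


def is_valid_dex(data):
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def extract_dex_files(apk_bytes):
    """{name: bytes} for every top-level classes*.dex in the APK (ZIP) archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()
                if n.startswith("classes") and n.endswith(".dex") and "/" not in n}


def build_minimal_dex(version=b"035"):
    """Constructed header-only DEX with a consistent size, signature and checksum."""
    body = struct.pack("<III", DEX_HEADER_LEN, DEX_HEADER_LEN, ENDIAN_CONSTANT)  # file_size, header_size, endian
    body += struct.pack("<3I", 0, 0, 0)               # link_size, link_off, map_off
    body += struct.pack("<12I", *([0] * 12))          # six empty id/def tables
    body += struct.pack("<II", 0, DEX_HEADER_LEN)     # data_size, data_off
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body


def build_sample_apk():
    """Constructed APK: a ZIP with a placeholder manifest and the minimal DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", build_minimal_dex())
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, dex in extract_dex_files(build_sample_apk()).items():
        print(name, parse_dex_header(dex))
```

For a real sample, replace build_sample_apk() with the bytes of the downloaded .apk and write each extracted DEX to disk for dex2jar. The checksum and signature checks are the useful part: a DEX that fails them has been truncated or hand-edited (some malware patches the header to break tools), which tells you why dex2jar or JD-GUI is choking before you blame the tools.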
In this post I have walked you through two methods used to reverse engineer the code of an Android application.
I hope you find something useful in it.