Scribd
Upload
130 views69 pages

Insomnidroid Reverse Engineering

The document discusses various tools for reversing engineered Android applications, beginning with examining the contents of an Android application package (APK) file. It provides tutorials on reversing specific Android malware samples, examining the Android manifest, application resources, Dalvik executable files, and Java/Smali source code. The document demonstrates tools for decompiling DEX files, including Apktool, dex2jar, and the DED decompiler. It also provides an example of reversing the Android/Spitmo.C!tr.spy malware sample to analyze its behavior and identify key components.

Uploaded by

metatron13
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
130 views69 pages

Insomnidroid Reverse Engineering

The document discusses various tools for reversing engineered Android applications, beginning with examining the contents of an Android application package (APK) file. It provides tutorials on reversing specific Android malware samples, examining the Android manifest, application resources, Dalvik executable files, and Java/Smali source code. The document demonstrates tools for decompiling DEX files, including Apktool, dex2jar, and the DED decompiler. It also provides an example of reversing the Android/Spitmo.C!tr.spy malware sample to analyze its behavior and identify key components.

Uploaded by

metatron13
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 69

Android Reverse Engineering Tools

From an anti-virus analyst's perspective


Axelle Apvrille
InsomniHack'12, March 2012

Agenda

Contents of an
APK: manifest,
.dex, resources...
Tutorial: reversing
Android/Spitmo.C!tr.spy
A few other tricks:
logs,
anti-emulator...
Miscellaneous tools

InsomniHack'12 - A. Apvrille

2/42

APK - Android Packages

InsomniHack'12 - A. Apvrille

3/42

Example: APK contents of Android/Spitmo.C!tr.spy

$ unzip criptomovil.apk
Archive: criptomovil.apk
inflating: res/layout/main.xml
inflating: AndroidManifest.xml
extracting: resources.arsc
extracting: res/drawable-hdpi/icon.png
extracting: res/drawable-ldpi/icon.png
extracting: res/drawable-mdpi/icon.png
inflating: classes.dex
inflating: META-INF/MANIFEST.MF
inflating: META-INF/CERT.SF
inflating: META-INF/CERT.RSA

InsomniHack'12 - A. Apvrille

4/42

Reading the AndroidManifest.xml


Binary manifest
$ hexdump
00000000
00000010
00000020

-C
03
3d
00

AndroidManifest.xml |
00 08 00 b0 1c 00 00
00 00 00 00 00 00 00
00 00 00 00 00 00 00

head
01 00 1c 00 8c 0d 00 00 |...........
00 00 00 00 10 01 00 00 |=..........
1a 00 00 00 34 00 00 00 |...........

Better with aapt


$ aapt dump xmltree criptomovil.apk AndroidManifest.xml
N: android=http://schemas.android.com/apk/res/android
E: manifest (line=2)
A: android:versionCode(0x0101021b)=(type 0x10)0x1
A: android:versionName(0x0101021c)="1.0" (Raw: "1.0")
A: package="com.antivirus.kav" (Raw: "com.antivirus.kav")
E: uses-permission (line=8)
A: android:name(0x01010003)="android.permission.
BROADCAST_STICKY"
(Raw: "android.permission.BROADCAST_STICKY")
InsomniHack'12 - A. Apvrille

5/42

Reading the AndroidManifest.xml (2)


AXMLPrinter
$ java -jar AXMLPrinter2.jar AndroidManifest.binary.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest
xmlns:android="http://schemas.android.com/apk/res/android"
android:versionCode="4"
..

Other Swiss Knives


I Androguard: collection of Python tools

$ ./androaxml.py -i criptomovil.apk -o
AndroidManifest.human.xml

Apktool: re-engineering Android apps

$ java -jar apktool.jar d criptomovil.apk output

InsomniHack'12 - A. Apvrille

6/42

Reading package resources


I

I
I

Same as the manifest: they are not directly readable (for


humans...)
aapt dump resources works, but output not excellent
Use Apktool! Great tool :)

$ java -jar apktool.jar d criptomovil.apk output


...
$ cat output/res/layout/main.xml
<?xml version="1.0" encoding="UTF-8"?>
<LinearLayout android:orientation="vertical"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
...

InsomniHack'12 - A. Apvrille

7/42

Dalvik Executables (.dex)

Similar to Java .class: .class converted to .dex by "dx"


More at:

http://en.wikipedia.org/wiki/Dalvik_(software)
Opcodes: see http://pallergabor.uw.hu/androidblog/
dalvik_opcodes.html

Parse with a hex editor. 010 Editor has a Dex template


InsomniHack'12 - A. Apvrille

8/42

Dalvik bytecode - Android/Foncy.A!tr

InsomniHack'12 - A. Apvrille

9/42

Dissassembling DEX: you (probably) don't want to use


dexdump

I
I

InsomniHack'12 - A. Apvrille

10/42

Ships with the


Android SDK, in
platform-tools/
Always works (?)
Output dicult to
read: all classes
together etc.

Disassembling DEX
I

Apktool: produces
smali
Code syntax
highlight:
I Emacs: Nelson

Elhage or Tim
Strazzere
I Vim: Jon

Larimer
I Notepad++:

lohan+
I UltraEdit:

lohan+

InsomniHack'12 - A. Apvrille

11/42

Issues with disassembling


$ java -jar apktool.jar d fjcon.apk output
Exception in thread "main" brut.androlib.AndrolibException:
brut.directory.DirectoryException: java.util.zip.ZipException:
error in opening zip file
at brut.androlib.ApkDecoder.hasSources(Unknown Source)
...

Dedexer produces .ddx les


http://jasmin.sourceforge.net/about.htmlJasmin w/
Dalvik opcodes
$ mkdir ./dedexer
$ java -jar ddx1.18.jar -d ./dedexer/ ./classes.dex
...
$ cat ./dedexer/com/nl/MyService.ddx
...
.method public <init>()V
.limit registers 2
; this: v1 (Lcom/nl/MyService;)
.line 74
invoke-direct {v1},android/app/Service/<init> ; <init>()V
InsomniHack'12 - A. Apvrille

12/42

The DED Decompiler


Command line - Decompiling Android/RootSmart.A!tr
$./ded.sh suspect.apk -d ./ded-output -c
...
Soot finished on Fri Feb 10 14:05:46 CET 2012
Soot has run for 0 min. 2 sec.
./ded-output/optimized-decompiled/[..]/smart/y.java
Decompiled 144 classes out of 152
Retargeting time: 32.708s
Decompilation time: 945.141s

InsomniHack'12 - A. Apvrille

13/42

dex2jar + jd-gui
I

Dex2jar: Java-based tool converting .dex to .jar :)

$ ./dex2jar.sh criptomovil.apk
dex2jar version: reader-1.7, translator-0.0.9.6, ir-1.4
dex2jar criptomovil.apk -> criptomovil_dex2jar.jar
Done.
I
I

View the Jar with a Java Decompiler (jd-gui, jad, dj...)


"Java Decompiler" Pros: GUI, save source les, browse Jar,
jump from one class to another
Cons: not specically meant for Dalvik, a few bugs (but not
many)

InsomniHack'12 - A. Apvrille

14/42

Decompiled Java source code - at a glance

Figure: Android/Spitmo.C!tr.spy

InsomniHack'12 - A. Apvrille

15/42

Tutorial with Android/Spitmo.C!tr.spy


Step 1. Read the manifest
I Identify the entry points.
I Several permissions.

InsomniHack'12 - A. Apvrille

16/42

Tutorial with Android/Spitmo.C!tr.spy


Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service

InsomniHack'12 - A. Apvrille

16/42

Tutorial with Android/Spitmo.C!tr.spy


Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service
I SMS Receiver with high priority

InsomniHack'12 - A. Apvrille

16/42

Tutorial with Android/Spitmo.C!tr.spy


Step 1. Read the manifest
I Identify the entry points.
I Several permissions.
I A service
I SMS Receiver with high priority
I Main

InsomniHack'12 - A. Apvrille

16/42

Reversing MainActivity
I

onCreate() called when application is launched.

InsomniHack'12 - A. Apvrille

17/42

Reversing MainActivity
I
I

onCreate() called when application is launched.


Get 8th character of IMEI.

InsomniHack'12 - A. Apvrille

17/42

Reversing MainActivity
I
I
I

onCreate() called when application is launched.


Get 8th character of IMEI.
Display alert dialog with activation code "1"+8th char+"3"

InsomniHack'12 - A. Apvrille

17/42

Reversing MainActivity
I
I
I
I

onCreate() called when application is launched.


Get 8th character of IMEI.
Display alert dialog with activation code "1"+8th char+"3"
Exit dialog when button pressed

InsomniHack'12 - A. Apvrille

17/42

Reversing KavService
How to start a service
I startService() onCreate() onStartCommand() (or
onStart() for old SDKs)
I bindService() onCreate()
Not started?
$ grep -ri startService ./smali
$ grep -ri bindService ./smali
Not used (yet)?

InsomniHack'12 - A. Apvrille

18/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver with Java Decompiler

InsomniHack'12 - A. Apvrille

19/42

Reversing SmsReceiver
Things we know
I onReceive processes incoming SMS messages
I AntivirusEnabled is a ag, if not enabled, won't do much.
I Calls GetStaticDataString
I Retrieves SMS body and originating phone number
I Formats a string: &from=ORIGIN&text=BODY
I Calls GetRequest
I AntivirusEnabled true: don't forward SMS to others
Things which are unclear yet
I What does GetStaticDataString() do?
I The result of GetStaticDataString() is overwritten...?
I What is variable k?
I What does GetRequest() do?
InsomniHack'12 - A. Apvrille

20/42

GetStaticDataString

InsomniHack'12 - A. Apvrille

21/42

GetStaticDataString

InsomniHack'12 - A. Apvrille

21/42

Reversing SmsReceiver
Things we know
I onReceive processes incoming SMS messages
I AntivirusEnabled is a ag, if not enabled, won't do much.
I Calls GetStaticDataString: ?to=PHONE&i=IMSI&m=IMEI...
I Retrieves SMS body and originating phone number
I Formats a string: &from=ORIGIN&text=BODY
I Calls GetRequest
I AntivirusEnabled true: don't forward SMS to others
Things which are unclear yet
I The result of GetStaticDataString() is overwritten...?
I What is variable k?
I What does GetRequest() do?
InsomniHack'12 - A. Apvrille

22/42

A look into Smali

InsomniHack'12 - A. Apvrille

23/42

A look into Smali

InsomniHack'12 - A. Apvrille

23/42

A look into Smali

InsomniHack'12 - A. Apvrille

23/42

A look into Smali

InsomniHack'12 - A. Apvrille

23/42

A look into Smali

InsomniHack'12 - A. Apvrille

23/42

A look into Smali

InsomniHack'12 - A. Apvrille

23/42

Findings with Smali


I

Bad decompilation of rst initial test:


// WRONG
if (! intent.getAction().equals("OUTGOING_CALL") &&
! intent.getAction().equals("BOOT_COMPLETED")) {
}
// CORRECT
if (intent.getAction().equals("OUTGOING_CALL") {
...
} else if (! intent.getAction().equals("BOOT_COMPLETED")) {
}

Missing variable names: TotalHideSms (AntivirusEnabled ag)


and SendReport (k)
Wrong decompilation of string composition: GetString
initialized to GetStaticDataString() and then append
&from=ORIGIN&text=BODY
InsomniHack'12 - A. Apvrille

24/42

Reversing SmsReceiver
Things we know
I If OUTGOING_CALL, schedule KavService
I Build string, initialize it to: ?to=PHONE&i=IMSI&m=IMEI...
I Retrieves SMS body and originating phone number
I Append &from=ORIGIN&text=BODY to string
I Calls GetRequest if SendReport true
I AntivirusEnabled true: don't forward SMS to others
Things which are unclear yet
I What does GetRequest() do?

InsomniHack'12 - A. Apvrille

25/42

GetRequest: Decompilation failure

InsomniHack'12 - A. Apvrille

26/42

Solution? Use another tool!


I
I

Use another decompiler (e.g Jad)


Or read smali

InsomniHack'12 - A. Apvrille

27/42

Or read smali

Solution? Use another tool!

InsomniHack'12 - A. Apvrille

27/42

Solution? Use another tool!

InsomniHack'12 - A. Apvrille

27/42

GetRequest decompilation

I
I
I
I

LinkAntivirus(): obfuscated string

URL = de-obfuscated string + parameter


Open URL
Read HTTP response
If HTTP response is ok (200), read header ForgetMessages:
store in AntivirusEnabled ag

InsomniHack'12 - A. Apvrille

28/42

Spitmo: conclusion
What it does
I Displays a fake 3-digit activation code. 2nd digit is based on
IMEI
I KavService not used. Missing start command?
I SMS forwarded to a remote URL:

http://CENSORED?to=PHONE&i=IMSI&m=IMEI&aid=ACTIVATIONCODE&h=BOOLEAN&from=ORIGIN&text=BODY

Lessons learned
Read smali when decompilation fails

InsomniHack'12 - A. Apvrille

29/42

Understanding access$0
.method static synthetic access$0(Lcom/tapjoy/TJCOffersWebView;)
Landroid/widget/ProgressBar;
.locals 1
.parameter

.prologue
.line 28
iget-object v0, p0, Lcom/tapjoy/TJCOffersWebView;->progressBar:Landr
return-object v0
.end method

Compiler created
I Java: Inner classes can access private members of their
enclosing class.
I Byte-code: creates synthetic access$0
InsomniHack'12 - A. Apvrille

30/42

Anti-emulator tricks
Honeynet challenge 2011
// com.fc9.currencyguide.daemon.e.b:
if (a.a(Build.DEVICE).equalsIgnoreCase(
"46a808cfd5beafa5e60aefee867bf92025dc2849"))
localBoolean = Boolean.valueOf(1); // true
}
...
// com.fc9.currencyguide.fc9:
if (!com.fc9.currencyguide.daemon.e.b.a().booleanValue()) {
// MALICIOUS BEHAVIOUR
} else { // DO NOTHING }
I

46a808cfd5beafa5e60aefee867bf92025dc2849 =
sha1sum("generic")
5a374dcd2e5eb762b527af3a5bab6072a4d24493 =
sha1sum("sdk") ...
Dierent behaviour if on an emulator :(
InsomniHack'12 - A. Apvrille

31/42

Solution: modify the application


Modify the smali code
1. Fix the test

2. Recompile the smali les


$ ./apktool b -d ~/honeynet/smali-re modified.apk
$ jarsigner -verbose -keystore test.ks modified.apk test

InsomniHack'12 - A. Apvrille

32/42

Adding debug logs


I
I

Modify & recompile smali! No need to have source code :)


Example: Insert calls to Log.v
const-string v6, "AXELLE str: "
invoke-static {v6, v0}, Landroid/util/Log;->v(Ljava/lang/String;
Ljava/lang/String;)I

I
I
I

call = invoke-static
v0 = what to log
re-use variables with caution...

adb logcat:

..
V/AXELLE: str: (
..

407): CD2ACE300D6687D4

InsomniHack'12 - A. Apvrille

33/42

Customize Your Emulator

Patch

emulator-arm
I

Search for
+CGSN:
IMEI
Search for
+CIMI: IMSI

InsomniHack'12 - A. Apvrille

34/42

Customize Your Emulator

Patch

emulator-arm
I

Search for
+CGSN:
IMEI
Search for
+CIMI: IMSI

InsomniHack'12 - A. Apvrille

34/42

Who uses those permissions?


Androguard's androlyze
$ ./androlyze.py -i criptomovil.apk -x
PERM : READ_PHONE_STATE
Lcom/antivirus/kav/MainActivity; onCreate
(Landroid/os/Bundle;)V (@onCreate-BB@0x0-0x16)
---> Landroid/telephony/TelephonyManager;
getDeviceId ()Ljava/lang/String;
Lcom/antivirus/kav/SmsReceiver; GetStaticDataString
(Landroid/content/Context;) Ljava/lang/String;
(@GetStaticDataString-BB@0x0-0x10) --->
Landroid/telephony/TelephonyManager;
getLine1Number ()Ljava/lang/String;
...
PERM : INTERNET
Lcom/antivirus/kav/SmsReceiver; GetRequest
(Ljava/lang/String;)I (@GetRequest-BB@0x3c-0x3c)
---> Ljava/net/URL; openConnection ()
Ljava/net/URLConnection;
InsomniHack'12 - A. Apvrille

35/42

Similarities and dierences


Androsim
$ ./androsim.py -i com.christmasgame.balloon_v1.3.apk
plankton_sample1.apk
DIFF METHODS : 115
NEW METHODS : 5
MATCH METHODS : 0
DELETE METHODS : 318
[0.9955412745475769, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0,
..
1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0]
0.0038437288383

Conclusion: Those samples of Riskware/CounterClank and


Android/Plankton are not similar :)

InsomniHack'12 - A. Apvrille

36/42

Visualization of APK: Androguard + cytoscape


Is it usable?
$ ./androxgmml.py -i sample.apk -o output.xgmml -f

InsomniHack'12 - A. Apvrille

37/42

Visualization of APK: Androguard + cytoscape


Is it usable?
$ ./androxgmml.py -i sample.apk -o output.xgmml -f

InsomniHack'12 - A. Apvrille

37/42

Androguard + gephi
Powerful... but is it usable? - Ex: Android/BaseBridge
$ ./androgexf.py -i sendere.apk -o sendere.gexf

InsomniHack'12 - A. Apvrille

38/42

Androguard + gephi
Powerful... but is it usable? - Ex: Android/BaseBridge
$ ./androgexf.py -i sendere.apk -o sendere.gexf

InsomniHack'12 - A. Apvrille

38/42

APKInspector: a front-end

InsomniHack'12 - A. Apvrille

39/42

APKInspector: a front-end

InsomniHack'12 - A. Apvrille

39/42

DroidBox: when does it work?!

InsomniHack'12 - A. Apvrille

40/42

DroidBox: when does it work?!

InsomniHack'12 - A. Apvrille

40/42

DroidBox: when does it work?!

InsomniHack'12 - A. Apvrille

40/42

DroidBox: when does it work?!

InsomniHack'12 - A. Apvrille

40/42

Conclusion
I love
I Android Emulator
I Apktool
I baksmali
I dex2jar
I Java Decompiler
To investigate
I AndBug: a debugger,
not immediate to use
I AndroidAuditTools

InsomniHack'12 - A. Apvrille

I use from time to time


I Androguard: similarities,
dierences, manifest, permissions
I ded, IDA Pro and dedexer:
alternate disassemblers/decompilers
I never use
I Droidbox: bugs
I Androguard visualization: I
probably need training :)
I AXMLPrinter: included in other
tools
I APKInspector, Manitree: perhaps,
but never encountered a real use
case
41/42

Thank You !
Follow us on twitter:

@FortiGuardLabs

Axelle Apvrille
aka Crypto Girl
/mobile malware reverse engineering/
[email protected]

Slides edited with LOBSTER=L TEX+

InsomniHack'12 - A. Apvrille

Beamer + Editor

42/42

You might also like