my image

my image

Saturday, February 16, 2013

Security Analyze for Android APK

I am happy to share my second post, in this post I am going to show the existing threat of malwares on mobile devices, the focus is on Android operation system about SMS steal malware that I wrote, I hope you will enjoy it.

Every one of us could be exposed to malware, virus, by downloading and installing an App, the expectation of each App is to do what you think it should do, but actually it will do other unwanted things (like steal SMS's from your phone).

Users always asking:
How can I protect myself from any cyber threat, phishing, viruses? 

The answer is very simple, is to be caution when downloading and installing any App into the device, especially when you have rooted device (device with super user permissions), and to be aware from any phishing trap.

I wrote malware called "Kim0z", the only functionality that could be done by the malware is to steal SMS's and then to send the data to my server at home :), I didn't hide the process of stealing SMS's, because the App target is to show you how to face malwares.

We can see the button in the App above, when touch the button then: 
  1. All the SMS's text and sender information will be saved into file on the device (sms.txt)
  2. Connection to my home FTP server will be established
  3. The data will be sent through the internet to my computer at home

Find part of the code:

Let's try to understand how we could find out if the App is malicious software:
I will show some ways to analyze the application before and after installing: 
  • Traffic capture: Capture all network traffic between the device and outside servers
  • Auditing: Check if files was added/deleted/changed on the device while using the App
  • Reverse engineering: Decompile the App to be able reading the code before compile 
  • Manifest file: The manifest presents essential information about the application to the android system
Traffic capture:
Start the App and listen to the transport layer, using WireShark or tcpdump, then press the button:
According to the above network transport we could see that ftp protocol connection was established between the device and an FTP server, and we can also find the Malicious target IP (my FTP server).

Now, let's check what files were written on file system, in this test we will find if any new suspicious files were added to the system, I am going to use a nice tool from AndroidAuditTools, some of the functionality of the tool is to compare operation system files before and after a point of time, for example, we can check what files were added/modified.deleted from file system after installing new App.

To run my test I used "fsdiff.rb" to find out what files were added, deleted or modified after using my Malware App:
  1. Install the malware on top of new device or Android image (emulator) 
  2. Check all files on system before running the malware
  3. Perform the required action (in my case is to run the malware App)
  4. Re check all files on system after running the malware
([+]), deleted ([-]) and modified ([c])

"fsdiff.rb" scan all files on system, when start the tool all files on system will be scanned (2) and then the tool will pause asking you to do the change on the device(3), in my case I started the malware and clicked on the button, then I pressed "Enter"(4) to stop the pause and to continue scan all files again, the result was:
new file named "sms.txt" was created [+] sign mean new file was added.

Reverse engineering:
Our next step is to decompile the APK (App), you can use android-apktool package, or any other reverse engineer tools, by decompile the APK: "java -jar apktool.jar d Kim0zMalware.apk"

New folder will be created after the decompile, the folder include all the source code of the App before compile.

After fast scan the folder I was able to find the class, this class should be the main view of the App, at least in my case (most of my code inside this class, in other cases we should open more than the MainActivity class) after decompile :
Note the Function named "saveStringInFile" this save the SMS'a data into file "sms.txt" on the device.

In the same decompiled class, I found function named "sendByFTP", the function responsible to send "sms.txt" file to my FTP server, the function contain Server address, User name, and Password:

Every application must have an AndroidManifest.xml file in the root directory, the file presents essential information about the application to the Android system.

By scanning the folder after decompile I found the file:

Some important information in the manifest file could be very helpful, for example "Permissions", it declares which permissions the application must have in order to access protected parts of the API and interact with other applications.

In the above screenshot I can see that "READ SMS", "INTERNET" and "WRITE EXTERNAL STORAGE" permissions are allowed and it is very obvious that the App can read my SMS's :)

end of the post.

No comments:

Post a Comment