Dissecting Android Malware

Hello,

Today I am going to explain how to approach the analysis of the new malware (md5: fdb84ff8125b3790011b83cc85adce16) that is targeting the Android platform.

What is Android?
(wikipedia.org)

“Android is an operating system for mobile devices such as cellular phones, tablet computers and netbooks. Android was developed by Google and is based upon the Linux kernel and GNU software”

A bit of Glossary.
(developer.android.com/guide/appendix/glossary.html)

.apk file. Android application package file. Each Android application is compiled and packaged in a single file that includes all of the application’s code (.dex files), resources, assets, and manifest file. The application package file can have any name but must use the .apk extension. For example: myExampleAppname.apk. For convenience, an application package file is often referred to as an “.apk”.

.dex file. Compiled Android application code file. Android programs are compiled into .dex (Dalvik Executable) files, which are in turn zipped into a single .apk file on the device. .dex files can be created by automatically translating compiled applications written in the Java programming language.

Tools of the trade.

a] Something to unpack the .apk file: 7-zip.
b] Something to get the bytecode from the .dex file: baksmali.

Are you ready?

Time to meet the first sample.

Thanks to malwaredatabase.net and contagiodump, I have the sample that I am going to analyze.

Extracting the Apk.

The malware comes inside an apk package, so let’s extract its content:

Once you have located the .dex file, use baksmali on it and then browse to the following directory org\me\androidapplication1\:

In red we have the interesting components while in blue…  :]

Pointing to the Malware brain.

Once you have extracted the bytecode from the dex file, the malware analysis is trivial. For instance, in this case, if you pay attention to the code contained in the MoviePlayer class file, you can quickly discover the purpose of this malware:

As you can see, this Android malware behaves like ordinary Java malware: it sends SMS messages to a Russian premium rate number.
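A triage check for the behaviour described above, as an added example that is not part of the original post: it scans baksmali output for `SmsManager.sendTextMessage` calls and recovers the literal destination and message text. The function name `find_sms_sends` and the smali fragment are constructed for illustration (the number and text are placeholders, not values from the sample); the call takes six registers, so it appears in the `invoke-virtual/range` form.

```python
import re

# Constructed baksmali-style fragment (NOT taken from the sample); the number
# and message text are placeholders.
SAMPLE_SMALI = '''\
.method public onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "0000"
    const/4 v2, 0x0
    const-string v3, "PLACEHOLDER-TEXT"
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
'''

CONST_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"(.*)"\s*$')
# Matches android.telephony.SmsManager and the older android.telephony.gsm one.
SEND_RE = re.compile(
    r'^\s*invoke-virtual/range\s*\{([vp])(\d+)\s*\.\.\s*[vp]\d+\},\s*'
    r'Landroid/telephony/(?:gsm/)?SmsManager;->sendTextMessage\(')

def find_sms_sends(smali_text):
    """Return [(line_no, destination, body)] for each sendTextMessage call.
    Remembers the last const-string loaded into each register of the current
    method. Arguments that are not string literals come back as None, and
    branches are ignored, so treat hits as leads to confirm by reading.
    """
    hits, strings = [], {}
    for line_no, line in enumerate(smali_text.splitlines(), 1):
        if line.lstrip().startswith('.method'):
            strings = {}          # registers are per-method
        elif (m := CONST_RE.match(line)):
            strings[m.group(1)] = m.group(2)
        elif (m := SEND_RE.match(line)):
            kind, base = m.group(1), int(m.group(2))
            # Range layout: base = SmsManager instance, +1 = destination,
            # +2 = service centre, +3 = message text.
            dest = strings.get(f'{kind}{base + 1}')
            body = strings.get(f'{kind}{base + 3}')
            hits.append((line_no, dest, body))
    return hits

if __name__ == '__main__':
    for line_no, dest, body in find_sms_sends(SAMPLE_SMALI):
        print(f'line {line_no}: SMS to {dest!r} with text {body!r}')
```

Run it over each `.smali` file that baksmali writes; a hit with a hard-coded destination is the line to read first.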

Final words.

Reversing this kind of malware on the Android platform is no different from reversing Java mobile malware, except that the Android class has no CAFEBABE ;]

posted in Android, java, malware, reversing by Donato Ferrante ( ratsoul )

 
Copyright (c) 2010-2011 InREVERSE - All Right Reserved