Today I am going to explain how to approach the analysis of a new malware sample (md5: fdb84ff8125b3790011b83cc85adce16) that targets the Android platform.
What is Android?
“Android is an operating system for mobile devices such as cellular phones, tablet computers and netbooks. Android was developed by Google and is based upon the Linux kernel and GNU software”
A bit of Glossary.
.apk file. Android application package file. Each Android application is compiled and packaged in a single file that includes all of the application’s code (.dex files), resources, assets, and manifest file. The application package file can have any name but must use the .apk extension. For example: myExampleAppname.apk. For convenience, an application package file is often referred to as an “.apk”.
.dex file. Compiled Android application code file. Android programs are compiled into .dex (Dalvik Executable) files, which are in turn zipped into a single .apk file on the device. .dex files can be created by automatically translating compiled applications written in the Java programming language.
Tools of the trade.
Are you ready?
Time to meet the first sample.
Extracting the Apk.
The malware comes inside an apk package, so let’s extract its content:
Once you have located the .dex file, use baksmali on it and then browse to the following directory org\me\androidapplication1\:
Pointing to the Malware brain.
Once you have extracted the bytecode from the dex file, the malware analysis is trivial. For instance, in this case, if you pay attention to the code contained in the MoviePlayer class file, you can quickly discover the purpose of this malware:
As you can see, this Android malware behaves like ordinary Java malware that sends SMS messages to a Russian premium rate number.
Reversing this kind of malware on the Android platform is no different from reversing Java mobile malware, except that the Android class has no CAFEBABE ;]
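The steps above (open the apk, locate the .dex, confirm it really is Dalvik bytecode rather than a CAFEBABE Java class, then look for the SMS-sending code in the disassembled output) can be scripted for triage. The following Python is an added example written for this post, not code from the original article or from the malware: the apk it inspects is a constructed in-memory zip containing only a 0x70-byte DEX header, and the smali text is a hand-written stand-in for what baksmali would emit, using a placeholder destination number. The DEX header layout and the `SmsManager.sendTextMessage` signature are the real ones; the class and method names in the sample smali are assumptions for illustration.

```python
"""Offline triage helper (added example, not the post's own code).

The apk and smali below are constructed for illustration; the destination
number in the smali is a placeholder, not the real premium-rate number.
"""
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\0"           # Dalvik magic, version 035
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # the CAFEBABE a JVM .class file starts with

# Fully qualified smali reference to the SMS sink we want to find.
SMS_SINK = "Landroid/telephony/SmsManager;->sendTextMessage("


def find_dex_entries(apk_bytes):
    """An .apk is a zip: return the entry names that look like .dex files."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [n for n in zf.namelist() if n.endswith(".dex")]


def read_entry(apk_bytes, name):
    """Read one entry out of the apk without touching the filesystem."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def classify_bytecode(blob):
    """Tell Dalvik bytecode from a JVM class file by its magic number."""
    if blob[:8] == DEX_MAGIC:
        return "dex"
    if blob[:4] == JAVA_CLASS_MAGIC:
        return "java-class"
    return "unknown"


def parse_dex_header(blob):
    """Parse the fixed 0x70-byte DEX header (fields after magic/checksum/sha1)."""
    if len(blob) < 0x70 or blob[:8] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    names = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
             "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
             "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
             "field_ids_off", "method_ids_size", "method_ids_off",
             "class_defs_size", "class_defs_off", "data_size", "data_off")
    return dict(zip(names, struct.unpack_from("<20I", blob, 0x20)))


def find_sms_senders(smali_text):
    """Report every smali method that calls sendTextMessage, with the string
    constants loaded in that method (candidate destination numbers / bodies)."""
    findings, current, strings = [], None, []
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            current, strings = line.split()[-1], []
        elif line.startswith(".end method"):
            current = None
        elif line.startswith("const-string"):
            strings.append(line.split('"')[1])
        elif line.startswith("invoke-") and SMS_SINK in line:
            findings.append({"method": current, "strings": list(strings)})
    return findings


def build_sample_apk():
    """Constructed apk: a zip with a manifest placeholder and a header-only classes.dex."""
    header = bytearray(0x70)
    header[0:8] = DEX_MAGIC
    struct.pack_into("<III", header, 0x20, 0x70, 0x70, 0x12345678)  # file_size, header_size, endian_tag
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<constructed placeholder/>")
        zf.writestr("classes.dex", bytes(header))
    return buf.getvalue()


# Constructed smali in the shape baksmali produces; names are assumptions.
SAMPLE_SMALI = """\
.class public Lorg/me/androidapplication1/MoviePlayer;
.super Landroid/app/Activity;

.method public onCreate(Landroid/os/Bundle;)V
    .locals 6
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "0000"
    const-string v3, "placeholder body"
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""


if __name__ == "__main__":
    apk = build_sample_apk()
    for name in find_dex_entries(apk):
        blob = read_entry(apk, name)
        print(name, classify_bytecode(blob), parse_dex_header(blob)["class_defs_size"])
    for hit in find_sms_senders(SAMPLE_SMALI):
        print("SMS sink in", hit["method"], "strings:", hit["strings"])
```

On a real sample you would replace `build_sample_apk()` with the bytes of the apk under analysis and feed `find_sms_senders` the `.smali` files baksmali writes under `org/me/androidapplication1/`; the string constants collected next to the `sendTextMessage` call are where the destination number shows up.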