Project 6 - Static Analysis of Android Malware

Primary mentor: Ryan W Smith (US)
Student: Cong Zheng

Project Overview:
In this project, we will provide a powerful tool that lets analysts examine Android malware samples manually. To implement a prototype GUI to aid static analysis, I'd like to use PyQt as the framework of the prototype, because PyQt provides a complete interface to Qt applications and Python can interact with androguard easily, so we can reuse some of androguard's code.

Project Links: http://code.google.com/p/apkinspector

Features:
* Show the CFG (control flow graph) for a given method.
* Show the Dalvik codes for a given method.
* Show the Smali codes by apktool.
* Show the Java codes for a given java file.
* Show the bytecodes for a given method.
* Show all strings, methods and classes.
* Show the APK's related information.
* Show each permission and where a permission is used in an application.
* Show the AndroidManifest of an application.
* Drag and zoom in/out the CFG.
* Modify the content of nodes in the CFG.
* Show a hint when users move the cursor over the node of CFG.
* Specify a method and then show its call in/out methods.
  * Users can select any method in the method tab to look at its call in/out methods. Moreover, users can click "Tools" in the menu and select the "Call in/out" item. A dialog then pops up and waits for the user to fill in the inquired method's class name, name and descriptor. Users can choose to view call in or call out, or both of them.
* Interaction between the CFG and Dalvik.
  * From the CFG tab to the Dalvik tab, users can select a node of the CFG and press the space bar; the view is then moved to the corresponding code. From the Dalvik tab to the CFG tab, users can place the cursor on any line, right-click and select the "Goto CFG" item; the view is then moved to the corresponding node of the CFG.
* Syntax highlighting for Dalvik codes.
* Search words or sentences in each text tab.
* Annotation. Users can add annotations or notes for any line of code.
  * Users can right-click and select the "Add Annotation" item. An annotation dialog then pops up at the bottom of the main view.
* Renaming. Users can rename any variables or other parts of the code.
  * Users can select what they want to rename and then right-click to select "Renaming". A renaming dialog pops up for the user to fill in the new name.
* Search and filter strings, classes and methods.
* A configuration module to choose whatever modules you’d like to use.
* Show a progress bar when opening and loading an apk.
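The CFG features above rest on one step the tool performs for every method: cut the method's linear Dalvik instruction stream into basic blocks, connect them by branch and fall-through edges, and hand the result to Graphviz for layout. The following is an added example, not APKinspector's or androguard's own code; it uses a hand-constructed instruction list with Dalvik-style offsets and mnemonics in place of androguard's decoded method, and the label table, instruction tuples and function names are assumptions made for the example. It also covers the general case (conditional branches, unconditional jumps, return/throw terminators) rather than a single shape of method.

```python
"""
Added example (not part of APKinspector or androguard): build a control-flow
graph from a linear list of Dalvik-style instructions and emit Graphviz DOT,
so that graphviz does the layout instead of a hand-written layout algorithm.
"""

# Constructed sample method: (offset, mnemonic, operands). Offsets follow
# Dalvik unit sizes (const/4 = 2 bytes, if-eqz = 4 bytes, goto = 2 bytes).
SAMPLE_METHOD = [
    (0x00, "const/4", "v0, 0x0"),
    (0x02, "if-eqz", "v1, :cond_0"),   # conditional branch to :cond_0
    (0x06, "const/4", "v0, 0x1"),
    (0x08, "goto", ":goto_0"),         # unconditional jump to :goto_0
    (0x0a, "const/4", "v0, 0x2"),      # :cond_0
    (0x0c, "return", "v0"),            # :goto_0
]
# Constructed label table (assumption: labels resolve to instruction offsets).
LABELS = {":cond_0": 0x0a, ":goto_0": 0x0c}


def _kind(mnemonic):
    """Classify how an instruction ends a basic block."""
    if mnemonic.startswith("if-"):
        return "cond"      # two successors: target and fall-through
    if mnemonic.startswith("goto"):
        return "jump"      # one successor: target
    if mnemonic.startswith(("return", "throw")):
        return "exit"      # no successors
    return "fall"          # one successor: next instruction


def _target(operands, labels):
    """Resolve the branch label (last operand) to an offset."""
    label = operands.split(",")[-1].strip()
    if label not in labels:
        raise ValueError("unknown branch label %r" % label)
    return labels[label]


def build_cfg(instrs, labels):
    """Return (blocks, edges).

    blocks: list of instruction lists in offset order.
    edges:  set of (src_block_index, dst_block_index).
    """
    offsets = [off for off, _, _ in instrs]
    # Leaders: first instruction, every branch target, and the instruction
    # following any branch or terminator.
    leaders = {offsets[0]}
    for i, (off, mn, ops) in enumerate(instrs):
        kind = _kind(mn)
        if kind in ("cond", "jump"):
            leaders.add(_target(ops, labels))
        if kind != "fall" and i + 1 < len(instrs):
            leaders.add(offsets[i + 1])

    blocks = []
    for ins in instrs:
        if ins[0] in leaders:
            blocks.append([])
        blocks[-1].append(ins)

    start_of = {blk[0][0]: idx for idx, blk in enumerate(blocks)}
    edges = set()
    for idx, blk in enumerate(blocks):
        _, mn, ops = blk[-1]
        kind = _kind(mn)
        if kind in ("cond", "jump"):
            edges.add((idx, start_of[_target(ops, labels)]))
        if kind in ("cond", "fall") and idx + 1 < len(blocks):
            edges.add((idx, idx + 1))
    return blocks, edges


def to_dot(blocks, edges, name="method"):
    """Render the CFG as Graphviz DOT; each block is a left-justified box."""
    lines = ['digraph "%s" {' % name, '  node [shape=box, fontname="monospace"];']
    for idx, blk in enumerate(blocks):
        text = "".join("%04x: %s %s\\l" % (off, mn, ops) for off, mn, ops in blk)
        text = text.replace('"', '\\"')
        lines.append('  b%d [label="%s"];' % (idx, text))
    for src, dst in sorted(edges):
        lines.append("  b%d -> b%d;" % (src, dst))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    blocks, edges = build_cfg(SAMPLE_METHOD, LABELS)
    print(to_dot(blocks, edges))   # pipe into `dot -Tsvg` to get the drawing
```

The DOT text is what the tool would feed to `dot` to obtain SVG for the graph view; the `\l` escapes keep each instruction on its own left-aligned line inside the node, which is what makes the node text usable as the "hint" and the anchor for jumping back to the matching Dalvik line.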

Project Plan:

May 1st – May 23rd: Becoming familiar with PyQt and SVG scripting. Working out the detailed technical approach with the mentor and developing the PoC.
May 23rd – July 11th: Main code implementation. Building a basic framework and implementing the basic modules. This version needs to implement at least modules 1 to 4.
July 11th – July 15th: Preparing for the midterm evaluation.
July 15th – Aug 10th: Implementing the other modules and adding some extra modules to improve the project.
Aug 10th – Aug 26th: Testing and improving documentation, then preparing for the final evaluation.

Updates:

Done in May 23rd - May 29th:
1. Found a great solution to draw the CFG graph without implementing the layout algorithm myself, by using graphviz instead.
2. Build the developing environment: PyQt with Eric4.
3. Design the framework of UI and define the feature list.

Plan in May 30th - June 5th:
1. Build a basic framework with less consideration for the art design.

Done in May 30th - June 5th:
1. I have drawn an initial framework of the UI, which is pasted in my honeynet blog.
2. I'm coding the first function, which opens an apk file and shows its information in the APKInfo widget. This should invoke androguard's module to do it. I have not finished it yet.

Plan in June 6th - 8th:
1. I will continue to finish the first function.

Done in June 6th - 8th:
1. I have finished feature 1. You can see more about it in my blog.

Done in Jun 20th - 26th:
I have finished two modules:
1. When you open an apk file, all the methods are listed in a TreeWidget.
2. If you double-click one method in the TreeWidget, the corresponding smali code is shown in the main view.

Plan in June 27th - July 2nd:
I will start coding the CFG module. It will just show the corresponding CFG of a method in the main view. The first step is only showing the CFG with a zoom in/out feature.

Done in June 27th - July 2nd
The module for showing the CFG has been finished with some additional features, such as zooming in/out, dragging the graph, and modifying the content of nodes after double-clicking.
PS: there are still some bugs to be fixed.

Plan in July 3rd - July 10th
1. Fix the existing bugs.
2. Finish the modules for showing bytecode and Java code.
3. Prepare for the midterm evaluation.

Done in July 3rd - July 10th
The modules for showing the bytecodes and Java codes are finished.
The midterm report is here: midterm report

Plan in July 11th - July 18th
1. Continue to fix some bugs.
2. Publish an alpha release.

Done in July 11th - July 18th
1. I have designed the logo of our tool.
2. I have uploaded all the code to the mercurial repository and published the alpha release.

Plan in July 19th - July 26th
1. Add icons to the QTreeWidget view in the Method and File tabs.
2. Show the bytecodes for each row.
3. Add the line number for each row in the margin of the editor.
4. Improve the CFG's display.

Done in July 19th - July 26th
1. Added icons to the QTreeWidget view in the Method and File tabs.
2. Show the bytecodes for each row.
3. Added the line number for each row in the margin of the editor.
4. Designed the logo for our tool.
5. Added the searching and filtering module.

Plan in July 27th - Aug 3rd
1. I will improve the CFG module and pay more attention to a beautiful and concise graph view. Each node should be smaller to make the whole graph more compact. In addition, it will show a hint for each node when the user moves the mouse over it.
2. To continue the user interaction module, I will start to add some signals and slots on some widgets. This will be the most important work in the next phase.

Done in July 27th - Aug 3rd
1. I have added these features:
(1) Show a hint for each node when the user moves the mouse over it.
(2) Translate the QGraphicsView. (Qt has a bug in the translate method, but I found a solution to implement this function.)

Plan in Aug 4th - Aug 11th
I'll continue to implement the user interaction module. First, I will finish the interaction between the CFG tab and the smali tab.

Done in Aug 4th - Aug 11th
1. The interaction module between the smali and CFG views has been finished, but it's not perfect yet. If the user wants to go to the CFG, he must select a line and right-click. After that, the smali view changes to the CFG view.
It's still a little coarse-grained, because it can only locate the node of the CFG, not the line within the node.

Plan in Aug 12th - Aug 19th
1. Finish the remaining modules:
(1) annotation module
(2) renaming module
(3) give in/out module
2. I plan to do a configuration module, in which the user can configure all optional functions and options.