Hi there, my name is Li Yuanchun and I’m glad to introduce DroidBot, a tool to improve the coverage of dynamic analysis.
As it is the case for malware targeting the desktop, static and dynamic analysis are also used for detection of Android malware. However, existing static analysis tools such as FlowDroid or DroidSafe lack accuracy because of specific characteristics of the Android framework like ICC (Inter-Component Communication), dynamic loading, alias, etc.
During Google Summer of Code 2015, in the Honeynet Project open-source org, Valerio Costamagna and Cong Zheng (mentor) worked on ARTDroid, an easy-to-use framework for hooking virtual-method under latest Android runtime (ART).
We propose ARTDroid, a framework which allows to analyze Android apps without modifications to both Android framework and apps. The core technology is the library injection and virtual methods hooking by vtable tampering after getting the root privilege.
Hugo Gonzalez is a full member of the Honeynet Project, and now is pursuing his PhD at University of New Brunswick, working at the Information Security Centre of Excellence. His research interest include Malware Authorship Attribution, Android Malware and Application Layer DoS attacks.
What was your motivation to enter Information Security field, and who inspired and helped you along the way?
I started in the Linux world because a speaker in a local conference.
In this post I will analyze the Android APK files that my friend Pietro Delsante from the Honeynet Project Sysenter Chapter talks about in his previous post (thank you Pietro). The files are all named “video.apk” and these are the MD5 and SHA256 hashes:
video.apk 10859e82697955eb2561822e14460463 a36ecd528ecd80dadf3b4c47952aede7df3144eb9d2f5ba1d3771d6be2261b62 video.apk 91f302fd7c2d1b8fb54248ea128d19e0 8e0a2f6b7101e8caa61a59af4fdfc5b5629b8eac3a9aafcc1d0c8e56b4ddad15 video.apk f6ad9ced69913916038f5bb94433848d 4c7c0bd7ed69614cb58908d6a28d2aa5eeaac2ad6d03cbcad1a9d01f28a14ab9
The three APKs are almost identical: they share the same certificate and much more (I will cover the differences later).
Pietro wrote a nice post about him finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: f6ad9ced69913916038f5bb94433848d.
Virus Total already provides some nice information for Android.
The SEND_SMS permissions already gives a solid hint that this application is probably sending to premium numbers.
Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater’s official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player.
AREsoft-updater is a simple updater script for Android Reverse Engineering Software belongs to Android Reverse Engineering (A.R.E.) Virtual Machine from the Honeynet Project
AREsoft-updater will check for the latest available version of each individual project/tool listed above and compare it with the local (installed) version in A.R.E. If newer version is available, AREsoft-updater will automatically download and install the update for your A.R.E
AREsoft-updater also support the latest (recently released) DroidBox for Android 2.
I’m announcing the new features of Android dynamic analysis tool DroidBox as GSoC 2012 approaches the end. In this release, I would like to introduce two parts of my work: DroidBox porting and APIMonitor.
DroidBox for Android 2.3 Based on TaintDroid 2.3, I’ve ported DroidBox to support Android 2.3 and fixed some bugs.
Download bata version: http://droidbox.googlecode.com/files/DroidBox23.tar.gz Source code repository: https://github.com/kelwin Usage is same with the previous version. You can check the project page.
The Honeynet Project is happy to announce the release of the Android Reverse Engineering (A.R.E.) Virtual Machine.
Do you need to analyze a piece of Android malware, but dont have all your analysis tools at hand? The Android Reverse Engineering (A.R.E.) Virtual Machine, put together by Anthony Desnos from our French chapter, is here to help. A.R.E. combines the latest Android malware analysis tools in a readily accessible toolbox.
Tools currently found on A.
Beta version is out and the install instructions are available at the project webpage. The new features are:
Prevent some emulator evasion techniques Added visualization of analysis results Automated app installation and execution Displaying analysis information about the APK Static pre-check extracts the app’s registered Intents The following figures show the new visualization added to the beta version.
Image to the left is a PoC for classifying malwares and their similarity.