Improving dynamic analysis coverage in Android with DroidBot

23 Feb 2016 Roberto Tanara android droidbot droidbox gsoc
Hi there, my name is Li Yuanchun and I’m glad to introduce DroidBot, a tool to improve the coverage of dynamic analysis. As is the case for malware targeting the desktop, static and dynamic analysis are both used to detect Android malware. However, existing static analysis tools such as FlowDroid or DroidSafe lack accuracy because of specific characteristics of the Android framework like ICC (Inter-Component Communication), dynamic loading, aliasing, etc.

ARTDroid: an easy-to-use framework for hooking under ART

02 Feb 2016 Cong Zheng android art dynamic-analysis gsoc hook malware
During Google Summer of Code 2015, in the Honeynet Project open-source org, Valerio Costamagna and Cong Zheng (mentor) worked on ARTDroid, an easy-to-use framework for hooking virtual methods under the latest Android runtime (ART). We propose ARTDroid, a framework that allows analyzing Android apps without modifying either the Android framework or the apps. The core technique is library injection plus virtual-method hooking by vtable tampering, after obtaining root privileges.
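The vtable-tampering idea in the excerpt, as an added illustration that is not ARTDroid's code: a plain C++ program on the Itanium C++ ABI (gcc/clang on Linux or Android) hooks a virtual method by pointing one object's vtable pointer at a patched copy of its class vtable, so the hook runs and then forwards to the original slot. ARTDroid does the same one level up: after injecting a library into the target process it overwrites the entry in ART's class vtable, which hooks every instance at once. The `SmsManager` class, the slot index and the in-memory log are assumptions made for the demonstration.

```cpp
// Added example, not ARTDroid's code: hook a virtual method by vtable
// tampering in a C++ process that follows the Itanium C++ ABI (gcc/clang on
// Linux or Android). The class, slot index and log below are assumptions
// made for the demonstration.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for an app class whose virtual method we want to intercept.
struct SmsManager {
    virtual ~SmsManager() {}
    virtual int sendTextMessage(const std::string &dest, const std::string &text) {
        (void)dest; (void)text;
        return 0;  // pretend the message was sent
    }
};

// Journal written by the hook; a real tool would log to a file or socket.
static std::vector<std::string> g_log;

// Under the Itanium ABI a member function is called like a free function
// whose first argument is 'this', so the original slot can be saved and
// forwarded through a plain function pointer.
using SendFn = int (*)(SmsManager *, const std::string &, const std::string &);
static SendFn g_orig_send = nullptr;
static void **g_orig_vtable = nullptr;

// Replacement for the slot: record the call, then forward to the original.
static int hooked_send(SmsManager *self, const std::string &dest, const std::string &text) {
    g_log.push_back("sendTextMessage(" + dest + ", " + text + ")");
    return g_orig_send(self, dest, text);
}

// Vtable layout assumed from the class above: slots 0 and 1 are the two
// destructor variants, slot 2 is sendTextMessage.
static const size_t kSendSlot = 2;
static const size_t kVtableSlots = 3;

// The vptr is the first word of the object; memcpy keeps the access legal
// under strict aliasing, which otherwise lets the optimizer ignore a store
// made through a void** when it later reloads the vptr.
static void **read_vptr(SmsManager *obj) {
    void **vt;
    std::memcpy(&vt, obj, sizeof vt);
    return vt;
}
static void write_vptr(SmsManager *obj, void **vt) {
    std::memcpy(obj, &vt, sizeof vt);
}

// Point the object at a writable copy of its vtable with one slot patched.
// Copying avoids making the original read-only vtable writable; ARTDroid
// instead patches ART's class vtable in place, which hooks every instance.
static void hook_object(SmsManager *obj) {
    g_orig_vtable = read_vptr(obj);
    void **fake = new void *[kVtableSlots];
    std::memcpy(fake, g_orig_vtable, kVtableSlots * sizeof(void *));
    g_orig_send = reinterpret_cast<SendFn>(fake[kSendSlot]);
    fake[kSendSlot] = reinterpret_cast<void *>(&hooked_send);
    write_vptr(obj, fake);
}

// Restore the original vptr and free the patched copy.
static void unhook_object(SmsManager *obj) {
    void **fake = read_vptr(obj);
    write_vptr(obj, g_orig_vtable);
    delete[] fake;
}

// Scenario: one call before hooking (not logged), two after (logged).
static std::vector<std::string> run_demo() {
    g_log.clear();
    // volatile hides the dynamic type from the optimizer so the calls below
    // really go through the vtable instead of being devirtualized.
    SmsManager *volatile target = new SmsManager();
    SmsManager *obj = target;
    obj->sendTextMessage("+15551234", "hello");
    hook_object(obj);
    obj = target;
    obj->sendTextMessage("+79001234567", "premium");
    obj->sendTextMessage("+4412345", "again");
    unhook_object(obj);
    delete obj;
    return g_log;
}

int main() {
    for (const std::string &line : run_demo()) std::puts(line.c_str());
    return 0;
}
```

Only the two calls made after `hook_object` appear in the log; the first one went through the untouched vtable. Against a real target the same three pieces remain: a way to locate the vtable (ART's class structures, found after library injection), a hook with the same calling convention as the slot it replaces, and the saved original so behaviour is preserved while it is being observed.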

Interview with Hugo Gonzalez, Android expert and trainer at the Honeynet Workshop 2015

22 Apr 2015 Roberto Tanara android workshop
Hugo Gonzalez is a full member of the Honeynet Project, and now is pursuing his PhD at University of New Brunswick, working at the Information Security Centre of Excellence. His research interests include Malware Authorship Attribution, Android Malware and Application Layer DoS attacks. What was your motivation to enter the Information Security field, and who inspired and helped you along the way? I started in the Linux world because of a speaker at a local conference.

Malware-serving theaters for your android phones - Part 2

10 Jan 2014 Andrea De Pasquale android
In this post I will analyze the Android APK files that my friend Pietro Delsante from the Honeynet Project Sysenter Chapter talks about in his previous post (thank you Pietro). The files are all named “video.apk” and these are the MD5 and SHA256 hashes:

video.apk  MD5 10859e82697955eb2561822e14460463  SHA256 a36ecd528ecd80dadf3b4c47952aede7df3144eb9d2f5ba1d3771d6be2261b62
video.apk  MD5 91f302fd7c2d1b8fb54248ea128d19e0  SHA256 8e0a2f6b7101e8caa61a59af4fdfc5b5629b8eac3a9aafcc1d0c8e56b4ddad15
video.apk  MD5 f6ad9ced69913916038f5bb94433848d  SHA256 4c7c0bd7ed69614cb58908d6a28d2aa5eeaac2ad6d03cbcad1a9d01f28a14ab9

The three APKs are almost identical: they share the same certificate and much more (I will cover the differences later).

Is Android malware served in theatres more sophisticated?

09 Jan 2014 Felix Leder android apk decompilation malware reverse-engineering sandbox-evasion thug
Pietro wrote a nice post about him finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: f6ad9ced69913916038f5bb94433848d. VirusTotal already provides some nice information for Android. The SEND_SMS permission already gives a solid hint that this application is probably sending SMS to premium numbers.

Malware-serving theaters for your android phones - Part 1

07 Jan 2014 Pietro Delsante android apk exploit malware thug
Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater’s official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site urging me to update my Flash Player.

AREsoft-updater Released

26 Aug 2012 Adnan Mohd Shukor android are
AREsoft-updater is a simple updater script for the Android Reverse Engineering software that belongs to the Android Reverse Engineering (A.R.E.) Virtual Machine from the Honeynet Project. AREsoft-updater will check for the latest available version of each individual project/tool listed above and compare it with the local (installed) version in A.R.E. If a newer version is available, AREsoft-updater will automatically download and install the update for your A.R.E. AREsoft-updater also supports the latest (recently released) DroidBox for Android 2.

Beta Release of DroidBox for Android 2.3 and APIMonitor

23 Aug 2012 Kun Yang android apimonitor dalvik droidbox dynamic gsoc
I’m announcing the new features of the Android dynamic analysis tool DroidBox as GSoC 2012 approaches its end. In this release, I would like to introduce two parts of my work: the DroidBox port and APIMonitor. DroidBox for Android 2.3: based on TaintDroid 2.3, I’ve ported DroidBox to support Android 2.3 and fixed some bugs. Download beta version: Source code repository: Usage is the same as in the previous version. You can check the project page.

Android Reverse Engineering (A.R.E.) Virtual Machine available for download now!

01 Nov 2011 Christian Seifert android
The Honeynet Project is happy to announce the release of the Android Reverse Engineering (A.R.E.) Virtual Machine. Do you need to analyze a piece of Android malware, but don’t have all your analysis tools at hand? The Android Reverse Engineering (A.R.E.) Virtual Machine, put together by Anthony Desnos from our French chapter, is here to help. A.R.E. combines the latest Android malware analysis tools in a readily accessible toolbox. Tools currently found on A.

DroidBox: beta release

02 Sep 2011 Patrik Lantz android droidbox dynamic-analysis sandbox
The beta version is out and the install instructions are available at the project webpage. The new features are: prevention of some emulator evasion techniques; visualization of analysis results; automated app installation and execution; display of analysis information about the APK; and a static pre-check that extracts the app’s registered Intents. The following figures show the new visualization added to the beta version. The image on the left is a PoC for classifying malware samples and their similarity.