Android Malware and Analysis
Android Malware and Analysis
Android Operating
System and Threats
Android is the most popular mobile operating system, based on the
Linux kernel, primarily designed for touchscreen mobile devices at the
time this book was written. Google became involved with the financial
backing of Android Inc. in 2005, with smartphones using the operating
system, which debuted in 2008 (HTC Dream). The operating system
is open source, distributed under the Apache License, leading to rapid
development by many globally. According to AppBrain, over 1.1 million
Android apps exist in the market as of February 13, 2014, with
22 percent identified as low-quality apps.
Android operating system versions are named after consumables
starting with version 1.5. The version where each platform name was
first provided is in parenthesis: Cupcake (1.5), Donut (1.6), Eclair (2.0),
Froyo (2.2), Gingerbread (2.3), Honeycomb (3.0), Ice Cream Sandwich
(4.0), Jelly Bean (4.1), and KitKat (4.4), with Key Lime Pie (5.0) expected
in the future. There is a pattern in the naming of each version, can you
spot it? Each version introduces new functionality and requirements.
For example, KitKat, the most recent release, is designed to streamline
memory usage for maximum compatibility with all devices in party by
introducing new application programming interface (API) solutions,
such as “ActivityManager.isLowRamDevice()”, and tools like meminfo
for developers. Back to the teaser above, each version of Android is
named after a sequential letter in the English alphabet, with versions
Cupcake through KitKat representing versions C, D, E, F, G, H, I,
J, and K. The next major version following Key Lime Pie should start
with the letter L and be a dessert item such as Ladyfingers, Lemon
Meringue Pie, or Licorice. Are Android flavors becoming responsible
for our obsession with desserts and food?
2 Android Malware and Analysis
The architecture of the Android operating system is well published,
involving the Linux kernel, libraries, an application framework, applications,
and the Dalvik Virtual Machine (DVM) environment. This is
further expanded upon later in the book. To gain “root” on a device one
must gain access to the core Linux kernel running an Android device.
Most Android malware do not attempt to perform exploits to get to
root, as that is not required for nefarious motives. Rather, apps are commonly
modified to add in a hidden Trojan component so that when a
user installs an app the Trojan is also installed. Once installed and run,
Android malware may employ a wide variety of permissions enabled for
the app to then send text messages, and phone and geolocation information
to manage and intercept all types of communications and more.
When obtaining root access to the Linux kernel on an Android
operating system, several methods may be employed. This can be helpful
for an analyst in several situations but may also involve legal considerations
for the analyst and country of work requiring discernment and
legal review before performing such actions on a device. For example,
some Android malware attempt to perform an exploit to achieve root
on a device, forcing an analyst to be familiar with all such exploits and
how to research and respond to such a threat. Additionally, a researcher
or law enforcement may employ an exploit to gain access to a device that
is otherwise inaccessible. Take for example a device that is password
protected by a deceased person where family members may want to
obtain photographs and other information off the device. Some commercial
packages include rooting exploits as part of a solution to support
forensic access and research on a phone. Rooting typically only
works for specific devices or operating systems and configurations that
are commonly patched quickly to limit risk exposure. Well-known
Android exploits used to obtain root for various versions of the Android
operating system include RageInTheCage, Exploid (CVE-2009-1185),
GingerBreak (CVE-2011-1823), and ZergRush (CVE-2011-3874).
Android Development Tools
Researchers commonly leverage Android development tools as part
of analyzing and working with Android malware. Naturally a Java
runtime environment (JRE, Java Downloads) needs to be installed
on a machine to work with Java-based components of development,
debugging, and malware analysis.
Introduction to the Android Op erating System 3
The Android Software Development Kit (SDK, Get the Android
SDK) contains a variety of tools for creation, compiling, and packing
of an Android app. By installing SDK into a Linux analysis environment
a variety of tools and capabilities exist for an analyst.
The Android Debug Bridge (ADB) is a command line utility that
is included within the SDK. This is an important tool that can be used
for accessing and managing data on an Android device with the intent
of supporting debugging of an app.
Two additional integrated development environments (IDEs) also exist
to support additional development functionality: Android Developer
Tools (ADT) and Android Studio. ADT is a set of plug-ins, or components,
extending the functionality of the Eclipse IDE development and
debugging environment. Android Studio is based upon the IntelliJ IDE.
Such tools are options for advanced research and development work but
are not commonly required for Android malware research and response.
Risky Apps
With the rapid adoption and development of apps and solutions using
the Android operating system, a massive amount of assets now exist on
such mobile devices. These assets are of high interest to malicious actors
for a variety of means and motives. Many users of such devices enjoy the
functionality but do not realize or stop to consider how much information
is actually on a mobile device. Readers of this book may benefit by
asking the question, “What is the most important thing on my phone
that I wouldn’t want someone else to know, see, or steal?” The following
are a few possible answers from users of Android-supported devices.
Sensitive Information?
USER TYPE RESPONSE
Average consumer “My selfies and maybe my banking stuff?”
Executive “My contacts and proprietary information for business crown jewels.”
Law enforcement “Evidence collection including dates, times, and geolocation of images.”
Teenager “Texts and pics.”
Pulled over in a car “Any evidence that I was just texting or using my phone while driving.”
Baby in the womb “Ultrasound selfies, my lullaby ring tone, and texting Mom.”
Traveler “Do I have privacy while traveling abroad? What about countries that might
be trying to track me by my unique IMEI (International Mobile Equipment
Identity) number?”
4 Android Malware and Analysis
With a little tongue in cheek in the list, it is clear that just about
everyone uses a mobile device, with the majority using Android.
Applications exist to reconstruct three-dimensional renderings of a
room, prayer reminders, recipes, music, and more. Mobile devices are
so powerful and integrated that far more information is available on
such a device than what most users realize. Just imagine your device
being compromised, taking photos of you, and everything it sees
without your knowledge or consent. This helps to illustrate the tip
of the iceberg in terms of the type of information, and profiling and
sensitive data one can obtain from a mobile device typically attached
at the hip to a user as they live their life.
Different types of malicious actors have a wealth of assets to access
on a mobile device. For example, eCrime actors can make money
through calls and text made to premium lines and subvert two-factor
banking authentication. Espionage actors can track the physical location
of a target and access a massive amount of sensitive information
and contacts on a mobile device. Hacktivists can stay in touch with
other activists as well as quickly ramp up protests by using mobile
devices. Consumers in countries where freedom of speech and human
rights are oppressed often find that a mobile device is their only primary
means through which they can communicate with one another
and the free world en masse. These are a few of the many possible
applications and abuse employed by various nefarious groups and
interests linked back to Android-supported devices.
An interesting development is how advertisers collect information
to track user habits. For example, Latest Nail Fashion Trends 3.1
tracks the geolocation of users. What does geolocation and tracking
of a user have to do with nail fashion trends? Around 7 percent or
more of Android apps also read the contacts list such as Longman
Contemporary English 1.81. Again, why would such a program need
to read your contact list? Even more apps may leak a device ID/IMEI
such as Football Games—Soccer Juggle 1.4.2. Don’t forget e-mail,
with Logo Quiz Car Choices 1.8.2.9 leaking that information to the
author of the software. Next is the phone number, and so on—so
many apps with so many permissions that are not necessary and frequently
unrealized by consumers that install such apps.
Introduction to the Android Op erating System 5
Looking Closer at Android Apps
Code authored in Java is converted into what is known as DEX bytecode
(Dalvik EXecutable classes.dex) or an Android package (APK).
For this reason, downloads of an “app” to a device are commonly of
a file using the APK extension containing classes.dex, manifest file,
No comments:
Post a Comment