2.1 Malware-Book
A GUIDE TO GETTING STARTED REVERSE ENGINEERING
Perfect for future mobile malware analysts, penetration testers, and reverse engineers...
JAMES STEVENSON
TABLE OF CONTENTS
Copyright Notice
Introduction
Android Malware
Challenges
James Stevenson
UK
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
AUTHOR
Vulnerability Researcher
AN INTRODUCTION TO ANDROID APPS
ANDROID MALWARE
A GUIDE TO GETTING STARTED REVERSE
ENGINEERING
James Stevenson
MAKING AND TAKING APART ANDROID APPLICATIONS
Android applications are commonly written in either Java or Kotlin. When a software engineer wants to create an APK (the Android PacKage) that contains the code and materials that are run on an Android device, they will need to compile that Java or Kotlin source code to a Dalvik executable, i.e. Dalvik bytecode.

While it is the Dalvik bytecode that needs to be run on a device, this is not human readable, and so if we are to reverse engineer an application we'll need to decompile it back into a human readable form. Using Jadx we can decompile the Dalvik bytecode back into Java. This is often called pseudo Java, as it is not a one-for-one representation of what the original source code would have been, and is instead the decompiler's best guess.
RETRIEVE AN ANDROID PACKAGE FROM EXTERNAL
Depending on the source the APK (Android Package) is being downloaded from, there may be additional download steps involved. However, as a whole most malware repositories will include the files as an APK, which is compatible with all tools discussed in this book. Some download sources include:
https://m.apkpure.com
https://www.apkmirror.com
https://github.com/ashishb/android-malware
ANDROID APPLICATIONS
In Android, the application is an APK, an instance of a JAR file, and in turn an archive of multiple files. These archives can be renamed to a zip file, decompressed, and have their contents extracted. In some cases this is not the best approach for reverse-engineering the files, so custom tools exist for proper extraction.

Inside these archives is the actual file that is to be run. As Android uses the Java runtime, these files are classes.dex files (compiled Dalvik assembly).

ASSETS
A directory for application assets. This is for arbitrary storage; anything provided by the application creator can be stored here.
RES
A directory with all resources that are not compiled into resources.arsc (icons, images, etc.).
LIB
A directory for native libraries used by the application. Contains multiple directories, one for each supported CPU architecture that the application has been compiled for.
META-INF
A directory for APK metadata, including signatures.
ANDROIDMANIFEST.XML
The application manifest, a binary XML formatted file that contains application metadata, for example its name, version, permissions, etc.
CLASSES.DEX
The classes.dex file contains the compiled application code in the Dex file format. There can be additional .dex files (named classes2.dex, etc.) when the application uses multidex.
RESOURCES.ARSC
This file contains precompiled resources, such as strings, colours, or styles.
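An added example (editor's code, not from the book) that inventories the APK components listed above using only the Python standard library: it opens the archive as a zip, finds the manifest and resources.arsc, the classes*.dex files (flagging multidex), the META-INF signature files and the per-ABI native libraries under lib/, and verifies each DEX header's Adler-32 checksum. The sample APK is constructed in memory, so its entry names and bytes are illustrative rather than taken from a real application.

```python
import io
import re
import struct
import zipfile
import zlib

def dex_header_ok(data: bytes) -> bool:
    """Check the DEX magic ('dex', LF, 3-digit version, NUL) and the Adler-32 at offset 8 over bytes 12..end."""
    if len(data) < 0x70 or not re.match(rb"dex\n\d{3}\x00", data[:8]):
        return False
    stored = struct.unpack_from("<I", data, 8)[0]
    return stored == (zlib.adler32(data[12:]) & 0xFFFFFFFF)

def inventory(apk_bytes: bytes) -> dict:
    """Summarise an APK's structure from its zip entries (an APK is a JAR, i.e. a zip)."""
    sig_ext = (".RSA", ".DSA", ".EC", ".SF")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        return {
            "manifest": "AndroidManifest.xml" in names,
            "resources_arsc": "resources.arsc" in names,
            "dex_files": dex,
            "multidex": len(dex) > 1,  # classes2.dex etc. present
            "dex_valid": {n: dex_header_ok(zf.read(n)) for n in dex},
            "signature_files": sorted(n for n in names if n.startswith("META-INF/") and n.endswith(sig_ext)),
            "native_abis": sorted({n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") >= 2}),
        }

def make_dex(version: bytes = b"035") -> bytes:
    """Constructed 0x70-byte DEX header with a valid checksum (test data only)."""
    body = bytearray(0x70)
    body[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<I", body, 32, len(body))  # file_size field
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)

def make_sample_apk() -> bytes:
    """Constructed in-memory APK: multidex (second dex corrupt), v1 signature, two ABIs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        zf.writestr("classes.dex", make_dex())
        zf.writestr("classes2.dex", b"not a dex file")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        zf.writestr("lib/x86_64/libnative.so", b"\x7fELF")
    return buf.getvalue()
```

Run inventory() on the bytes of any real APK to get the same summary; a dex_valid entry of False means the file is not a DEX or has been damaged, which is worth knowing before handing it to a decompiler.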
WHAT IS THE ANDROID MANIFEST?
As noted above, Android APK files include a file detailing the application configuration, the AndroidManifest.xml file. The Android manifest includes a plethora of application information; some of the most important items are detailed here:
APPLICATION COMPONENTS
INTENT FILTERS
ICONS AND LABELS
PERMISSIONS
DEVICE COMPATIBILITY INFORMATION
UNDERSTANDING ANDROID MALWARE
TYPES OF ANDROID MALWARE
- Applications that send unsolicited messages to the user's contacts without adequate consent from the user.
- Gains partial or full control over a device and in turn offers to relinquish that control for a performed action such as payment.
- Similar to rooting, this is where code compromises system integrity in ways such as breaking the application sandbox.
- This is where code masquerades as a legitimate piece of software and requests user authentication credentials.
- Code that does not provide a direct threat to the device or user, and instead leverages the device to target other platforms.
- This category covers applications and code that are utilised to download other malware.
1. Malware activity consists of an action and a target
For example: steal photos, steal banking account passwords, etc.
2. Loss of 'fame' is greater than loss of wealth
This principle comes from the fact that it's assumed money is easier to make back than it is to build a reputation.
3. Arithmetic sequence
Weigh the penalties of each action, where each category and action is assigned its own score and risk.
4. The later the stage, the more certain the event can be predicted
Each malware activity consists of a sequence of behaviours. These behaviours can be categorised into stages and placed in order. This is seen in more detail on the next page.
[Figure: stages of malware behaviour, including "Permission requested"]
TOOLS
APKTool
www.ibotpeaches.github.io/Apktool
REASSEMBLE AN APK:
Jadx
Jadx is a GUI and command line tool for decompiling Android applications to human readable Java pseudo code. Jadx can also be used to deobfuscate code and run the Quark Engine.
Quark Engine
Quark is used inside of several wider tools including Jadx, APKLab, Kali Linux, Ghidra-Quark, and many more. It can be used to identify and categorise potential malware activity inside of an application.
Simplify
While other tools, like Jadx, can perform basic deobfuscation of an application, the decompiled Java can still be quite complex. Simplify attempts to tackle this by dynamically running the code and reconstructing an identical, cleaner version of the application which can be used for analysis.
VirusTotal
www.virustotal.com/gui/home/upload
CASE STUDIES, EXAMPLES, AND CHALLENGES
MALICIOUS SKYPE APPLICATION
https://github.com/ashishb/android-malware/tree/master/rouge_skype
https://www.JamesStevenson.me/androidbook/
Learn Reverse Engineering Through Android Games
www.Udemy.com/course/learn-reverse-engineering-through-android-games/?referralCode=CBA24934A92B1E58B76C
Android and iOS Cheat Sheets
www.ko-fi.com/jamesstevenson/shop
Join my mailing list to hear about my new books and courses!
www.jamesstevenson.me/books
www.JamesStevenson.me