2.1 Malware-Book


ANDROID MALWARE
A GUIDE TO GETTING STARTED REVERSE ENGINEERING

Perfect for future mobile malware analysts, penetration testers, and reverse engineers...

JAMES STEVENSON

TABLE OF CONTENTS

1   COPYRIGHT NOTICE
2   ABOUT THE AUTHOR
3   INTRODUCTION
4   AN INTRODUCTION TO ANDROID APPS
10  ANDROID MALWARE
14  TOOLS
21  CHALLENGES
24  OTHER RESOURCES
Android Malware | A Reverse Engineer's Pocket Guide

James Stevenson
UK

Copyright © 2022 by James Stevenson


This work is subject to copyright. All rights are reserved by the Publisher,
whether the whole or part of the material is concerned, specifically the rights
of translation, reprinting, reuse of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other physical way, and transmission or
information storage and retrieval, electronic adaptation, computer software,
or by similar or dissimilar methodology now known or hereafter developed.

Trademarked names, logos, and images may appear in this book. Rather than
use a trademark symbol with every occurrence of a trademarked name, logo,
or image we use the names, logos, and images only in an editorial fashion
and to the benefit of the trademark owner, with no intention of infringement
of the trademark.
The use in this publication of trade names, trademarks, service marks, and
similar terms, even if they are not identified as such, is not to be taken as an
expression of opinion as to whether or not they are subject to proprietary
rights.

While the advice and information in this book are believed to be true and
accurate at the date of publication, neither the authors nor the editors nor
the publisher can accept any legal responsibility for any errors or omissions
that may be made. The publisher makes no warranty, express or implied, with
respect to the material contained herein.

Author: James Stevenson | www.jamesstevenson.me

For information on translations, reprint, paperback, or audio rights, please communicate with the author directly, at www.jamesstevenson.me.

ANDROID MALWARE | A GUIDE TO GETTING STARTED REVERSE ENGINEERING - JAMES STEVENSON | 01

ABOUT THE AUTHOR
JAMES STEVENSON
Vulnerability Researcher

James Stevenson has been working in the programming and computer security industry for over 5 years. Most of that has been working as an Android software engineer and vulnerability researcher. Before this, James graduated with a BSc in computer security in 2017. James has previously published the book Android Software Internals Quick Reference, with Apress publishing in 2021.

At the time of writing, James is a full-time security researcher, part-time Ph.D. student, and occasional conference speaker. Outside of Android internals, James' research has also focused on offender profiling and cybercrime detection capabilities.

For more information and contact details, visit https://JamesStevenson.me.

INTRODUCTION

Reverse Engineering is the action of disassembling and examining or analysing in detail a product or device to discover the concepts involved in manufacture, usually to produce something similar.

Reverse engineering comes in many flavours, from the operating system involved (i.e. iOS, Android, Embedded, etc.) to the reason behind the reversing (from offensive security to malware analysis). Irrespective of the why, the how of reverse engineering is often similar, and can be applied across all of these unique disciplines.

This short pocket guide serves as a handy field manual, cheat sheet, and study guide for all those working in, or looking to work in, the mobile malware analysis field.

REVERSE ENGINEERING IN UK LAW

A question that comes up a lot when it comes to reverse engineering, and one that should be addressed sooner rather than later, is whether reverse engineering is legal. In UK copyright law:
· There is no provision for decompilation and no fair use defense if the reverse engineering is for commercial research or study.
· There is also no fair use for copying during decompilation.
· However, reverse engineering for interoperability purposes is allowed.

So in actuality, the law isn't especially clear. However, in practice, the answer is yes, to a degree, if you own the program locally. Just be smart about it, and try not to breach any T&Cs. However, please note that I am not a lawyer; this is my opinion and not legal advice.

CHAPTER ONE

AN INTRODUCTION TO ANDROID APPS

MAKING AND TAKING APART ANDROID APPLICATIONS
PROCESS FOR CREATING THEN DISASSEMBLING OR DECOMPILING AN APK.

Android applications are commonly written in either Java or Kotlin. When a software engineer wants to create an APK (the Android Package) that contains the code and materials that are run on an Android device, they will need to compile that Java or Kotlin source code to a Dalvik executable/bytecode.

While it is the Dalvik bytecode that needs to be run on a device, this is not human readable, and so if we are to reverse engineer an application we'll need to decompile it back into a human readable form. Using Jadx we can decompile the Dalvik bytecode back into Java. This is often called pseudo Java, as it is not a one-for-one representation of what the original source code would have been, and instead is the decompiler's best guess.

RETRIEVING APKS
RETRIEVE AN ANDROID PACKAGE FROM DEVICE

Retrieving Android applications is a trivial process, as can be seen below:
1. Ensure adb is enabled on the device by accessing developer settings and configuring adb. Developer settings can be enabled by going to Settings, then About Phone, Software Info, and tapping the device Build Number seven times.
2. Ensure adb is installed on the host (it comes with Android Studio) and is on your path.
3. Connect to the device's shell with adb shell.
4. List all package IDs with pm list packages | grep <application name>.
5. Retrieve the path to the base APK with pm path <Package ID>.
6. Exit adb with exit and pull the previously acquired APK file with adb pull <package base APK path> .
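The steps above, scripted end to end, as an added example that is not part of the book. It assumes adb is on the PATH and a device with USB debugging enabled is attached; the parsing helpers themselves run offline on a constructed sample of pm path output. It goes one step beyond the text by pulling split APKs as well as base.apk, since apps installed from App Bundles keep their native libraries and resources in the splits.

```python
"""Pull base.apk and any split APKs for a package over adb.

Added example, not code from the book. It assumes `adb` is on PATH and a
device with USB debugging enabled is connected; the parsing helpers run
offline on the constructed sample output below.
"""
import subprocess
import sys
from pathlib import Path

# Constructed sample of what `adb shell pm path <package>` prints for an app
# installed from an App Bundle (a base APK plus configuration splits).
SAMPLE_PM_PATH_OUTPUT = (
    "package:/data/app/~~EXAMPLE==/com.example.app-EXAMPLE==/split_config.arm64_v8a.apk\n"
    "package:/data/app/~~EXAMPLE==/com.example.app-EXAMPLE==/base.apk\n"
    "package:/data/app/~~EXAMPLE==/com.example.app-EXAMPLE==/split_config.xxhdpi.apk\n"
)


def package_names(output: str) -> list:
    """Strip the `package:` prefix from each line of pm output, keeping order."""
    return [line.strip()[len("package:"):]
            for line in output.splitlines()
            if line.strip().startswith("package:")]


def parse_pm_path_output(output: str) -> list:
    """On-device APK paths from `pm path`, base.apk first, then splits by name.

    Pulling only base.apk is enough for a first look at the code, but the
    split APKs carry the native libraries and resources for the device's ABI
    and screen density, so keep all of them.
    """
    return sorted(package_names(output),
                  key=lambda p: (not p.endswith("/base.apk"), p))


def adb(*args: str) -> str:
    """Run one adb command and return its stdout; raises if adb exits non-zero."""
    done = subprocess.run(["adb", *args], capture_output=True, text=True, check=True)
    return done.stdout


def find_packages(name_fragment: str) -> list:
    """Same result as `pm list packages | grep <fragment>`, filtered on the host."""
    return [p for p in package_names(adb("shell", "pm", "list", "packages"))
            if name_fragment in p]


def pull_package(package_id: str, out_dir: Path) -> list:
    """Pull every APK that `pm path` reports for package_id into out_dir."""
    out_dir.mkdir(parents=True, exist_ok=True)
    pulled = []
    for remote in parse_pm_path_output(adb("shell", "pm", "path", package_id)):
        local = out_dir / f"{package_id}-{Path(remote).name}"
        adb("pull", remote, str(local))
        pulled.append(local)
    return pulled


if __name__ == "__main__":
    fragment = sys.argv[1] if len(sys.argv) > 1 else ""
    for package in find_packages(fragment):
        for local in pull_package(package, Path("pulled_apks")):
            print("pulled", local)
```

Run it as `python pull_apks.py <application name>`; each pulled file is prefixed with the package ID so splits from different packages never collide in the output directory.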

RETRIEVE AN ANDROID PACKAGE FROM EXTERNAL SOURCES

Depending on the source the APK (Android Package) is being downloaded from, there may be additional download steps involved. However, as a whole, most malware repositories will include the files as an APK, which is compatible with all tools discussed in this book. Some download sources include:
· https://m.apkpure.com
· https://www.apkmirror.com
· https://github.com/ashishb/android-malware

REVERSE ENGINEERING
THE BASICS OF REVERSE ENGINEERING AN APK

Different tools and techniques will be discussed throughout this book; however, for now, it's important to be able to take apart an APK in its simplest form.

Android applications are not encrypted on disk and, in turn, are readily available to be retrieved even if the device isn't rooted. This being the case, adb will need to be enabled on the device so that the device can be communicated with (as discussed earlier in this book).

Android applications are stored in an archive-like format where they can be unzipped, similarly to other archive formats. While this is the case, some information, such as the manifest file, will be incomprehensible unless un-bundled properly. Tooling such as the following exists for the purpose of reverse engineering Android applications:

OPTION ONE, VIA APKTOOL:

· Run: apktool d <application name>
  Optionally use the -s or --no-src parameter, which keeps classes.dex as-is instead of disassembling it to SMALI (the dex2jar step below needs the .dex file). Without -s, apktool produces SMALI, which can then be used for patching the APK, as described earlier in this chapter[1].
· Run cd <new folder with application name>
· Run d2j-dex2jar.sh classes.dex
· Open the new jar file in JD-GUI

OPTION TWO, VIA JADX-GUI:

· Run jadx-gui <apk name>
  The below steps are optional:
· Select File, then save as gradle project
· Open the new gradle project in Android Studio

WHAT IS AN APK?

ANDROID APPLICATIONS

In Android, the application is an APK, an instance of a JAR file, and in turn an archive of multiple files. These archives can be renamed to a zip file, decompressed, and have their contents extracted. In some cases, this is not the best approach for reverse-engineering the files, so custom tools exist for proper extraction.

Inside these archives is the actual file that is to be run. As Android uses the Java runtime, these files are classes.dex files (compiled Dalvik assembly).

ASSETS
A directory for application assets. This is for arbitrary storage; anything provided by the application creator can be stored here.

RES
A directory with all resources that are not compiled into resources.arsc (icons, images, etc.).

LIB
A directory for native libraries used by the application. Contains multiple directories, one for each supported CPU architecture that the application has been compiled for.

META-INF
A directory for APK metadata – including signatures.

ANDROIDMANIFEST.XML
The application manifest in a binary XML formatted file that contains application metadata — for example, its name, version, permissions, etc.

CLASSES.DEX
The classes.dex file contains the compiled application code in the Dex file format. There can be additional .dex files (named classes2.dex, etc.) when the application uses multidex.

RESOURCES.ARSC
This file contains precompiled resources — such as strings, colours, or styles.
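Because an APK is a zip archive, the layout described above can be inventoried with nothing more than the standard library. The following is an added example (not the book's code) that builds a small constructed APK in memory and summarises it: dex files and multidex, the ABIs under lib/, the signature files in META-INF, and, as a triage check, anything in assets/ that starts with DEX, ZIP/JAR or ELF magic bytes, since a payload that an app loads at runtime keeps its magic whatever it is named.

```python
"""Inventory the contents of an APK straight from the zip container.

Added example, not the book's code. Standard library only; the sample APK
built below is constructed for the example and is not a real application.
"""
import io
import zipfile

DEX_MAGIC = b"dex\n"          # every .dex file starts with "dex\n" + version
ZIP_MAGIC = b"PK\x03\x04"     # zip local file header: APKs and JARs alike
ELF_MAGIC = b"\x7fELF"        # native libraries normally live under lib/<abi>/
SIGNATURE_EXTS = {"RSA", "DSA", "EC", "SF", "MF"}


def inventory_apk(apk) -> dict:
    """Summarise the standard APK members and flag executable payloads in assets/.

    `apk` is a path or a file-like object. The assets/ check is what catches
    a dropper that hides a JAR or DEX under an innocent name (update.bin,
    data.db) and loads it at runtime.
    """
    info = {"dex_files": [], "native_abis": set(), "signature_files": [],
            "manifest": False, "resources_arsc": False,
            "embedded_code_in_assets": []}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.endswith("/"):
                continue  # directory entry
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                info["dex_files"].append(name)
            elif name.startswith("lib/") and name.count("/") >= 2:
                info["native_abis"].add(name.split("/")[1])
            elif name == "AndroidManifest.xml":
                info["manifest"] = True
            elif name == "resources.arsc":
                info["resources_arsc"] = True
            elif name.startswith("META-INF/") and name.rsplit(".", 1)[-1].upper() in SIGNATURE_EXTS:
                info["signature_files"].append(name)
            elif name.startswith("assets/"):
                with z.open(name) as member:
                    head = member.read(4)
                if head.startswith((DEX_MAGIC, ZIP_MAGIC, ELF_MAGIC)):
                    info["embedded_code_in_assets"].append(name)
    info["dex_files"].sort()
    info["native_abis"] = sorted(info["native_abis"])
    info["multidex"] = len(info["dex_files"]) > 1
    return info


def build_sample_apk() -> io.BytesIO:
    """Constructed multidex APK with two ABIs and a zip payload hidden in assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header only
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 8)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
        z.writestr("assets/config.json", "{}")
        z.writestr("assets/update.bin", b"PK\x03\x04" + b"\x00" * 16)  # a JAR in disguise
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for key, value in inventory_apk(target).items():
        print(f"{key}: {value}")
```

Pass a real APK path as the first argument to inventory it; with no argument the constructed sample is used.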

THE ANDROID MANIFEST

WHAT IS THE ANDROID MANIFEST?

As noted above, Android APK files include a file detailing the application configuration, the AndroidManifest.xml file. The Android manifest includes a plethora of application information - some of the most important are detailed here:
· Package name and application ID
· Application components
· Intent filters
· Icons and labels
· Permissions
· Device compatibility information
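Once apktool or jadx has decoded the binary manifest to text, the items listed above can be pulled out programmatically. The following added example (not the book's code) parses a constructed manifest in decoded form, lists the requested permissions, highlights a hand-picked set of high-interest ones, and works out which components are exported, including the pre-API-31 rule that a component with an intent filter is exported unless it says otherwise. This answers the first of the challenge questions later in the book (which permissions the application requests).

```python
"""Summarise a decoded AndroidManifest.xml: permissions, components, exports.

Added example, not the book's code. It expects the text form of the manifest
(as produced by apktool or jadx), not the binary XML stored in the APK, and
runs on the constructed sample manifest below.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Qualified key for an android:<name> attribute as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{name}"


# Hand-picked subset of permissions worth an immediate look during triage.
# These are real Android permission names; the list is not exhaustive.
HIGH_INTEREST_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Broadcast actions commonly used to start automatically or intercept messages.
AUTOSTART_OR_INTERCEPT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Constructed sample in apktool's decoded form; not a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Chat">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def summarise_manifest(xml_text: str) -> dict:
    """Package name, permissions and components with their exported status."""
    root = ET.fromstring(xml_text)
    permissions = [e.get(attr("name")) for e in root.findall("uses-permission")]
    application = root.find("application")
    components = []
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in (application.findall(kind) if application is not None else []):
            actions = [a.get(attr("name")) for a in comp.findall("intent-filter/action")]
            exported_attr = comp.get(attr("exported"))
            # Before API 31 a component with an intent filter is exported unless it
            # says otherwise; an explicit android:exported value always wins.
            exported = exported_attr == "true" if exported_attr is not None else bool(actions)
            components.append({
                "kind": kind,
                "name": comp.get(attr("name")),
                "exported": exported,
                "actions": actions,
                "interesting_actions": sorted(set(actions) & AUTOSTART_OR_INTERCEPT_ACTIONS),
            })
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "high_interest_permissions": sorted(set(permissions) & HIGH_INTEREST_PERMISSIONS),
        "components": components,
        "exported_components": [c["name"] for c in components if c["exported"]],
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    summary = summarise_manifest(text)
    print("package:", summary["package"])
    print("high-interest permissions:", summary["high_interest_permissions"])
    for comp in summary["components"]:
        flag = " EXPORTED" if comp["exported"] else ""
        print(f"{comp['kind']} {comp['name']}{flag} {comp['interesting_actions']}")
```

Point it at the AndroidManifest.xml inside an apktool output folder to run it on a real sample; an exported receiver listening for SMS_RECEIVED with a high priority is the kind of finding that sends you straight to that class in the decompiled code.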

CHAPTER TWO

UNDERSTANDING ANDROID MALWARE

TYPES OF ANDROID MALWARE

Trojan: Usually appearing as something it is not, in turn performing undesirable actions against the user.
Spyware: Spyware transmits personal information to a third party without adequate control, notice, or consent.
Stalkerware: A subset of spyware, often seen used as a commercial/spyware-as-a-service alternative.
Spam: Applications that send unsolicited messages to the user's contacts without adequate consent from the user.
Ransomware: Gains partial or full control over a device and in turn offers to relinquish that control for a performed action such as payment.
Elevated privilege abuse: Similar to rooting, this is where code compromises system integrity in ways such as breaking the application sandbox.
Phishing: This is where code masquerades as a legitimate piece of software and requests user authentication credentials.
Non-Android threat: Code that does not provide a direct threat to the device or user, and instead leverages the device to target other platforms.
Hostile downloaders: This category covers applications and code that are utilised to download other malware.
Denial of service (DoS): An application or code that performs a denial of service (DoS) / distributed DoS attack against a third party system or resource.
Billing fraud: This is commonly broken down into: SMS, Call, and Toll fraud.
Backdoor: Often allowing for a malicious actor to gain unauthorised remote control of the target device.

PRINCIPLES OF ANDROID MALWARE CLASSIFICATION

1. Malware activity consists of an action and a target
For example: steal photos, steal banking account passwords, etc.

2. Loss of 'fame' is greater than loss of wealth
This principle comes from the fact that it's assumed money is easier to make back than it is to build a reputation.

3. Arithmetic sequence
Weigh the penalties of each action, where categories and actions are each assigned their own score and risk.

4. The later the stage, the more certain the event can be predicted
Each malware activity consists of a sequence of behaviours. These behaviours can be categorised into stages and placed in order. This is seen in more detail on the next page.

SOURCE: QUARK ENGINE – AN OBFUSCATION-NEGLECT ANDROID MALWARE SCORING SYSTEM

5 STAGES OF ANDROID MALWARE EXECUTION

1. Permission requested
2. Native API call
3. Certain combination of native APIs
4. Calling sequence of native APIs
5. APIs that handle the same register

SOURCE: QUARK ENGINE – AN OBFUSCATION-NEGLECT ANDROID MALWARE SCORING SYSTEM
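To make principles 3 and 4 and the five stages concrete, here is an added toy illustration of my own, not Quark Engine's implementation or its rule format. A rule carries a penalty score and names the permissions and the ordered pair of APIs a behaviour needs; the evidence gathered from a sample decides how far along the five stages the rule gets, and an assumed arithmetic-sequence weighting turns the stage reached into the share of the penalty that is applied. The rule contents and evidence are constructed; the API and permission names are real Android identifiers.

```python
"""Stage-based scoring of a suspected behaviour (illustration of principles 3 and 4).

Added example: a toy of the stage/penalty idea described in the text, not
Quark Engine's code, scoring formula or rule format. Rules and evidence below
are constructed.
"""
from dataclasses import dataclass

STAGES = (
    "permission requested",
    "native API call",
    "certain combination of native APIs",
    "calling sequence of native APIs",
    "APIs that handle the same register",
)


@dataclass(frozen=True)
class Rule:
    name: str
    score: int             # penalty for the action (principle 3); higher is worse
    permissions: frozenset  # permissions the behaviour needs
    apis: tuple            # (first_api, second_api) in the order the behaviour needs


@dataclass(frozen=True)
class Evidence:
    permissions: frozenset  # permissions requested in the manifest
    api_calls: tuple        # API names in the order they appear in a method
    share_register: bool    # data from the first API feeds the second


def stage_reached(rule: Rule, ev: Evidence) -> int:
    """0 if nothing matched, otherwise the highest stage (1..5) the evidence supports."""
    if not rule.permissions <= ev.permissions:
        return 0
    seen = [api for api in ev.api_calls if api in rule.apis]
    if not seen:
        return 1
    if set(seen) != set(rule.apis):
        return 2
    first, second = rule.apis
    first_idx = ev.api_calls.index(first)
    if second not in ev.api_calls[first_idx + 1:]:
        return 3
    return 5 if ev.share_register else 4


def stage_weight(stage: int) -> float:
    """Assumed arithmetic-sequence weighting: stage k earns (1+...+k) / (1+...+5).

    Later stages are worth disproportionately more, mirroring principle 4: the
    later the stage, the more certain the prediction.
    """
    return sum(range(1, stage + 1)) / sum(range(1, len(STAGES) + 1))


def score(rules, ev: Evidence) -> dict:
    """Weighted penalty per rule for one sample's evidence."""
    return {r.name: round(r.score * stage_weight(stage_reached(r, ev)), 2) for r in rules}


# Constructed rules; the API and permission names are real Android identifiers.
RULES = (
    Rule("send location via SMS", 4,
         frozenset({"android.permission.ACCESS_FINE_LOCATION", "android.permission.SEND_SMS"}),
         ("Landroid/location/LocationManager;->getLastKnownLocation",
          "Landroid/telephony/SmsManager;->sendTextMessage")),
    Rule("read contacts and upload", 3,
         frozenset({"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
         ("Landroid/content/ContentResolver;->query",
          "Ljava/net/URL;->openConnection")),
)

# Constructed evidence: the first behaviour is fully present, the second only
# gets as far as one of its two APIs being called.
SAMPLE_EVIDENCE = Evidence(
    permissions=frozenset({
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.SEND_SMS",
        "android.permission.READ_CONTACTS", "android.permission.INTERNET",
    }),
    api_calls=("Landroid/location/LocationManager;->getLastKnownLocation",
               "Landroid/telephony/SmsManager;->sendTextMessage",
               "Landroid/content/ContentResolver;->query"),
    share_register=True,
)

if __name__ == "__main__":
    for rule in RULES:
        stage = stage_reached(rule, SAMPLE_EVIDENCE)
        print(f"{rule.name}: stage {stage} ({STAGES[stage - 1] if stage else 'no match'})")
    print(score(RULES, SAMPLE_EVIDENCE))
```

With the sample evidence the first rule reaches stage 5 and earns its full penalty, while the second stops at stage 2 and contributes only a fifth of its score; the same rule set run over a benign app that merely requests the permissions would stop at stage 1 for both.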

CHAPTER THREE

TOOLS

APKTool
www.ibotpeaches.github.io/Apktool

"A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS."

Examples of using APKTool were given in previous chapters, and so not too much detail will be repeated here; however, some code snippets can be seen below:

DISASSEMBLE AN APK TO SMALI:

apktool d <application path>

REASSEMBLE AN APK:

apktool b <unbundled application folder>

UN-BUNDLE THE APK, WITHOUT DISASSEMBLING:

apktool d -s <application path>

Jadx
www.github.com/skylot/jadx

"COMMAND LINE AND GUI TOOLS FOR PRODUCING JAVA SOURCE CODE FROM ANDROID DEX AND APK FILES"

Jadx is a GUI and command line tool for decompiling Android applications to human readable Java pseudo code. Jadx can also be used to deobfuscate code and run the Quark Engine.

DECOMPILE APK TO PSEUDO JAVA

jadx-gui <application path>

DEOBFUSCATE, RUN QUARK, AND DEBUG - GUI OPTIONS

SAVE AS GRADLE PROJECT TO EXPORT TO ANDROID STUDIO

Quark Engine
www.github.com/quark-engine/quark-engine

"QUARK ENGINE IS OPEN SOURCE SOFTWARE FOR AUTOMATING ANALYSIS OF SUSPICIOUS ANDROID APPLICATIONS. TO DO SO IT MAKES USE OF A CUSTOM DALVIK BYTECODE LOADER AND A UNIQUE SCORING SYSTEM THAT DETECTS MALICIOUS BEHAVIORS AND CALCULATES THE THREAT LEVEL WITHIN SECONDS."

Quark is used inside of several wider tools including Jadx, APKLab, Kali Linux, Ghidra-Quark, and many more. It can be used to identify and categorise potential malware activity inside of an application.

ANALYSE APK VIA CLI

quark -a <apk path> -d

USE QUARK IN JADX-GUI

Simplify
www.github.com/CalebFenton/simplify

"SIMPLIFY VIRTUALLY EXECUTES AN APP TO UNDERSTAND ITS BEHAVIOR AND THEN TRIES TO OPTIMIZE THE CODE SO THAT IT BEHAVES IDENTICALLY BUT IS EASIER FOR A HUMAN TO UNDERSTAND. EACH OPTIMIZATION TYPE IS SIMPLE AND GENERIC, SO IT DOESN'T MATTER WHAT SPECIFIC TYPE OF OBFUSCATION IS USED."

While other tools, like Jadx, can perform basic deobfuscation of an application, the decompiled Java can still be quite complex. Simplify attempts to tackle this by dynamically running the code and reconstructing an identical, cleaner version of the application which can be used for analysis.

java -jar simplify/build/libs/simplify.jar -it "org/cf/obfuscated" -et "MainActivity" simplify/obfuscated-app.apk

Androwarn
www.github.com/maaaaz/androwarn/

"ANDROWARN IS A TOOL WHOSE MAIN AIM IS TO DETECT AND WARN THE USER ABOUT POTENTIAL MALICIOUS BEHAVIOURS DERIVED FROM AN ANDROID APPLICATION. THE DETECTION IS PERFORMED WITH THE STATIC ANALYSIS OF THE APPLICATION'S DALVIK BYTECODE, REPRESENTED AS SMALI, WITH THE ANDROGUARD LIBRARY."

Similar to Quark Engine, and other tools, Androwarn can be used to automatically derive the actions of an APK - in the context of malware activity.

python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

VirusTotal
www.virustotal.com/gui/home/upload

"A TOOL FOR ANALYSING SUSPICIOUS FILES, DOMAINS, IPS AND URLS. ALLOWS FOR THE DETECTION OF MALWARE AND OTHER BREACHES, AS WELL AS AUTOMATICALLY SHARING THEM WITH THE WIDER SECURITY COMMUNITY"

VirusTotal is a free tool that allows for, among other things, the uploading of files for analysis. During analysis these files will be analysed by a suite of anti-malware and anti-virus providers.

After analysis the uploaded file will be given a score based on the findings from the individual providers.

It's also possible for the community to add comments and provide a community score for these uploaded files.

CHAPTER FOUR

CASE STUDIES, EXAMPLES, AND CHALLENGES

MALICIOUS SKYPE APPLICATION
https://github.com/ashishb/android-malware/tree/master/rouge_skype

The below are several starting points, hints, and properties of this piece of Android malware.

MALWARE AGE
First identified back in 2015.

PURPOSE
A Skype clone.

CODE OBFUSCATION
Obfuscated.

PURPOSE
Dynamically runs a jar file in its assets folder at runtime.

CHALLENGE
Use some time now to download this APK in an air-gapped virtual machine, and begin your analysis.

By the end of this challenge you should know:
· What permissions the application requests.
· A general purpose behind the application.
· If the application has any malicious intent (hint: it does).
· What category of malware the application falls into.

DENDROID REMOTE ACCESS
https://github.com/ashishb/android-malware/tree/master/Dendroid

The below are several starting points, hints, and properties of this piece of Android malware.

KNOWN MALWARE
Identified by APKLab as Dendroid.

MALWARE AGE
First identified in 2014 by Symantec.

PERMISSIONS
Suspicious permissions, URL strings, and generated files.

NETWORK ACTIVITY
Performs suspicious network activity and an emulator check for known build properties.

CHALLENGE
Use some time now to download this APK in an air-gapped virtual machine, and begin your analysis.

By the end of this challenge you should know:
· What permissions the application requests.
· A general purpose behind the application.
· If the application has any malicious intent (hint: it does).
· What category of malware the application falls into.

OTHER RESOURCES

Android Software Internals Quick Reference
https://www.JamesStevenson.me/androidbook/

Learn Reverse Engineering Through Android Games
www.Udemy.com/course/learn-reverse-engineering-through-android-games/?referralCode=CBA24934A92B1E58B76C

Android and iOS Cheat Sheets
www.ko-fi.com/jamesstevenson/shop

Join my mailing list to hear about my new books and courses!
www.jamesstevenson.me/books

PERFECT FOR FUTURE MOBILE MALWARE ANALYSTS, PENETRATION TESTERS, AND REVERSE ENGINEERS...

This book sits under 30 pages and serves as an engaging cheat sheet, reference guide and introduction to reverse engineering when it comes to Android malware analysis. Learn:
· The fundamentals of Android application architecture
· What defines malware on Android
· Tools used for reverse engineering and malware analysis
· Case studies, examples, and challenges

www.JamesStevenson.me