Information Technology / Security & Auditing

ANDROID MALWARE AND ANALYSIS

The rapid growth and development of Android-based devices has resulted in a wealth of sensitive information on mobile devices that offer minimal malware protection. This has created an immediate demand for security professionals that understand how to best approach the subject of Android malware threats and analysis.

In Android Malware and Analysis, Ken Dunham, renowned global malware expert and author, teams up with international experts to document the best tools and tactics available for analyzing Android malware. The book covers both methods of malware analysis: dynamic and static.

This tactical and practical book shows you how to use dynamic malware analysis to check the behavior of an application/malware as it has been executed in the system. It also describes how you can apply static analysis to break apart the application/malware using reverse engineering tools and techniques to recreate the actual code and algorithms used.

The book presents the insights of experts in the field, who have already sized up the best tools, tactics, and procedures for recognizing and analyzing Android malware threats quickly and effectively. You also get access to an online library of tools that supplies what you will need to begin your own analysis of Android malware threats. Tools available on the book's site include updated information, tutorials, code, scripts, and author assistance.

This is not a book on Android OS, fuzzy testing, or social engineering. Instead, it is about the best ways to analyze and tear apart Android malware threats. After reading the book, you will be able to immediately implement the tools and tactics covered to identify and analyze the latest evolution of Android threats.
Ken Dunham • Shane Hartman • Jose Andre Morales • Manu Quintans • Tim Strazzere

K23862
ISBN: 978-1-4822-5219-4

CRC Press, an informa business
6000 Broken Sound Parkway, NW, Suite 300, Boca Raton, FL 33487
711 Third Avenue, New York, NY 10017
2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN, UK
www.crcpress.com
www.auerbach-publications.com

ANDROID MALWARE AND ANALYSIS

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Anonymous Communication Networks: Protecting Privacy on the Web
Kun Peng
ISBN 978-1-4398-8157-6

PRAGMATIC Security Metrics: Applying Metametrics to Information Security
W. Krag Brotby and Gary Hinson
ISBN 978-1-4398-8152-1

Conducting Network Penetration and Espionage in a Global Environment
Bruce Middleton
ISBN 978-1-4822-0647-0

Responsive Security: Be Ready to Be Secure
Meng-Chow Kang
ISBN 978-1-4665-8430-3

Cyberspace and Cybersecurity
George Kostopoulos
ISBN 978-1-4665-0133-1

Securing Cloud and Mobility: A Practitioner's Guide
Ian Lim, E. Coleen Coolidge, Paul Hourani
ISBN 978-1-4398-5055-8

Developing and Securing the Cloud
Bhavani Thuraisingham
ISBN 978-1-4398-6291-9

Security and Privacy in Smart Grids
Edited by Yang Xiao
ISBN 978-1-4398-7783-8

Ethical Hacking and Penetration Testing Guide
Rafay Baloch
ISBN 978-1-4822-3161-8

Security for Service Oriented Architectures
Walter Williams
ISBN 978-1-4665-8402-0

Guide to the De-Identification of Personal Health Information
Khaled El Emam
ISBN 978-1-4665-7906-4

Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity
J.J. Stapleton
ISBN 978-1-4665-9214-8

Industrial Espionage: Developing a Counterespionage Program
Daniel J. Benny
ISBN 978-1-4665-6814-3

The Complete Book of Data Anonymization: From Planning to Implementation
Balaji Raghunathan
ISBN 978-1-4398-7730-2

Information Security Fundamentals, Second Edition
Thomas R. Peltier
ISBN 978-1-4398-1062-0

The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture
Kerry Ann Anderson
ISBN 978-1-4822-2007-0

Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0
Barry L. Williams
ISBN 978-1-4665-8058-9

The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition
Rebecca Herold and Kevin Beaver
ISBN 978-1-4398-5558-4

Investigating Computer-Related Crime, Second Edition
Peter Stephenson and Keith Gilbert
ISBN 978-0-8493-1973-0

Secure Data Provenance and Inference Control with Semantic Web
Bhavani Thuraisingham, Tyrone Cadenhead, Murat Kantarcioglu, and Vaibhav Khadilkar
ISBN 978-1-4665-6943-0

Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud
Frank Siepmann
ISBN 978-1-4398-7909-2

Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript
J. D. Glaser
ISBN 978-1-4822-0903-7

AUERBACH PUBLICATIONS
www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: [email protected]

ANDROID MALWARE AND ANALYSIS

Ken Dunham • Shane Hartman • Jose Andre Morales • Manu Quintans • Tim Strazzere

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2015 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Version Date: 20140918

International Standard Book Number-13: 978-1-4822-5220-0 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use.
The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Preface
Acknowledgments
Authors
Conventions

Chapter 1  Introduction to the Android Operating System and Threats
  Android Development Tools
  Risky Apps
  Looking Closer at Android Apps

Chapter 2  Malware Threats, Hoaxes, and Taxonomy
  2010
    FakePlayer
    DroidSMS
    FakeInst
    TapSnake
    SMSReplicator
    Geinimi
  2011
    ADRD
    Pjapps
    BgServ
    DroidDream
    Walkinwat
    zHash
    DroidDreamLight
    Zsone
    BaseBridge
    DroidKungFu1
    GGTracker
    jSMSHider
    Plankton
    GoldDream
    DroidKungFu2
    GamblerSMS
    HippoSMS
    LoveTrap
    Nickyspy
    SndApps
    Zitmo
    DogWars
    DroidKungFu3
    GingerMaster
    AnserverBot
    DroidCoupon
    Spitmo
    JiFake
    Batterydoctor
  2012
    AirPush
    Boxer
    Gappusin
    Leadbolt
    Adwo
    Counterclank
    SMSZombie
    NotCompatible
    Bmaster
    LuckyCat
    DrSheep
  2013
    GGSmart
    Defender
    Qadars
    MisoSMS
    FakeRun
    TechnoReaper
    BadNews
    Obad
  2014
    DriveGenie
    Torec
    OldBoot
    DroidPack

Chapter 3  Open Source Tools
  Locating and Downloading Android Packages
  Vulnerability Research for Android OS
  Antivirus Scans
  Static Analysis
    File Linux Command
    Unzip the APK
    Strings
    Keytool Key and Certificate Management Utility
    DexID
    DARE
    Dex2Jar
    JD-GUI
    JAD
    APKTool
    AndroWarn
    Dexter
    VisualThreat
  Sandbox Analysis
    AndroTotal
    APKScan
    Mobile Malware Sandbox
    Mobile Sandbox
  Emulation Analysis
    Eclipse
    DroidBox
    AppsPlayground
  Native Analysis
    Logcat
    Traceview and Dmtracedump
    Tcpdump
  Reverse Engineering
    Androguard
    AndroidAuditTools
    Smali/Baksmali
    AndBug
  Memory Analysis
    LiME
    Memfetch
    Volatility for Android
    Volatilitux

Chapter 4  Static Analysis
  Collections: Where to Find Apps for Analysis
  Google Play Marketplace
  Marketplace Mirrors and Cache
  Contagio Mobile
  Advanced Internet Queries
  Private Groups and Rampart Research Inc.
  Android Malware Genome Project
  File Data
  Cryptographic Hash Types and Queries
  Other Metadata
  Antivirus Scans and Aliases
  Unzipping an APK
  Common Elements of an Unpacked APK File
  Certificate Information
  Permissions
  Strings
  Other Content of Interest within an APK
  Creating a JAR File
  VisualThreat Modeling
  Automation
  (Fictional) Case Study

Chapter 5  Android Malware Evolution

Chapter 6  Android Malware Trends and Reversing Tactics

Chapter 7  Behavioral Analysis
  Introduction to AVD and Eclipse
  Downloading and Installing the ADT Bundle
  The Software Development Kit Manager
  Choosing an Android Platform
  Processor Emulation
  Choosing a Processor
  Using HAXM
  Configuring Emulated Devices within AVD
  Location of Emulator Files
  Default Image Files
  Runtime Images: User Data and SD Card
  Temporary Images
  Setting Up an Emulator for Testing
  Controlling Malicious Samples in an Emulated Environment
  Additional Networking in Emulators
  Using the ADB Tool
  Using the Emulator Console
  Applications for Analysis
  Capabilities and Limitations of the Emulators
  Preserving Data and Settings on Emulators
  Setting Up a Physical Device for Testing
  Limitations and Capabilities of Physical Devices
  Network Architecture for Sniffing in a Physical Environment
  Applications for Analysis