Information Technology / Security & Auditing

ANDROID MALWARE AND ANALYSIS

The rapid growth and development of Android-based devices has resulted in a wealth of sensitive information on mobile devices that offer minimal malware protection. This has created an immediate demand for security professionals who understand how to best approach the subject of Android malware threats and analysis.

In Android Malware and Analysis, Ken Dunham, renowned global malware expert and author, teams up with international experts to document the best tools and tactics available for analyzing Android malware. The book covers both methods of malware analysis: dynamic and static.

This tactical and practical book shows you how to use dynamic malware analysis to check the behavior of an application/malware as it is executed in the system. It also describes how you can apply static analysis to break apart the application/malware using reverse engineering tools and techniques to recreate the actual code and algorithms used.

The book presents the insights of experts in the field, who have already sized up the best tools, tactics, and procedures for recognizing and analyzing Android malware threats quickly and effectively. You also get access to an online library of tools that supplies what you will need to begin your own analysis of Android malware threats. Tools available on the book's site include updated information, tutorials, code, scripts, and author assistance.

This is not a book on Android OS, fuzzy testing, or social engineering. Instead, it is about the best ways to analyze and tear apart Android malware threats. After reading the book, you will be able to immediately implement the tools and tactics covered to identify and analyze the latest evolution of Android threats.

Ken Dunham • Shane Hartman
Jose Andre Morales
Manu Quintans • Tim Strazzere

ISBN: 978-1-4822-5219-4
K23862

an informa business
6000 Broken Sound Parkway, NW, Suite 300, Boca Raton, FL 33487
711 Third Avenue, New York, NY 10017
2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN, UK
www.crcpress.com
www.auerbach-publications.com
ANDROID MALWARE
AND ANALYSIS
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Anonymous Communication Networks: Protecting Privacy on the Web. Kun Peng. ISBN 978-1-4398-8157-6
Conducting Network Penetration and Espionage in a Global Environment. Bruce Middleton. ISBN 978-1-4822-0647-0
Cyberspace and Cybersecurity. George Kostopoulos. ISBN 978-1-4665-0133-1
Developing and Securing the Cloud. Bhavani Thuraisingham. ISBN 978-1-4398-6291-9
Ethical Hacking and Penetration Testing Guide. Rafay Baloch. ISBN 978-1-4822-3161-8
Guide to the De-Identification of Personal Health Information. Khaled El Emam. ISBN 978-1-4665-7906-4
Industrial Espionage: Developing a Counterespionage Program. Daniel J. Benny. ISBN 978-1-4665-6814-3
Information Security Fundamentals, Second Edition. Thomas R. Peltier. ISBN 978-1-4398-1062-0
Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0. Barry L. Williams. ISBN 978-1-4665-8058-9
Investigating Computer-Related Crime, Second Edition. Peter Stephenson and Keith Gilbert. ISBN 978-0-8493-1973-0
Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud. Frank Siepmann. ISBN 978-1-4398-7909-2
PRAGMATIC Security Metrics: Applying Metametrics to Information Security. W. Krag Brotby and Gary Hinson. ISBN 978-1-4398-8152-1
Responsive Security: Be Ready to Be Secure. Meng-Chow Kang. ISBN 978-1-4665-8430-3
Securing Cloud and Mobility: A Practitioner's Guide. Ian Lim, E. Coleen Coolidge, Paul Hourani. ISBN 978-1-4398-5055-8
Security and Privacy in Smart Grids. Edited by Yang Xiao. ISBN 978-1-4398-7783-8
Security for Service Oriented Architectures. Walter Williams. ISBN 978-1-4665-8402-0
Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity. J.J. Stapleton. ISBN 978-1-4665-9214-8
The Complete Book of Data Anonymization: From Planning to Implementation. Balaji Raghunathan. ISBN 978-1-4398-7730-2
The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture. Kerry Ann Anderson. ISBN 978-1-4822-2007-0
The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition. Rebecca Herold and Kevin Beaver. ISBN 978-1-4398-5558-4
Secure Data Provenance and Inference Control with Semantic Web. Bhavani Thuraisingham, Tyrone Cadenhead, Murat Kantarcioglu, and Vaibhav Khadilkar. ISBN 978-1-4665-6943-0
Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript. J. D. Glaser. ISBN 978-1-4822-0903-7

AUERBACH PUBLICATIONS
www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: orders@crcpress.com
ANDROID MALWARE AND ANALYSIS
Ken Dunham • Shane Hartman
Jose Andre Morales
Manu Quintans • Tim Strazzere
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2015 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20140918
International Standard Book Number-13: 978-1-4822-5220-0 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Contents
Preface xi
Acknowledgments xiii
Authors xv
Conventions xix
Chapter 1 Introduction to the Android Operating System and Threats 1
Android Development Tools 2
Risky Apps 3
Looking Closer at Android Apps 5
Chapter 2 Malware Threats, Hoaxes, and Taxonomy 7
2010 7
FakePlayer 7
DroidSMS 8
FakeInst 8
TapSnake 8
SMSReplicator 9
Geinimi 9
2011 10
ADRD 10
Pjapps 11
BgServ 11
DroidDream 11
Walkinwat 12
zHash 13
DroidDreamLight 13
Zsone 14
BaseBridge 14
DroidKungFu1 15
GGTracker 16
jSMSHider 16
Plankton 17
GoldDream 18
DroidKungFu2 18
GamblerSMS 19
HippoSMS 19
LoveTrap 19
Nickyspy 20
SndApps 20
Zitmo 21
DogWars 21
DroidKungFu3 22
GingerMaster 22
AnserverBot 23
DroidCoupon 23
Spitmo 24
JiFake 24
Batterydoctor 24
2012 25
AirPush 25
Boxer 25
Gappusin 26
Leadbolt 26
Adwo 26
Counterclank 27
SMSZombie 27
NotCompatible 27
Bmaster 27
LuckyCat 28
DrSheep 28
2013 28
GGSmart 28
Defender 29
Qadars 29
MisoSMS 29
FakeRun 30
TechnoReaper 30
BadNews 31
Obad 31
2014 32
DriveGenie 32
Torec 32
OldBoot 33
DroidPack 33
Chapter 3 Open Source Tools 35
Locating and Downloading Android Packages 36
Vulnerability Research for Android OS 37
Antivirus Scans 37
Static Analysis 38
File Linux Command 38
Unzip the APK 38
Strings 39
Keytool Key and Certificate Management Utility 39
DexID 39
DARE 40
Dex2Jar 40
JD-GUI 41
JAD 41
APKTool 41
AndroWarn 41
Dexter 42
VisualThreat 43
Sandbox Analysis 43
AndroTotal 45
APKScan 45
Mobile Malware Sandbox 45
Mobile Sandbox 45
Emulation Analysis 45
Eclipse 45
DroidBox 46
AppsPlayground 46
Native Analysis 46
Logcat 46
Traceview and Dmtracedump 46
Tcpdump 47
Reverse Engineering 47
Androguard 47
AndroidAuditTools 48
Smali/Baksmali 48
AndBug 48
Memory Analysis 48
LiME 49
Memfetch 49
Volatility for Android 49
Volatilitux 49
Chapter 4 Static Analysis 51
Collections: Where to Find Apps for Analysis 52
Google Play Marketplace 52
Marketplace Mirrors and Cache 53
Contagio Mobile 53
Advanced Internet Queries 53
Private Groups and Rampart Research Inc. 53
Android Malware Genome Project 54
File Data 54
Cryptographic Hash Types and Queries 55
Other Metadata 56
Antivirus Scans and Aliases 57
Unzipping an APK 57
Common Elements of an Unpacked APK File 57
Certificate Information 58
Permissions 59
Strings 60
Other Content of Interest within an APK 61
Creating a JAR File 62
VisualThreat Modeling 62
Automation 62
(Fictional) Case Study 63
Chapter 5 Android Malware Evolution 71
Chapter 6 Android Malware Trends and Reversing Tactics 77
Chapter 7 Behavioral Analysis 91
Introduction to AVD and Eclipse 91
Downloading and Installing the ADT Bundle 92
The Software Development Kit Manager 93
Choosing an Android Platform 94
Processor Emulation 95
Choosing a Processor 95
Using HAXM 95
Configuring Emulated Devices within AVD 96
Location of Emulator Files 99
Default Image Files 100
Runtime Images: User Data and SD Card 100
Temporary Images 100
Setting Up an Emulator for Testing 101
Controlling Malicious Samples in an Emulated Environment 102
Additional Networking in Emulators 102
Using the ADB Tool 103
Using the Emulator Console 103
Applications for Analysis 104
Capabilities and Limitations of the Emulators 105
Preserving Data and Settings on Emulators 105
Setting Up a Physical Device for Testing 106
Limitations and Capabilities of Physical Devices 108
Network Architecture for Sniffing in a Physical Environment 109
Applications for Analysis 110