Android pentesting and malware analysis

Post on 22-Apr-2015


DESCRIPTION

null Hyderabad Chapter January 2013 Meet

TRANSCRIPT

Srinivasa Rao

Independent Security Researcher

Working for TCS

Co-Author of the book “HACKING S3CRETS”

What we discuss?

Android OS Basics

Understanding APK

Android Security Model

A Brief look into android malwares

Reversing android malwares

Pentesting on Android platform

Demos

Android Rooting

Android Architecture

What is Android?

Initially developed by Android Inc. in 2003 and acquired by Google in 2005; the Open Handset Alliance (OHA) followed in 2007.

Largest market share

HTC Dream – the first commercially available mobile phone running the Android operating system.

Android is a software stack for mobile devices. The stack consists of an operating system, middleware and key mobile applications.

Why Android?

Open source

Anyone can develop apps! No restrictions like on the iPhone

Runs on a Linux 2.6.x kernel

Wherever you go it follows you!! (Tablets, mobile phones, TVs)

Uses SQLite databases

Official market contains over 7,00,000 apps

Understanding the APK

Nothing but a zip file

Can be extracted with WinRAR or WinZip.

Composed of components such as activities, services, broadcast receivers, etc.

Every app is packaged with the .apk extension

Written in Java, with native libraries in C/C++
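As an added example that is not part of the slides: the "nothing but a zip file" point, shown with Python's standard zipfile module. The script builds a constructed, APK-shaped archive in memory (a stub manifest, a header-sized classes.dex stub carrying the dex magic, one native library, a resource and a signature block placeholder) and then inspects it the way a first triage pass would: which dex files are present and whether they start with the dex magic, which native ABIs ship libraries, whether a manifest and a META-INF signature block exist. The archive contents, entry names and ABI are constructed for the example.

```python
import io
import zipfile

# Constructed sample: an APK-shaped zip built in memory, not a real application.
DEX_MAGIC = b"dex\n035\x00"


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # A packaged manifest is binary XML; this is only a placeholder entry.
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        # Header-sized dex stub: magic followed by zeroed header fields.
        z.writestr("classes.dex", DEX_MAGIC + b"\x00" * 104)
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 12)
        z.writestr("res/layout/main.xml", b"<layout/>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # signature block placeholder
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise an APK by walking it as the zip archive it is."""
    summary = {
        "has_manifest": False,
        "dex_files": [],
        "bad_dex": [],        # .dex entries that do not start with the dex magic
        "native_libs": {},    # ABI -> list of shared objects
        "signed": False,      # a META-INF/*.RSA|DSA|EC signature block is present
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name == "AndroidManifest.xml":
                summary["has_manifest"] = True
            elif name.endswith(".dex"):
                summary["dex_files"].append(name)
                if not z.read(name).startswith(b"dex\n"):
                    summary["bad_dex"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                abi = name.split("/")[1]
                summary["native_libs"].setdefault(abi, []).append(name)
            elif name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                summary["signed"] = True
    return summary


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Pointing inspect_apk at a real file is a matter of reading it into bytes first; the presence of a signature block only says the archive carries one, it does not verify it.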


Understanding the APK

Components

Activity – Screen that lets users interact: buttons, text view, image view, etc.

Service – Performs work in the background, e.g. playing music

Broadcast receiver – Receives and responds to broadcast announcements

Intents – Bind individual components at runtime

Content Providers – Store and retrieve application data (SQLite databases)

Permissions – They Suck!!

Declared in AndroidManifest.xml

The manifest XML lists all the components and permissions

An app can use only the permissions it declares

Permissions

ACCESS_COARSE_LOCATION

ACCESS_FINE_LOCATION

CALL_PHONE

CAMERA

CHANGE_WIFI_STATE

READ_CALL_LOG

READ_CONTACTS

READ_SMS
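As an added example that is not from the slides: a small Python triage pass over a manifest, using the permissions listed above as the watch-list. It works on the plain-XML form that apktool decodes a manifest to (the AndroidManifest.xml inside a packaged APK is binary XML and has to be decoded first, which is an assumption of this example). It returns the package name, every requested permission, the ones on the watch-list, the declared components, and the intent-filter actions each receiver registers for. The sample manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Watch-list: the permissions named on the slide above.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CALL_PHONE",
    "android.permission.CAMERA",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}

# Constructed sample manifest in the decoded (plain-XML) form apktool produces.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Sample">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Summarise permissions and components declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = [e.get(NAME_ATTR) for e in root.iter("uses-permission")]
    app = root.find("application")
    components = {}
    receiver_actions = {}
    if app is not None:
        for tag in ("activity", "service", "receiver", "provider"):
            components[tag] = [e.get(NAME_ATTR) for e in app.iter(tag)]
        # Which broadcasts each receiver asks to be woken up for.
        for recv in app.iter("receiver"):
            actions = [a.get(NAME_ATTR) for a in recv.iter("action")]
            if actions:
                receiver_actions[recv.get(NAME_ATTR)] = actions
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "sensitive": sorted(p for p in permissions if p in SENSITIVE_PERMISSIONS),
        "components": components,
        "receiver_actions": receiver_actions,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The watch-list is deliberately just the slide's set; in practice it is extended with whatever the reviewer treats as high-risk for the app's stated purpose, and the receiver actions are what show whether the app wants to run without the user opening it.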

Android Security Model

Application 1 UID : 1000 Dalvik VM

Application 2 UID : 1001 Dalvik VM

Application 3 UID : 1002 Dalvik VM

Application 4 UID : 1003 Dalvik VM

Application 5 UID : 1004 Dalvik VM

SYSTEM PROCESS (UID : SYSTEM)

LINUX KERNEL

Dalvik Virtual Machine

It is a virtual machine that runs Android apps

Register based instead of stack based

It runs .dex (Dalvik Executable) files

Created by Dan Bornstein
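As an added example, not from the slides: the .dex file the Dalvik VM runs (and that the reversing chain later on this page starts from) opens with a fixed 0x70-byte header. The Python below builds a constructed, header-only dex file with its Adler-32 checksum and SHA-1 signature filled in the way the format requires (checksum over everything after the checksum field, signature over everything after the signature field), parses the header back into named fields, and recomputes both values. The two integrity checks are what a reviewer uses to tell a dex that was rewritten after packaging from one that was not; the field values in the sample are constructed.

```python
import hashlib
import struct
import zlib

DEX_HEADER_LEN = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678

# The twenty little-endian u4 fields that follow magic, checksum and signature.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def build_sample_dex() -> bytes:
    """Constructed: a header-only dex with correct checksum and signature, no sections."""
    fields = [0] * len(HEADER_FIELDS)
    fields[HEADER_FIELDS.index("file_size")] = DEX_HEADER_LEN
    fields[HEADER_FIELDS.index("header_size")] = DEX_HEADER_LEN
    fields[HEADER_FIELDS.index("endian_tag")] = DEX_ENDIAN_CONSTANT
    body = struct.pack("<20I", *fields)
    signature = hashlib.sha1(body).digest()                   # covers bytes after itself
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF    # covers bytes after itself
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def parse_dex_header(data: bytes) -> dict:
    """Decode the dex header and recompute its checksum and signature."""
    if len(data) < DEX_HEADER_LEN or data[:4] != b"dex\n":
        raise ValueError("not a dex file")
    hdr = {"version": data[4:7].decode("ascii")}
    hdr["checksum"] = struct.unpack_from("<I", data, 8)[0]
    hdr["signature"] = data[12:32].hex()
    hdr.update(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    # Integrity: both values must match what the bytes actually hash to.
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == hdr["checksum"]
    hdr["signature_ok"] = hashlib.sha1(data[32:]).hexdigest() == hdr["signature"]
    hdr["endian_ok"] = hdr["endian_tag"] == DEX_ENDIAN_CONSTANT
    return hdr


def patch_u4_field(data: bytes, field: str, value: int) -> bytes:
    """Overwrite one header field without fixing up checksum or signature."""
    off = 32 + 4 * HEADER_FIELDS.index(field)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


if __name__ == "__main__":
    good = build_sample_dex()
    print("intact:", parse_dex_header(good)["checksum_ok"])
    edited = patch_u4_field(good, "class_defs_size", 1)
    print("after edit:", parse_dex_header(edited)["checksum_ok"])
```

Tools that rebuild a dex (baksmali/smali round-trips included) recompute both values, so a mismatch indicates a raw byte edit rather than a rebuild; a matching pair says nothing about whether the contents are benign.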

Some popular android malwares

DroidDream

Trojan FakePlayer

iCalendar

Geinimi

Making the APK

.java → .class → .dex → .apk

Reversing the APK

.apk → .dex → .class → .java

Reversing tools…

Tools used

apktool, baksmali

dex2jar

JD-GUI

File System Access

Android Debug Bridge (adb) command

Access a shell; pull/push files.

Many more.

Greetzzzzz

cnuhackz@gmail.com
