The Android platform is evolving. As a platform gains users, malware authors follow and start writing malicious code for it, and there have been many reports of Android malware recently. In reverse engineering, we use the following two methods to analyze malicious code:
---- Static Analysis
---- Dynamic Analysis
First, we obtain an Android malware sample named "videoplayer":
File: videoplayer.apk
MD5: fdb84ff8125b00000011b83cc85adce16
APK is the Android application package format. Each Android application is compiled and packaged into a single file containing all of the application code (the DEX file), resources, assets and the manifest file. The package file may be given any name, but its extension is .apk.
The .dex file is the compiled Android application code. An Android program is compiled into a .dex (Dalvik executable) file, which is then packaged into the APK together with the resources. The Java source is first compiled into class files, and the class files are then compiled into a DEX file, so the DEX file contains the application's compiled Java code.
The directory structure of videoplayer.apk is as follows:
Unpack the APK with 7zip to obtain the DEX file, convert the .dex into a .jar file with dex2jar, and then decompile the .jar with JD-GUI (see http://java.decompiler.free.fr/?q=jdgui).
The classes that look worth examining are 'helloworld' and 'movieplayer'.
The following code and a Russian string are found in 'helloworld':
super.onCreate(paramBundle);
TextView localTextView = new TextView(this);
localTextView.setText("[Russian text, garbled in this copy]");
The Russian text means: 'Press OK for access to the videotape library'
Further on in the code, the following was found:
localSmsManager.sendTextMessage("3353", null, "798657", null, null);
str1 = "3354";
try
{
    localSmsManager.sendTextMessage(str1, str2, "798657", localPendingIntent1, localPendingIntent2);
    str1 = "3353";
Analysis of the code shows that the program tries to send short messages (SMS) with the content '798657' to the numbers '3353' and '3354' (as seen in the code above). A Google search for these numbers shows that they belong to a Russian company called 'Incoremedia Ltd'. Such SMS numbers are so-called premium rate numbers, and the same numbers have also been used in other scams.
The same code also appears in the movieplayer class.
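As an added example (not code from the original write-up or from the malware), the following Python script performs this first triage step offline: it reads classes.dex straight out of the APK zip, walks the DEX string table described above, and flags SMS API references together with 4-6 digit short codes like the ones found here. The DEX header offsets follow the standard DEX 035 format; build_test_dex constructs a minimal sample DEX for testing and is not a real APK.

```python
import re
import struct
import zipfile

DEX_MAGIC = b"dex\n035\x00"  # header fields read below: 0x38 string_ids_size, 0x3C string_ids_off
SHORT_CODE = re.compile(r"^\d{4,6}$")  # premium SMS short codes are typically 4-6 digits
SMS_API = {"Landroid/telephony/SmsManager;", "sendTextMessage"}

def _read_uleb128(buf, off):
    """Decode the ULEB128 integer at buf[off]; return (value, offset after it)."""
    result = shift = 0
    while True:
        b, off = buf[off], off + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def iter_dex_strings(dex):
    """Walk the string_ids table and yield every string literal in the DEX."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)  # MUTF-8 payload is NUL-terminated
        yield dex[start:end].decode("utf-8", errors="replace")

def find_sms_indicators(dex):
    """Triage heuristic: SMS API names plus short-code-looking literals in one DEX."""
    strings = set(iter_dex_strings(dex))
    return {"sms_api": sorted(strings & SMS_API),
            "short_codes": sorted(s for s in strings if SHORT_CODE.match(s))}

def scan_apk(path):
    """An APK is a zip archive; the compiled code is classes.dex inside it."""
    with zipfile.ZipFile(path) as apk:
        return find_sms_indicators(apk.read("classes.dex"))

def build_test_dex(strings):
    """Constructed minimal DEX (header + string table only); unused header fields stay zero."""
    table_off = 0x70
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", table_off + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"  # 1-byte ULEB128 suffices for short ASCII
    header = bytearray(DEX_MAGIC) + bytes(0x70 - len(DEX_MAGIC))
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + ids + data
```

Hits from find_sms_indicators are a starting point for the dex2jar/JD-GUI step, not proof of fraud on their own: a legitimate messaging app will also reference SmsManager, so the destination numbers still have to be checked.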
For dynamic analysis, the Android SDK and the components it depends on must be installed. After creating a virtual device, install videoplayer.apk on it.
Clicking the movie player icon shows nothing unusual. Static analysis, however, has shown that once this app is activated it tries to send SMS messages.
http://securitybananas.com/?p=574