A Basic Introduction to Android Trojans
This article is a beginner's introduction to Android-based mobile malware: a walkthrough of one analysis together with a short guide to the tools used. The sample analyzed is syssecapp.apk from 2013. Working through it gives a rough idea of what Android malware does and how it can be examined.
Basics:
1-Android Application Basics
Android is an open-source mobile operating system developed by Google on top of the Linux kernel. Applications are written in Java and compiled into Dalvik bytecode, which runs in the Dalvik virtual machine; the VM abstracts the real hardware, so any program that conforms to the platform API can run. Each application is installed under its own Linux user and group, so an app, malware included, can only reach what the permissions it was granted allow.
The Android package format is APK, a ZIP file containing AndroidManifest.xml, the compiled code in classes.dex, resource and media files, and some other optional files. The manifest gives the system the information it needs to run the app, most importantly the permissions it requests; only the permissions listed in this file are granted, and a call that needs anything else fails with an error or an empty result. classes.dex holds the application logic as Dalvik bytecode: all classes are merged into a single dex file, which takes less space on a mobile device than a jar of individual .class files.
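To make the layout concrete, here is an added example (not code from the original article or from the syssecapp sample) that opens an APK as a ZIP, checks for the two mandatory entries, and parses the classes.dex header, including its adler32 checksum and SHA-1 signature as defined by the dex format. Because it must run offline, it also builds a constructed header-only dex and a constructed APK with a placeholder manifest (a real manifest is binary XML); those sample files are assumptions for demonstration, not artifacts of the Trojan.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Dex header layout (0x70 bytes) per the published dex format:
# magic(8) checksum(4) signature(20) file_size(4) header_size(4) endian_tag(4)
# followed by 17 uint32 size/offset fields.
DEX_HEADER_SIZE = 0x70
DEX_HEADER_FMT = "<8sI20sIII" + "I" * 17
DEX_FIELDS = [
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]


def parse_dex_header(data: bytes) -> dict:
    """Parse a dex header and verify its two integrity fields.
    checksum is adler32 over everything after the checksum field (offset 12);
    signature is SHA-1 over everything after the signature field (offset 32)."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    parts = struct.unpack(DEX_HEADER_FMT, data[:DEX_HEADER_SIZE])
    magic, checksum, signature, file_size, header_size, endian = parts[:6]
    info = dict(zip(DEX_FIELDS, parts[6:]))
    info.update({
        "magic_ok": magic[:4] == b"dex\n" and magic[7:8] == b"\x00",
        "version": magic[4:7].decode("ascii", "replace"),
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
        "endian_ok": endian == 0x12345678,
    })
    return info


def inspect_apk(apk_bytes: bytes) -> dict:
    """List an APK's entries and check for the two mandatory files."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        result = {
            "entries": names,
            "has_manifest": "AndroidManifest.xml" in names,
            "has_dex": "classes.dex" in names,
            "dex": None,
        }
        if result["has_dex"]:
            result["dex"] = parse_dex_header(zf.read("classes.dex"))
    return result


def build_sample_dex(class_defs_size: int = 3) -> bytes:
    """Constructed header-only dex (not a real app), with a valid checksum and
    signature so the parser above has something to verify."""
    fields = dict.fromkeys(DEX_FIELDS, 0)
    fields["class_defs_size"] = class_defs_size
    fields["class_defs_off"] = DEX_HEADER_SIZE
    body = struct.pack(DEX_HEADER_FMT, b"dex\n035\x00", 0, b"\x00" * 20,
                       DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678,
                       *[fields[f] for f in DEX_FIELDS])
    body = body[:12] + hashlib.sha1(body[32:]).digest() + body[32:]
    chk = zlib.adler32(body[12:]) & 0xFFFFFFFF
    return body[:8] + struct.pack("<I", chk) + body[12:]


def build_sample_apk() -> bytes:
    """Constructed APK. A real manifest is binary XML; a placeholder is used
    here because only the file layout is being demonstrated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", build_sample_dex())
        zf.writestr("res/drawable/icon.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_apk(build_sample_apk())
    print(report["entries"])
    print({k: v for k, v in report["dex"].items() if k.endswith("_ok") or k == "version"})
```

Point inspect_apk() at the bytes of any real APK to list its entries and header fields; a failed checksum or signature check on a real sample is itself worth noting, since it means the dex was modified after it was built.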
2-analysis tools
2.1 Dexter
Dexter is a web service: you upload an APK and it presents package and application metadata. A package dependency diagram shows the relationships between all packages, and the listing can be expanded quickly to show all classes and methods.
2.2 Anubis
Anubis is also a web service. It runs the application in a sandbox, with each sample isolated from the others, and reports file and network activity. It also performs some static analysis, including the permissions declared in the manifest and the API calls made during execution.
2.3 APKInspector
APKInspector bundles many tools. After loading an APK you select a tab to run each function. It includes the Java decompiler JAD, which can decompile most classes but often reports errors.
2.4 Dex2Jar
Dex2Jar converts dex files into Java class files (a jar), which a Java decompiler can then turn back into readable source. It is worth having even if you are an experienced reverse engineer.
3-instance analysis
3.1 Anubis
Anubis lists a large number of permissions requested by the application:
Some of them are expected in a game. INTERNET is commonly requested for online statistics and tracking, sharing, or advertising; WAKE_LOCK keeps the screen from locking during play, and READ_PHONE_STATE reads the phone's status. READ_CONTACTS and READ_HISTORY_BOOKMARKS, however, look odd and are not something a game should need. The connection to 127.0.0.1:53471 also looks strange. Analysis link: http://anubis.iseclab.org/?action=result&task_id=1a6d8d21d7b0c1a04edb2c7c3422be72f&format=html
3.2 Dexter
Dexter shows four packages in the dependency diagram. de.rub.syssec itself can be ignored: it contains only the default constructor of an empty class.
A second package under de.rub.syssec holds the game, called Amazed. Notably, the onCreate method of AmazedActivity sets a repeating alarm that fires every 15 seconds.
The third package contains the event receivers. OnBoot starts the alarm at boot. SmsReceiver and AlarmReceiver are the real Trojan components: whenever a text message arrives, SmsReceiver checks whether it contains the string "bank" and, if so, calls abortBroadcast() to drop the message.
This means the text message never becomes visible on the phone. de.rub.syssec.neu has six classes. The most important is Runner, which holds the actual malicious code. Work, reached through AlarmReceiver, checks whether the device is connected to the Internet.
If it is online, steal() is called to collect information, which is stored through an XML helper class.
Judging from the API calls, the data collected includes the IMSI, SIM card serial number, account name, device ID, user dictionary (auto-completion entries), contacts, call log, calendar, browser search history, browser bookmarks, sent and received text messages, and location.
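The permission list from 3.1 and the SmsReceiver behaviour above can both be spotted from the manifest alone before any decompilation. The following is an added example, not code from the article or from the sample: a triage script over a decoded AndroidManifest.xml (the plain-text form apktool produces) that flags data-reading permissions paired with INTERNET, a receiver positioned to swallow SMS_RECEIVED, and a BOOT_COMPLETED receiver. The embedded manifest is constructed and only loosely modeled on the findings; its package name, the RECEIVE_SMS permission and the priority value are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Namespaced android:* attribute key as ElementTree exposes it."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed manifest in the decoded form apktool produces, loosely modeled on
# the findings above. The package name, the RECEIVE_SMS permission and the
# receiver priority are assumptions, not values taken from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maze">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Amazed">
    <activity android:name=".AmazedActivity"/>
    <receiver android:name=".OnBoot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions that read user data; a maze game has no plausible need for them.
DATA_READ_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_USER_DICTIONARY",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str) -> dict:
    """Flag data-reading permissions paired with INTERNET (exfiltration),
    a high-priority SMS_RECEIVED receiver (positioned to call abortBroadcast()
    before the messaging app sees the SMS), and a BOOT_COMPLETED receiver
    (persistence across reboots)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(attr("name")) for p in root.iter("uses-permission")}
    sms_intercept, boot = [], []
    for rcv in root.iter("receiver"):
        name = rcv.get(attr("name"))
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(attr("name")) for a in flt.iter("action")}
            priority = int(flt.get(attr("priority"), "0"))
            if SMS_RECEIVED in actions and priority > 0:
                sms_intercept.append((name, priority))
            if BOOT_COMPLETED in actions:
                boot.append(name)
    suspicious = sorted(perms & DATA_READ_PERMS)
    return {
        "package": root.get("package"),
        "suspicious_permissions": suspicious,
        "exfil_capable": "android.permission.INTERNET" in perms and bool(suspicious),
        "sms_intercept_receivers": sms_intercept,
        "boot_receivers": boot,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The priority check matters because SMS_RECEIVED was delivered as an ordered broadcast on the Android versions this 2013 sample targeted, so the highest-priority receiver ran first and could abort it for everyone else; from Android 4.4 onward only the default SMS app can suppress an incoming message, which is why this trick stopped working on newer devices.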
3.3 Emulator
Running the APK in the emulator confirms that it really is a maze game. The log output, however, shows that it does a great deal more and tries to send the following:
Additional fields include the Android version, IMEI, local time, and a running count of how many times steal() has executed.
3.4 Analysis websites used
http://anubis.iseclab.org/
http://dexter.dexlabs.org/
https://www.virustotal.com/
http://www.apk-analyzer.net/
http://www.visualthreat.com/
http://androidsandbox.net/reports.html
https://hackapp.com/
A game is not just a game. Check your games.