The main goal is to give you an overview of the tools used and provide a starting point for further work.
We will first use some web services that give a good overview of a malware sample, and then specialized tools to understand the details.
Analysis Tools
1 - Dexter
Dexter is a web service that allows the upload of Android applications, which are then statically analysed. It provides a quick overview of the application's metadata and the packages it contains.
The package dependency graph shows all packages and their interconnections, with the ability to quickly open the method list of each one. The method list shows all classes and their methods.
When looking at a method, all API calls it makes are listed, which gives a basic understanding of the purpose of the method. Clicking on BBL graph (the basic block graph) opens the Smali representation of the code. Smali is a human-readable disassembly format for Dalvik bytecode that lists the instructions executed by the virtual machine.
2 - Anubis
Anubis is a web service that executes Windows and Android binaries in a sandbox. Each sample is run in isolation from the others.
The resulting report lists the application's observed activity, including file system and network activity. Some static analysis results are also provided, including the requested permissions, with a distinction between the permissions declared in the manifest XML and the ones actually exercised via API calls during execution. Usually a screenshot and, where applicable, a tcpdump capture of the traffic are provided. Keep in mind that a sandbox run only covers the code paths that were actually executed, so a permission that was declared but not exercised may still be used on a path the sandbox never triggered.
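The declared-versus-used permission comparison that Anubis reports is easy to approximate statically from the material the other tools give you: the manifest and the Smali disassembly. The following is an added example, not code from the original post or from Anubis, and it assumes a manifest already decoded from Android binary XML into plain text. The API-to-permission table is a small illustrative subset chosen for the example; a real check needs the full mapping for the Android version targeted by the sample. The sample manifest and Smali lines are constructed for the example.

```python
"""Cross-check the permissions an APK declares against the ones its code actually exercises."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: illustrative subset of permission-gated framework APIs.
# A production check needs the complete API-to-permission mapping for the target API level.
API_PERMISSIONS = {
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): "android.permission.SEND_SMS",
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"): "android.permission.READ_PHONE_STATE",
    ("Landroid/location/LocationManager;", "getLastKnownLocation"): "android.permission.ACCESS_FINE_LOCATION",
    ("Ljava/net/URL;", "openConnection"): "android.permission.INTERNET",
    ("Landroid/media/MediaRecorder;", "setAudioSource"): "android.permission.RECORD_AUDIO",
}

# Matches a Smali invoke instruction and captures the class descriptor and the method name.
INVOKE_RE = re.compile(r"^\s*invoke-[a-z]+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;)->([^(]+)\(")

# Constructed sample input: a decoded manifest and a few Smali lines from one method.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

SAMPLE_SMALI = """\
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0, v1}, Landroid/telephony/SmsManager;->divideMessage(Ljava/lang/String;)Ljava/util/ArrayList;
    invoke-virtual {v6}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
"""


def declared_permissions(manifest_xml: str) -> set:
    """Permissions requested via <uses-permission> in the (decoded) manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def used_permissions(smali_lines) -> dict:
    """Map each permission implied by a known API call to the Smali line numbers that invoke it."""
    used = {}
    for lineno, line in enumerate(smali_lines, 1):
        m = INVOKE_RE.match(line)
        if not m:
            continue
        perm = API_PERMISSIONS.get((m.group(1), m.group(2)))
        if perm:
            used.setdefault(perm, []).append(lineno)
    return used


def cross_check(manifest_xml: str, smali_lines) -> dict:
    """Compare declared and exercised permissions; both difference sets are worth a closer look."""
    declared = declared_permissions(manifest_xml)
    used = used_permissions(smali_lines)
    return {
        "declared": declared,
        "used": set(used),
        # The call throws a SecurityException at runtime, or the API table above is incomplete.
        "used_but_undeclared": set(used) - declared,
        # Over-privileged, or used through an API this small table does not cover.
        "declared_but_unused": declared - set(used),
    }


if __name__ == "__main__":
    for key, value in cross_check(SAMPLE_MANIFEST, SAMPLE_SMALI.splitlines()).items():
        print(f"{key}: {sorted(value)}")
```

On the constructed input the report flags SEND_SMS as used but never declared (an obvious lead when reading the Smali of the calling method) and ACCESS_FINE_LOCATION as declared but never exercised by any API in the table.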
3 - APKInspector
APKInspector combines many tools in one user interface. After the .apk has been loaded, you can open the Smali representation of a method by selecting it in the Methods tab of the side view.
APKInspector comes with Jad, a Java decompiler. It can decompile most classes, but it regularly produces mistakes that either prevent recompilation or make the class very hard to understand. In some cases it fails completely, and then the Smali representation must be used.
4 - Dex2Jar
Dex2Jar transforms the classes.dex of an Android application into a JAR of Java class files, which can then be read by ordinary Java reversing tools.
For example, APKInspector uses Dex2Jar to transform the loaded application's classes.dex into a JAR that Jad understands before the decompilation is started.
If you are experienced with Java reverse engineering and have some favourite tools, you can still use them on the JAR produced by Dex2Jar, although the Android-specific tools may provide more information about the APIs used.
My suggestion is APK to Java RC2: http://forum.xda-developers.com/showthread.php?t=1910873
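Whatever decompiler you end up with, the input is always the classes.dex pulled out of the APK (an APK is a ZIP archive). The following is an added example, not code from the original post or from Dex2Jar, that extracts classes.dex from an APK and checks the DEX header before handing the file to dex2jar: the magic and version, the Adler-32 checksum (covering everything after the checksum field), the SHA-1 signature (covering everything after the signature field), the declared file size and endian tag, and the table counts that tell you how much code to expect. A sample APK containing a header-only classes.dex is constructed inline so the example runs offline; the helper name `build_sample_apk` and the `tamper` function are assumptions for the example.

```python
"""Extract classes.dex from an APK and sanity-check its header before running dex2jar on it."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70           # 112 bytes, fixed by the DEX format
DEX_HEADER_FMT = "<8sI20s20I"    # magic, checksum, signature, then 20 little-endian uint32 fields
DEX_ENDIAN_CONSTANT = 0x12345678
FIELD_NAMES = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def extract_dex(apk_bytes: bytes, name: str = "classes.dex") -> bytes:
    """An APK is a ZIP archive; pull the named DEX member out of it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def parse_dex_header(dex: bytes) -> dict:
    """Decode the fixed-size DEX header and verify the integrity fields it carries."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FMT, dex, 0)
    info = dict(zip(FIELD_NAMES, fields))
    info["magic"] = magic
    info["magic_ok"] = magic[:4] == b"dex\n" and magic[7:8] == b"\x00"
    info["version"] = magic[4:7].decode("ascii", "replace")
    # Adler-32 covers everything after the checksum field itself (offset 12 to end of file).
    info["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    # SHA-1 covers everything after the signature field (offset 32 to end of file).
    info["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    info["size_ok"] = info["file_size"] == len(dex) and info["header_size"] == DEX_HEADER_SIZE
    info["endian_ok"] = info["endian_tag"] == DEX_ENDIAN_CONSTANT
    return info


def build_sample_apk() -> bytes:
    """Constructed test input (assumption): an APK whose classes.dex is a valid header with no classes."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT] + [0] * 17
    body = struct.pack("<20I", *fields)
    signature = hashlib.sha1(body).digest()                  # SHA-1 over offset 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # Adler-32 over offset 12..end
    dex = struct.pack("<8sI20s", b"dex\n035\x00", checksum, signature) + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder; a real APK carries binary XML here
    return buf.getvalue()


def tamper(dex: bytes, offset: int) -> bytes:
    """Flip one byte so the checksum and signature checks fail, as a corrupted or patched DEX would."""
    return dex[:offset] + bytes([dex[offset] ^ 0xFF]) + dex[offset + 1:]


if __name__ == "__main__":
    header = parse_dex_header(extract_dex(build_sample_apk()))
    for key in ("magic", "version", "checksum_ok", "signature_ok", "size_ok", "endian_ok",
                "class_defs_size", "method_ids_size", "string_ids_size"):
        print(f"{key}: {header[key]!r}")
```

Run `parse_dex_header` on `extract_dex(open("sample.apk", "rb").read())` for a real sample: a failing checksum or signature means the file was modified after it was built or is damaged, which is worth knowing before blaming Dex2Jar or Jad for a broken conversion, and the `*_size` counts give a first impression of how much code the sample contains.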