Saturday, September 2, 2017

Tools for Android malware analysis


This post lists some tools for which I managed to find information and that I think can be useful for dynamic and static analysis of Android malware.

When doing malware analysis, it is necessary to prepare a safe and reliable environment for running the malware in order to observe its behavior or reverse engineer it. Android malware, as much as malware for other platforms, demands such an environment, and one is a bit hard to find. One reason is that malware analysis demands high processor performance and memory capacity. Also, the emulators provided by the official Android SDK are very slow, and we don't want to run malware on a real Android device. This makes dynamic malware analysis very annoying and tedious. Some tools, like CopperDroid, address this problem very nicely. Specifically, CopperDroid provides a web interface where you can upload an APK file, which is then analyzed, and the results of the dynamic analysis are returned. The downside of this approach is that it may not find all threats.

The following list enumerates some tools for Android malware reverse engineering, debugging, monitoring and emulation of an Android device:

  • Androguard - Tool written in Python which can be used to analyze Android applications. Some of its features are: disassembly/decompilation/modification of the DEX/ODEX/APK formats, diffing of Android applications, measuring the efficiency of obfuscators, checking whether an Android application is present in a (malware) database, and a risk indicator for malicious applications.
  • APKinspector - Also written in Python, but provides a GUI to aid analysis of APKs and their DEX code. APKinspector can help to generate reports on the permissions used by the application, search and filter strings, classes and methods, and more. Some of the current modules used by APKinspector are based on Androguard.
  • Droidbox - Sandbox for dynamic analysis of Android applications. This tool reports hashes of the analyzed package, incoming/outgoing network data, file read and write operations, started services and classes loaded through DexClassLoader, information leaks via the network (files, SMS), circumvented permissions, cryptographic operations performed using the Android API, a listing of broadcast receivers, and sent SMS and phone calls.
  • CopperDroid - Out-of-the-box dynamic behavioral analysis of Android malware. To this end, CopperDroid presents a unified analysis to characterize low-level OS-specific (e.g., writing to a file) and high-level Android-specific behaviors (e.g., sending an SMS, placing a phone call). Based on the observation that such behaviors are nevertheless achieved through the invocation of system calls, CopperDroid's VMI-based, dynamic, system-call-centric analysis is able to faithfully describe the behavior of Android malware whether it is initiated from Java, JNI or native code execution. In addition, CopperDroid features a stimulation technique to improve code coverage, aimed at triggering additional behaviors of interest. Our initial experiments show that a proper malware stimulation strategy (e.g., sending SMS, placing calls) successfully discloses additional behaviors on a non-negligible portion of the analyzed malware.
  • Android-apktool - Tool for reverse engineering the Android APK format, running on the Java runtime environment.
  • Smali - Assembler/disassembler for the DEX format used by Dalvik, Android's Java virtual machine implementation. Supports the full functionality of the DEX format, e.g. annotations, debug info, line info.
  • Android-x86 - Provides a ready-to-use virtual machine disk which can simply be mounted and used to run the original Android on VirtualBox. The advantage of this method is that the experience is 99% like an actual Android device, but with higher processor performance, physical memory and storage.
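Several of the tools above (Androguard, Smali, apktool) work on the DEX format, and a sandbox like Droidbox starts by hashing the package. As an added example that is not code from the original post or from any of these tools, the following Python parses a DEX header and re-verifies its two built-in integrity fields (the adler32 checksum and the SHA-1 signature), which is a quick first check for a classes.dex that was edited after it was built. The sample DEX is a header-only file constructed inline, not taken from any real app.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
# magic(8) | checksum(u32) | signature(20) | 20 little-endian u32 fields
HEADER_FMT = "<8sI20s" + "I" * 20
FIELD_NAMES = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse a (little-endian) DEX header and recompute its integrity fields.

    checksum  = adler32 over everything after the checksum field (offset 12 to EOF)
    signature = SHA-1 over everything after the signature field (offset 32 to EOF)
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic, checksum, signature, *rest = struct.unpack_from(HEADER_FMT, data, 0)
    if not magic.startswith(b"dex\n") or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic: %r" % magic)
    header = dict(zip(FIELD_NAMES, rest))
    header["version"] = magic[4:7].decode("ascii")
    header["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    header["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    header["size_ok"] = (header["file_size"] == len(data)
                         and header["header_size"] == DEX_HEADER_SIZE)
    return header


def build_sample_dex() -> bytes:
    """Constructed sample: a minimal header-only DEX with correct checksum and signature."""
    fields = dict.fromkeys(FIELD_NAMES, 0)
    fields.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE,
                  endian_tag=0x12345678, data_off=DEX_HEADER_SIZE)
    body = struct.pack("<" + "I" * 20, *(fields[n] for n in FIELD_NAMES))
    signature = hashlib.sha1(body).digest()           # covers offset 32 to EOF
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # covers offset 12 to EOF
    return struct.pack("<8sI20s", b"dex\n035\x00", checksum, signature) + body


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate a post-build edit by flipping one bit at the given offset."""
    patched = bytearray(data)
    patched[offset] ^= 0x01
    return bytes(patched)
```

A mismatch in either field does not prove malice (repackaging tools rewrite them too), but a DEX whose stored checksum or signature no longer matches its contents was definitely modified after it was produced.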
In the next posts I will do some Android malware analysis using the presented tools. Also, in case you know some tool that should be in this list, please leave its URL in the comments.
