Tuesday, 2 August 2011

Android Analysis - Droid Kung Fu

For a number of months now, the threat of mobile malware has been shifting from limited occurrences to full-scale mass infections across the Android Market. One of the most pervasive of these is known as “DroidKungFu”. This malware has appeared in numerous game packages under various malicious users. This post details one such application and looks at what makes up such an attack.

Analysis of Android malware is similar to that of Java malware. Android runs on the Dalvik VM, which is similar to the JVM. Applications consist of .DEX files that are essentially class files. A complete application consists of an APK file (like a JAR), an archive containing the DEX files and the other resources required for the application to run. As with Java, there are various tools to unpack the archives and disassemble the DEX files to Dalvik bytecode or Java source code, making analysis extremely simple. The remainder of the post details the analysis of the sample obtained from Contagio.

Unpacking the Archive
The APK file is essentially an archive that can be unzipped using WinRAR or 7-Zip. The resulting folders are in the structure required by Android.

The manifest XML file is a binary XML file containing information about the package and its configuration. The file is also responsible for launching various classes within the package. As it is in a binary format, it is necessary to decode it to a readable format. Using AXMLPrinter2.jar we can output it to a readable file. The decoded output shown below illustrates the permissions required by the application. A number of unusual permissions are requested by the application, which should raise suspicion.


Now it is possible to reverse the DEX files using a number of techniques. We can use baksmali to disassemble the code to assembly-like Dalvik bytecode, which is readable but not as intuitive as Java source code. An example of baksmali output is shown:




In this instance, a number of commands are visible, such as the chmod and killall commands. This portion of code is responsible for setting up the folder structure and the exploits. Also shown is a URL and some captured phone variables such as the IMEI. The URL is a known malicious URL associated with this family of malware.

The most effective way to analyse this malware is to convert the files to Java class files and decompile them using a Java decompiler such as JD-GUI. Using the dex2jar application available from http://code.google.com/p/dex2jar/ it is possible to convert the DEX files within the APK file to Java class files. Simply run dex2jar.bat with the APK file as an argument and it will convert the file to a JAR file. JD-GUI may then be used to decompile all of the files to more user-friendly source code for review. Some of the resulting code is shown below in the screenshots. These areas of code are responsible for the exploitation and theft of data that KungFu is known for:
Checking permissions and getting root

Getting root using various exploits based on version
Drop file if not installed


Additional trojan functionality
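The first two steps of the workflow above, as an added Python example that is not code from the original post: open the APK as a zip, check whether AndroidManifest.xml is compiled AXML (and so needs AXMLPrinter2 before it can be read), and run a strings-style triage over classes.dex for the chmod, killall, IMEI and URL indicators the baksmali output exposed. The APK, the stand-in classes.dex, the indicator list and the placeholder URL are all constructed for the example and are not taken from the real sample.

```python
import io
import re
import zipfile

# Constructed stand-in for an APK (not the DroidKungFu sample): a zip holding a
# binary-format manifest stub and a fake classes.dex whose only realistic
# property is that it embeds the kinds of strings the post saw in the smali.
FAKE_DEX = (b"dex\n035\x00" + b"\x00" * 32
            + b"\x00chmod 4755\x00killall\x00getDeviceId\x00IMEI\x00"
            + b"http://c2.example.invalid/report\x00")   # placeholder, not the real URL

def build_sample_apk() -> bytes:
    """Assemble the constructed sample in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)
        z.writestr("classes.dex", FAKE_DEX)
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)
    return buf.getvalue()

AXML_MAGIC = b"\x03\x00\x08\x00"   # RES_XML_TYPE chunk header as stored on disk
DEX_MAGIC = b"dex\n"

# Triage buckets keyed on the indicators the post points at in the smali output.
INDICATORS = {
    "shell": re.compile(r"\b(chmod|killall|mount|su)\b"),
    "device_id": re.compile(r"IMEI|IMSI|getDeviceId|getSubscriberId"),
    "url": re.compile(r"https?://[\w.\-/]+"),
}

def manifest_is_binary(apk: bytes) -> bool:
    """True when AndroidManifest.xml is compiled AXML and must be decoded first."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read("AndroidManifest.xml").startswith(AXML_MAGIC)

def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of running `strings` over a file: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]

def triage_dex(apk: bytes) -> dict[str, list[str]]:
    """Pull every classes*.dex out of the archive and bucket suspicious strings."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for entry in z.namelist():
            if not (entry.startswith("classes") and entry.endswith(".dex")):
                continue
            data = z.read(entry)
            if not data.startswith(DEX_MAGIC):
                continue   # named like a DEX file but is not one; skip it
            for s in printable_strings(data):
                for cat, pat in INDICATORS.items():
                    if pat.search(s):
                        hits[cat].append(s)
    return hits
```

On a real sample, a manifest that fails the AXML check is already plain XML and can be read directly; the triage buckets only say where to look first in the decompiled source, not that the strings are malicious.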
