Growth of mobile malware was slow up until 2010, despite the industry constantly predicting it would increase. What change in 2010-2012 saw an explosion in malware?
Android was released
For mobile worms – name 3 main ways that they can spread from device to device
- Bluetooth
- MMS
- other vulnerable protocol (e.g. SSH) on the provider netblock
Apart from “normal” spyware features that are common between Windows and Mobile malware (infostealing of passwords) – name 3 features that are generally unique to mobile malware
Anything with SMS, or Phone Calls, Geolocation
Briefly (1-2 lines) explain how a Banking Mobile Trojan tends to work
They are normally designed to intercept 2 factor – by intercepting SMS or a proprietary protocol
You have found an Android malware sample that you believe to be exfiltrating data to a number starting with +353. Give a general overview of how to do Android malware analysis by treating it as Java code (as opposed to Dalvik assembly). In your description list:
- The main tools you would use
- 1-2 lines to describe the major steps you would carry out in order to analyse the sample and identify where the code sending the message is located
- Tools: Winzip, Dex2Jar, JD-GUI
- Desc of using these 3 tools in order, and then searching in the decompiled Java for +353.
Name ways how a malicious APK file can make its way onto a target phone?
- 3rd Party App Stores
- Official Android PlayStore
- Driven By Downloads
- Phising
- QR codes
- Mobile Worm
What are three common malware motives?
- Worms (just spread for the sake of spreading)
- Malicious destructive Trojans
- Financially motivated malware
- Banking trojans like Zitmo
- Ransomware
- SMS Trojans to high cost numbers
- SPAM Trojans
- Spyware
How is an APK being created?
- Programmer write code in Java
- Compiler compiles files into Class files
- Class files gets converted to dex files (Bytecode for Dalvik VM)
- Classes.dex + AndroidManifest.xml + Resources (media files) = APK file
How can you analyse Android Malware?
- WinZip: Extract content => Manifest + DEX file
- Dex2Jar: Convert classes.dex into JAR
- JD-GUI: Use Java Decompiler to analyse code inside JAR.
Why increased malware on Android that much?
- A Platform / OS with enough market share to make good business sense to attack
- Good development support
- Relatively poor lack of security protection
What is the AndroidManifest.xml?
The XML file AndroidManifest.xml describes the application (e.g. The permissions needed). These are the same permissions that are presented to a user when they wish to install an app
Name some other Android analysis tools?
- AndroGuard
- Joes Sandbox
- APK-Analyzer.net
- Genymotion
- AppUse
What can you do if the some parts are coded directly in the Dalvik language?
Use SMALI / BAKSMALI
