How to Analyze an Android Bot
Page 1
SESSION ID: MBS-R02
#RSAC
How to Analyze an Android Bot
Kevin McNamee
Nokia Threat Intelligence Lab, @KevMcNamee
Page 2: Agenda
Introduction
Tools
The Lab
Demo
Q&A
Page 3: Why Analyze Android Malware
We monitor mobile traffic for malware infections:
Malware C&C
Exploits
DDOS
Hacking
Need accurate detection rules
[Diagram: Mobile Network Security Analytics. A malware detection sensor sits on the mobile network path (RAN: NodeB/RNC and eNodeB; SGSN/SGW; GGSN/PGW; Internet) and feeds alert aggregation & analysis and forensic analysis.]
Page 4: Developing Malware Detection Rules
[Diagram: malware detection rule pipeline, with its stages in the order they appear: malware samples → virus vault (120K+ analyzed per day, 30M+ active samples) → sandbox → malware traffic library → rules development / rules library → rules repository → quality testing → deployment-specific rule sets → rule activation → field testing in live networks → feedback from field tests; traffic policy and zero-day behavioral rules also feed the rules.]
Page 5: Android Malware Analysis
So, we built our own Android malware analysis lab.
You will learn:
What tools are required
How to set up the network environment
How they are used
Analysis allows you to:
Know what the malware does
Understand its threat level
Detect and remediate the infection
Page 6: Android App
Contained in an APK file (zip format)
Main components include:
Manifest
Dalvik byte code (classes.dex file)
Resources
Assets
Libraries
Page 7: Basic Analysis Process
Explore what's in the APK file
Decompile DEX and review source
Run app on phone or AVD and capture network activity
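An added example, not from the talk: a Python script for the first step above, exploring the APK as a zip archive. It inventories the components listed on the Android App slide and validates the classes.dex header (magic, Adler-32 checksum over bytes 12 onward, SHA-1 signature over bytes 32 onward, table sizes), which catches a truncated or tampered DEX before it is handed to dex2jar. The APK and the DEX header are constructed in memory with assumed file names and no real code, so it runs offline.

```python
import hashlib, io, struct, zipfile, zlib

DEX_HEADER = struct.Struct("<8sI20s20I")  # magic, adler32, sha1, then 20 uint32 fields
def parse_dex_header(data):
    """Validate a classes.dex header (magic, adler32, sha1) and decode its table sizes."""
    if len(data) < DEX_HEADER.size or data[:4] != b"dex\n" or data[7] != 0:
        raise ValueError("not a dex header")
    magic, checksum, signature, *f = DEX_HEADER.unpack_from(data)
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:  # checksum covers bytes 12..end
        raise ValueError("adler32 mismatch: dex truncated or patched")
    if hashlib.sha1(data[32:]).digest() != signature:      # signature covers bytes 32..end
        raise ValueError("sha1 signature mismatch")
    # f[0]=file_size, f[6]=string_ids_size, f[14]=method_ids_size, f[16]=class_defs_size
    return {"version": magic[4:7].decode(), "file_size": f[0], "strings": f[6],
            "methods": f[14], "class_defs": f[16]}

def classify(name):
    if name.startswith("classes") and name.endswith(".dex"):
        return "dex"
    for prefix, label in (("AndroidManifest.xml", "manifest"), ("res/", "resources"),
                          ("assets/", "assets"), ("lib/", "libraries")):
        if name.startswith(prefix):
            return label
    return None

def triage_apk(apk_bytes):
    """Inventory the components of an APK (a zip file) and verify every DEX header in it."""
    report = {"components": {}, "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            label = classify(name)
            if label:
                report["components"].setdefault(label, []).append(name)
            if label == "dex":
                report["dex"][name] = parse_dex_header(zf.read(name))
    return report
# Constructed sample (not a real app): a synthetic 112-byte DEX header with no code.
def build_fake_dex(class_defs=3):
    body = struct.pack("<20I", 0x70, 0x70, 0x12345678, *([0] * 13), class_defs, 0, 0, 0)
    sig = hashlib.sha1(body).digest()
    return b"dex\n035\0" + struct.pack("<I", zlib.adler32(sig + body)) + sig + body
def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("AndroidManifest.xml", b"<binary-xml>"), ("classes.dex", build_fake_dex()),
                           ("res/layout/main.xml", b""), ("assets/cfg.bin", b"\0" * 16),
                           ("lib/armeabi-v7a/libnative.so", b"\x7fELF"), ("META-INF/CERT.RSA", b"")):
            zf.writestr(name, data)
    return buf.getvalue()
```

Running `triage_apk(build_sample_apk())` on the constructed APK reports one manifest, one DEX (version 035, 3 class definitions) and the resources, assets and libraries entries; on a real sample, feed it the APK bytes read from disk.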
Page 8: Tools – Android Studio
If you are going to analyze apps you have to know a bit about how they are made…
Also provides many of the tools needed for analysis:
ADB (debugging)
AVD (simulated phones)
Page 9: Tools – Apktool
Tool for reverse engineering Android packages (apk files)
Extract components: Manifest, Resources, Libraries, Assets, Byte-code (Smali)
Can edit and modify components
Rebuild modified app
Page 10: Tools – ADB
Android Debug Bridge
Comes with Android Studio
Provides:
Shell access
Access to file system
Scripted remote control
Application install/uninstall
Page 11: Tools – dex2jar
Converts Dalvik byte code to Java byte code
First step in decompiling an Android app.
Page 12: Tools – Java Decompiler
Converts Java byte code to source code.
Doesn't always work
Options include:
JD-GUI
Luyten (Procyon)
Page 13: Tools – Wireshark
Capture network traffic
Analyze network traffic
Help develop detection rules
Page 14: The Lab
[Diagram: lab setup with the labels Internet, Control Server, ADB/USB, wifi, Malware, Packet Capture: the phone running the malware is driven from the control server over ADB/USB, and its wifi traffic to the Internet passes through a packet capture point.]
Pages 15–17: no transcribed text.
Page 18: Using a Real Mobile Network
Some malware may only function on a real mobile network.
You can build your own mobile network.
[Diagram: a BTS connected over Ethernet to a Linux host running OpenBSC, OsmoSGSN and OpenGGSN, which provides GPRS data service out to the Internet.]
Page 19: Automation
We have automated the analysis process using:
Web based user interface
Real phones and AVDs
Malware database
Apktool/dex2jar/JD-GUI
ADB scripting
Monkey script
Wireshark
Interface to VirusTotal
Page 20: Provides a name
Page 21: Information from Manifest
Page 22: Run Sample in AVD
Page 23: Analyze Network Traffic
Page 24: Manual Demo – NotCompatible Proxy Bot
Page 25: Disassemble APK
Page 26: Directory structure created by apktool
Disassembled DEX in Smali format
Page 27: View Manifest
Permissions
Intents
Page 28: Unzip APK file
Convert to JAR
Page 29: View the Java source
Config file is encrypted using AES
Page 30: C&C Decoder
Page 31: C&C Decoder
If you don't like Java you can look at the Smali code.
It can be modified and the APK can be rebuilt using apktool.
Page 32: C&C packet capture
Ping/Pong
Proxy Request
Data
Page 33: NotCompatible – Overview
Web proxy bot ported from Windows to the Android environment.
Allows remote miscreants to anonymously browse the web through the victim's phone.
Consumes lots of bandwidth: for example, 165MB in two hours over 300K TCP sessions.
Page 34: NotCompatible – Infection
Phishing spam is used to lure the victim to an infected web site.
The web site tells you the browser is "not compatible" and provides an update.
The user downloads and installs update.apk.
The malware has no icon or user interface. It is automatically started on BOOT.
You can get rid of the infection by uninstalling the application.
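An added example, not from the talk: a Python triage of the AndroidManifest.xml that apktool decodes, checking for exactly the traits described above: declared permissions, declared components, whether there is a launcher activity (without one the app has no icon) and whether a BOOT_COMPLETED receiver together with the RECEIVE_BOOT_COMPLETED permission makes the app start at boot. The manifest below is constructed for the example with an assumed package name and component names; it is not NotCompatible's real manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
BOOT = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(xml_text):
    """Summarise a decoded AndroidManifest.xml: permissions, declared components,
    whether the app shows a launcher icon and whether it auto-starts on boot."""
    root = ET.fromstring(xml_text)
    name = lambda e: e.get(ANDROID + "name")
    perms = sorted(name(p) for p in root.findall("uses-permission"))
    app = root.find("application")
    components, launcher, boot_receiver = {}, False, False
    for comp in (list(app) if app is not None else []):
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        components.setdefault(comp.tag, []).append(name(comp))
        actions = {name(a) for a in comp.iter("action")}
        categories = {name(c) for c in comp.iter("category")}
        if comp.tag == "activity" and "android.intent.action.MAIN" in actions \
                and "android.intent.category.LAUNCHER" in categories:
            launcher = True
        if comp.tag == "receiver" and BOOT in actions:
            boot_receiver = True
    findings = []
    if not launcher:
        findings.append("no launcher activity: app has no icon in the app drawer")
    # A BOOT_COMPLETED receiver only fires if the permission is also declared.
    if boot_receiver and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("BOOT_COMPLETED receiver: app starts automatically at boot")
    if "service" in components and "android.permission.INTERNET" in perms:
        findings.append("background service with INTERNET permission")
    return {"package": root.get("package"), "permissions": perms,
            "components": components, "findings": findings}

# Constructed sample in the shape apktool writes it; not the real NotCompatible manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Update">
        <service android:name=".ProxyService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""
```

`triage_manifest(SAMPLE_MANIFEST)["findings"]` yields all three findings for the constructed sample; point it at `AndroidManifest.xml` from an apktool output directory for a real one.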
Page 35: NotCompatible – Operation
Opens an encrypted configuration file containing the address and port number of the server.
The bot connects to the server via TCP.
A sophisticated command and control protocol is then used to multiplex web proxy services over that connection.
This provides an anonymous web browsing service to clients.
Page 36: NotCompatible – Command & Control
A simple command/response packet format contains both commands and data.
The channel number can multiplex many connections at once.
Ping and pong are used as a heartbeat when there is no proxy work to be done.
Once a proxy request is issued, the "raw data" commands are used to transfer the data in either direction.
Packet format:
Commands:
Page 37: NotCompatible – Uses & Impact
Uses:
Anonymous web browsing service
Providing access to restricted foreign content
Ad-click fraud
Web site optimization fraud
APT probing and exfiltration
Impact:
One user from Finland, roaming in the US, used over 165MBytes in less than two hours of airtime.
In the lab it averages 100MBytes per hour.
Causes huge data bills
Causes the battery to run down quickly
Who knows what sites your phone is visiting!!!
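An added example, not from the talk: a Python detection heuristic for the traffic profile the overview and impact slides describe, namely very many TCP sessions fanning out to many destinations at roughly 100 MB per hour. It aggregates flow records per device and hour and flags a device only when two or more indicators trip. The flow records and the thresholds are constructed assumptions for the example, not figures or rules from the talk.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, chosen well below the figures the talk
# reports for NotCompatible (about 100 MB and 150K TCP sessions per hour); tune per network.
MAX_SESSIONS_PER_HOUR = 5000
MAX_DISTINCT_DSTS_PER_HOUR = 1000
MAX_BYTES_PER_HOUR = 50 * 1024 * 1024

def parse_flow(line):
    """Parse one constructed flow record: epoch_seconds,device,dst_ip,dst_port,bytes."""
    ts, dev, dst, port, nbytes = line.strip().split(",")
    return int(ts), dev, f"{dst}:{port}", int(nbytes)

def hourly_stats(lines):
    """Aggregate flows per (device, hour bucket): session count, distinct destinations, bytes."""
    stats = defaultdict(lambda: {"sessions": 0, "dsts": set(), "bytes": 0})
    for line in lines:
        ts, dev, dst, nbytes = parse_flow(line)
        bucket = stats[(dev, ts // 3600)]
        bucket["sessions"] += 1
        bucket["dsts"].add(dst)
        bucket["bytes"] += nbytes
    return stats

def find_proxy_bots(lines):
    """Flag devices whose hourly profile looks like an open web proxy: many short TCP
    sessions fanning out to many distinct destinations, with high total volume."""
    flagged = {}
    for (dev, hour), s in sorted(hourly_stats(lines).items()):
        reasons = []
        if s["sessions"] > MAX_SESSIONS_PER_HOUR:
            reasons.append(f"{s['sessions']} sessions/hour")
        if len(s["dsts"]) > MAX_DISTINCT_DSTS_PER_HOUR:
            reasons.append(f"{len(s['dsts'])} distinct destinations/hour")
        if s["bytes"] > MAX_BYTES_PER_HOUR:
            reasons.append(f"{s['bytes'] // 2**20} MB/hour")
        if len(reasons) >= 2:  # require two indicators to limit false positives
            flagged.setdefault(dev, []).append((hour, reasons))
    return flagged

# Constructed flow log: an ordinary phone and one behaving like a proxy bot, same hour.
def sample_flows():
    base = 10 * 3600
    normal = [f"{base + i * 60},phone-A,203.0.113.{i % 5},443,20000" for i in range(40)]
    bot = [f"{base + i % 3600},phone-B,198.51.{(i // 250) % 8}.{i % 250},{80 if i % 2 else 443},15000"
           for i in range(6000)]
    return normal + bot
```

On the constructed log, `find_proxy_bots(sample_flows())` flags only phone-B, with all three indicators for hour 10; real flow records from the lab's packet capture can be fed in the same five-field form.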
Page 38: Summary
Android malware analysis enables you to:
Know what the malware does
Understand the threat level
Detect and remediate the infection
You should now know:
What tools are required
How to set up the network environment
How to use the tools