In this article, we are dealing with the main principles of the detection and analysis of the Android operating system malware, considering that this operating system is widely used in the smartphones and tablets. The main tools that are used by the experts for Android applications analysis are described.
- General characterization of the Android malware;
- Android malware detection;
- Anti-forensic techniques and countermeasures;
- Analysis of malicious activity traces;
Mobile devices contain a great number of important personal information, including banking information and it attracts cybercriminals. The development of the mobile operating systems, such as iOS and Android for example, and also technological development of smartphones and tablets made the operating systems, mentioned above, popular. High demand, a great number of the operating system security holes and a lack of antivirus protection aroused cybercriminals’ interest in the development or purchasing of the mobile platforms’ malware. As a result, it set up new tasks for digital forensic experts.
General characterization of the Android malware
Most of the applications on Android operating system are developed using Java programming language. The programs are executed in the system via AndroidRuntime, starting from version 4.4.
In order to make the applications’ analysis, an expert has to understand its format. Thus to analyze applications are stored in the mobile device memory in the APK format. It is worth to notice that an application is compiled first and only then it is archived into the APK file with all its parts. The file is a ZIP-archive that contains bytecodes, resources, certificates, and manifest-file. After installation, the APK file is copied to a specific location in the system. Usually, for the system applications, the location is /system/app and for user-installed applications, it is /data/app.
In the context of forensic processing, an APK file contains three main important parts: signature, bytecode and resources.
The signature contains a hash-sum of the APK file, which may help the expert to find out if the application is damaged. Moreover, the expert can collect the signatures of applications, including the signatures of malware, in order to speed up a process of malware identification in the memory of an examined device.
The executable part of the application is stored in the file classes.dex that is in the APK file, and it contains all the compiled classes in the form of bytecodes. It should be mentioned that the bytecode is converted to the instructions for the AndroidRuntime virtual machine, as this virtual machine is register-based unlike Java virtual machine. Also, APK file may contain compiled code (catalog lib).
Resources are non-executable parts of the application, for example, components of user’s interface. The most important part of the resources is, in the context of forensic processing, AndroidManifest.xml. This file contains information about permissions that the application requires at the installation step. Some applications request the permission to use messages, contacts etc., in order to get an access to the protected API files of the Android operating system. The analysis of the examined file is the most important step of the malware detection.
Android malware detection
Despite the fact that there are specialized malware detection applications, they do not provide the solution to the issue of this article. The task of the forensic expert is not only to detect a malware, but also to analyze its code and reconstruct the malicious events.
Hash can be used in order to detect a malware. Hash database can be collected from the data that is represented, for example, in Google Play. The fact that hash sum of an application does not match any hash from the database may be an indication that this application is a malware. It is obvious that the indication is not enough to make a firm conclusion: the in-depth analysis is required.
Permission requirement is a unique feature of Android software. It should be mentioned that the request is required only once – during the process of installation. Many users ignore this requirement and as a result, the malware, which seems to be harmless, gets an access to everything it needs. Suspicious permission request is one of the main features of a malware.
Anti-forensic techniques and countermeasures
Experts put emphasis on the four most widely used anti-forensics techniques of Android malware: obfuscation, strings encryption, decompilation resistance and environment verification.
Obfuscation is a technique that allows the developers to safe the functions of an application but the code of it will be changed in the way that it will be hard to make its analysis and to understand its algorithms.
The expert has to make a decompilation of the malware before the deobfuscation of the code. Unfortunately, decompilers can not decompile applications perfectly. The code provided after the decompilation process, usually, is incomplete and has errors, but the bytecode is always accurate, even though it is much more difficult to be analyzed. It shows that experts should take into account both decompiled code and bytecode when they analyze malware.
In order to extract bytecode (in .dex format) from APK file expert may use, for example, ApkTool. A combination of tools, such as Dex2Jar (decompilation) and JD-CUI (analysis), can be used for decompilation of a bytecode into Java source code. The decompiled Java source code has to be edited: there may be a need to remove empty classes, correct errors, rename techniques, classes, objects etc.
Strings of a malware are the source of the most valuable information for the forensics process. In order to make strings encryptions, developers use both simple techniques, such as XOR, Base64, ROT13 (including its variations, for example, ROT15), and sophisticated ones, such as DES and AES.
In order to make strings identification that were encrypted by XOR technique, the expert can use XORSearch tool developed by Didier Stevens.
it is important to note that cybercriminals use different techniques to avoid detection of the algorithm. For example, XOR encryption can be done by two steps: 1) using one value and then 2) using another one.
There are a great number of programs and online –services that allow to make strings, which were encrypted by Base64, readable. Even though it is not difficult to make the decryption, it can be challenging for an expert. For example, if the developers of the malware changed the symbols order in the Base64 alphabet and it could obstruct the work of standard decryptors.
ROT13 – is the simplest algorithm out of three we are dealing with, but there are modifications of it that can make the process of decryption more difficult. The malware developers may use modifications of this algorithm, for example ROT15, that rotate not 13 letters, but 15. Some malware are written in a way that they can function only on a certain types of mobile devices. Such applications check not only the system properties, but also international mobile subscriber identity (IMSI). The application will not run if a device or emulator does not satisfy the requirements of the application, it obstructs the dynamic analysis. There is a countermeasure against this technique: an expert needs to modify the code of the malware.
Analysis of malicious activity traces
Experts differ two types of malware analysis: dynamic and static.
In the context of the dynamic analysis of a malware, which is sometimes called behavioral analysis, experts deal with the behavioral features, including the information about the interaction with the system, what kind of data it collects, what kind network connection it setups etc.
In order to make the dynamic (behavioral) analysis, an expert may use, for example, Droidbox tool. It allows to collect the following information about the malware and about its activity in the system:
- APK file hash sum (algorithms MD5, SHA-1 and SHA-256);
- information about sent and received data via network;
- information about reading and recording of files;
- information about running services and loaded classes;
- information about collecting and sending of user’s data;
- information about the permissions that application has received;
- information about crypto-operations that are done by the application with using of Android API;
- information about sent SMS and phone calls.
The analysis will provide the expert with a set of files in JSON format that contain the abovementioned information. It is necessary to point out that the tool with which we are dealing is used on Linux and Mac OS X operating systems, but most of the experts use the computers running Windows operating systems. The solution of this problem can be a creation of a virtual machine and installation of the operating system or an expert can use Santoku Linux distribution.
Static analysis of a malware makes analysis of its code. The main task of this type of analysis is to identify the part of code that executes the malicious activity.
There are two widely used ways of making static analysis: 1) via ApkTool and 2) via the combination of Dex2Jar and JD-GUI.
ApkTool allows to disassemble a malware. The analysis will provide an expert with a several files and catalogs, including:
- Android Manifest file, which contains the information about permissions requested by the malware and the information about entry points;
- A res catalog, which contains XML-files that describe application’s template, and required image files for the application etc.;
- A smali catalog, which contains .smali files (operational code) that can be analyzed via text editor with syntax highlighting feature, for example Notepad++.
In order to use Dex2Jar, the expert needs to extract API file of the malware then convert classes.dex file (bytecode), via Dex2Jar, into classes.dex.dex2jar.jar (java-code). The analysis of the file that contains Java code can be made via JD-GUI program.
Fig 1. Steps of detection and analysis of the malicious activity traces in the Android operating system.
In this article, we discussed the main principles of the detection and analysis of the Android operating system malware. The main tools that are used for the Android applications analysis were shown. In the following articles, we are going to take a closer look at the ways and tools of the malware analysis, and provide the examples of the detailed analysis.