Page 1

Android Malware
Past, Present, and Future

Author:
Carlos A. Castillo
Mobile Security Working Group
McAfee

White Paper

Page 2

White Paper Android Malware—Past, Present, and Future

Table of Contents
Executive Summary 3

Introduction 3

The History of Android Malware 4

Android Fundamentals 9

Methodologies and Tools to Analyze Android Malware 11

Mobile Malware Evolution 12

The past: Fake Player 12

The present 17

The future 24

Conclusion 25

Acknowledgements 25

Page 14


When the object localDataHelper is created, the DataHelper constructor instantiates a nested
OpenHelper object and compiles an SQL statement that inserts into the "was" field of the existing
table "table1":

Figure 6. DataHelper constructor preparing the SQL statement that inserts into the "was" field of the SQLite database.

Inside the class DataHelper there is a nested class, OpenHelper, which is responsible for
creating the SQLite database movieplayer.db with only one field (was).



Figure 7. Fake Windows Media Player creating a SQLite database.

Once the database is created and the SQL statement is compiled, the method canwe is executed:



Figure 8. Canwe method.

Page 15


However, the code shown by JD-GUI contains odd constructs: an "if" whose body is closed immediately
with a ";" and a "for" loop whose body is nothing but a "return". This suggests that the Java decompiler
is not interpreting the bytecode correctly and is not reconstructing the original control flow. For
this reason, when static analysis of Android malware is performed, it is important to run several Java
decompilers over the same classes and compare their output, to maximize the chances of obtaining a
faithful representation of the original source code. In this case DJ Java Decompiler [71] was used, and
the canwe method becomes understandable:



Figure 9. canwe method with DJ Java Decompiler.

Once the SQLite database has been created and initialized, and provided that the method canwe returns
true, the application shows a message in Russian ("Wait, requesting access to the video library ...")
and tries to send an SMS to the number "3353":



Figure 10. Showing the text message and sending an SMS to premium-rate numbers.
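The following Python script is an added example, not code from this white paper or from the Fake Player sample. It shows the string-level triage an analyst can run on a classes.dex before opening it in any decompiler, which is where the indicators discussed above (the SmsManager API and the short code 3353) first surface. It builds a small constructed DEX image containing only a header and a string table (a real DEX also carries a map list, type, method and class tables, which this builder omits, so a real Dalvik loader would reject it), verifies the header checksum and SHA-1 signature the way a loader does, walks the string_ids table, and applies one rule: an SMS-sending API name together with a short numeric string. The sample string tables, the function names and the SMS_APIS and SHORT_CODE patterns are assumptions made for the example.

```python
"""Added example: DEX string-table triage for premium-SMS indicators (constructed, not from the paper)."""
import hashlib
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"     # magic plus format version 035
HEADER_SIZE = 0x70              # fixed DEX header length
ENDIAN_CONSTANT = 0x12345678    # little-endian marker stored in the header

# Constructed string tables (assumptions for the example, not dumped from a real APK).
FAKEPLAYER_LIKE_STRINGS = [
    "Landroid/telephony/SmsManager;", "sendTextMessage",
    "movieplayer.db", "table1", "was", "canwe", "3353",
]
BENIGN_STRINGS = ["Landroid/widget/TextView;", "setText", "Hello"]

# Indicators (assumed for the example): SMS-sending API names and a 3-6 digit short code.
SMS_APIS = {"Landroid/telephony/SmsManager;", "sendTextMessage", "sendMultipartTextMessage"}
SHORT_CODE = re.compile(r"\d{3,6}")


def uleb128(n: int) -> bytes:
    """Encode an unsigned LEB128 value, as string_data_item stores utf16_size."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_uleb128(buf: bytes, off: int):
    """Decode an unsigned LEB128 value at buf[off]; return (value, offset after it)."""
    value = shift = 0
    while True:
        byte = buf[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7


def build_dex(strings) -> bytes:
    """Build a minimal DEX image: header, string_ids table, string data (ASCII/BMP text only)."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        # string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL terminator.
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    rest = struct.pack(
        "<20I", data_off + len(data), HEADER_SIZE, ENDIAN_CONSTANT,
        0, 0, 0,                        # link_size, link_off, map_off (map list omitted here)
        len(strings), ids_off,          # string_ids_size, string_ids_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   # type/proto/field/method/class_def tables: empty
        len(data), data_off,            # data_size, data_off
    ) + struct.pack("<%dI" % len(offsets), *offsets) + bytes(data)
    signature = hashlib.sha1(rest).digest()                  # SHA-1 over everything after the signature
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF   # adler32 over everything after the checksum
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + rest


def dex_strings(dex: bytes):
    """Validate the header like a loader would, then return the string_ids entries in order."""
    if dex[:4] != b"dex\n" or dex[7:8] != b"\x00":
        raise ValueError("not a DEX file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("DEX checksum mismatch (truncated or tampered file)")
    if hashlib.sha1(dex[32:]).digest() != dex[12:32]:
        raise ValueError("DEX signature mismatch")
    (endian,) = struct.unpack_from("<I", dex, 40)
    if endian != ENDIAN_CONSTANT:
        raise ValueError("big-endian DEX not supported")
    count, ids_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        # MUTF-8 differs from UTF-8 only for U+0000 and supplementary characters; replace those.
        strings.append(dex[pos:end].decode("utf-8", errors="replace"))
    return strings


def triage(strings):
    """Flag a string table that names an SMS-sending API alongside a short numeric code."""
    sms_api = sorted(s for s in strings if s in SMS_APIS)
    short_codes = sorted(s for s in strings if SHORT_CODE.fullmatch(s))
    return {"sms_api": sms_api, "short_codes": short_codes,
            "suspicious": bool(sms_api and short_codes)}


if __name__ == "__main__":
    for name, table in (("fakeplayer-like", FAKEPLAYER_LIKE_STRINGS), ("benign", BENIGN_STRINGS)):
        print(name, triage(dex_strings(build_dex(table))))
```

The rule is a triage heuristic, not a verdict: any 3-6 digit literal (a year, an HTTP status code) satisfies SHORT_CODE, so a hit only tells the analyst which classes to decompile first, and, as the text above notes, to decompile with more than one tool before trusting the reconstructed control flow.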

Page 27


51. NetQin. "Security Alert: Fee-Deduction Malware on Android Devices Spotted in the Wild." [Online] May 30, 2011. http://www.prnewswire.com/news-releases/security-alert-fee-deduction-malware-on-android-devices-spotted-in-the-wild-122822179.html

52. AVG Mobilation. "Malware information: BaseBridge." [Online] May 23, 2011. http://www.avgmobilation.com/securitypost_20110605.html#tabs-2

53. Jiang, Xuxian. "Security Alert: New Sophisticated Android Malware DroidKungFu Found in Alternative Chinese App Markets." [Online] May 31, 2011. http://www.cs.ncsu.edu/faculty/jiang/DroidKungFu.html

54. Apvrille, Axelle. "Android/DroidKungFu uses AES encryption." [Online] June 9, 2011. http://blog.fortinet.com/androiddroidkungfu-uses-aes-encryption/

55. Android. "Android Developers." [Online] http://developer.android.com

56. SQLite. [Online] http://www.sqlite.org/

57. Case, Justin. "[Updated] Exclusive: Vulnerability In Skype For Android Is Exposing Your Name, Phone Number, Chat Logs, And A Lot More." [Online] April 14, 2011. http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/

58. Asher, Adrian. "Privacy vulnerability in Skype for Android fixed." [Online] April 20, 2011. http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype_1.html

59. Ehringer, David. "The Dalvik Virtual Machine Architecture." [Online] March 2010. http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf

60. Dalvik Virtual Machine. [Online] http://www.dalvikvm.com

61. Android Developers Dev Guide. "Application Fundamentals." [Online] http://developer.android.com/guide/topics/fundamentals.html

62. android4me. "J2ME port of Google's Android" (AXMLPrinter2.jar). [Online] October 9, 2008. http://code.google.com/p/android4me/downloads/detail?name=AXMLPrinter2.jar&can=2&q=

63. dex2jar. "A tool for converting Android's .dex format to Java's .class format." [Online] http://code.google.com/p/dex2jar/

64. Java Decompiler. "Yet another fast java decompiler." [Online] http://java.decompiler.free.fr/

65. Paller, Gabor. "My Life with Android :-)": Disassembling dex files. [Online] January 9, 2009. http://mylifewithandroid.blogspot.com/2009/01/disassembling-dex-files.html

66. Meyer, Jonathan and Reynaud, Daniel. "Jasmin Home Page." [Online] 2004. http://jasmin.sourceforge.net/

67. Paller, Gabor. "Dalvik opcodes." [Online] http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

68. smali. "An assembler/disassembler for Android's dex format." [Online] http://code.google.com/p/smali/

69. Hex-Rays. "IDA Pro 6.1 feature list." [Online] http://www.hex-rays.com/idapro/61/index.html

70. Bornstein, Dan. "Dalvik Docs Mirror." [Online] http://www.milk.com/kodebase/dalvik-docs-mirror/

71. DJ Java Decompiler. [Online] http://www.neshkov.com/djdec312.zip

72. Jiang, Xuxian. "Security Alert: New Stealthy Android Spyware—Plankton—Found in Official Android Market." [Online] June 6, 2011. http://www.csc.ncsu.edu/faculty/jiang/Plankton/

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest
dedicated security technology company. McAfee delivers proactive and proven solutions and services
that help secure systems, networks, and mobile devices around the world, allowing users to safely
connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global
threat intelligence, McAfee creates innovative products that empower home users, businesses, the
public sector, and service providers by enabling them to prove compliance with regulations, protect
data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security.
McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.
http://www.mcafee.com


Page 28

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information
contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other
countries. Other names and brands may be claimed as the property of others. Copyright © 2011, McAfee, Inc.
36803wp_android-malware_1111_fnl_ETMG

McAfee
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com