Android Malware in Practice, Part I
Android Filesystem Layout

visitor@UOA283090 ~ $ adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,...
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,...
Android Filesystem Layout
The mounts of interest
• / - root of the filesystem hierarchy
• /system - the ROM that holds all system binaries
• /data - RW location for user applications
• /cache - transient data space for user applications
• /efs - phone specific information like the IMEI number
• /mnt/sdcard - fat32 filesystem with no inbuilt security
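As an added example (not from the slides), a short Python audit over the mount table shown on the previous slide: it parses each line and reports which of the mounts of interest are writable without nosuid, nodev or noexec. The sample mount lines are constructed from the slide, with the truncated options filled in.

```python
"""Flag security-relevant mount options in `adb shell mount` output.

Added example (not from the original slides). It parses the /proc/mounts-style
lines shown on the previous slide and reports, for each mount of interest,
whether it is writable and which of nosuid/nodev/noexec it lacks.
"""

# Constructed sample, adapted from the slide (truncated options filled in).
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,discard 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023 0 0
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,uid=1000,gid=1023 0 0
"""

MOUNTS_OF_INTEREST = ("/", "/system", "/data", "/cache", "/efs",
                      "/mnt/sdcard", "/mnt/extSdCard")
HARDENING_FLAGS = ("nosuid", "nodev", "noexec")

def parse_mounts(text):
    """Return {mountpoint: (device, fstype, set_of_options)}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, opts = parts[:4]
        table[mountpoint] = (device, fstype, set(opts.split(",")))
    return table

def audit_mounts(text, of_interest=MOUNTS_OF_INTEREST):
    """Return [(mountpoint, missing_flags)] for writable mounts lacking a flag.

    A read-only mount such as /system is not reported: nothing can be written
    there while it stays ro. A writable mount without noexec can execute files
    written to it, so it is the first place to look when triaging a device.
    """
    findings = []
    table = parse_mounts(text)
    for mp in of_interest:
        if mp in table and "rw" in table[mp][2]:
            missing = [f for f in HARDENING_FLAGS if f not in table[mp][2]]
            if missing:
                findings.append((mp, missing))
    return findings

if __name__ == "__main__":
    for mp, missing in audit_mounts(SAMPLE_MOUNTS):
        print(f"{mp}: writable and missing {','.join(missing)}")
```

On the slide's table only /mnt/extSdCard carries noexec; /data, /cache, /efs and the internal sdcard are writable without it.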
Application locations
• System applications
  • /system/app/<AppName>.apk
• User applications
  • /data/app/<AppName>.apk (preloaded)
  • /data/app/<AppPkgName>-1.apk (downloaded)
  • /mnt/secure/asec/<AppPkgName>-1.apk (sdcard)
App Signing
• All apps are signed with a key to give Android the ability to distinguish distributors of software
• It is possible to group applications in the same security context when two applications are signed with the same key, giving an identical digital signature
Android Debug Bridge
• Android Debug Bridge (ADB) allows the developer access to an Android device connected via USB or IP
• Once connected to a device, ADB provides developers an interface to a rich suite of tools to manage the device
ADB Push / Pull
• Using ADB we are able to transfer files to and from the device
• Pull test.txt off the device and place it in the current working directory
  • adb pull /mnt/sdcard/test.txt [local location]
• Push the local test.txt to the sdcard on the device
  • adb push ./test.txt /mnt/sdcard
Android Manual Install
• Manually install an application
  • adb push com.myapp.hello.apk /data/app/
  • (Permissions need to be changed to 0644)
  • adb install com.myapp.hello.apk
• Manually uninstall an application
  • adb uninstall com.myapp.hello
Package Manager
• pm is a tool provided to manage, and provide details about, applications and permissions
• List all applications
  • pm list packages
• Find the location of an application
  • pm path com.myapp.helloworld
• List available permissions
  • pm list permissions -f
Activity Manager: Sending Intents
• The activity manager provides the mechanism to start an instance of a graphical application
• Using adb we are able to start applications via
  • am start -a android.intent.action.CALL -d tel:021021021
Service Manager
• The service manager can also be invoked via the command line to send messages
  • service call isms 5 s16 "+??????????" i32 0 i32 0 s16 "SMS TEXT HERE"
Android Startup
init (1)
• Responsible for creating mounts and the file permissions associated with each mount
• Reads the init.rc file, which contains these directories, mounts and file permissions
• Responsible for further starting other processes/daemons
daemons (2)
• Native Linux daemons such as the following are started by init
  • netd (manages network connections)
  • vold (manages volumes such as the sdcard)
  • usbd (manages USB connections)
  • debuggerd (debug processes - coredump)
  • rild (manages communication with the radio)
  • zygote
zygote (3)
• init launches zygote, which loads classes and listens for requests to spawn new applications through an instance of a Dalvik virtual machine
• Utilises copy-on-write memory references when forking its process to reduce the memory footprint
Runtime/Service Manager (4a/b)
• init starts the Android runtime process, which initialises the Service Manager
• Service Manager is the context manager for binder and is responsible for service registration and lookups
• The Android runtime then sends a start signal for zygote to create an instance of System Service (Android Services)
dalvik (5)
• Zygote has received a signal to instantiate a Dalvik virtual machine instance for the Android System Server
System Server (6)
• Zygote forks itself with the appropriate permissions and starts the System Server instance
• Its role is to bootstrap all the Android services required by the Android framework, which provide services to applications
Native System Services (7)
• Native System Services are services that integrate with the operating system to provide low-latency, high-availability services such as the Audio Flinger and the Surface Flinger
• Audio Flinger provides audio management and multiplexing, while Surface Flinger is the composition framework used to display graphics
Native System Services (7) continued
• Native System Services register themselves with the Service Manager, making them available through IPC to other applications or processes
Android System Services (8)
• Android System Services provide high-level framework services for applications
• Like the Native System Services, these services register themselves with the Service Manager, allowing IPC communication from Android applications and other services
Android Development
• Android provides users familiar with Java an easy route to building mobile applications. Google provides an SDK and an NDK which enable the developer to call upon rich libraries and tools.
Software Development Kit (SDK)
• The Android Software Development Kit provides libraries and tools to develop standard Java applications. Some of the tools allow for automatic installation of various Android platforms and their associated libraries, e.g. Ice Cream Sandwich.
• Included in the ADT bundle is the SDK and an Eclipse environment configured and set up for building/developing Android applications.
Native Development Kit (NDK)
• Android allows native libraries to be used within the Android environment.
• These libraries are C/C++ based and give developers greater performance for intensive hardware operations.
Repackaging
howto: reverse engineering an application
• open the apk archive to access the smali
  $ apktool d com.hello out
• OR run dedexer (convert the apk to a jar archive), then run a java decompiler or use JD-GUI
  http://java.decompiler.free.fr/?q=jdgui
Insert the payload
• Still have the key signing issue
• But users can be unaware of the dangers
Reverse Engineering Links
• http://a4apphack.com/security/sec-code/extract-androidapk-from-market-and-decompile-it-to-java-source
• http://marakana.com/s/post/1109/decompiling_an_android_app
• http://blog.apkudo.com/2012/10/16/reverse-engineeringandroid-disassembling-hello-world/
Malicious App 1: SMS
DEMO
Malicious App 2: Photo/Sdcard
DEMO
Malicious App 3: Keyswift
DEMO
Reference: http://www.android-app-development.ie/blog/2013/03/06/inserting-keyloggercode-in-android-swiftkey-using-apktool/
Notes
• These attacks were aimed at Samsung devices, which have been known to implement their own SDK libraries for Android.
• These have not been tested as vigorously as one would like and have been proven to provide further vulnerabilities.
  http://randomthoughts.greyhats.it/2013/03/owning-samsung-phones-for-fun-but-with.html
Permissions Concerns
• android.permission.SEND_SMS / RECEIVE_SMS
• android.permission.SYSTEM_ALERT_WINDOW
• android.permission.READ_CONTACTS / WRITE_CONTACTS
• android.permission.READ_CALENDAR / WRITE_CALENDAR
• android.permission.CALL_PHONE
• android.permission.READ_LOGS
• android.permission.ACCESS_FINE_LOCATION
• android.permission.GET_TASKS
• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.CHANGE_WIFI_STATE
• com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS

Sourced from Google IO 2012 and marakana.com
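As an added example (not from the slides) tying the repackaging steps to this permission list: given the AndroidManifest.xml files that apktool decodes from an original and a suspected repackaged APK, the Python below diffs their uses-permission sets and flags newly added permissions that appear on the list above. The package name com.myapp.hello and both manifests are constructed for the example.

```python
"""Diff the permissions of an original and a repackaged APK manifest.

Added example, not from the slides. After `apktool d` decodes both APKs,
AndroidManifest.xml is plain XML, so the <uses-permission> sets can be
compared and newly added entries from the 'Permissions Concerns' list
flagged for review first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The concern list from the slide above.
CONCERNING = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR",
    "android.permission.CALL_PHONE", "android.permission.READ_LOGS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.GET_TASKS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.CHANGE_WIFI_STATE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}

# Constructed sample manifests for the hypothetical package com.myapp.hello.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.myapp.hello">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.myapp.hello">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

def permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def diff_permissions(original_xml, suspect_xml):
    """Return (added, removed, added_concerning) between the two manifests."""
    before, after = permissions(original_xml), permissions(suspect_xml)
    added, removed = after - before, before - after
    # Anything newly requested that is on the concern list is reviewed first.
    return added, removed, added & CONCERNING

if __name__ == "__main__":
    added, removed, hot = diff_permissions(ORIGINAL, REPACKAGED)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    print("review first:", sorted(hot))
```

A repackaged build that gains SEND_SMS and RECEIVE_BOOT_COMPLETED over the original is exactly the pattern the SMS demo relies on, and the diff surfaces it before the app is ever run.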
References
• Android: http://developer.android.com/index.html
• Google IO: https://sites.google.com/site/io/
• Marakana: http://marakana.com/training/android/
• Genome project: http://www.malgenomeproject.org/
Questions?