Mobile Forensics: MPE+ Android Malware Detection

Presenter: Lee Reiber, Global Director of Mobile Forensics, AccessData

Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.

Transcript

Lee Reiber: Good morning! Or afternoon, or wherever you guys might be. I appreciate you guys spending your Friday afternoon, morning, or whatever it is, wherever you are. We’re going to go over a few things today. Just—a kind of generic WebX, and I know that there’s also—it’s going to be hosted, I think Forensic Focus is kind of doing something on this as well. So you can probably go and check it out. But again, very generic, as we go through kind of this presentation, obviously in the 45 minutes or 50 minutes that I’ll be spending on that, might have to fly through some things. But hopefully you guys will have some questions, either on the forum, that can help maybe get into a little bit more. But obviously, in this short amount of time, it might be a little difficult to get extremely technical. But I’ll kind of give you an overview on all of that.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Again, kind of like the generic, little fun training for you guys. So like I was introduced—I’m Lee Reiber, I’m the director of Mobile Forensics for AccessData. And I have this real cool intro, you know, with the green screen and everything else like that, but got in a little too late to put that stuff on there. So we’ll have to do that at another time. But we’ll go through this presentation, I will do some live stuff. So bear with me, obviously, if there are some technical difficulties, but I’m not expecting too many.

So, excellent! Just a little overview, really quick, about some of the training that we offer, have to do a little bit of this. But we do have—and it’s kind of changed—if you haven’t seen on the website and whatnot, we have with our mobile device or any mobile training stuff, it’s really… we have a few live classes with our 101, our MPE+, with the TALON, MPE+ TALON, that we will have those classes, our live 3-day classes, but we’re really going online with this whole bunch. Because we had a lot of international customers who wanted to participate. So a lot of the classes went online, to our learning management system that you can log on to and take a whole bunch of other ones.

But there’s quite a few other classes that are coming on board as well, that will be some online classes. Obviously, with some of the budget concerns of people who are travelling, we wanted to make things as available as we could. But really, we’re kind of spread out. It’s not just AccessData products, obviously we cover some others that you can see on there as well.

So what’s kind of cool is—also, we have some certifications. If you guys are not familiar with the AME, it’s kind of like the ACE, but really for MPE+. But [unclear 02:39] a little bit more in it. If you have not taken that AME, you kind of have to have a basic knowledge, which, hey—go figure! You have to have a little bit of mobile forensic knowledge, some cell power stuff might be on there, as well as not just on MPE+ but of course you do have to have MPE+, so do that. We also have kind of an encompassing, MFCE is what that’s called, and it’s kind of a long process, if you’re familiar with our [unclear 03:07] process. It goes through some things that really is not tool-specific. So you can look on the website for more of that stuff but hey, that is my promo for you.

So let’s get on to talk a little bit about the Android stuff. And I will give you just kind of a brief overview or history of just Android, just so we can understand some of the things that I might talk about. Again, I’m going to go through this relatively quickly, so we can get into some of the other, more important stuff, at least to my mind.

So we look at this: Android really started and—back in, if you look at it, in 2003, and I’m sure you’ve heard the name of Andy Rubin, if you had quite a few of those. But obviously, he’s gone through it. And if you guys are familiar with Danger—Danger was a company, back in the day when I was processing quite a few phones, that we just kind of hated, because it was an active device. So there were a lot of things that were happening, and only the data stayed on it when it was attached to the network, which kind of sucked as an investigator, right? As you’re going through with that.

But obviously, he stepped down as the vice president here, but continues to be and develop on some of that stuff. So obviously Google, that we have with the different—or the handsets, as we go through with the different versions. And then they turned it into the Handset Alliance. But let’s look at the versions. Obviously I have some cool little pictures up there, and it’s quite interesting, and if you guys know what the next one is going to be, after Jellybean—I’m sure that you guys have heard of the name, but all these great desserts. But there were a couple that were released before, with our—it was a 1.0 and a 1.1, that were released, obviously, back in 2008 and 2009 respectively, which you had, a few those, like the Dream, that you might… the G1, on some of those older versions. Then we just kind of went into the 1.5, 1.6 types with Cupcake and Donut, and then moving on to our 2—to our 2.1 Eclairs, 2.2 the Frozen Yogurt or Froyo, and then obviously Gingerbread. Honeycomb was really kind of just moving it into our tablet types, and then obviously with Honeycomb we took into some of the Gingerbread or Honey—or Ice-cream Sandwich, sorry—that we had that, brought that into it. And then kind of brought both of those in with the Gingerbread and Honeycomb, and then obviously the latest release of Jellybean.

So why am I bringing all of this stuff up? Well, if you guys know some of these, they kind of change, there are different versions that you might see that are coming through. But if we look at the architecture, that’s kind of what’s important, because when we get into some of the malware and understanding some of the attacks and some of things that are done, it really centers along if you look at, with the runtime that we have. Obviously we’re not going to talk about exploits, but that’s more kind of looking at the kernel level, but we’re going to talk about how these bad things happen on some of these devices, and they’re really—we look at the runtime. Because if you’re familiar with the Androids themselves, like an APK file, right? An APK file, in itself, is exposed code, right? So you can disassemble that, and it has everything that you want to see in writing code. And that in itself does not run, right? So you have the APK file, and then we have some other things, and what really happens on a device itself is if you guys are familiar with some code like JIT or Just In Time—so we have, it occurs within or on the device itself, and then we start talking about these Dex files [sp] or the Dalvik VMs [sp]. So we have this APK file, it’s then on the device itself, it’s compiled, it’s compiled into these, and once it’s compiled it then runs. So that’s really I guess the Achilles heel when you start looking at some of these, because I’m exposing a code that has not been compiled, so what happens?

Well, I can take a legitimate APK file, and I can go and inject some malicious code. So I can inject some malicious code into this particular APK file, and hey, it’s Angry Birds—oh, my gosh, yeah, I love that game! And I can install it, because it’s Angry Birds. Well, someone could possible inject some code into that. Right? It’s Angry Birds. Inject that code into it, it’s then compiled on the device, and look at what you have. You’re now running it with some of this exposed code on that particular device, which you believe is to be a legitimate application, one you have, and it’s going through this.

So that’s kind of, again, looking at, really, the Achilles heel. Now, there’s no protection, complete destruction on the device? Well, again, the VMs that these are running into with the exposure, outside of that—unless you start getting into kind of a [unclear 08:25], kind of the kernel type stuff, maybe leeching out of there, it can still be contained within these [sp]. But really, what we’re going to talk about is how does some of this exposure occur. And in doing this, again, we’re going to talk about how can we—as examiners, how are we going to go in and maybe take a look at this.

So if you guys are familiar, we call Android or, with this OS, it’s open-source. Well, I mean, not necessarily open-source, because it is obviously based upon the [unclear 09:02] kernel, but there are some forks in the road. Right, there are some forks in the road, some of the exposure that you might not have, but if you guys know, you can go to the Android, with the developer site there, you can download the Software Development Kit or the SDK, and what’s great about that is that you can go and download a ton of these emulators, you could actually build the device, like the physical one that you’re looking at, that has the same processing power, the same SD card [sp], the same internal components, and you can actually build that upon, or in, an emulator.

Well, why is that important? We’re going to take a look at kind of building some of these emulators, and how we can really go about it. So I suggest, if you’re familiar with any type of VM, you know, if you’re looking at Virtual Box VM, where—anything that you can go and you can take and build an image, and then be able to install, say, the SDK, run some of the emulators, and then some of the other tools that we’re going to talk about, like APK Inspector [sp], if you want to run Wire Shark [sp], if you want to run Eclipse, bring that into that area, and now it’s your sandbox [sp]. And you’ve probably seen out in the wild, and some of these others, that they’re just VMs that do a lot of this. They sit on Linux. And that’s really what I’ve done. I’ve built this homegrown one, but you can go and get some of these environments, that you could do some of this testing that we’re going to actually talk about here, as I rush to move through all of this stuff.

But anyway, you want to kind of build it up, and build your standard VM if you have that. Because it allows you to do several things about exposing, obviously, the underlying system or the host system, to test some of these. So we’re going to take a look at that.

So really, how do we do this? I’m going to go and jump into a Linux environment right now, and all we’re going to take a look at is, say, the emulator. How can I go in and run the emulator? What might it look like as we go through that? So I’m just going to jump into—see if I have something on here, see if it’ll actually allow me to share this. So let’s go in here, and I’m going to try to share this [unclear 11.16], hopefully you guys can see it on here. I am hoping, if you cannot, scream and yell, and I just might see it. I don’t know. Alright, so, let me go here, and we’ll try this one more time.

Okay! So if I’m taking a look at this, again, it’s just standard with the Linux environment, and we’re going to do a couple of things. You can do it one of two ways. If you do have it installed and you do have a Linux, you can fire it up simply, you can go into and fire up Terminal, and in Terminal itself, we can do a couple of things. We can go, if we have the SDK installed, we can go Android and say “AVD,” and what that does, it brings with, or inside, it gives you the AVD or Android Virtual Device, it goes and gives you your little pane for your device manager. Inside with the device manager itself, you can go in and either edit this current one or you can build a new one. Obviously, you can see that we’re built upon the 2.2, you can build it upon with the 4x, whatever you want, you can build it with that particular platform. So obviously that is one way that we can go ahead and start it. You can start this simply by hitting the Start button, it’s going to obviously give it this information, and I hit Launch. Once I do that it’s simply going to start the emulator up, and you’re ready to go. Now, another way that we can also do this is you can go and run this from Terminal as well, and if I run it from Terminal, I can go ahead and just type in, if you—say, you already have it on this one, it’s called Android Malware Device. And we’ll look at this again, here, in a little bit, but it’s called Android Malware Device, I can go in and start at the—if you’re writing this stuff down, I can start from the Terminal, and I can just type in “emulator @ android malware device,” whatever the name is of your AVD, and boom! It’s going to fire that particular device up, but we did it the kind of easy way by doing the AVD Manager, and it’ll allow us to actually go into that and start it.

So but now you have—when the emulator starts up, and if you have not messed with the emulator, it’s more like it allows you to go—and you can build an account. But the best part about it is you can go and take malware, and you can put the malware on it, and see what happens, without blowing something up. You might suspect some malware, hey, maybe you install it in the emulator and see what’s going on. So again, that’s a great way to go in and type some of this information in. But make sure that you’re building it. Because again, it’s an opportunity for you to: one, not only test some of the Android devices, but look at some of the malware. Because I can take this, and I can hook it up, and I can actually process it with MPE+. I can process an emulated device with data on it, with MPE+. Or whatever tool that you’re going to use, you can go and hook up to this emulator, and process it, because it is seen as a device. Right, it is seen as a virtual device, but you still can go and process it. So here’s the emulator if you’re looking at this here, and it gives you everything else. I mean I have all my applications, you can go and navigate through this entire thing by clicking on a lot of this information that you might have. Here’s all the applications. Fantastic! You can go through every single one of them—looks like there are some good ones, right?

So I can actually go through all of these, I can go in to take a look at my settings, do all that great stuff. And so, anyway, that’s the emulator. We’re going to get back into the presentation here, and then we’ll came back to this in just a minute, because now we’re going to talk a little bit about some other items. So I’m going to go back and see if I can go and share this again, to my slide show. So we’re going to go back over here.

Okay, excellent! So let me show you that again, and we’ll get going. Excellent! I’m going to go and minimize this, and we’ll come back into it. Alright, so we should be back up here, watching this with the presentation. Now, malware! Now let’s talk about really what you guys came to look at, some of these. Let’s first talk about the malware in itself. So we look at malware, and you know obviously, you guys aren’t going to be talk—but really, what is malware? Well, easily, right—it’s just malicious software, right? Combine both of those. But we really think about malware, when we think about it kind of on computers. But what does malware do? Well, malware just makes you mad. Malware’s going to go in on, say, on your system, it can do several things. It could spy on you, it can send information out, it can shut a network down, you can remotely access stuff, like that, and then we’ll talk about also billing for premium services. That’s kind of the kicker when we start talking about some of these mobile devices. But Zero Day, you guys have heard that. That’s pretty much from the—when the assistant goes, “Oh, crap!” And that’s when our designers, they do find, and it’s that first day or that first event, that they have that little, “Whoops! We probably better do something about it!” Obviously, just with the different vulnerabilities.

But let’s look at—and now, this is quite interesting. If we start talking about the simple numbers, right? So we say that , the amount of malicious Android apps—one million! It will reach one million in 2013, and then if you look at some of these different reports, they say that in 2012 there were 350,000 malicious and high-risk apps that they had with some of these samples. But now they say it’s going to increase to over—or that rose with over a thousand of them. But now they say that they’re going to—there’s 650,000 pieces of malware in the upcoming year. So if you look at this, if you think about Windows, Windows, the malware—and we’re just, now we’re talking about Windows. What they did in 14 years with the types of malware with Windows, the Android, they have done it in 3. They have taken that in 3 years, to do that.

Now, the malware is considerably different if you look at, with PC, versus if you’re going to look at it with a device, and it really has to do with what—what are they going to be after. And these first ones that I’m going to talk about are pretty much [unclear 18:09]. This is my opinion, this is where my research has taken me, of really what are the types of malware that are rampant on these particular devices. Now, is it hundreds of thousands of different kinds of malware? No, no, it’s really not. They do usually one of three things. And, on with the mobile devices. And we’ll talk about that.

Because number one that we are going to be talking about would be different types of malware, and we talk about mobile devices, are going to be the premium services adware and some sort of data mining. And the data mining has to do with premium services too. What premium services—and when we start talking about some of those—is that it is going to be like the 1-900 numbers, right? So if we start talking about the premium service, it’s when—automatic sms, those types of things. You get some sms messages: “Hey! Dial this particular number!” Or “Hey! Click on this if you want a million dollars from..” or you know, you get it from these different types of stores. Now you have these different premium services. Because really, what can happen now, is that we’ve started dialing into premium services, sending out text messages… I run this application, it now sends another text message, what does it do? It now takes all of my contacts, and transmits those out, because what are they now going to do with your contacts or with the phone numbers on the phone list? They’re now going to jam up everybody in your contacts.

So that’s really what it’s doing, it’s moving to the data mining. The same thing with [unclear 19:52] adware is that now, you’re going and, say, you might run an app, and the app has some sort of ad in it. Now we start talking about clicks. Think about Google, right? If I click on something, or someone has an ad, I go up and with the Analytics, I can go and put [unclear 20:10] mobile or MPE+, I have competitors who have paid money to put something to advertisers and say, “Hey, we’re better than MPE+,” and it’s the first hit. Well, if I click on it, now we’re starting to get paid. Now, the same thing happens with what you’re looking at on a mobile device. Because now if I’m going and I have this malicious app it installs or it has any type of adware that’s on, I click on it, now they’re getting paid. So just think of that, guys. If you look at—some of these applications are 650,000 that have been downloaded. Actually, there’s one piece of malware that was downloaded 250,000 times. One piece! Just think about getting a nickel for each one of those that there was some data that they can sell now. Sell either to get the numbers, the phone numbers, or selling some of the contacts, so that now they can target you. So it becomes like this huge scheme, of now moving things around. That is where the mobile device malware is really, really coming.

So that’s kind of, when you think of it, the generic malware. But there is some other ones that we’ll start talking about. Now moving into some of the other specifics. Because there are some pieces of malware that will actually root [sp] your device, and what do they do? They now call upon their servers to download more stuff. And if you didn’t know that it’s pretty scary. Because you have this malware, it now opens the door to actually root [sp] the device, what it does as part of its payload, is it now puts an exploit on it, say it puts Gingerbreak [sp] on. And so it can exploit, it can root [sp] the device, and once it’s rooted, and they’ve circumvented all the protection or the permissions on that particular device, and now it downloads a whole bunch of this stuff. And we’ll start talking about some updates, the browser hijacker. You know that from seeing it on, with the mobile device. But again, it has everything to do with marketing. Everything to go on sending and to make money. Malware that makes money, that is good malware for those people.

But when we start talking about some of these others, Denial of Service attacks, any type of those keywords, any type of spyware on the device, that becomes personal. Those are personal. Because the big—the malware guys who are looking for the money aren’t doing the personal things. They’re not putting on the spyware because they don’t want to listen to your conversation. They don’t want to, say, go and read all the texts that come through. They don’t want to do that. So, and then that is targeted. So it’s going to be a target that—is that a piece of malware? Of course that’s a piece of malware, that’s definitely targeted. Can it be on the device? Yes, of course, it can still be on the device. But it doesn’t make a whole bunch of money, it is just to wreak havoc or, you know, find out where somebody might be. Which comes on to the others that I’m not even mentioning, with the viruses or with Trojans, those are ones that you can see, on—and you are familiar with, I’m sure that you’ve seen with the computer stuff.

Another graphic that we can look at, but number one, like I mentioned before is, if we look at the premium sms. That is what it’s all about. Again, like the 1-900 number, I can go and I can target these numbers because I’ve stolen someone’s contacts and I’m sending out a hundred thousand sms messages to you, now I can turn that into the marketing—it’s like the cold calls. How many people can I call, and I can put a tick mark on there. And if it’s going and it’s getting that. But the applications can open the door for that because now they’re sending out your contact information, your phone information out to these people who can now target and sell your information, and the information being your phone number, and the device information, which is extremely important, obviously, if they’re going to now go in and target you and all of your contacts. If we look at some of those.

Okay, so if we look at this right here, you guys know—where does this stuff come from? Obviously Google Play, that we have, you know, it was the Android, it was the Market, they introduced something because back before they had, or Bouncer, is this scanning, and it actually goes in, looks for any kind of malicious code, it then contacts it and go through the developer’s site, all of that stuff, which is great, and you can still get that going and get it through. But if you look at it, it’s funny, if you look at their applications now, more than 175 million downloads of high-risk apps, they were found in Google Play’s top 500. And they were top 500. So it’s crazy! But it’s not only Google Play, at least they have Bouncer, and it’s at least a step in the right direction. But look at what we have—we can get downloads from Amazon, GetJar, any other places, ROM MOD, WebKit, any of these other places that I can go in, and I’m going to go and put in, because it can go and attack with a WebKit, in there, any type of Mod 2, any of the ROMs that come in, obviously I have a rooted device, I’m now more susceptible to some of these others, but I have these other two, Amazon and GetJar, and there’s other places that I can go and I can download a lot of this information in there.

So let’s look at it. If we look at the ten most top dangerous apps that were rated, that we have with this TrustGo. You look at the number one, Talking Tom Cat Free. Look what it does. And look at how many downloads are on there. It’s amazing! It actually sends the phone number and the device ID out to a third party. So it sends it out to someone, because what are they going to do with it? They’re now going to target you with those premium services. They’re going to target you with that. They now have another name, end of their queue, that they can add a tick mark to, they get paid for the same thing. You look at all the rest of these, what are they doing? They are going and targeting you to send you out marketing. Send you out information. That’s exactly—it’s just pretty much spam, and you’re getting it with this malware. But it is crazy because it is going and pulling your device information, which includes your phone number, and bringing that stuff in and sending it out to you. Again, there were 175 million downloads. 175 million MEs in the top 500 only with the Google Play. It’s amazing if you look at some of these.

So what we’re going to do is, I’m going to go in and, in just a minute, we’ll jump out to Google Play, and we’ll start talking about permissions and grabbing some of this information.

Okay, so how do we go and take a look at some of these? How do we expose some of these? How do we go and get down and dirty with some of these? We obviously know it’s out there. Whether people are scanning for it [unclear 26:52] “Holy crap! I should probably be scanning for some of this stuff when I’m doing any type of analysis.” Now that’s what we’ll kind of get to. Because if we have that, if there’s any type of breach or any type of malware on there that leads to, hey, what else could it have done? Now, if it’s only targeting ads, now, but what if they now pushed all this data on here that I’ve now been caught with?

So let’s look at it. We’re going to talk about permissions, because permissions are pretty important, and they have changed. They’ve changed significantly. When you go and, say, you download some of these, it used to—when you download some of the applications, it would pretty much install it, and people say, “Okay, fantastic!” Now, it really gives you an alert about the permissions. Say, you understand that it is going to do this. This is the stuff that is going to come in, and it’s going to be able to operate with your device—but you know what, what’s the weakest link in this? I’m lazy—boom! And I hit it. And I accept them. I accept it—hey, I want to play Angry Birds! I really want to do that, so—I’m going to accept it. Now I’ve just opened myself up, because I’ve just given permission to this application. This application now has permission to do what it wants, and it is listed in the permissions. So you can go into your setting, or into the settings, look into there, you can go in and check out the permissions that are on these devices. And we’ll do that here in just a minute, I’ll show you on the emulator, but just with your settings.

Now, can malware hide permissions? Yes, it can hide permissions as well. But it’s pretty generic, if you look at some of the permissions you need to understand, and you can’t go through every single one of those, but some that might stand out to you. As if the service that cost you money—and you’re playing Angry Birds, and it’s a service that cost you money, you want to think about that, right? Any time of premium member, premium services, that’s what—if it is something that is going to cost you money, you better be looking at it. Obviously, if it makes calls, or if it’s an sms, okay, that might be legitimate. But if it’s something that’s just a game, and you’re just playing a game, should it cost you any money? So you want to kind of look into some of the—now again, we’re talking low level, we’ll move up on to some of these other types of things, but you want to—hey, personal information! What if it looks for your personal information now, okay modify your contacts—you want to know what’s going on with that personal information or with that particular application. Changing things on the SD card that you might think—your location!

You know, a lot of the tools now, or a lot of the apps right now really want to know your location, so that’s a little bit iffy, when you’re coming up and looking for some of these others. So there are obviously some legitimate ones. But hey, to know your accounts? To know—does it need full internet access? Those types of things. You want to look into these permissions, and you can see these on every one of the Androids, and you can find them in your collection or the extraction of the device when you are looking at—on each and every, on a particular APK file. So that’s quite interesting, that you can look and see exactly what the permissions are, and we’ll get into that here in just a minute hopefully.

So I’m going to jump back into the Linux box, hopefully I do this right and you guys can go and take a look at it. So if I have some of this—so if you have, say your applications, or the emulator—so I have the emulator, and hopefully it’s fired up still. So here’s the emulator, I went into my settings, and so you can go into any of these. So if I come into my Applications, and inside of the Applications that you might want to go into and we’re going to look at, any of these applications, I say, okay, I’m going to go in and we’re going to take a look at and manage the applications. So inside the Applications, it’s going to have applications that are listed. Here’s my Angry Birds. There’s Angry Birds that’s listed over here. So I can say, okay, I’m going to take a look at Angry Birds, I click on that. So now I come in and I’m like, “Okay, perfect, let’s take a look at this.” Down to the bottom I have some of these other ones, it gives me right here, it gives me my location, network communication, storage, phone calls, system tools. You want to remember those, because there might be something else down there, I’m going to show you in just a minute. So I’m looking at some of these, okay, location, network, okay, phone calls, system tools, read phone state and identity-this could be interesting. Okay, but you can go ahead and we can look at that. That’s how you can find some of your permissions.

Obviously I can go into any of these other ones, like Cut The Rope. If I come in here to Cut The Rope, if I come in here to Madden NFL 12, if I come and take a look at this one. So let’s take a quick gander at this and—but you can really look at any of these, guys. Any of these in your Applications, you can go and take a look at. Again, low level, we’re talking low level. Services that cost you money. Now, okay—send sms messages—why is a football game going to send that, right? Okay, why is this going to receive sms messages? Okay, that might be a clue if you’re looking at some of these applications. Again, this is low level, we’re taking low level, we’re going to build upon this, but we’re kind of looking at and working through this.

Okay, so if I look at this—and we can go back into this in just a minute—but that’s a way that we can go and look at some of these, or grab a hold of some of the permissions. Now you understand what permissions are, it allows how the application is going to go and run, and how it can go in and we can take a look at it. So I’m going to go in here and I’m going to [unclear 32:44]. Perfect.

If I’m looking at this, here’s the permissions. Google Play actually says, “You know what, I want people to know, when they go and download this, exactly what this is going to do.” So again that takes a little liability off them. Hey, we posted exactly what it does, dudes! [unclear 33:01] permissions, now we have that. So we look at this. This Talking Tom Cat 2. Which is quite interesting, if you look at this particular application itself. This one, it actually goes, if you look at this—if you look at the information on here, they have kind of the information with malware is quite different than what we would expect malware to do. So I’m going to go and take a look at that. We’re going to jump out and take a look at the Google Play, we’re going to look something up.

So I’m just going to go in here and share this so that you guys can see it. So I’m just going to look this up, and we’ll see it. Alright, what do I need? We go to play.google.com. Oops! I needed the store. There we go. So we’re just going to take a look at this really quick, as we go and look for any of these particular items. So we can go and look for any of our apps that are on here. So I can look for any of the Android apps, okay, fantastic. Let’s look up—Talking Tom Cat 2. Perfect. So we look at this. Kind of the same thing. We have Talking Tom Cat 2, that might be listed. I can go and take a gander at that, we now have our permissions. Perfect. I can look up my permissions, and look at this—network communication, full access, phone calls, read phone status and identity, system tools, modify system, full network access, that’s good, so we have these other ones, that’s modify-delete USB storage, so there might be a few things on here. You can also look at any of these others that you might have. We have, with the Talking Tom Cat 3, that might add—and we have again with our full network access. So again, you can go and look at this, you can go and look at some of the stuff right here. “This permission allows the app to determine the phone number and device IDs or ID”. Okay, interesting. And remote number connected by a call. Okay. So I’m looking at these, but you can go through each and every one of these apps that are sold on here, and you’d be amazed at some of the permissions that you are going to go ahead and can see here. So it is quite amazing, again, some of these apps.

So again, go to Google Play, look at some of the apps that you might have on here, see exactly what it’s doing. Again, this is low level, we’re going to move on and talk about some others. So installation. Where do I go and look for some of these apps to be installed? Remember, guys, you need to have access to the data area, so there are some certain parameters that I have to go and get. I have to have access. The USB debugging [sp] has to be on. Or you have to bypass and get physical with whatever tool that you’re going to use. So you want to look in the particular areas, in the system/app folder. It’s read-only, but that’s right there where you might have some of the pre-installed bloatware that might be in the system. But then you want to look into the data app area, and that’s where you can have the apps say that they’ve been downloaded and are going to be sitting ready to be installed, or ready—remember to run, because it’s just in time so it’s going to be able to be compiled on the device itself, but that’s where you can kind of look for that data, in the /data/apps [sp]. Now some of the apps, if they’re put on to—in the app private [sp], if there’s any type of encryption, it can also be stored on the SD card for external memory. What’s interesting about that is before Android runs it, that Android’s going to run it, it has to be encrypted [sp], so then you can have it exposed, so that you’re going to have in the [unclear 36:55] temptmpfs or the file server, file system can be stored there as well. So that you can go and find some of that.

You might want to look on some of these that are encrypted for a different extension, asec instead of the atk file, that might be located on the device as well. But again those are some of the installation points that you might want to go ahead and take a look at in these areas. So applications, typically installed in the “installed area” so things in the system area, okay, but if I look at it into that particular area, into the apps installed, I might want to go ahead and take a gander, also in the temp area, tmp, you’ll see that in the data temp area, because you do have some and there are some exploits that might be in there. And say, if they didn’t root the device, didn’t know what to look for.

Well, we’ve already talked about the permissions—permissions are really important as well. So you want to go and look at that as well, in those areas. Again, low hanging, but look at the hooks, and that’s going to—this is going to make sense when we start looking at the apk file itself. And look at what the hooks—what are typical? But what are not? [unclear 38:03] chmod, if they’re using that, if they’re using [unclear 38:09], you want to look at those different types of permissions that are actually in the code, read, open, access, those types that are written into there for that particular device. Again, we’re going to talk about the difference between static and dynamic analysis. And obviously what is not. If it’s going to be sms, it’s going to cost me, that could be an issue that you’re looking. Full internet [unclear 38:13] it’s just a standard game, but a lot of them do have the apps that come down and below, because they do go and target you again with some of those as we bring those on.

So what we’re going to do is I’m going to talk a little bit now, and we’re going to move on to a different type or the applications, because we can go ahead and utilize—and I’m going to jump back into the VM that I might have here. I’m just going to minimize this for now. But I might want to go ahead—I’m going to take a look at this with Eclipse. Eclipse is quite interesting, I’ll get into this in just a minute, but any of the devices that you might have attached, you can still view the File Explorer [sp]. And I’ll talk about, either the live devices, and you can even do the emulator and actually go through any of these particular items, looking into the particular area that you might want to have into it. So you can grab that and look into the file system. Again, that’s with Eclipse. You can mount live devices into this, you have to have some of the plugins to that to set it up. We don’t have time to walk through some of the setup with that, but you can go through the file system again, like an emulator or with the live device itself.

So I’m going to minimize that, we’ll get back to Eclipse again, don’t worry. I just have to go and—okay, so let’s talk about it. We have static and dynamic. Two different ways to analyze the malware. Static in itself is—we’re going to actually step through some of the code [unclear 40:07] that’s what people are doing really right now with the other tools. We’re scanning, we’re looking for signatures, signature-based stuff. We’re going to do a couple of ways and looking at the signatures, and then we’ll jump into kind of the code.

So let’s fly through some of this stuff. So with the static analysis you’re going to use again the VM. VM’s always good to go in there, if we’re going to use APK Inspector, [unclear 40:30] APKs. But we’ll also talk about the signature base that will use MPE+, mounting the image itself, there are some other tools that obviously have that in there, and then you can disassemble it, which we can do in APK, which APK Inspector does, there are some other applications that can go in and disassemble the APKs. Then we’ll talk about getting into some of these additional ones, or processing at a higher level.

So you must have access to it. You must have, not necessarily root access, but you have to have USB debugging [sp] to get a lot of those, but you really need to—if you do have root access, to get some of the database files, as well as the access to some of the APK files that might be exposed or, say, might have been encrypted at one time but utilized on the device, but you can get that. Also, with the full physical on these, the unallocated space, you can recover APK index files. Index files are the compiled code that actually runs in the VM or the [unclear 41:33] VM on there, so that if you do recover that you can—if they deleted the application that might be on there you can possibly find some of these APK files running some of the custom carvers [sp] that we have-had active data, looking for the particular file types in the unallocated space on the Android device. So you can definitely use some of that.

But well, you want to look at, in every APK file, there is going to be a manifest, and in that manifest it’s going to contain all the permissions. So you can actually go into that manifest and you can’t hide—so the interface on the Android device can hide permissions, or the malware can hide, mask it. But here if you’re looking at the actual XML [sp], that stuff is going to be in itself, it is going to be displayed for you in this XML. So you can see all the permissions in there, and we’ll actually take a look at that here as we go into and look at the interface itself.

We’re going to first talk about static analysis using MPE+. Because it allows you to go and mount images, read-only, and use any tool that you want. Some tools kind of just tell you only you can use the one that’s embedded into the particular software, but MPE+ allows you to use whatever you want, to go ahead and mount that image and scan it for any type of malware. So what we do is on the interface itself, you simply mount the image, you then stick your image file, you go ahead and hit Mount, it now mounts it read-only. You can now go into that file system, simply right-click on it, and use your custom signatures and whatever software you use, four or five different types of malware softwares, run it against that mounted image to detect any of that.

Here in this slide I’m going to use this HouseCall, it’s free, you can download it, it actually does a fantastic job with malware. It does a great job. So what you do is you just mount it in MPE+, I now go to the settings, I now set it to do custom scan, I now set it to the mounted drive. As you see here, I had it selected to the mounted drive, once I do that I now hit “Scan Now”. As I hit “Scan Now” it’s going to go and walk through, it’s going to look for any type of results that you have and it now lays out the particular item that you’re going to have listed into the interface. So it’s pretty cool.

And now HouseCall does something even better, you can view the details on a particular type of malware. Because you might get some false hits, right? You can go and look at this, and you can just click on it, and now take this out and it gives you really what is it. A backdoor. What does it do? Can it take some of the data? Okay, that’s a little bit low, but it—what it does is it allows—what did I tell you? It allows other stuff to come on. Remember the downloader? It allows stuff to come on, it allows us to go in and open the door for some other stuff that we might be able to install on there. So it’s extremely easy to do, and you can simply go in—if I do have—and here is, it’s right here. And it’s kind of like a little message here. In this particular, I can go right over here to Mount Image, that is on the MPE interface, once I go ahead and hit the Mount Image, I can select my image file, I go right here, and in my image file I go and select it right here and that’s Forensic Focus, because that’s where all of it is. Here’s an ad1 [sp], that was made of it, and I just go and hit now Mount. Now, once I go ahead and hit Mount, it can mount that in as read-only. I simply can come into the interface or any of these on to my explorer, and now I have my explorer, I go right here, I can right-click on any of these or I can go into my HouseCall that I have listed right here. Maybe you guys can see that—no, I don’t, so I’ll share it.

So I have HouseCall. I simply come into the settings like I said before. I come right over here into the images, I’m going to go Custom Scan, and now I’m going to select the one right here and select it and say, okay, I now have that. I now go ahead and can hit Scan Now. Now it’s going to go through this and it’s going to give you all these wonderful things that might be showing up here, as it’s going and initializes—then it will go through the data that’s actually mounted, and if it does locate anything it can give that information out, and just like we saw on the slide, allow us to look at that as it’s going through and listing some of those. As it’s going through it grabs some of these. Obviously it has a few of those as it’s going through with the APK files. And it has 3, 4, 5, it’s going to continue to go through and grab some of those, and immediately go and find some of this that were loaded into this particular device that we have now listed out as it goes. And it’s going to give you the same thing that we just saw before as it gets that information out.

Fantastic. I am just going to—I will stop that share, and look at my other virus, actually it’s hitting it as well. So I’m just going to stop that and go back into this other application, and I’m going to close this. I have just so many applications going on. Alright, so-I’m going to talk about APK Inspector. If you have haven’t seen it, it can go disassemble APK files, and we’re going to go through this and fly through it. Please look at APK Inspector, it’s a free tool that you guys can go and utilize. So I’m going to jump back into my Linux. I’m going to go and hit this down here, and I’m going to come up here into a terminal. Now, APK Inspector, I might go ahead and I look at some of these other items. It’s going to allow me to bring in any of these APK files, and if I have some of these other APK files… I’m just going to close this, we’re going to see if it gets mad. Okay, perfect.

So I’m going to open this other one. And with that, it allows, again it allows me to bring in any of these other applications, and we can go in and look at the code. Now, this can get a little technical, but we’ll do as best we can. Alright, if I can actually open this. Let me close this down and see if that helps.

Okay. So with APK Inspector, again, you can download. It only runs, it’s only on Linux right now, but it’s a fantastic tool that allows us to go ahead and take a look at that. So it’s going to be superfast as I do this, and I’m just going to change this. Alright, and let’s go—A-P-K. And now we’re going to run this. So now, when it fires up, I’m going to grab a quick piece, and once I go ahead and go and look at some of this, I’m going to bring in a quick application and then we’ll take a look at what it looks like.

So here it is. I’m going to go and bring in an APK file. And once I bring that APK file in I am going to go right here on to the desktop and into the samples, because you always have to have some of these samples. I’m going to go into this particular one here—here’s an APK file and I hit Open. It’s now going to go and bring this stuff in, it’s now going to disassemble it and it is going to grab some of this information for you. And we’ll look at it, really, really fast, at some of the things that you want to pay attention to. You’ll notice that there’s a manifest XML file, which is great to go ahead and look at. Because inside this manifest file, it’s going to give you some pretty good information. Here’s my manifest. Look at that. Read phone state, call phones, oh, my gosh! Read contacts, write contacts, send sms, receive sms. And this in itself is just kind of just a browser, it doesn’t do anything really, if I look at this stuff as I’m grabbing some of these particular types of reading contacts, all that great stuff. But I can go into—if you look at, into the permission level—at the permission level, find location, read phone state, send sms. But you’ll also notice that right here, at the Phone State and after Find Location, it gives you right here, is my message. It can actually go into the code, using, going into the browser into here, and I can go in and drill down into that path, if I’m looking and drilling down into the path in this particular area and now into my utilities that I have listed out over here. Fantastic. In my utilities, I can now go in and look at this particular data that’s listed out in this area. I can now go in and grab some of these if I’m looking at these additionals. And some of this, I have my call in and out, that are going to look at these, in these particular areas, that are going to give us—I can double-click on any of these, it takes you into the code base, and it shows you me that. It also gives me anything else that’s going. Things that might be sent out and where that is.

So again, it’s a great tool to go in and dive into it. Again, static analysis. It is a little bit difficult, but you can really get down to what’s occurring within those ATK files. And inside these ATK files, it gives you all the different services that are going to be ran on it. Again, a fantastic tool and it’s free, and it can take and decompile those for you.

So dynamic—dynamic is when it’s really fun. And I’m flying, I got 10 minutes left, actually 9! So if I’m looking at some of my dynamic stuff as I’m going—this is when we start talking about doing live. So I’m actually at a live device, and I’m bringing this information in with a particular live device, or I’m using, say capturing some data on these others. And what that allows me to do is see what’s occurring behind the scenes as I’m going through it. So we’re going to use a couple of things. I’m going to use Eclipse and I’m also going to go ahead and use WireShark as we go and look at some of these. So what I’m going to do is capture this traffic, and now I have the information, I actually run these apps and I capture the information that’s going on as it’s flying through, either Eclipse, or if I’m going to run WireShark to get the TCP stuff. So very, very important, because what happens if you actually uncover this type of stuff? You’ll find out if you look at these captures that—hey, this information is going out to China, they’re storing that information, now they’re selling that! So if there’s a connection, a TCP connection with some of these applications to this particular area, that’s kind of a red flag when you look at the information that might be getting transmitted, be it your calls or your contacts or your sms. That information goes out, and you can show all of that using these two tools as we look at right now.

So as we finish up, I’m just going to jump into this, I’m going to close this down, and I’m going to go ahead and see if Eclipse, if we still got that going. So what I’m going to do with Eclipse right now is I am going to go in and I have a live device. I actually have a live device hooked up to this, and if I have this, with this live device—oh, great. So hopefully my device is going to show up here. So here’s my device that I have listed. It’s an actual live device I have plugged in. Look at this—look at all the information that’s flying out through here. So what’s nice is I’m going to clear this right here, and I’m going to go on to this, I’m going to show you really quick. I’m pressing the buttons on the phone, and as I’m pressing the buttons on the phone, look at the information that’s flying through there. You’ll see information like email, and email that might be coming up, my Wi-Fi state. As I have the log cat [sp], which you guys are familiar with if you have Linux. So I can press anything here—I’m going to go in and I’m going to clear this, because I’m going to press an application. So here is messages—I’m going to hit messages.

Look at this. You’ll start seeing everything that’s going and everything that’s happening with all of this. Your Wi-Fi, just all kinds of information that might be coming out through here, all the info. You can go and you can actually show—I can go and have some of these malicious applications, I can go and check and click on some of these malicious applications, that I just checked off with some of those, or the different mail that you might be looking at, and going through it, Google Play. It has all this information that’s checked out as I’m looking through and grabbing some of the information. So you can go and hook the network up to it, and it gets crazy. Crazy stuff as I’m going through it.

So how do you go ahead and—again, not using Eclipse. Now, if I’m going to go and look for some malware I can use WireShark, right? But what’s nice about this is that we can go ahead and take and look at some of these by utilizing WireShark, but we’re going to use some of these captures. And utilizing some of the captures—I’m just trying to get this thing back here. I’m going to expand that. So we can use these capture files by simply going in and selecting—I had to refresh my screen there, sorry about that—by taking and grabbing some of these, I can use Terminal, and inside a Terminal I can go in and say, okay, I’m going to run Emulator, and I’m going to run a TCP dump, and we’re going to call this “emulator.cap” and then here I’m running it on this particular piece of ABD [sp]. So “android malware device”—and now what I’m going to do is fire up that emulator, and once it fires up that emulator, we can go on to the emulator and we can start pressing buttons, going into the different apps—and so I press on the Angry Birds.

If I’m going to press on the Angry Birds, I can go and kind of look at some of that information on the Angry Birds app, and if I look at that information I can now go and, we have that capture file, and I can now go and look at it in WireShark. So obviously as the malware device fires up, again, it might take a little while to start up, so we’re going to jump into WireShark, because again, it’s like a cooking show for an hour. So if I go and I click on it, we’re going to go and take a look at this application as we move into it. So WireShark is starting up.

What I’m going to do is I’m going to bring in the cap file, which is just the capture of the TCP. And so if I bring in that capture file, we’re going to take a look at something that might be interesting to you. So this particular capture file, obviously it’s like the cooking show—but I’m going to look at this capture file, so I’m going to open this one and we’re going to go on to the desktop and I have my malware here that might be listed. Alright, here’s Malware2, let’s try that one. So if I click on that it’s now going to bring in, inside of this, now it has all these captures that are done. Quite interesting if you look at it. Look at this. If you look at this particular app going out to that—and look up this [unclear 57:25].com, China. You can actually go and take into a lot of these TCP queries, looking at the information. If you are hooked up to the internet and you are using the sandbox arena [sp], you will actually get the captures of what is being sent out there. If you have a closed-off system—say, because you don’t want things to leak out on that—it’s still going to give you where it’s going to be un-querying [sp]. So the software is querying out for a website. It’s going out to a little website. Well, there’s no apps in there, there’s nothing in this, why is it going out into that particular—looking for that? So again, very, very indicative of these applications in going through some of the information.

Again, that’s with using free tools with WireShark, using APK Inspector, and grabbing some of that information. So, with that being said, with some of the information with the Android malware that you guys saw—this right here, it’s crazy—if you are not just running simple signature analysis with MPE+ or any other tool that can bring this in, look for these particular items. You’re leaving the door open for someone to say that malware did it. Like I’ve just explained to you, malware, there’s a pretty small number that are utilizing it to spy on an individual or a group. It’s still there. But the majority of malware out in the wild right now is to make money, and to make money it’s through ads, through premium services. But still, it’s malware. If I can say—I’m a bad guy, and I can say malware did it—and they ask you “Did you scan if for malware?” and you say “No,” then—what are you doing? So the malware on these mobile devices is rampant, you need to make sure that you’re utilizing the tools that at least scan that.

I got pretty technical into looking and seeing exactly what the malware is doing, but that’s the thing that you guys need to do, and I kind of gave you some tools that you can go in and dive into a lot of this data, and I did it in exactly 60 minutes. So this is a three-day topic, I can talk for months on this stuff, and getting into the dirty stuff, but hopefully if you guys do have some questions or some technical questions, I’d be more than happy to respond to those as best as I can on the Forensic—I think Forensic Focus is doing something. I’ll try to answer as many questions as I can now, that I can leave you to the forum. Hopefully you enjoyed this very, very quick kind of demonstration, and the problems that we might see with some of the malware, and hopefully you guys come back for either some other training or some other questions which you have.

Thank you guys very much for attending this, and if there are any questions—I’m kind of looking at some of the questions that are coming now—do you have a top list of downloaded malware apps? Yeah. So that one, just go ahead and look—I had that screenshot, there is a great [unclear 1:00:20] does a really good job about putting that information in there, and you can also look up truscoe [sp], it kind of gives the most dangerous apps, but they also have some others that are on there. So you have to search for it, because a lot of times they don’t want those—Google Play and those types don’t necessarily want those out all the time. But look at your Kaperskys [sp], your Trend Micros, they do a lot of work on a lot of those, like spread analysis. There are a couple of places as well that I can include in some information.

Someone’s asking “How do you get the Eclipse to access Androids?” So we do that in our class, I couldn’t do it in 60 minutes obviously, they do have a great documentation on the developer site for Android, as well as with the Eclipse, because you do have to do some stuff with some plugins.

Does WireShark and the emulator show traffic that would go over both cellular and Wi-Fi? It depends on your –you have to do some settings because your memory only went and capture the information on the cap files for the TCP traffic on that particular. But if you look at it with Eclipse and with a live, you can get some fantastic stuff because you’re getting all the processes and the services. So it even has—if I had a longer time I can show you when you dial a call, it will show that with the connection, and it will also give you latitude and longitude, that actually comes through. So it’s pretty cool, it’s a live capture, if you look at it. And that’s really all it is if you’re familiar with that.

Okay, guys, I’m like two minutes over. I appreciate so much each and every one of your time today, and again, lreiber@accessdata.com, if you have anything, I’ll be happy to answer any of your questions. Jump on the Forensic Focus—I think Forensic Focus is on there as well if you have any additional questions or if you want to say just how awesome malware is. I would be happy and I will try to answer as many of those as I can. Okay guys, I thank you very much for your time!

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 27th March 2024 6:06 pm

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles