Demystifying the Android Malware

October 6, 2011

McAfee‘s first quarter threat report stated that, with six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history. McAfee stated that Android devices are becoming malware havens with Android being the second most popular environment for mobile malware behind Symbian in the first quarter.

In this paper we walk through the phases needed to understand what these malware samples are actually made of. We start with a background of Android, move on to the basics of the Android package format, and then analyze one Android malware sample in complete detail.

Introduction to Android platform:
Android is a mobile operating system built on the Linux kernel. Android application developers write primarily in the Java language, controlling the device through Google-developed Java libraries (the Android framework).

The Android build tools compile the developer's Java source into .class files, and the .class files are then converted into a dex (Dalvik Executable) file. Dex files contain bytecode for the Dalvik VM, a register-based virtual machine that runs Android applications; it is not a standard JVM and cannot execute .class files directly, which is why the conversion step exists. The XML files (the manifest and the resources) are compiled into a compact binary format. The dex file, the binary XML files and the other resources needed to run the application are packaged into an Android package file. These files have the extension .apk, but they are simply ZIP archives. Once the APK is generated it is signed with the developer's key and uploaded to the Android Market through Google's website, from which users download the .apk and install it on their Android device.

There are currently more than 2 million downloadable applications in the central repository of Android applications run by Google, and Android applications can also be downloaded from other third-party sites.

Requirements:

  • Tool to unpack the .apk file: WinZip (any ZIP tool will do, since an .apk is a ZIP archive)
  • Tool to convert .dex to a .jar file: dex2jar
  • GUI tool for Java decompiling: JD-GUI
  • A sample Android malware for analysis

Detailed Steps:
Step I: To start the malware analysis procedure we first obtain a sample of Android malware. For this article I will use iCalendar.apk, which was one of the 11 suspicious applications removed from the Android Market because, according to Gadget Media, it was found to contain malware.

A scan of the application on VirusTotal showed a detection rate of 46.5%, as shown in Figure 1.

Figure 1

Step II:
Now, we are going to extract the iCalendar.apk file using Winzip to see the contents of the .apk file.

Figure 2

Here we see the .dex file and the binary .xml files discussed in the earlier part of the article.

Step III:
The next step is to get a better view of the code using the 'dex2jar' tool. dex2jar converts the Dalvik executable (classes.dex) back into Java .class files packaged as a .jar.

We copy the 'classes.dex' file from our application into the dex2jar directory and perform the conversion with the command: dex2jar.bat classes.dex

Figure 3

This creates the file 'classes.dex.dex2jar.jar' in the same directory.

Figure 4

Step IV: To see the class files in readable form, we use JD-GUI. Open the 'classes.dex.dex2jar.jar' file in JD-GUI.

Figure 5

This gives a systematic, decompiled view of the application's code. It is a reconstruction from the bytecode rather than the author's original source, but names of classes, methods, strings and constants survive, which is usually enough for analysis.

Step V: With the decompiled application in front of you, you can perform the actual analysis and check whether something is amiss. We notice a class named 'SmsReceiver.class', which is odd: a calendar application has no need for an SMS receiver.

On further inspection of the code of 'SmsReceiver.class', we find that it contains three hard-coded numbers, 1066185829, 1066133 and 106601412004. They look suspicious: the receiver appears to intercept incoming messages from these numbers and prevent them from reaching the user of the Android device on which the application is installed and running.

Figure 6

After Googling these numbers, we find that they are premium-rate SMS short codes belonging to China Mobile.

Figure 7


We will return in later steps to why the application suppresses delivery reports from these numbers.

The next suspicious thing we notice is in the showImg() function: once the user has clicked five times, there is a call to a function named sendSms().

Figure 8

Step VI: Once done with 'SmsReceiver.class', we move on to the next class file, 'iCalendar.class'.


Figure 9

We run through the file looking for the 'sendSms()' function to see what it does. Voila! As shown in the figure above, when sendSms() is called an SMS is sent to the number 1066185829 with the text 921X1. Sending an SMS from an application requires the SEND_SMS permission, and intercepting incoming messages requires RECEIVE_SMS, so both should already appear as unexpected entries in the permissions list of a calendar application.

Step VII: At the end of the sendSms() function there is a call to a save() function. We look for save() in the code and find it just above sendSms().

On closer analysis of save(), we find that it stores the string "Y" whenever it is called, and that the "if" condition guarding sendSms() checks for that stored value. The conclusion is that sendSms() can run only once and never again.

Figure 10

Step VIII: Putting together all the findings made during the analysis, we get a clear picture of how the malware works.

The application sends an SMS to the premium-rate number 1066185829 with the text 921X1 and, in the background, blocks any incoming delivery reports from that number so that the victim sees no response to the SMS the application sent. The SMS is sent only once and never again, so the victim has no reason to suspect what caused the charge on the bill.

Figure 11: Complete iCalendar.apk Malware cycle
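The analysis above was done by hand with WinZip, dex2jar and JD-GUI. The following Python script is an added example (not code from the original article, and not a substitute for the decompilation steps) that automates the first pass of the same procedure: open the .apk as a ZIP, check that classes.dex has a well-formed header whose Adler-32 checksum and SHA-1 signature still match the contents (a repacked or hand-edited dex usually fails here), and run a strings-style scan for the SMS APIs and the three short codes that the manual analysis turned up. The indicator lists, the minimum string length and the sample APK constructed in build_sample_apk() are assumptions for illustration; the sample is not the real iCalendar.apk, only a container whose string area mimics what JD-GUI showed.

```python
"""APK triage helper: unpack the ZIP container, validate the classes.dex
header, and scan for the indicators the article found by hand.
Added example, not code from the original article. The indicator lists
and the sample APK built in build_sample_apk() are assumptions."""
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header length from the dex format specification

# Android API names whose presence in a calendar app warrants a closer look
# (assumed indicator list; extend it for your own triage).
SMS_INDICATORS = (
    b"android/telephony/SmsManager",
    b"sendTextMessage",
    b"android.provider.Telephony.SMS_RECEIVED",
    b"abortBroadcast",
)
# The short codes quoted from SmsReceiver.class in the article.
KNOWN_SHORT_CODES = (b"1066185829", b"1066133", b"106601412004")


def parse_dex_header(data: bytes) -> dict:
    """Check the dex header the way a repacking check would: magic, file size,
    Adler-32 over everything after the checksum field, SHA-1 over everything
    after the signature field (offsets from the dex format specification)."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("truncated dex header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad dex magic: %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "little_endian": endian_tag == 0x12345678,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
    }


def scan_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, like strings(1): enough to spot API names and
    short codes without a full dex string-table parser."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage_apk(apk_bytes: bytes) -> dict:
    """Unpack the APK (a ZIP), validate classes.dex and report indicators."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex")
    strings = scan_strings(dex)
    found = lambda needle: any(needle in s for s in strings)
    return {
        "entries": names,
        "has_manifest": "AndroidManifest.xml" in names,
        "dex": parse_dex_header(dex),
        "sms_indicators": sorted(i.decode() for i in SMS_INDICATORS if found(i)),
        "short_codes": sorted(c.decode() for c in KNOWN_SHORT_CODES if found(c)),
    }


def build_sample_dex(payload: bytes) -> bytes:
    """Constructed dex container around PAYLOAD with a consistent header.
    Dalvik would reject it (no real tables), but it exercises every check
    in parse_dex_header(), which is all the sample needs."""
    body = bytearray(DEX_HEADER_SIZE) + payload
    body[0:8] = b"dex\n035\0"
    struct.pack_into("<III", body, 32, len(body), DEX_HEADER_SIZE, 0x12345678)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()  # signature first
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_sample_apk() -> bytes:
    """Constructed sample APK (not the real iCalendar.apk): a ZIP with a
    manifest placeholder and a classes.dex whose string area mimics what
    JD-GUI showed in the article."""
    strings = b"\0".join([
        b"Landroid/telephony/SmsManager;", b"sendTextMessage",
        b"android.provider.Telephony.SMS_RECEIVED", b"abortBroadcast",
        b"1066185829", b"1066133", b"106601412004", b"921X1",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"binary-xml-placeholder")
        z.writestr("classes.dex", build_sample_dex(strings))
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(key, value)
```

Against a real file, call triage_apk(open("iCalendar.apk", "rb").read()). A hit on sendTextMessage or abortBroadcast in an application with no messaging purpose is the cue to open the decompiled class in JD-GUI, as in Step V; a checksum or signature mismatch means the dex was modified after it was built and is worth a note on its own.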


Conclusions:

A piece of malware with root access to a phone can not only read any data stored on it but also transmit that data anywhere. This includes contact information, documents, and even stored account passwords. With root access it is also possible to install other components that are not visible from the phone's user interface and cannot be easily removed. The iCalendar sample needed no root access at all; the SMS permissions it requested were enough. The ways to safeguard against Android malware are:

  • Download Applications only from Trusted Sources
  • Check out the ratings and reviews before downloading an application
  • Look at the application's permissions very closely (a calendar application asking to send or receive SMS, as this one must in order to do what it does, is a red flag)
  • Install Android OS Updates as soon as they're available
  • Install a Mobile Security Application

This whitepaper shows an example of how malware may affect innocent users. Without the user knowing, it can perform malicious actions in the background. Such malware may cause financial loss by draining your call balance, may target you by stealing your passwords, or may simply corrupt your phone. It is very important to take precautions against it. It is always better to be safe than sorry!


Dinesh Shetty is currently working as an Information Security Consultant with Paladion Networks. Dinesh is a computer engineer from Ramrao Adik Institute of Technology and an EC-Council Certified Ethical Hacker.
