Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Now you should have a good understanding of what techniques you should use for basic static analysis of an Android application.
00:05
In this lab, you'll analyze malware2.apk, which is located in the lab files lab2 folder. At the same time, we're going to skip the hash identification and online threat hunting of the MD5. But of course, in normal situations, it's definitely good practice.
00:22
However, I feel we've really covered this in depth already, and if you want, you can take it offline
00:27
and research it on your own. So to complete this lab, you should use only static analysis techniques. And I recommend Kali or Santoku, but any Linux machine with apktool and a Java decompiler is appropriate in this instance. So go ahead, pause the video, answer the questions, take all the time you need. And when you come back,
00:46
I'll be here and we'll go over them together.
00:49
Okay, so how did you do on this lab? Okay,
00:52
I hope so. I'm imagining lots of smiling faces and clapping. Okay, so let's go over these answers together, okay? So I've got my VM up and running. Where am I? I'm in the lab files directory. Okay, so we need to be in lab2.
01:07
Okay, there's malware2. Let's clear the screen.
01:12
Okay, question one. What is the name of the malware? Okay. Well, first off, we need to unzip it. Right.
01:22
So we did that.
01:25
So now we've got different files there. Okay, good. What's the name? We still don't know yet. We have to look at the AndroidManifest.xml, right? It's not decoded. So we've got to run apktool.
01:42
Okay.
01:49
Okay. Let's clear the screen there.
01:53
All right, so let's go look at our
01:56
AndroidManifest file.
02:02
Okay, so what is the app name? Well, the first thing you should do is take a look at the first intent filter. You should see that that should be the main activity. So intent filter, intent filter. Okay, so there's the activity. Now, right above it, I'm sorry, there's the intent filter; right above it, this should be the app name.
02:23
Okay, so the label is the app name. So
02:25
okay, so this is a string. So we'll have to go into our
02:31
resources
02:34
and look at our strings to find out what the APP name is.
02:38
Okay, the string resources, okay. So it's these characters here,
02:43
so that is the app name.
02:45
Okay, let's see what this is.
02:53
It's Korean.
02:54
Translate from Korean.
02:57
Okay, smart banking.
02:59
There we go. There's our application name.
03:07
Okay. Based on the name of the malware, what's the intended purpose of the application? Okay. We'll say banking. Right.
03:14
Banking.
03:17
Okay. Based on the purpose of the app, what permissions are suspicious to you? Okay, so we have to go look at the AndroidManifest file to see what permissions are suspicious to us. So it's a banking application, right? So what do you think? To me, the suspicious ones are read SMS, write SMS,
03:37
receive SMS, and
03:39
install and delete packages.
03:44
Those are suspicious to me.
03:45
Okay, so
03:49
it's SMS send,
03:54
receive,
04:00
receive,
04:04
install,
04:08
delete,
04:10
perhaps.
04:12
Okay. So what is this application doing? We don't know yet. Right? So where do we start? Well,
04:18
what we can do is look at the activities so we know where the application is gonna launch from, right? It's gonna launch from this main. That's the action that it's gonna take for the intent. Let's take a look at some of these other activities.
04:32
So bank splash,
04:35
bank, pre activity, bank activity, bank number, bank card, bank activity.
04:41
Okay, look at this SMS receiver. So that's pretty interesting. Let's take a look at that.
04:47
Now, if you remember, android:name, that is the class that we want to look at because it matches the permissions. So let's go and investigate that.
04:58
But first we need to
05:00
convert the dex files. Let's do that.
05:06
dex2jar
05:11
classes.dex.
05:17
All right,
05:21
All right. We've got a jar file. So let's open that up in JD-GUI.
05:32
All right.
05:42
Okay, so what do we got here?
05:46
Okay,
05:47
so
05:49
we've got a couple of
05:53
things we want to look at. So here's our main activity. We know that we've got that. So we wanted to take a look at the SMS receiver, So let's look at that.
06:03
Look at that class.
06:06
Oh, here is some tasty juicy stuff right here.
06:13
String SMS receiver, SMS received,
06:16
android telephony SMS received.
06:19
Oh, this looks bad.
06:24
Banking one dot cat cat dot net. That definitely doesn't look like a real banking site.
06:32
Update URL, looks for connectivity, so it looks like it needs Internet connectivity. It's got that update URL,
06:45
looks like it gets SMSes from the phone.
06:51
Look at this.
06:54
Looks like it gets the SIM card number, the telephone
07:00
red type.
07:01
And then we've got lots of other errors. So it seems like we have a pretty good idea of what this application is doing. It's definitely reading information from the phone, intercepting SMSes possibly, and connecting to that URL. So those are definitely some artifacts that we can go ahead and investigate
07:19
with some more static analysis, or maybe we could use some dynamic analysis.
07:25
All right, in lab 2 we looked at a piece of Android malware that seems to be targeting banking customers in Korea.
07:32
The malware could be used to intercept SMS messages as well as profile the device for telephony information, and then that info might be sent to the questionable URL that we found in the SMS class. So what we want to do next is confirm those hypotheses by running similar tools
07:51
and carefully inspect the Java classes to uncover more functionality
07:57
and maybe even use this in a dynamic analysis scenario to confirm our suspicions.

Instructed By

Brian Rogalski
CEO of Hexcapes
Instructor