Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Let's move on to Android dynamic analysis. So I hope you're still with me there. Don't let iOS analysis deter you. I know there's a bit of a learning curve there, but luckily with Android, there are a lot more resources available to help us with our analysis process.
00:15
Similarly to iOS, there are several approaches when it comes to dynamic malware analysis, as you'll see throughout the rest of the slides. A lot of our techniques are repeatable with Android, and the same approaches we had for iOS apply to Android. During our dynamic analysis, we could use an online malware sandbox,
00:33
we could use a third-party framework, or we could build our own environment with Android analysis tools.
00:41
So unlike iOS, we have a myriad of options when it comes to step one of our dynamic analysis process. So our first step is to identify the file, and then we would submit our malicious APK to an online sandbox like Hybrid Analysis, for instance.
00:55
And in fact, the online sandboxes are really quite good. Usually the analysis is quite detailed, and a lot of the functionality can be determined from this step alone. It's even possible, when combined with your static analysis process, that you can accomplish all your analysis goals just by completing this simple step. This is undoubtedly due to Android's platform being mostly open
01:15
and the most targeted.
01:17
The overall ease of this step, however, does come with its drawbacks. As with most online submission tools, the sample you submit is available for public consumption. So if privacy is a concern for you, this may not be the best option. If you do choose to go with this method, be sure to analyze the sandbox findings and compare them to your own,
01:36
while looking out for permissions, intents,
01:38
callouts and other artifacts to confirm the functionality of the program.
01:42
Before we move on to our next step, I mentioned that we could run third-party tools in our environment to deal with privacy issues. With that in mind, one tool I want to highlight is MobSF.
01:53
MobSF is a malware analysis sandbox platform for Windows, iOS and Android. With MobSF, you could get an effective Android malware analysis platform up and running in about 10 minutes. Setup is quite easy, and the results of the analysis are quite good. The platform also supports running applications dynamically
02:14
in an Android virtual or rooted device.
02:15
However, currently, only static analysis is available for Windows and iOS. To set up the virtual dynamic feature, you must have MobSF running on your host system and not in a VM. So hardware may be an issue for you, but it does run on any OS.
02:31
Again, with any tool, we want to analyze the artifacts and look for risky permissions
02:37
and other indicators that help us determine the functionality of our program. Let me show you really quick what kind of results we can get with MobSF. Okay, so as you can see here, I have my Kali VM up and running and also have MobSF itself up and running. Honestly, it's so simple to get this up and running. You can do it in 10 minutes. All you have to do is consult the documentation.
02:54
So once it's up and running, we simply upload our APK and analyze the results. So let's go ahead and do that right now.
03:06
Okay, so our results come back and you can see here that we get information about the application: the app icon, file information, app information. You could see what activities the APK provides. We can look at the services, receivers.
03:19
We could come over to the left-hand side and we could look at the binary analysis. So this will give us all the information about the binary. We can check out the permissions, which is where we want to start.
03:29
So look, as you can see right here, it's got full Internet access, so you can look at permissions. We can go and take a look at the URLs that are embedded inside. We could see what URLs it has. We can see what emails there are inside, if there's any, and we've got some strings there,
03:44
I can take a look at even
03:46
more strings.
03:49
So those are the basic features of MobSF. And as you can see, it does a really good job at analyzing the binary. It'll give you lots of different artifacts that you can use to compare when you do your static analysis.
04:01
Next, we'll want to explore the application at runtime. The dynamic analysis process is similar to that of Windows or Linux binaries. There are several tools and environments that allow you to get set up quickly for analysis. One of the quickest ways is through the use of Android Studio. Android Studio is the official IDE for Google Android development,
04:21
and it comes with tools such as the software development kit.
04:25
It also includes the Android Device Bridge, the main command line tool you need to interact with your Android device.
04:31
Now the only note here is that with the AVD, the hardware's emulated, so this may create problems with the malware sample. So at times a physical device might be preferable.
04:42
The first step to getting up and running is deciding where you will execute your AVD, or if you'll use a physical device. Because the emulator is fully featured, it's advisable to run this in a segregated network environment with limited access to other hosts. Internet traffic could be routed, faked and monitored with tools like REMnux, INetSim and Wireshark.
05:00
However, you may experience a little bit of a performance decline based on your hardware,
05:04
but sometimes running your virtual machines in headless mode can help you improve performance. Next, you're going to want to download and install Android Studio. Now, for the purposes of this course, it's the fastest way to get you up and running, so we'll run our malware in an AVD that we create next. During the installation, you also want to make note of the platform-tools directory,
05:24
as it holds the adb program that we'll use to interact with our device
05:28
from the command line. After you've got it installed, from the welcome screen, click on the Configure option and select the AVD Manager.
05:34
Once the AVD Manager loads, click the Virtual Device button on the bottom of the screen to create a new virtual device. On that screen, you could pick any device you want. Now the only caveat here is you don't want to choose a device with Google Play Store, and you don't want to select an image with Google Play APIs. The reason is because if you do that, you won't have root access,
05:55
and we want root access to play with the emulator.
05:57
After setting up the image and the rest, the defaults are usually good on most platforms, so you can just click through and create the device. Now my preference is to usually create an older-ish device that runs an older-ish version of Android. And the reason is so that when the Android platform runs,
06:13
the malware can exploit it a little bit better. Also, while choosing a device, you want to understand that some of the newer devices don't support the older versions of Android. Okay, so let me show you how to create an Android virtual device real quick.
06:25
We're going to want to make sure we get this right because we're going to want to issue some commands with adb via the command shell and install some software.
06:32
So let me go to my screen here. OK, so you've got the Android Studio screen. It's all set up and ready to go. So all you do is come over and click Configure and click on AVD Manager.
06:46
Then you click down here, Virtual Device. You know, you could pick really any device you want, but let's stay away from the Google Play stuff, so we'll just choose a Pixel 3,
06:57
click Next. Then we pick the operating system, or the image for the operating system. Now again, we'll stay away from the Google APIs, so click on x86 Images
07:08
and then we'll pick an operating system. You might have to download yours. I already have it, so I could just click it,
07:15
click Finish,
07:17
and then that should be it. We'll just call, we'll just give it a name.
07:25
We'll call it
07:27
test.
07:33
Okay, so once that is all set up, you should get a window that looks like
07:40
this.
07:42
And that's just a regular phone.
07:44
We can interact with it and fool around with it.
07:53
Okay? So if that's set up properly, then the next thing we want to do is test our access to it.
07:59
So what you want to do is bring up a terminal window,
08:01
and a popular command is to list the devices with adb. So let's navigate to the platform-tools directory and issue the command adb devices.
08:16
Okay, I've got my emulator. That's the device we're going to use.
08:20
Now another command we'll use is adb shell. So that will give us a shell on the system. So if you want to log in as root, you need to issue the command adb root.
08:33
Now I'm already running as root, but you should be able to log in as root. So once you log into the shell, adb shell,
08:43
you should see that you have the pound sign. That means you're root. So now if you do a simple ls command, you can see that you have permissions on all the files.
08:58
So now that we have our virtual device set up and we have established shell access, we're going to go over some of the basics of what adb is. So adb is a command line tool that allows you to communicate with your device. But not only can you control the device, you can install apps and you can run shell commands and do lots more.
09:15
So here I've listed some of the basic commands, and you should get acquainted with them as we're going to install some software now.
09:20
So getting this set up and going was pretty easy because we're using an Android virtual device. However, if you're using a physical device, first we need to enable developer options. At that point, adb will see your device. Luckily, this is pretty easy. I can show you how to do it on our Android virtual device.
09:39
That's because the Android virtual device runs basically the same operating system that your physical device uses.
09:43
So let me show you how we'll do that. And I'll show you how to sideload APKs. In this example, we'll install an APK named drozer. OK, so let me show you how to enable developer options on your device, and then we'll use the adb shell to run some commands on our device.
10:01
So let's switch over.
10:03
Okay, so we have our phone here.
10:05
So to enable developer options, you go to Settings, so let's navigate to Settings,
10:15
and what you want to do is scroll down to the bottom,
10:20
and all the way at the bottom, you see it says About emulated device. So what you want to do is click on there,
10:26
and then at the very bottom, you see this build number. So you just want to click on that build number a few times, and you could see 4, 3, 2, 1.
10:35
And now we're a developer.
10:37
So the next thing you want to do as a developer is you want to make sure that your USB debugging is turned on. This will allow adb to see devices that are connected to your computer. So to do that, it's in Developer options. So you just go back.
10:52
Now you click on the Developer options menu at the bottom,
10:58
and you want to find the option for USB debugging and enable it.
11:03
You go right here. Oops.
11:07
USB debugging, just turned it on.
11:13
Okay, so let's start issuing some commands at our command line. So the first command you want to get familiar with is the adb devices command. adb devices will show you which devices are connected to your computer.
11:37
Okay, so we've got the emulator that's running on our machine. So if we want to interact with it, we could use the shell command, or we can use the root command. What we'll do is make sure that adb starts with root, so adb root.
11:56
Okay, so now we can log into our device as root
12:00
using the adb shell command.
12:07
So now we're in our device.
12:13
Okay, so just a quick note here. If you have multiple devices, you'll need to specify which one you want to log into by using the -s target. So what you would do is, it's going to look something like this: adb
12:37
and that also allows us to go into the shell. But because we only have one device, we don't need to use it here. But if you had multiple devices, you'd want to use it with multiple devices. So the next thing you want to be able to know how to do is sideload APKs, that's installing them to your device, and we'll do that to install the drozer agent. So it's
12:56
very simple: adb
13:01
install
13:09
and that's it. So now what we can do is we can go over to our device and check to make sure that it's installed.

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Brian Rogalski
CEO of Hexcapes
Instructor