Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
now that we have it installed, let me go ahead and explain to you what Droz or does, and then we'll come back, finish the set up and see what it can do.
00:10
All right, so we have the drills or agent running on their phones. So what is drove her well, drills here is a framework for android security. It's developed by M. W R Labs. It's really one of the best android security tools available.
00:23
The nice thing about the project is that it's usually well maintained and allows you to interact with the application components and weaken. Do testing on them to see how these components respond as we analyze the applications to get you up and running fairly quickly. The droves. Their server is already installed on Santa coup.
00:38
So all we need to do is get the agent connected to the server, and then we can start playing around with applications.
00:46
So let's take a look at a few Droz er commands that we need to get us moving. So to beginner, it may seem a little odd, but the android system has a funny way of naming the packages. Has you might have noticed during your static analysis, but with a few of the package commands offered by Droz ER,
01:00
you can get a good look at the system and find the packages you're analyzing or hunt for packages on the system that may be malicious.
01:07
Once we find the running application, we can get more information about the package, such as what file permissions it has. We can do this using the Manifest View Command now if you remembered we did this during our static analysis. But the advantage here is you don't need to decode it. It's all right there in memory.
01:23
Lastly, we could look at the components of the application, like the activities or the content providers, and then we can interact with them. We could see what happens when we run them
01:33
and how they interact with our emulator. So by using drugs at runtime, you can get a picture of what the application is doing. And then you can use those findings and compare those two what you uncovered during your static analysis process.
01:46
Okay, now let's get drills are connected and we'll move an application to our phone. Then we'll run. Some drove her commands, so we'll get you familiar with a BB and Roeser.
01:56
So as you can see, I've got my Santa coup, the em all ready to go. So let's get droves or turned on. The first thing that we want to do is we want to turn on this little embedded server button on the bottom,
02:07
so just click off and I'll go on.
02:10
So it started an embedded server on this port. Here, this 3141531415 So now what we need to do is with the e. D b forward command, we want to take the connections and forward them. So that's a simple command with a D v a d being
02:30
forward
02:34
and the port number.
02:45
And we want to forward it to TCP the same port.
02:52
You can typically omit the TCP here, but we just do it just in case. Okay, so now we should have that port boarding set up so that we just still log in so we can do that with the Droz er
03:08
console Connect Command.
03:15
Okay, so once you're connected, you should have this d z prompt. So now we can start issuing commands. Great. So the server works. We don't know about that. But let's exit out of this real fast because what we want to do is we're gonna move an application to our phone. So let's go ahead and just install a test application. I called it my dash app.
03:35
So a t b
03:37
install
03:46
in the name of the package.
03:49
Okay, so it's all installed. So now this is a little confusing. So this is my app right now. What's the application name? While we have no idea, we just know that this is a package called my AP AP K So what we can do is we can get on Droz er and we can see what the application name is. So let's log back into our console.
04:13
So we're back at her counsel. So let's run the package lis command, so we can look at all the different packages, So run
04:19
space app package
04:24
list. That list
04:28
This is gonna give us a list of all the running packages on our missing
04:30
on our emulator.
04:34
So we get scroll up the list
04:36
and we can look at what applications are on the device.
04:45
So this gives you the package names So let's say we find an application that were interested in. Then we can find out more information about the package. We can do that with the dash a target.
04:57
So, for instance, so this is the application I installed? Where is it? Here it is, this mobile example, right? So this is the application will used to get more information about. So we'll just copy this.
05:14
So instead of the list, will use the info target
05:18
while the Info Command sub command
05:23
dash A
05:24
and then we'll give it the
05:30
so Here we go. Here's all the information about the package. It's not very interesting, right? It only has one u i. D. There's no shared libraries. There's no shared permissions. There's nothing. So this package is pretty boring. But I wanted to show you some of the basic commands to get you up and running. But we can pick some other packages that might be more interesting.
05:47
Maybe. Let's see,
05:55
uh,
05:56
just pick the bottom one here. Lets go for this captive portal log in. So let's see what this application is all about. So instead of this package, we just say
06:08
we want info on this package
06:14
based.
06:17
So here we go. So now we can look at some of the permission. So it's got Internet permissions accessing the networks. So with droves of there's lots of different things that we can look at while we're examining packages, let's go back and see what other artifacts we could be retrieving. And then we'll come back. We'll put it all together,
06:36
all right, so we have a quick look at drones. They're there, and we can see what potential it has and what it can do for us, and we'll come back to him in a second. But let's see what else we can get from an application perspective while it's running on the system. Well, we could look for a file system modifications, and to do that we could use tools such as Androids Studio.
06:55
It has a file system monitor. It's in real time, but it doesn't give you a lot of information, but it still could be useful.
07:01
We have the monitor application. It is nice. It works pretty well. However, it has been depreciated, but it still works, so you could use that. But seeing I prefer the command line, I recommend a nice little tool called F s. Ma. This is a nice little utility. You can run from the command line to get all types of file system modifications and system alerts.
07:23
Now, the last thing we should do is you the network connections. Ah, la. The time an application is going to use the network in some way. So we want a way to monitor. Of course. Now, a lot of people prefer to use proxies, which is okay if you want to inspect and maybe modify the traffic. But again, I like to use my old friend TCP dump
07:40
with TCP dump. We can just dump the traffic to a file
07:44
and then pull it off for later analysis.
07:46
Lastly, you can debug the program so similar to iPhone, a version of GDP. Debunker is already installed on Android. So all we would need to do is set up a remote session and we can do that using the 80 be commit. So if you like GDP, then you're in luck because it's similar to L. L D B. And so a lot of commands are similar.
08:05
Now, if you want to use a job in a bunker, you can use Androids studio, and this gives you a gooey interface to debug your program so it's a little bit easier and plus, seeing you're going to be developing applications in Java, it's helpful to have a job in the bugger.
08:18
Lastly, a nice debugging option is an bug. It's 1/3 party application and requires a little bit of setup. But once you get it working, it's a nice alternative to some of the other command line two buggers.
08:31
As we wrap up our dynamic analysis, you can see our process is very similar to our iPhone process. Once we have some hypothesis about what our application is doing, we can go and confirm them using Dynamic announces. Or we could start with dynamic analysis, observed the application at runtime and then confirm those findings with static analysis.
08:50
It's totally up to you based on your analytical goals.
08:54
But before we wrap up ahead and a model for, I'm gonna give you a brief demo and show you how you can put a few of these techniques together and get more information out of our running applications.
09:05
All right, so let me show you how to put this all together now. So in this exercise we will get into your phone and set up some monitoring tools and then will install an application. Will be chrome in this case. Then we'll use drove her, and we'll look at the application will make it do a couple of things, and then we'll pull off our information and we'll analyze it.
09:24
So let's get going.
09:26
Okay, So first things first, let's turn on the drills or server.
09:33
Okay? It's on. Let's make sure that we can get it to it.
09:39
Okay, so it looks like we're in their perfect. Okay, so let's get into our device and steps of monitoring tools,
09:48
so e d B
09:54
let's make sure we're running his route.
09:56
That's fine.
10:03
Okay, so we'll go to the data directory
10:07
and we'll set up
10:09
F s mom.
10:20
We'll use the J target toe log information. Is Jason on
10:24
and we'll pipe it too.
10:37
And put in the background. Okay, so this gonna monitor all the file system changes, and then we'll set up TCP dump and monitor The network changes. So by default, it listens on w land one. So we'll do TCP dump.
10:58
Sorry, W land zero.
11:11
Okay, so Now we've got both tools running in the background. So let's go ahead and install our application. Gonna change into my directory first.
11:37
Okay, so that installed successfully. So now if we navigate over to our drones, er, we can run commands like
11:43
Ron
11:46
Ap
11:52
package list.
12:11
That gives us all the packages that are on the device. So we know we just installed chrome, but if we want to look for it specifically, we can use the dash F target to make sure it's on there. So, Ron,
12:26
package list
12:31
comes
12:35
chrome.
12:39
Okay, so we know it's installed.
12:41
So now we want to take a look at the information about the package so we can do that using the A switch, so we would do Han
12:52
package
12:54
in foam,
12:56
FAA.
13:09
Okay, so this gives us all the permissions, gives us everything about the application we can scroll through and take a look at the a p K path. The data directory. It's you I d. It's g i d. All of stuff about the application so we can learn exactly about the application.
13:24
So what else can we do? So now we can run the app package attack surface commander. We can get the information about what type of activities and broadcast receivers and different components at exports. So let's run, then run
13:39
package
13:48
taxer, ISS
13:50
and the package name, which is calmed up and dried
14:00
grill.
14:05
Okay, here we go. So we got nine activities exported, 11 broadcast receivers exported and three content providers, and five service is so we could go ahead and fool around with all of those things and see exactly what they dio. So let's take a look at the activities because that's what's going to be happening in application as we use it.
14:22
So to do that we do. Ron.
14:24
Yeah,
14:28
activity
14:31
info
14:37
and again calm.
14:39
Not
14:41
android.
14:50
So here the activities of the application. We could go through these and look for interesting ones and see what type of effect they have as we run them. So let's pick one out. Let's see. Okay, so let's go with me. Right? So, in essence, this should start the application, right?
15:05
So let's fool around with these components here, so let's run this activity so we could do that. Say, Ron,
15:13
AP
15:15
activity
15:16
don't start
15:20
and then the component,
15:24
and now will
15:26
we'll just do this so I don't have to keep
15:30
typing it so many times because I'm I know I'm making some mistakes. I think you don't want that. Okay. And now the interesting activity. So
15:39
here we go. So this should write. It should launch it on our phone.
15:46
Let's see what happens.
15:50
Okay. And there we go. So that just launched on her phone. So that's what that activity does. Now, let's just accept and continue.
16:02
Cool.
16:03
So before we forget, why don't we generate some web traffic?
16:10
Here we go.
16:11
It was probably some already in there
16:15
from the content, and it's ah, looting.
16:26
Okay, so, yeah, this is just a test to get some
16:29
web traffic in our pea cap. Okay,
16:32
so that's that.
16:36
So let's go back and fool around with these activities, see if there's anything else that interesting that comes up.
16:40
So let's try this bookmark at activity. So let's try that. Let's see what happens when we launch that,
16:59
see if anything happens.
17:02
Oh, here we go.
17:03
I wonder if it added a bookmark. We gotta check,
17:08
See if we can get to that
17:11
works.
17:18
No bookmarks. Okay. So that didn't work. Some of these are gonna work. Some of them are not going to work. It depends from where we are in our application. So But we've got all those different activities and content providers and service is that we could go through with droves or to enumerate. Okay, so now that we've kind of gone through the dynamic analysis,
17:37
let's shut these service is down and pull off the files.
17:41
Okay, so let's just shut these down,
18:15
okay? So those air shut down
18:18
so we can't exit out of here. We don't need it anymore.
18:21
Okay, so now let's pull those files.
18:23
So a T B
18:29
pull data
18:32
12
18:34
Jason.
18:40
Okay, 10 megs. Pull that one and we'll pull the pea cap.
18:53
Okay, great.
18:56
Now you would push files the same way. So we pulled them this time. So now what we can do is just We could analyze your data. We could go toe wire shark,
19:15
and let's see if we can find our
19:18
escapes data.
19:27
Okay, so here we go. Here's our hex capes data. So we've got TCP dum day that we can look at. So what's next? Okay, we can close this.
19:37
All right.
19:38
All right. So Let's just clear this up.
19:44
So now we can take a look at our monitor file that within Jason Format, but we can cut it out just to see what's in there.
19:53
Oh, yeah, definitely. So lots of different file permissions that we could go ahead and use look, file content modified, modified
20:03
so we could go and see and investigate exactly what applications are changing the modifications to the system. So that wraps it up. That's what you can do with droves, er and these different tools on these android devices so you can pull different things as you're looking at application and then compare them to your static analysis when you're finished.

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes
Instructor