Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Stop criminals in their tracks
Don’t let criminals destroy your life
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
Divorce, custody battles, and other
Win the most important battle of your life
Everything you need
Effective Expert Witness in Court
Evidence shows who is telling the truth
Subpoena power yields strong evidence
Digital evidence can build a strong defense
Nowadays Android malware analysis becomes more and more common task during mobile forensic investigations. Thousands of new malware types are created every month, so it becomes critical for any digital forensic examiner to have at least basic understanding of maliсious application analysis.
In this article we’ll show you how to perform basic static and dynamic analysis of a malicious Android application with Apktool, dex2jar, JD-GUI and VirusTotal.
We’re going to start from basic static analysis. The first step is unpacking an APK-file with Apktool in order to get decoded AndroidManifest.xml file which contains the application’s permissions:
Now we have our AndroidManifest.xml decoded and ready to be analyzed. Our app requires the following permissons:
As you can see, there are a lot of suspicious permissions: it can read contact data, send, read and delete SMS messages, has full Internet access, can directly call phone numbers, read phone state and identity, such as it’s phone number and serial number, also it can modify or delete SD card contents.
Let’s go further – extract the .class files from the APK with dex2jar. Now we have a JAR file ready to be decompiled.
To do it, open JD-GUI and click the corresponding icon, or go to File – Open File…, or simply push Ctrl + O and choose the JAR file:
Now you can walk through the .class files, analyze the codes and, for example, search for interesting strings like the IP-address on the illustration.
It’s time for basic dynamic analysis. We’ll use VirusTotal for it. Just upload your sample to it and wait for analysis to complete. Go to “Behavioural information” pane and check the results of dynamic analysis:
As you can see, we have a lot of useful information: the app calls APIs that provide access to information about the telephony services to collect subscriber’s info. Also it calls APIs that manage SMS operations and even sends with “balans” text to 900 – its Sberbank number for mobile banking.
Of course, advanced analysis isn’t as easy as basic. If you want to learn more about it we highly recommend Android Malware and Analysis by Ken Dunham and Shane Hartman. But if you need a professional to do it – use our contact form.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
Save my name, email, and website in this browser for the next time I comment.