android security development - part 2: malicious android app dynamic analyzing system
TRANSCRIPT
Android Security Development
PART 2 – Malicious Android AppDynamic Analyzing System
SEAN
Sean
• Developer
• https://www.facebook.com/erinus
You Need...
• Hardware• Phone
• Google Nexus 4
• Google Nexus 5
• Tablet• Google Nexus 7
• Google Nexus 9
You Still Need...
• Software• Virtual Machine
• VMware Workstation
• VirtualBox
• Operating System• Ubuntu Desktop 14.04
Build Nexus 5 Image
[1] Install Ubuntu 14.04
# create user named "user"
> sudo apt-get update
> sudo apt-get install vim less gcc g++ make build-essential binutils wget ssh openssh-server openssh-client zip unzip perl python rsync git openssl
> sudo apt-get upgrade> sudo apt-get dist-upgrade
> sudo apt-get autoclean> sudo apt-get autoremove> sudo rm –f /var/cache/apt/archives/*.deb
[2] Build Environment for 4.x
> sudo apt-get install git gnupg flex bison gperfbuild-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 libgl1-mesa-dev gcc-multilib g++-multilibmingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
> sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so
> sudo apt-get install python-software-properties> sudo add-apt-repository ppa:webupd8team/java> sudo apt-get update> sudo apt-get install oracle-java6-installer
[2] Build Environment for 5.x
> sudo apt-get install git gnupg flex bison gperfbuild-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 libgl1-mesa-dev gcc-multilib g++-multilibmingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
> sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so
> sudo apt-get install openjdk-7-jdk
[3] AOSP Environment
> cd ~> mkdir ~/aosp> mkdir ~/aosp/bin> PATH=~/aosp/bin:$PATH> curl https://storage.googleapis.com/git-repo-downloads/repo > ~/aosp/bin/repo> chmod a+x ~/aosp/bin/repo
> curl https://storage.googleapis.com/git-repo-downloads/repo > ~/aosp/bin/repo> chmod a+x ~/aosp/bin/repo
> git config --global user.email "user@USER"> git config --global user.name "user"
[4] Download AOSP
> mkdir ~/aosp/src> cd ~/aosp/src
> repo init -u https://android.googlesource.com/platform/manifest -b android-4.4.4_r2.0.1
> sudo sysctl -w net.ipv4.tcp_window_scaling=0
# -j(?) means amount of thread(cores) used> repo sync -j1
[6] Download Nexus 5 Driver
> cd ~/aosp/src
> wgethttps://dl.google.com/dl/android/aosp/broadcom-hammerhead-ktu84p-5a5bf60e.tgz> wget https://dl.google.com/dl/android/aosp/lge-hammerhead-ktu84p-49419c39.tgz> wget https://dl.google.com/dl/android/aosp/qcom-hammerhead-ktu84p-f159eadf.tgz
> tar xzvf broadcom-hammerhead-ktu84p-5a5bf60e.tgz> tar xzvf lge-hammerhead-ktu84p-49419c39.tgz> tar xzvf qcom-hammerhead-ktu84p-f159eadf.tgz
[7] Import Nexus 5 Driver
> cd ~/aosp/src
> ./extract-broadcom-hammerhead.sh> ./extract-lge-hammerhead.sh> ./extract-qcom-hammerhead.sh
[5] Build AOSP
> cd ~/aosp/src
> source build/envsetup.sh> lunch aosp_hammerhead-userdebug> make –j1
[8] Download Android SDK
• Android SDK Platform-tools
• SDK Build-tools
[9] Flash Image Onto Device
> export ANDROID_PRODUCT_OUT=/home/user/aosp/src/out/target/product/hammerhead
> fastboot erase boot> fastboot erase cache> fastboot erase recovery> fastboot erase system> fastboot erase userdata
> fastboot flash boot boot.img> fastboot flash cache cache.img> fastboot flash recovery recovery.img> fastboot flash system system.img> fastboot flash userdata userdata.img
The Walking Deadveloper Orz...
Find Java Base Class Library
libcore/luni/src/main/java
Find Android Base Class Library
frameworks/base/core/java
Find Android ADB
system/core/adb
Android Image Modification
> source build/envsetup.sh> lunch aosp_hammerhead-userdebug> make update-api> make –j1
Android ADB Modification
# Build for Windows> sudo apt-get install mingw-w64
> cd ~/aosp/src> make USE_MINGW=yes adb showcommands
# Build for Linux> cd ~/aosp/src> make adb showcommands
Customize Logcat
[1] Start...
1. Android developers use "Log.d / Log.e / ..." toread messages.
http://developer.android.com/reference/android/util/Log.html
2. So, monitor "Log.d / Log.e / ..."?
No, it's not enough!
Why?
[2] Base Knowledge
3. Android Architecture
Log.d
?
[3] View Source Code
4. Android Source Online
https://android.googlesource.com
5. Search Android Source Online
http://code.metager.de/source/xref/android/4.4/
http://grepcode.com/project/repository.grepcode.com/java/ext/com.google.android/android
[4] Where?
6. Search Possible Occurrence
[4] Where?
7. System.java
[4] Where?
7. System.java
CLICK
[5] Got You!
8. System.java
[6] Java – JNI – C++
9. Java
/libcore/luni/src/main/java/java/
JNI
/libcore/luni/src/main/native/
[7] JNI – C++
10. java_lang_System.cpp
[8] Modify...
11. Patch java_lang_System.cpp
[8] Modify...
11. Patch java_lang_System.cpp
ADD
[8] Modify...
11. Patch java_lang_System.cpp
ADD
[8] Modify...
11. Patch java_lang_System.cpp
MODIFY
MODIFY
[8] Modify...
11. Patch java_lang_System.cpp
[9] Modify...
12. Patch System.java
[9] Modify...
12. Patch System.java
ADD
ADD
[9] Modify...
12. Patch System.java
Create Customized Function: appsandbox(String)
ADD
[10] Output
> adb logcat –v long appsandbox:V *:S > adb.log
# appsandbox:V means "Verbose for Tag:appsandbox“# *:S means "Silence for Other Tags"
Dive Into Source
First
PID
[1] Why I Need PID?
1. When you try to get package, you get the package name where your called.
It's not package name of app!
com.td.bookshelf.provider
com.td.bookshelf
[2] Get PID
2. import android.os.Process;
/frameworks/base/core/java/android/os/Process.java
[2] Get PID
3. Process.myPid();
[2] Get PID
3. Process.myPid();
[3] Application
4. import android.app.Application;
/frameworks/base/core/java/android/app/Application.java
[3] Inject Code
5. Monitor onCreate()
[3] Inject Code
6. Monitor onTerminate()
Second
IO Stream
[1] Find Base Class
1. import java.io.InputStream;
/libcore/luni/src/main/java/java/io/InputStream.java
2. import java.io.OutputStream;
/libcore/luni/src/main/java/java/io/OutputStream.java
[2] What Is Necessary?
3. Monitor InputStream
[2] What Is Necessary?
4. Monitor OutputStream
Third
Network
[1] Find Base Class
1. import java.net.URL;
/libcore/luni/src/main/java/java/net/URL.java
2. import java.net.URI;
/libcore/luni/src/main/java/java/net/URI.java
[2] What Is Necessary?
3. Monitor URL
Hook Constructor
[2] What Is Necessary?
3. Monitor URL
Hook Constructor
[2] What Is Necessary?
4. Monitor URI
Hook Constructor
Demo
Interested On This? Join Me!
Next Part
Malicious Android AppStatic Analysis