
Android Malware and Analysis

1st Edition

By Ken Dunham, Shane Hartman, Manu Quintans, Jose Andre Morales, Tim Strazzere

Auerbach Publications

242 pages | 83 B/W Illus.

Purchasing Options (prices in USD)
Hardback: 9781482252194
pub: 2014-10-24
$65.95

Description

The rapid growth and development of Android-based devices has resulted in a wealth of sensitive information on mobile devices that offer minimal malware protection. This has created an immediate need for security professionals who understand how best to approach the subject of Android malware threats and analysis.

In Android Malware and Analysis, Ken Dunham, renowned global malware expert and author, teams up with international experts to document the best tools and tactics available for analyzing Android malware. The book covers both methods of malware analysis: dynamic and static.

This tactical and practical book shows you how to use dynamic malware analysis to check the behavior of an application or malware sample as it executes on the system. It also describes how you can apply static analysis to break apart the application or malware using reverse engineering tools and techniques to recreate the actual code and algorithms used.

The book presents the insights of experts in the field, who have already sized up the best tools, tactics, and procedures for recognizing and analyzing Android malware threats quickly and effectively. You also get access to an online library of tools that supplies what you will need to begin your own analysis of Android malware threats. Tools available on the book’s site include updated information, tutorials, code, scripts, and author assistance.

This is not a book on Android OS, fuzz testing, or social engineering. Instead, it is about the best ways to analyze and tear apart Android malware threats. After reading the book, you will be able to immediately implement the tools and tactics covered to identify and analyze the latest evolution of Android threats.

Updated information, tutorials, a private forum, code, scripts, tools, and author assistance are available at AndroidRisk.com for first-time owners of the book.

Table of Contents

Introduction to the Android Operating System and Threats

Android Development Tools

Risky Apps

Looking Closer at Android Apps

Malware Threats, Hoaxes, and Taxonomy

2010

FakePlayer

DroidSMS

FakeInst

TapSnake

SMSReplicator

Geinimi

2011

ADRD

Pjapps

BgServ

DroidDream

Walkinwat

zHash

DroidDreamLight

Zsone

BaseBridge

DroidKungFu

GGTracker

jSMSHider

Plankton

GoldDream

DroidKungFu2

GamblerSMS

HippoSMS

LoveTrap

Nickyspy

SndApps

Zitmo

DogWars

DroidKungFu3

GingerMaster

AnserverBot

DroidCoupon

Spitmo

JiFake

Batterydoctor

2012

AirPush

Boxer

Gappusin

Leadbolt

Adwo

Counterclank

SMSZombie

NotCompatible

Bmaster

LuckyCat

DrSheep

2013

GGSmart

Defender

Qadars

MisoSMS

FakeRun

TechnoReaper

BadNews

Obad

2014

DriveGenie

Torec

OldBoot

DroidPack

Open Source Tools

Locating and Downloading Android Packages

Vulnerability Research for Android OS

Antivirus Scans

Static Analysis

Linux File Command

Unzip the APK

Strings

Keytool Key and Certificate Management Utility

DexID

DARE

Dex2Jar

JD-GUI

JAD

APKTool

AndroWarn

Dexter

VisualThreat

Sandbox Analysis

AndroTotal

APKScan

Mobile Malware Sandbox

Mobile Sandbox

Emulation Analysis

Eclipse

DroidBox

AppsPlayground

Native Analysis

Logcat

Traceview and Dmtracedump

Tcpdump

Reverse Engineering

Androguard

AndroidAuditTools

Smali/Baksmali

AndBug

Memory Analysis

LiME

Memfetch

Volatility for Android

Volatilitux

Static Analysis

Collections: Where to Find Apps for Analysis

Google Play Marketplace

Marketplace Mirrors and Cache

Contagio Mobile

Advanced Internet Queries

Private Groups and Rampart Research Inc.

Android Malware Genome Project

File Data

Cryptographic Hash Types and Queries

Other Metadata

Antivirus Scans and Aliases

Unzipping an APK

Common Elements of an Unpacked APK File

Certificate Information

Permissions

Strings

Other Content of Interest within an APK

Creating a JAR File

VisualThreat Modeling

Automation

(Fictional) Case Study

Android Malware Evolution

Android Malware Trends and Reversing Tactics

Behavioral Analysis

Introduction to AVD and Eclipse

Downloading and Installing the ADT Bundle

The Software Development Kit Manager

Choosing an Android Platform

Choosing a Processor

Using HAXM

Configuring Emulated Devices within AVD

Location of Emulator Files

Default Image Files

Runtime Images: User Data and SD Card

Temporary Images

Setting Up an Emulator for Testing

Controlling Malicious Samples in an Emulated Environment

Additional Networking in Emulators

Using the ADB Tool

Using the Emulator Console

Applications for Analysis

Capabilities and Limitations of the Emulators

Preserving Data and Settings on Emulators

Setting Up a Physical Device for Testing

Limitations and Capabilities of Physical Devices

Network Architecture for Sniffing in a Physical Environment

Applications for Analysis

Installing Samples to Devices and Emulators

Application Storage and Data Locations

Getting Samples Off Devices

The Eclipse DDMS Perspective

Devices View

Network Statistics

File Explorer

Emulator Control

System Information

LogCat View

Filtering LogCat Output

Application Tracing

Analysis of Results

Data Wiping Method

Application Tracing on a Physical Device

Imaging the Device

Other Items of Interest

Using Google Services Accounts

Sending SMS Messages

Getting Apps from Google Play

Working with Databases

Conclusion

Building Your Own Sandbox

Static Analysis

Dynamic Analysis

Working Terminology for an Android Sandbox

Android Internals Overview

Android Architecture

Applications

Applications Framework

Libraries

Android Runtime

The Android Kernel

Build Your Own Sandbox

Tools for Static Analysis

Androguard

Radare2

Dex2Jar and JD-GUI

APKInspector

Keytool

Tools for Dynamic Analysis

TaintDroid

DroidBox

DECAF

TraceDroid Analysis Platform

Volatility Framework

Sandbox Lab (Codename AMA)

Architecture

Host Requirements

Operating System

Configuration

Running Sandbox

What Happens When You Upload Malware Samples, from a Dynamic Analysis Point of View

Conclusions about AMA

Case Study Examples

Usbcleaver

Checkpoint

Static Analysis

Checkpoint

Dynamic Analysis

Launch of the APK

Summary

Torec

Bibliography

Index

About the Authors

Ken Dunham has nearly two decades of experience on the front lines of information security. He currently works as a principal incident intelligence engineer for iSIGHT Partners and as CEO of the nonprofit Rampart Research. Dunham regularly briefs top-level executives and officials in Fortune 500 companies and manages major newsworthy incidents globally. Formerly, he led training efforts as a contractor for the U.S. Air Force for U-2 reconnaissance, Warthog Fighter, and Predator (UAV) programs. Concurrently, he also authored top Web sites and freeware antiviruses and other software, and has taught at multiple levels on a diverse range of topics.

Dunham is the author of multiple books, is a regular columnist, and has authored thousands of incident and threat reports over the past two decades. He holds a master’s degree in teacher education and several certifications: CISSP, GCFA Gold (forensics), GCIH Gold (Honors) (incident handling), GSEC (network security), GREM Gold (reverse engineering), and GCIA (intrusion detection). He is also the founder and former president of Idaho InfraGard and Boise ISSA, a member of multiple security organizations globally, and a former WildList Organization reporter. In 2014, Dunham was awarded the esteemed ISSA International Distinguished Fellow status. Dunham is also the founder of the nonprofit organization Rampart Research, which meets the needs of over 1,000 cybersecurity experts globally.

Shane Hartman, CISSP, GREM, is a malware engineer at iSIGHT Partners, focusing on the analysis and characteristics of malicious code. He has been in the information technology field for 20 years covering a wide variety of areas including network engineering and security. He is also a frequent speaker at local security events and teaches security courses at the University of South Florida. Hartman holds a master’s degree in digital forensics from the University of Central Florida.

Jose Morales has been a researcher in cybersecurity since 1998, focusing on behavior-based malware analysis and detection and on suspicion assessment theory and implementation. He graduated with his Ph.D. in computer science in 2008 from Florida International University and completed a postdoctoral fellowship at the Institute for Cyber Security at the University of Texas at San Antonio. He is a senior member of the Association for Computing Machinery (ACM) and IEEE.

Manu Quintans is a malware researcher who has been part of the malware scene for many years as a collaborator with groups such as Hacktimes.com and Malware Intelligence, developing expertise in disciplines related to malware research and response. He currently works as an intelligence manager for a Big Four firm, performing campaign tracking of malware and supporting incident response teams in the Middle East. He also chairs a nonprofit organization called mlw.re, dedicated to the study of new online threats and to assisting organizations and computer emergency response teams (CERTs) in combating such threats.

Tim Strazzere is a lead research and response engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include reversing the Android Market protocol, Dalvik decompilers, and memory manipulation on mobile devices. Past speaking engagements have included DEFCON, BlackHat, SyScan, HiTCON, and EICAR.

Subject Categories

BISAC Subject Codes/Headings:
COM051230: COMPUTERS / Software Development & Engineering / General
COM053000: COMPUTERS / Security / General
LAW041000: LAW / Forensic Science