This document describes tools included in the Android Reverse Engineering (A.R.E.) virtual machine from the Honeynet Project for analyzing Android malware. The A.R.E. VM includes tools for decompiling Android apps, disassembling Dalvik bytecode, inspecting app files and permissions, and monitoring apps dynamically in an instrumented Android virtual machine. It allows static and dynamic analysis of Android apps to identify malicious behavior and understand app functionality.

1. LA2600
Android Malware Analysis with the
Android Reverse Engineering(A.R.E.)
LA2600.org
VM
Jimmy Shah

2. LA2600
2
Android Reverse Engineering(A.R.E.) VM
LA2600.org
● VM from the Honeynet Project
● Includes a full set of tools for reverse engineering Android apps
● Conversion tools
– Dex2jar
● Classes.dex → Classes.dex.dex2jar.jar
– AXMLprinter2.jar
● binary XML → Human readable XML
● Disassembler
– Baksmali
● Dalvik bytecode → Jasmin-like assembly language
● GUI
– APKInspector
● GUI includes baksmali, dex2jar, APKtool

3. LA2600
3
Android Reverse Engineering(A.R.E.) VM, cont.
LA2600.org
● More tools
● Conversion tools
– APKTool
●
● smali/baksmali
● Disassembler
– Baksmali
● Dalvik bytecode → Jasmin-like assembly language

4. LA2600
LA2600.org
Android for Reverse Engineers

5. LA2600
5
LA2600.org
Android for Reverse Engineers
● Android apps are distributed as APKs(zip files) – what's inside?
● Files
– AndroidManifest.xml
● Stored as binary XML
● Permissions requested
● Registered intents
– Entry points
– classes.dex
● bytecode for the Dalvik VM
● App code is in classes.dex files.
– resources.arsc
● compiled resource table

6. LA2600
6
LA2600.org
Android for Reverse Engineers, cont.
● Android apps are distributed as APKs(zip files) – what's inside?
● Directories
– META-INF
● Public Keys
● Signatures for each component in the APK
– res
● Images, strings, etc.
– assets
● libraries
● other executables
● Other JARs

7. LA2600
Java vs. Android
.JAVA javac .CLASS JAR dx
7
LA2600.org
Android for Reverse Engineers, cont.
JJAARR
.C.CLLAASSSS
.C.CLLAASSSS
.C.CLLAASSSS
.CLASS
.CLASS
main()
main()
AAPPKK
cclalasssseess.d.deexx

8. LA2600
8
LA2600.org
●Processing a suspicious sample
1) Get sample
2) Begin analysis
● Static
● Identify known and active files
● File formats
● Executables
● Data fies
● Archives
● “active” files
● Executables and all files that can have an effect on the system
● Dynamic
● Run in Android VM

9. LA2600
LA2600.org
What's in the A.R.E.?

10. LA2600
LA2600.org
Overview – GNU strings
● You need strings, use strings.
● Ascii is default, unicode with option
● '-el' for 16 bit little-endian strings
● Why?
● Function calls
● Interesting Strings
– Messages
● Errors
● Debug
● To analysts/press/etc.
● Shout-outs

11. LA2600
11
LA2600.org
Conversion - AXMLPrinter2
● Java tool to convert AndroidManifest.xml to human readable XML

12. LA2600
12
LA2600.org
Decompilers - JAD
● Java Decompiler
● Feed it a JAR and get back decompiled .java source code.
● One of the few currently available java decompilers
● Useful but may no longer be updated by the author.
● Fails on some JAR files, classes
● Easy to run

13. LA2600
13
LA2600.org
Decompilers - ded
● Android decompiler
● Newer academic project designed specifically for mobile apps
● Optionally uses the Soot Java optimization framework to provide better
results.
● Combines translation to JVM bytecode , optimization and decompilation
● Takes a while,but the success rate is higher than other tools.

14. LA2600
14
LA2600.org
VM - DroidBox
● Instrumented Android VM
● Monitors
– Network activity
– Opened connections
– Outgoing traffic
– Incoming traffic
– DexClassLoader
– Broadcast receivers
– Started services
– Enforced permissions
– Permissions bypassed
– Information leakage
– Sent SMS
– Phone calls

15. LA2600
15
LA2600.org
VM - DroidBox, cont.
● Running VM
● ./startemu.sh Android21
● ./droidbox.sh <sample.apk>
● Ctrl-C to end logging/analysis

16. LA2600
16
LA2600.org
GUI - APKInspector
● Useful for analyzing APKs in one place
● Static analysis only
– Strings, Methods, Disassembly, CFGs,etc.