Android Application Reverse Engineering and Malware Analysis: Analysis environment preparation.

Hi everyone, this time I would like to share my experience on preparing for Android application analysis and reverse engineering. Like any other process, before we start doing the actual work we have to consider and prepare the basics so that everything is executed in a structured and efficient manner.

Prior to analysing any mobile application, there are a few things we have to prepare, which are:
  1. Workstation.
  2. Tools and software.
  3. Skills required.
Considering and preparing these components will significantly improve your readiness and response time when a sample is acquired and needs to be examined.

WORKSTATION

For a workstation, this is the minimum specification you should have:
  • Minimum quad-core processor with virtualization support.
    • Currently I have a 4-core, 8-thread processor.
      • Malware analysis and reverse engineering are resource intensive; more is better to support virtualization and heavy processing.
      • During my analysis I will be using at least 1 analysis VM and 1 emulator or device. All of these have to share the resources of my host machine.
  • Minimum 8 GB of RAM.
    • 8 GB of RAM is actually too small. If you can, go for 16 GB or higher; if 8 GB is all you have, well, size doesn't matter, it's how you use it that counts.
  • 500 GB of storage, SSD preferred.
    • Why SSD? It makes your tools load faster. If you don't have one, well.. you will have more quality time to make your coffee while waiting for your tools to start or to process your binary.
    • More space means more powerrr! Just kidding, but you can store more "things" in your workstation, including TLP:RED stuff.
  • Internet access.
    • For research purposes (Stack Overflow and googling stuff).
  • Multiple monitors.
    • For better productivity: when I have too many applications and tabs open, it is easier to interact with my workspace on multiple displays rather than having to minimize and maximize between applications.

TOOLS AND SOFTWARE

These are some basic tools I prepared in my workstation, which for me are adequate for Android malware analysis:
  • Virtualization platform
    • VMWare Workstation
    • VirtualBox
    • Genymotion
    • AVD - requires Android Studio to be installed.
  • Emulator image
    • Android VM from 4.4.4 to 9.0, or the latest Android API level.
      • Available in Genymotion.
      • Make sure to flash the Play Store and snapshot your emulator image.
        • Tip: you can snapshot the emulator image in VirtualBox.
  • Linux distro
    • Kali Linux
      • I am already familiar with it. Use whatever distro you are comfortable with, but I recommend that you choose a Debian-based one.
      • I create a virtual machine using this distro and install most of my tools inside it, except Genymotion and Windows-based applications.
    • Santoku
      • This distro comes pre-configured with mobile application analysis and forensics tools; take it or leave it.
  • Reverse engineering tools
    • JADX
    • Dex2Jar
    • JD-GUI
    • apktool
  • Mobile application vulnerability and analysis tools
    • MobSF - I mainly use this for malware analysis
    • Qark
    • Androbugs
    • Androwarn
  • IDE
    • Android Studio
      • I recommend you install it on your host machine.
    • Notepad++
    • Sublime / Leafpad / Nano / Vi
  • Utility
    • Android Debug Bridge (ADB)
    • SQLite Database Browser
    • Internet browser
  • Network capture and analysis tools
    • Burp Suite - I use this, but I only have the Community edition :(
    • OWASP ZAP
    • Wireshark
    • NetworkMiner
  • Productivity
    • Microsoft Office Word
    • Microsoft Office PowerPoint
  • Open Source Intelligence (OSINT) tools
    • Google
    • Shodan
    • Whois
      • If your organization has the budget, I recommend subscribing to Iris from DomainTools. This tool allows you to collect historical data and build a timeline of the malware's C2 infrastructure.
      • You can correlate IPs, domains and other information you have collected about a malicious campaign.

SKILL AND KNOWLEDGE

Reverse engineering is complex and requires experience and knowledge in programming. If you jump directly into the code without any programming basics, you will end up going nowhere, unless you are a genius, and of course you are.

These are some points where you can start building up your knowledge to become an Android malware reverse engineer.

  • Understand the Android architecture, file system, Android application architecture and components, and the application life cycle.
  • Be able to program in an Android-supported programming language.
    • I learned Java and coded Android applications in Java, but you can choose any other language, native or hybrid, such as C/C++, Kotlin, Ionic, Xamarin etc., plus scripting.
    • Scripting can help automate repetitive tasks and simplify complicated processes; learn it and use it.
  • Be able to work with the Windows and Linux command line.
    • You have to know the basic Linux command line, especially when interacting with an Android device/emulator through ADB.
  • Be knowledgeable in networking and web applications.
    • This is for you to understand what the malware tries to communicate with its Command and Control (C2) server.
    • It helps you with dynamic analysis and behavioral analysis of the malware.
  • Red teaming and penetration testing.
    • As an independent researcher, you might want to take a peek at what is inside the C2 server and gather intelligence regarding the threat actor.
    • These skills will help you collect valuable information about the threat actor to include in your report, and thus help to take down the criminals and bring them to justice.
    • Use this knowledge ethically, protect the innocent and make a difference in this world.
I will leave some links below where you can learn from free courses available on the internet, for your reference.

Maybe this is just a simple list and guideline, but if you don't know where to start, these guidelines and recommendations will get you started. Hopefully this can help me, you and others to combat evil in this world.

Thank you.
