Android Malware in Practice I

Android Malware
in Practice
Part I
Android Filesystem Layout
[email protected] ~ $ adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,
data=ordered,noauto_da_alloc,discard 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,
data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,
data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,....
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,
Android Filesystem Layout
The mounts of interest
/ - root of the filesystem hierarchy
/system - the ROM that holds all system binaries
/data - RW location for user applications
/cache - transient data space for user applications
/efs - phone specific information like IMEI number
/mnt/sdcard - fat32 filesystem with no inbuilt security
Application locations
• System applications
• /system/app/<AppName>.apk
• User applications
• /data/app/<AppName>.apk (preloaded)
• /data/app/<AppPkgName>-1.apk (downloaded)
• /mnt/secure/asec/<AppPkgName>-1.apk (sdcard)
App Signing
• All apps are signed with a key to provide android with the
ability to distinguish distributors of software
• Possible to group applications in the same security context
when two applications are signed with same key giving
identical digital signature
Android Debug Bridge
• Android Debug Bridge allows the developer access to the
Android device connected via usb or IP
• Once connected to a device, ADB provides developers an
interface to interact with a rich suite of tools to manage the
ADB Push / Pull
• Using ADB we are able to transfer files from/to the device
• Pull test.txt off the device and place in pwd
• adb pull /mnt/sdcard/test.txt [local location]
• Push local test.txt to sdcard on the device
• adb push ./test.txt /mnt/sdcard
Android Manual Install
• Manually install application
• adb push com.myapp.hello.apk /data/app/
• (Permissions need to be changed to 0644)
• adb install com.myapp.hello.apk
• Manually uninstall application
• adb uninstall com.myapp.hello
Package Manager
• pm is a tool that is provided to manage and provide details
about applications and permissions.
• List all applications
• pm list packages
• Find location of an application
• pm path com.myapp.helloworld
• List available permissions
• pm list permissions -f
Activity Manager:
Sending Intents
• The activity manager provides the mechanism to start an
instance of a graphic application
• using adb we are able to start applications via
• am start -a android.intent.action.CALL -d tel: 021021021
Service Manager
• The service manager can also be invoked via command line to
send messages
• service call isms 5 s16 "+??????????" i32 0 i32 0 s16 "SMS
Android Startup
init (1)
• Responsible for creating mounts and file permissions
associated with mount
• Reads initrc file which contains these directories, mounts and
file permissions
• Responsible for further starting other processes/daemons
daemons (2)
• Native linux daemons such as the following are started by init
netd (manages network connections)
vold (manages volumes such as sdcard)
usbd (manages USB connections)
debuggerd (debug processes - coredump)
rild (manages communication with the radio)
zygote (3)
• init launches zygote which loads classes and listen for requests
to spawn new applications through an instance of a dalvik
virtual machine
• Utilises copy-on-write memory references when forking its
process to reduce memory footprint
Runtime/Service Manager (4a/b)
• init starts android runtime process which initialises the Service
• Service Manager is the context manager for binder that is
responsible for service registration and lookups
• Android runtime then sends a start signal for zygote to create
an instance of System Service (Android Services)
dalvik (5)
• Zygote has received a signal to instantiate a dalvik virtual
machine instance for the Android System Server
System Server (6)
• Zygote forks itself with appropriate permissions and starts the
System Server instance
• Its role is to bootstrap all the android services required by the
android framework which provide services to applications
Native System Services (7)
• Native System Services are services that integrate with the
operating system to provide low latency and high availability
services such as the audio and surface flinger
• Audio Slinger provides audio management and multiplexing
while Surface Flinger is the composition framework to display
Native System Services (7)
• Native System Services register themselves with Service
Manager allowing them to be available through IPC for other
applications or processes
Android System Services (8)
• Android System Services provide high level framework
services for applications
• These services like Native System Services register themselves
with Service Manager allowing for IPC communication from
Android applications and other services
Android Development
• Android provides users familiar with Java an easy route to
build mobile applications. Google provides a SDK and NDK
which enable the developer to call upon rich libraries and
Software Development Kit (SDK)
• The android Software development kit provides libraries and
tools to develop standard java applications. Some of the tools
allow for automatic installation of various android platforms
and their associated libraries - eg. Ice Cream Sandwich.
• Included in the ADT bundle is the SDK and an eclipse
environment configured and setup for building/developing
Android applications.
Native Development Kit (NDK)
• Android allows for native libraries to be used with the android
• These libraries are C/C++ based and give developers greater
performance gains for intensive hardware operations.
howto: reverse engineering an application –
open the apk archive to access smali$ apktool d com.hello out
run dedexer (convert apk to jar archive)
run a java decompiler or use jdgui
Insert the payload
• Still have key signing issue
• But users can be unaware of the dangers
Reverse Engineering Links
Malicious App 1: SMS
Malicious App 2: Photo/Sdcard
Malicious App 3: Keyswift
• These attacks were aimed at Samsung devices which have
been known to implement their own sdk libraries for android.
• These have not been tested as vigorously as would be liked
and have been proven to provide further vulnerabilities.
Permissions Concerns
android.permission.SEND_SMS / RECEIVE_SMS
android.permission.READ_CONTACTS / WRITE_CONTACTS android.
android.permission.CHANGE_WIFI_STATE /
Sourced from Google IO 2012 and
Google IO:
Genome project
Related flashcards
Create Flashcards