Automated Analysis and Deobfuscation of Android Apps & Malware

Jurriaan Bremer (@skier_t)
Freelance Security Researcher

June 10, 2013

Footer on every slide: Jurriaan Bremer, @skier_t, "Analysis and Deobfuscation of Android Apps", June 10, 2013; 44 slides.

Introduction: Who am I?

- Student (University of Amsterdam)
- Freelance Security Researcher
- Cuckoo Sandbox Developer (Malware Analysis System)

Introduction: Android?

- Smartphones
- Runs custom Linux
- Millions of Devices
- Hundreds of thousands of applications
- etc..

Android Applications?

- Application Package File (APK)
  - Download from Google Play
  - Zip file
  - Some Metadata (Manifest, Images, ..)
  - classes.dex
- All your code are belong to classes.dex
  - More on this later.
- Resources
  - Images
  - Data files
  - Native libraries

Running Code on Android

There are two ways.

- Running native libraries
  - Extremely awesome
  - This talk does not focus on native
- Running Dalvik Bytecode
  - Dalvik is Compiled Java
  - Dalvik != Java
  - classes.dex
  - (More on this later)

Dex File Format (I)

- Dalvik Executable Format
  - classes.dex
  - Container format to store Dalvik Bytecode with Metadata
- Various Data Pools
  - Strings: Hello World
  - Classes: Ljava/lang/String;
  - Fields: Ljava/lang/String;->value
  - Prototypes: (I)Ljava/lang/String;
- Lots of headers
  - Complex Cross-references between fields and headers
  - The Classname is a String
  - A Prototype has a String as return value
  - A method links to a Prototype, etc..

Dex File Format (II)

[image slide]

Dalvik Bytecode Example

    public static void hello() {
        System.out.println("Hello AthCon");
    }

->

    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
    const-string v1, "Hello AthCon"
    invoke-virtual v0, v1, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void

What's your point?

- Decompiling is mostly trivial
  - JEB - http://android-decompiler.com/
- Smali/Baksmali allows you to quickly modify code
  - Based on .smali files, a wrapper around Dalvik bytecode
  - Free and Open Source
  - https://code.google.com/p/smali/

Let's welcome Obfuscators

- Commercial solutions
- Make Reverse Engineering harder
- Make automated analysis harder (what to look at?)

What can we do..?

Deobfuscate the obfuscated code!

But first..

Introduction to Our Tools

readdex(1)
- Custom utility to read .dex files
- Not very strict
- Works in cases where traditional tools fail
  - E.g., dexdump, dex2jar, sometimes even JEB
  - (Will report JEB bugs later)
- Handles the following cases correctly
  - Invalid checksum hashes (fails dexdump)
  - Unused opcodes (fails dex2jar/dexdump)
  - Invalid Data Pool Indices (dexdump/dex2jar)
  - Unicode function names (IDA Pro?!)
  - Etc..
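The dex layout from Dex File Format (I) and the lenient reading credited to readdex above, as an added Python example; this is not readdex or any of the talk's libraries. It constructs a minimal synthetic dex (header, string_ids, type_ids and string data; every other section is left empty), parses it while tolerating a wrong Adler-32 checksum and an out-of-range string index instead of aborting, and shows the type_id-to-string cross-reference ("the classname is a string"). `add_strings` previews the string-pool extension the rewriting slides describe: it appends new strings at the end of the table so existing indices stay valid and rebuilds every offset and the checksum. The function names and the sample strings are this example's own.

```python
import struct
import zlib

HEADER_SIZE = 0x70
MAGIC = b"dex\n035\x00"


def encode_uleb128(value):
    """Dex length prefixes are ULEB128: 7 payload bits per byte, high bit = more."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append((byte | 0x80) if value else byte)
        if not value:
            return bytes(out)


def decode_uleb128(buf, off):
    result = shift = 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, off


def build_dex(strings, type_string_idxs, corrupt_checksum=False):
    """Constructed minimal dex: header, string_ids, type_ids, then string data.
    Only the sections this example reads are populated (no map_list etc.)."""
    string_ids_off = HEADER_SIZE
    type_ids_off = string_ids_off + 4 * len(strings)
    data_off = type_ids_off + 4 * len(type_string_idxs)
    data, string_offs = bytearray(), []
    for s in strings:
        string_offs.append(data_off + len(data))
        # string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL (ASCII only here)
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in string_offs)       # string_ids
    body += b"".join(struct.pack("<I", i) for i in type_string_idxs)  # type_ids
    header = bytearray(HEADER_SIZE)
    header[0:8] = MAGIC
    struct.pack_into("<I", header, 0x20, data_off + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)           # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)            # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), string_ids_off)
    struct.pack_into("<II", header, 0x40, len(type_string_idxs), type_ids_off)
    struct.pack_into("<II", header, 0x68, len(data), data_off)
    dex = bytes(header) + body + bytes(data)
    # adler32 covers everything after the checksum field itself (offset 0x0C on)
    checksum = zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF
    if corrupt_checksum:
        checksum ^= 0xFFFFFFFF
    return dex[:8] + struct.pack("<I", checksum) + dex[0x0C:]


def parse_dex(dex):
    """Lenient reader: reports a bad checksum and bad pool indices rather than
    aborting, the property the talk attributes to readdex."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    stored = struct.unpack_from("<I", dex, 0x08)[0]
    checksum_ok = stored == (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF)
    n_str, str_off = struct.unpack_from("<II", dex, 0x38)
    n_type, type_off = struct.unpack_from("<II", dex, 0x40)
    strings = []
    for i in range(n_str):
        off = struct.unpack_from("<I", dex, str_off + 4 * i)[0]
        _utf16_len, p = decode_uleb128(dex, off)
        strings.append(dex[p:dex.index(b"\x00", p)].decode("utf-8"))
    types = []
    for i in range(n_type):
        idx = struct.unpack_from("<I", dex, type_off + 4 * i)[0]
        # a type_id is only an index into the string pool
        types.append(strings[idx] if idx < n_str else f"<bad string index {idx}>")
    return {"checksum_ok": checksum_ok, "strings": strings, "types": types}


def add_strings(dex, new_strings):
    """Rewrite step: grow the string pool by appending at the end of the table so
    existing indices stay valid, then rebuild all offsets and the checksum."""
    parsed = parse_dex(dex)
    n_type, type_off = struct.unpack_from("<II", dex, 0x40)
    type_idxs = [struct.unpack_from("<I", dex, type_off + 4 * i)[0] for i in range(n_type)]
    return build_dex(parsed["strings"] + list(new_strings), type_idxs)


if __name__ == "__main__":
    broken = build_dex(["Hello World", "Ljava/lang/String;", "value"], [1, 7], corrupt_checksum=True)
    print(parse_dex(broken))
    print(parse_dex(add_strings(broken, ["Hello AthCon"])))
```

A strict verifier also expects string_ids to be sorted by content and a valid map_list, neither of which this toy produces; that is exactly the kind of strictness the slide says dexdump and dex2jar trip over and readdex ignores.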

Introduction to Our Libraries

- Dalvik Disassembler
- Basic Dalvik Emulator
  - Supports most Dalvik Instructions
  - Supports simple Java Classes (Strings, etc.)
- Dex File Parser
  - Dex File Creator is Work in Progress
- Totalling more than 5kloc C (including readdex)
- Not to mention basic Python wrappers
- All of it will be Open Source soon (TM)

What's next? This stuff is actually useful?

Class & Function Name Obfuscation

- Used by for example Dexguard & Freedom.apk..
- Welcome to China..

[image slides]

China?

- Unreadable identifiers
- Problematic when Modifying Dalvik Code (.smali)
- unchina.py to the rescue!

unchina.py

- Walks the Dex file
- Enumerates all classes and methods
- Renames Chinese names with something readable
  - zmagic + number
  - (For now, can be changed of course..)
- Simple Python script using some hacky functionality
  - Rewrites parts of the Dex file as needed
  - Writes a new Dex file (still kind of experimental)
- Sounds easier than it is!

unchina.py Demo

Demo of unchina.py..

Obfuscated Strings (I)

- Used by for example Dexguard, Whatsapp.apk, Freedom.apk
- Instead of using Hardcoded Strings
- Build strings up at runtime
- Makes it harder to analyze
  - Strings usually have meaningful information
  - (Function names, Debug information, URLs, etc.)
- More code in the binary
  - Normally one string
  - Now entire functions for decoding, function calls, etc..

Obfuscated Strings (II)

- We want to reconstruct the obfuscated strings
  - Use our Simple Dalvik Emulator
- Combined with some heuristics (in the future)
- For now a bit hardcoded..

Three different String Obfuscation examples

- Whatsapp.apk
- Freedom.apk
- A Dexguarded binary

Whatsapp (I)

#1 - Whatsapp.apk
- Defines <clinit> for lots of classes
  - Class Initialization function
  - Called when the class is being loaded

Whatsapp (II)

[image slide]

Whatsapp (III)

- We emulate the method
- Intercept the sput-object instruction
  - sput-object v0, mb->z:Ljava/lang/String;
  - Assign Static Class Variable
- We now have the deobfuscated string
- (or multiple strings, in some cases)
- Roughly 5000 strings deobfuscated!
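How a small emulator turns the Dalvik listing from the bytecode example into the Whatsapp-style sput-object interception, as an added Python example; it is not the talk's C emulator or its Python wrappers. The `<clinit>` below is constructed in smali syntax: it xors a string literal with a one-byte key and stores the result in a static field. The emulator implements just the opcodes that method needs plus a two-method model of java.lang.String, and records every sput-object it executes, which is where the deobfuscated string becomes visible. The class Lmb;, field z, key 0x05 and plaintext are all made up for the example.

```python
import re

# Constructed input: the literal is the plaintext xor'ed with KEY, so the
# method below "decrypts" it at class-load time the way the slides describe.
KEY = 0x05
PLAINTEXT = "Hello AthCon"
ENCRYPTED = "".join(chr(ord(c) ^ KEY) for c in PLAINTEXT)

CLINIT = f'''
const-string v0, "{ENCRYPTED}"
invoke-virtual {{v0}}, Ljava/lang/String;->toCharArray()[C
move-result-object v1
const/4 v2, 0x0
array-length v3, v1
:loop
if-ge v2, v3, :done
aget-char v4, v1, v2
xor-int/lit8 v4, v4, {KEY:#x}
int-to-char v4, v4
aput-char v4, v1, v2
add-int/lit8 v2, v2, 0x1
goto :loop
:done
new-instance v5, Ljava/lang/String;
invoke-direct {{v5, v1}}, Ljava/lang/String;-><init>([C)V
sput-object v5, Lmb;->z:Ljava/lang/String;
return-void
'''

INVOKE = re.compile(r"invoke-\w+ \{([^}]*)\}, (\S+)$")
CONST_STRING = re.compile(r'const-string (v\d+), "(.*)"$')


def call_java(method, regs, arg_regs):
    """Minimal model of the Java classes the emulator needs (String only)."""
    args = [regs[r] for r in arg_regs]
    if method == "Ljava/lang/String;->toCharArray()[C":
        return [ord(c) for c in args[0]]            # char[] modelled as list of ints
    if method == "Ljava/lang/String;-><init>([C)V":
        regs[arg_regs[0]] = "".join(map(chr, args[1]))  # constructs into 'this'
        return None
    raise NotImplementedError(method)


def emulate(code):
    """Run the method; return {field: value} for every sput-object executed."""
    lines = [l.strip() for l in code.strip().splitlines() if l.strip()]
    labels = {l: i for i, l in enumerate(lines) if l.startswith(":")}
    regs, statics, result, pc = {}, {}, None, 0
    while pc < len(lines):
        line = lines[pc]
        pc += 1
        if line.startswith(":"):
            continue
        m = INVOKE.match(line)
        if m:
            result = call_java(m.group(2), regs, [r.strip() for r in m.group(1).split(",")])
            continue
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        op, _, rest = line.partition(" ")
        a = [x.strip() for x in rest.split(",")]
        if op == "move-result-object":
            regs[a[0]] = result
        elif op.startswith("const/"):
            regs[a[0]] = int(a[1], 16)
        elif op == "array-length":
            regs[a[0]] = len(regs[a[1]])
        elif op == "if-ge":
            if regs[a[0]] >= regs[a[1]]:
                pc = labels[a[2]]
        elif op == "aget-char":
            regs[a[0]] = regs[a[1]][regs[a[2]]]
        elif op == "aput-char":
            regs[a[1]][regs[a[2]]] = regs[a[0]]
        elif op == "xor-int/lit8":
            regs[a[0]] = regs[a[1]] ^ int(a[2], 16)
        elif op == "add-int/lit8":
            regs[a[0]] = regs[a[1]] + int(a[2], 16)
        elif op == "int-to-char":
            regs[a[0]] = regs[a[1]] & 0xFFFF
        elif op == "goto":
            pc = labels[a[0]]
        elif op == "new-instance":
            regs[a[0]] = {"class": a[1]}           # placeholder until <init> runs
        elif op == "sput-object":
            statics[a[1]] = regs[a[0]]              # the interception point
        elif op == "return-void":
            break
        else:
            raise NotImplementedError(op)
    return statics


if __name__ == "__main__":
    print(emulate(CLINIT))   # {'Lmb;->z:Ljava/lang/String;': 'Hello AthCon'}
```

The emulator never needs to understand the decoding scheme; it only needs enough of the instruction set and of java.lang.String to run the method to its store, which is why the same approach later transfers to the Dexguard lookup-table `<clinit>`.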

Freedom (I)

#2 - Freedom.apk
- Has xor decryption methods
- Calls functions with magic decoding value

Freedom (II)

[image slide]

Freedom (III)

- The xor decryption methods have a specific signature
- Their prototype is always (B)Ljava/lang/String;
- (Accepts an 8-bit integer, returns a String.)
- We scan every method in the Dex file
- Function Call to Decryption Method -> Decrypt the String
- Roughly 600 strings deobfuscated!

Dexguard (I)

#3 - Dexguard is a Commercial Obfuscator
- As example we use an obfuscated Cyanide.apk
- Root exploit for some Motorola device
- (Thanks to Justin Case for the sample)

Dexguard (II)

[image slide]

Dexguard (III)

- Dexguard initializes a lookup table on <clinit>
- Decrypts strings using this lookup table
- One dedicated decryption method
  - Signature (III)Ljava/lang/String;

Dexguard (IV)

- Dexguard is a combination of Whatsapp and Freedom (With regards to techniques)
- First emulate <clinit>
  - To obtain the lookup table
- Then scan every method in the Dex file
  - Find function calls to the decryption method
  - Decrypt strings!

Dexguard (IV)

Original Dexguarded Cyanide.apk

[image slide]

Rewriting the Dex file (I)

Rewriting Whatsapp, Freedom and Dexguarded Cyanide.apk
- We have the decrypted strings
- Obfuscated code always takes more instructions than deobfuscated code
- Patching time..!

Rewriting the Dex file (II, III)

Some problems..
- We have to introduce new strings
  - Extend the String Data Pool
  - Shuffle around half the Dex..
- Patch Dalvik instructions (straightforward)
- Remove obsolete functions
  - String Decryption Methods are now unused
  - Quite painful.. Dex file-wise
  - *Work in Progress*

[image slide]
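The Freedom-style signature scan from Freedom (III) together with the instruction patching from Rewriting the Dex file (I) to (III), as an added Python example that is not the author's tooling. The method table and the caller method are constructed. Where the talk would emulate each decryptor, this example uses a stand-in `decrypt` that xors stored bytes with the byte argument. `find_decryptors` selects methods by the `(B)Ljava/lang/String;` prototype, `patch_method` tracks each call's argument back to its constant, decrypts, and rewrites the const/invoke/move-result triple into a single const-string padded with nops, and `obsolete_methods` lists the decryptors nothing references afterwards. The class La/b;, its methods, the keys and the plaintexts are made up.

```python
import re

DECRYPT_PROTO = "(B)Ljava/lang/String;"

# Constructed method table (class, name, prototype): two xor decryptors that
# share the tell-tale prototype, plus an ordinary method.
METHODS = [
    ("La/b;", "a", "(B)Ljava/lang/String;"),
    ("La/b;", "b", "(B)Ljava/lang/String;"),
    ("La/b;", "onCreate", "(Landroid/os/Bundle;)V"),
]

# Constructed stand-in for what emulating each decryptor would yield: the bytes
# it holds, which it xors with its single byte argument (the "magic decoding value").
ENCRYPTED = {
    "La/b;->a(B)Ljava/lang/String;": bytes(c ^ 0x5A for c in b"http://example.invalid/update"),
    "La/b;->b(B)Ljava/lang/String;": bytes(c ^ 0x13 for c in b"getSimSerialNumber"),
}

# Constructed caller, one instruction per line. Real Dalvik instructions are
# variable-width; the nop padding below stands in for that size bookkeeping.
CALLER = """
const/16 v0, 0x5a
invoke-static {v0}, La/b;->a(B)Ljava/lang/String;
move-result-object v1
const/16 v0, 0x13
invoke-static {v0}, La/b;->b(B)Ljava/lang/String;
move-result-object v2
invoke-virtual {v3, v1, v2}, La/b;->log(Ljava/lang/String;Ljava/lang/String;)V
return-void
"""

INVOKE = re.compile(r"invoke-static \{(v\d+)\}, (\S+)$")
CONST = re.compile(r"const(?:/\d+)? (v\d+), (0x[0-9a-fA-F]+)$")


def find_decryptors(methods):
    """Signature heuristic: every method whose prototype is (B)Ljava/lang/String;."""
    return {f"{cls}->{name}{proto}" for cls, name, proto in methods if proto == DECRYPT_PROTO}


def decrypt(method, key):
    """Stand-in for emulating the decryptor with the recovered key."""
    return bytes(b ^ key for b in ENCRYPTED[method]).decode("ascii")


def patch_method(code, decryptors):
    """Locate const/invoke/move-result triples that call a decryptor, recover the
    string, and patch the triple into one const-string plus nops.
    Returns (patched code, [(method, key, plaintext), ...])."""
    lines = [l.strip() for l in code.strip().splitlines() if l.strip()]
    recovered = []
    for i, line in enumerate(lines):
        m = INVOKE.match(line)
        if not m or m.group(2) not in decryptors:
            continue
        arg_reg, method = m.groups()
        # Straight-line backward search for the constant feeding the argument
        # register; the talk's emulator covers the general (branching) case.
        key, j = None, i - 1
        while j >= 0 and key is None:
            c = CONST.match(lines[j])
            if c and c.group(1) == arg_reg:
                key = int(c.group(2), 16)
            else:
                j -= 1
        if key is None or i + 1 >= len(lines) or not lines[i + 1].startswith("move-result-object "):
            continue
        dest = lines[i + 1].split()[1]
        plain = decrypt(method, key)
        recovered.append((method, key, plain))
        # deobfuscated code needs fewer instructions: one const-string, rest nop
        lines[j] = "nop"
        lines[i] = f'const-string {dest}, "{plain}"'
        lines[i + 1] = "nop"
    return "\n".join(lines), recovered


def obsolete_methods(patched_code, decryptors):
    """Decryptors no longer referenced after patching: candidates for removal."""
    return sorted(d for d in decryptors if d not in patched_code)


if __name__ == "__main__":
    decryptors = find_decryptors(METHODS)
    patched, recovered = patch_method(CALLER, decryptors)
    print(patched)
    print(recovered)
    print(obsolete_methods(patched, decryptors))
```

In real Dalvik the triple const/16 (2 code units), invoke-static (3) and move-result-object (1) occupies 6 code units, and const-string takes 2, so the in-place rewrite leaves 4 code units to fill with nop; the new string itself still has to be added to the string pool, which is the "shuffle around half the Dex" part of the problem.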

Rewriting the Dex file (IV)

- We move all strings to EOF
- We fix up other data structures
- Demo time

Rewriting the Dex file (V)

Demo of reconstructing Dexguarded Cyanide.apk

How do we go from here?

- Generic Deobfuscation
  - Based on Heuristics with Prototypes etc
- Classification based on stripped down binaries
  - One binary can have many obfuscated representations
  - Deobfuscate to something like the original binary
  - Allows more accurate classification
- Did I mention plaintext strings?
- Plaintext Strings!

Automated Malware Analysis!

Yesterday a new malware was found in the wild..

http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan

High Expectations Asian Dad strikes again!

[image slide]

Backdoor.AndroidOS.Obad.a

- Seems like a pretty advanced Android malware
  - Multiple obfuscation layers (for strings)
  - Some Plaintext Strings..
    - Tries to enable Bluetooth
    - getSimSerialNumber
    - ..
- Got a start, but far from complete..
  - *Quick Demo*
  - (I need some more time)

Questions?

Any questions?

Cheers to..
p1ra, nex, rep, blasty, thuxnder, diff-, jcase, George, jduck, ..

Interested in Android Security?
Join #droidsec on irc.freenode.org (thanks jduck!)