Dynamic Analysis Technique of Android Malware by Injecting Smali Gadgets
When dynamically analyzing Android malware, it is currently difficult to follow its code using debuggers unlike Windows malware. Although there is a technique [1] to hook a method dynamically by Frida [2], obtaining the in-progress state of the method is still difficult, and since Frida is not a tool dedicated to Android, only limited information can be obtained. In this article, I introduce smali gadget injection technique as a more flexible method for dynamic analysis of Android malware. This method enables dynamic analysis by creating and injecting a gadget for analysis in the APK file to create a repackaged APK file.
Confirm the result of reverse compile
First, check the code of the Android malware to identify on which part of it you wish to perform dynamic analysis. Decompile results of APK files can be viewed as Java code by using a decompile tool such as JADX or JEB Pro. Figure 1 shows an example of the decompile result. In this technique, you need to know in advance the methods to decode and unpack from the decompile result. In the example in Figure 1, you can see that the malware receives an argument of String type in method a of class a in the package com.fky.lblabjglab. It then decrypts the string and returns a variable of String type. Note that although RC4 is used for encryption, it is not necessary to identify the encryption algorithm in this technique.
Extract smali file and inject gadget
Once you identify which part to analyze, extract the Android malware next. You can use Apktool [3] to extract APK files. By executing the following command, the specified APK file is extracted as shown in Figure 2, and the smali file to inject a gadget can be edited. The smali file can be found by referring to the decompile result obtained by JADX or other tools. In this example, let’s assume that the gadget will be injected in the smali file smali/com/fky/lblabjglab/a.smali, which is calling the RC4 decryption function.
$ apktool d mal.apk
Here, as an example, the file smali/com/fky/lblabjglab/a.smali is opened in a text editor, and a gadget that outputs the argument and returns value to the debug log is injected as shown in Figure 3. You need to specify the variables to be displayed. In the method, p0 is this pointer, and p1 is the first argument. Therefore, if you wish to check the value of the first argument, p1 is specified, and the string log is output in android.util.Log.e.
Assemble and sign smali file
After injecting the gadget for analysis, assemble the smali file and create an APK file. After that, create a certificate file and sign the APK file. You can create an APK file with the gadget for analysis injected by executing the following commands.
$ apktool b mal $ keytool -genkey -v -keystore test.store -alias example -keyalg RSA -validity 32767 $ apksigner sign --ks test.store -v --v2-signing-enabled true --ks-key-alias example mal.apk
Execute the repackaged APK file
Finally, you can perform a dynamic analysis. Use Android Studio [4] or other applications to launch an Android virtual device as shown in Figure 4 and install the repackaged APK file on it. Note that the virtual device environment must be disconnected from the Internet prior to running the Android malware.
After installing the APK file, launch the application on the virtual device. Then, as shown in Figure 5, by referring to the Logcat tab and setting the appropriate filter, you can view the strings before and after decryption. This technique can be applied to perform various types of analysis, such as referencing or changing the contents of a variable or calling another method in the middle of a method.
In closing
This technique enables flexible dynamic analysis, which has been difficult to achieve with Android malware, although it requires some preparations in advance, such as checking decompile results and preparing a suitable smali gadget. The Android malware used for testing this technique is presented in the Appendix.
Yuma Masubuchi
(Translated by Takumi Nakano)
References
[1] Frida
https://frida.re/
[2] How-to Guide: Defeating an Android Packer with FRIDA
https://www.fortinet.com/blog/threat-research/defeating-an-android-packer-with-frida
[3] Apktool
https://apktool.org/
[4] Android Studio
https://developer.android.com/studio
Appendix: Hash value of Android malware used
- Cerberus: 1249c4d3a4b499dc8a9a2b3591614966145daac808d440e5202335d9a4226ff8