APKs Analysis

Some Information and tools

Android Apps are usually written in Java and lately Kotlin started to be used too

android arch is linux-based which use user based protection. Thats mean every app is treated as a new user to prevent apps from interacting or spying on each other. for this reason malwares will always try to gain root privilages.

android does not use JVM insted it has a dalvik virtual machine “DVM”, thats why google made DEX compiler that produce a dalvik byte code from the java byte code

the previous picture shows the ways to compile the java code.

APKs take the left route as we said

so if we want to decompile an apk back to java we need to convert that dex file “dalvik byte code” to java using tools like dx2jar “pre-installed on flare”.

google forces the app developers to write a manifest.xml file which describe what does this app does beside any permission needed for this app so this file is considerd as the entry point for the analysis of any APK.

the main, launcher and splash activities in manifest file are also considerd to be the start point in the code so if you are not sure where to start just follow it.

activities and actions worth reading in manifest file

we can extract the manifest.xml file using axmldec or APKtool

Decompiled Java code is quite misleading due to the classes and methods names so searching specific words can save us time until we take an overview

Advanced analysis

as any malware we analyse there are 2 ways for advanced static. Disassembling and Decompilation

disassempling produce .smali files which needs deep understanding of this assembly instructions.

decompilation as we mentioned before we use dex2jar then any java decompiler that produces code very similar to the high level language.

pros and cones of each way are the same for any type of files

Now if we want to decompile it as i mentioned we will use the dex2jar tool and pass the dex classes to it then it will produce the .jar file

this .jar file will be decompiled using any java decompiler for example the jd-gui tool that is pre-installed on flare vm

we can use jadx tool instead of the previous 2 steps

emulation or virtualization

android virtualization not similar to linux or windows we usualy deal with. the options are limited but there are too much details.

so each one need to check the best for the available resources.

for me i am currently using android studio emulator

android studio may slow down you laptop because it needs high resources to run like RAM, so if your laptob won’t fit i recommend checking something else or download the AVD without the android studio or qemu.

we use adb commands to cntroll the emulator

resources

while i was analysing anubis i found this writeup, it contains a lot of useful tools and information i recommend taking a look

https://rxored.github.io/post/analysis/anubis/anubis/#sms-sending-receiving-and-spamming