Andrubis: A Tool for Analyzing Unknown Android Applications

Andrubis We are proud to announce that we have released our brand new extension for Anubis: Andrubis. As the name already suggests, Andrubis is designed to analyze unknown apps for the Android platform (APKs), just like Anubis does for Windows executables. The main goal we had in mind when designing Andrubis is the analysis of mobile malware, motivated by the rise of malware on mobile devices, especially smartphones and tablets. The report provided by Andrubis gives the human analyst insight into various behavioral aspects and properties of a submitted app. To achieve comprehensive results, Andrubis employs both static and dynamic analysis approaches.

During the dynamic analysis part an app is installed and run in an emulator. Thorough instrumentation of the Dalvik VM provides the base for obtaining the app’s behavioral aspects. for file operations we track both read and write events and report on the files and the content affected. For network operations we also cover the typical events (open, read, write), the associated endpoint and the data involved. Additionally all traffic transmitted during the sandbox operation is captured and provided as a pcap file. Of course we employ the containment strategies for malicious traffic that have proven their effectiveness with Anubis. Dynamic analysis allows us to detect dynamically registered broadcast receivers that need not be listed before actual execution as well as actually started services. We also capture cellphone specific events, such as phone calls and short messages sent. Taint analysis is used to report on leakage of important data such as the IMEI and also shows the data sink the information is leaked through, including files, network connections and short messages. Invocations of Android’s crypto facilities are logged, too. Finally we report on dynamically loaded code, both on the Dalvik VM level (DEX-files) and on the binary level. The latter include native libraries loaded through JNI.

Additionally, we collect information that can be obtained statically, i.e. without actually executing the app. To begin with, we list the main components an app needs to communicate with the Android OS: activities, services, broadcast receivers and content providers. Going into more detail, information related to the intent-filters declared by these components is also included. We recommend to read the Android framework documentation for a detailed explanation on what these components are and which role they play. Runtime requirements are a further aspect: the report displays both external libraries that are necessary to run the app as well as specific hardware features the app requires. Furthermore, we compare the permissions the user has to grant at installation-time with those actually used by the application. We then provide a detailed list of the method calls that require a certain permission. Finally, we also output all URLs that we were able to find in the app’s byte code.

In order not to reinvent the wheel, we leveraged several existing open source projects in addition to the Android SDK:

Check out the new Andrubis at anubis.iseclab.org and submit your APKs! If you have any questions, bug reports or comments contact us at andrubis@iseclab.org.

About these ads
This entry was posted in Anubis, Binary Analysis, Malware Analysis and Detection. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s