The first requirement for malware analysis is a safe and reliable platform on which the sample can be run to observe its behaviour, or taken apart with reverse engineering techniques. Android malware needs such an environment as much as malware for any other platform, but one is harder to come by: analysis is CPU- and memory-hungry, while real Android devices have limited processor power and physical memory, and a physical handset is not something you want to infect in the first place.
Here is a list of platforms and tools for reverse engineering, debugging and monitoring Android malware, and more generally for emulating the Android system and its behaviour.
- Android-x86 ports Android to x86 and provides ready-to-use installable ISO and virtual machine disk images that can be booted in VirtualBox to run a stock Android system. The advantage is that the experience is very close to an actual device, with far more processor power, memory and storage. The caveat is the architecture: an APK that ships only native ARM libraries will not run, and malware that fingerprints the hardware or build properties can tell it is not on a phone.
More info: http://www.android-x86.org/
- ARE (Android Reverse Engineering) is a ready-to-use virtual machine from the Honeynet Project for working with Android. Unlike Android-x86 it is not an Android image but a tool set: an analyst workstation with a number of the necessary reverse engineering tools pre-installed.
More info: https://redmine.honeynet.org/projects/are
- Androguard is a Python library and tool set for analysing DEX/ODEX files, APKs, Android binary XML (the compiled AndroidManifest.xml) and Android resources (resources.arsc); it runs wherever Python does, on Linux, OS X and Windows.
More info: http://code.google.com/p/androguard/
- APKinspector is another Python-based tool; it provides a GUI to aid analysis and reverse engineering of compiled Android packages and their DEX code.
More info: http://code.google.com/p/apkinspector/
- Android-apktool decodes an APK's resources and binary manifest back to near-original form, disassembles its DEX code to smali, and can rebuild the package after modification. It runs on the Java runtime, so thanks to Java's portability it is usable on Windows, Linux and OS X.
More info: http://code.google.com/p/android-apktool/
- Dare (Dalvik Retargeting) retargets DEX and APK Android applications to raw Java .class files. You will need an additional tool (a Java decompiler) to get from there back to readable source. It is an improved successor to DED by the same developers.
More info: http://siis.cse.psu.edu/dare/index.html
- Droidbox is a sandbox offering dynamic analysis of Android applications. This kind of analysis is usually the first step taken on a sample, to get initial clues about what the malware does. The tool reports network traffic, files accessed, services started, data leaks, circumvented permissions, cryptographic operations, and the SMS messages and phone calls the sample makes.
More info: http://code.google.com/p/droidbox/
- Smali is an assembler/disassembler pair (smali and baksmali) for the DEX format. The disassembly preserves debug info, annotations, line numbers and similar metadata, and the edited output can be reassembled into a valid DEX file.
More info: http://code.google.com/p/smali/
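As an added example, not code from this page or from any of the tools listed above: a small Python triage script that pulls every classes*.dex out of an APK (an APK is a zip archive) and sanity-checks the DEX header the way any DEX parser, including the ones inside Androguard, smali/baksmali and Dare, must before trusting the rest of the file. The header layout used here (8-byte magic, adler32 checksum over everything after it, SHA-1 signature over everything after it, twenty little-endian uint32 fields, 0x70 bytes in all) is the public Dalvik format; the sample APK and DEX bytes are constructed inside the script, and the function names are this example's own. A checksum or signature mismatch on a sample is worth noting during triage: it means the file was modified after it was built without the header being fixed, which is what a hand-patched or carelessly repacked DEX looks like. fix_dex_header() recomputes both fields, the step that dx and smali perform automatically when they write a file.

```python
"""Triage helper: extract classes*.dex from an APK and sanity-check each dex header.

Constructed example for this page, not code from any of the tools listed.
The header layout (magic, adler32 checksum, SHA-1 signature, twenty uint32
fields, 0x70 bytes total) is the public Dalvik dex format; the sample files
built below are synthetic and exist only so the script runs offline.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412

# uint32 fields that follow magic (8 bytes), checksum (4) and signature (20), in order.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(blob):
    """Return (header_dict, findings). An empty findings list means the header is consistent."""
    findings = []
    if len(blob) < DEX_HEADER_LEN:
        raise ValueError("input shorter than a dex header (%d bytes)" % len(blob))
    magic = blob[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        findings.append("bad magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", blob, 32)))
    header["version"] = magic[4:7].decode("ascii", "replace")
    header["checksum"] = checksum
    header["signature"] = signature.hex()

    if header["endian_tag"] == REVERSE_ENDIAN_CONSTANT:
        findings.append("reverse endian tag: big-endian dex, not produced by the standard toolchain")
    elif header["endian_tag"] != ENDIAN_CONSTANT:
        findings.append("unknown endian tag 0x%08x" % header["endian_tag"])
    if header["header_size"] != DEX_HEADER_LEN:
        findings.append("header_size 0x%x != 0x%x" % (header["header_size"], DEX_HEADER_LEN))
    if header["file_size"] != len(blob):
        findings.append("file_size %d != actual length %d" % (header["file_size"], len(blob)))
    # The checksum covers everything after itself; the signature covers everything after itself.
    want_sum = zlib.adler32(blob[12:]) & 0xFFFFFFFF
    if checksum != want_sum:
        findings.append("adler32 mismatch: header 0x%08x, computed 0x%08x" % (checksum, want_sum))
    want_sig = hashlib.sha1(blob[32:]).digest()
    if signature != want_sig:
        findings.append("sha1 signature mismatch: header %s, computed %s" % (signature.hex(), want_sig.hex()))
    return header, findings


def fix_dex_header(blob):
    """Recompute signature then checksum after a byte-level patch (what dx/smali do on output)."""
    body = blob[32:]
    sig = hashlib.sha1(body).digest()
    checksum = zlib.adler32(sig + body) & 0xFFFFFFFF
    return blob[:8] + struct.pack("<I", checksum) + sig + body


def build_sample_dex():
    """Constructed header-only dex (no code, no map section) for offline testing."""
    fields = [DEX_HEADER_LEN, DEX_HEADER_LEN, ENDIAN_CONSTANT] + [0] * 16 + [DEX_HEADER_LEN]
    body = struct.pack("<20I", *fields)
    return fix_dex_header(b"dex\n035\x00" + b"\x00" * 24 + body)


def scan_apk(apk_bytes):
    """Map each classes*.dex entry in an APK (a zip) to its list of header findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                _, findings = parse_dex_header(zf.read(name))
                report[name] = findings
    return report


def build_sample_apk():
    """Constructed APK holding one intact dex and one dex patched without fixing its header."""
    good = build_sample_dex()
    patched = bytearray(good)
    patched[0x6C] ^= 1  # flip a byte of data_off, as a careless binary patch would
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"")  # placeholder; real one is binary XML
        zf.writestr("classes.dex", good)
        zf.writestr("classes2.dex", bytes(patched))
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in sorted(scan_apk(build_sample_apk()).items()):
        print(name, "OK" if not findings else "; ".join(findings))
```

Run the script as-is to see the constructed report (classes.dex clean, classes2.dex flagged on both checksum and signature); for a real sample, pass the bytes of the APK to scan_apk(). The checks are deliberately read-only: on a suspicious sample you want to record the mismatch as a finding, not silently repair it, and call fix_dex_header() only on copies you have patched yourself.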