Running an app on Android

During my research on Android malware, I faced the issue of running the malware on Android (in an emulator), for which I used two methods depending on the situation.

If you only need to run the app and do not care about what happens next, you can use the “am” (activity manager) command:

adb shell am start -n package/.activity

You can find out the package/activity name by referring to my previous post, and find more about the Android activity manager here.

On the other hand, if you need to poke the app to imitate (somewhat) a real user, Monkey will do the job for you:

adb shell monkey -s 10 --throttle 1000 --pct-touch 100 -p <package> 20 > /dev/null &

where <package> is the package name of the app under test.

To find more info about Monkey, please refer to my previous posts on it.


Stability control of Android Monkey behavior

I had a problem with Android Monkey: it mimics random patterns of events, and this behavior prevented my system’s results from being the same every run. The fact is that by default Monkey sends a pseudo-random stream of user events to the system. This behavior may cause difficulties for developers who want to exercise a series of expected user events with the least randomization.

Well, it is possible to define the randomization seed, which yields an almost identical sequence of actions on every run. In addition you can decide what types of events (touch, motion, trackball or navigation) are going to be sent.

For example

adb shell monkey -s 10 --pct-touch 60 --pct-motion 40 -p com.android.app 200

will send 200 events to the app, 60% touch and 40% motion events, while the event values are drawn from the random generator initialized with the defined seed of 10.

In my own case, I used an additional time interval (throttle) between events to make it even more predictable:

adb shell monkey -s 10 --throttle 1000 --pct-touch 100 -p com.android.app 20

which will send 20 events with intervals of 1000 ms. This makes it easier to predict what is going on in the system, so we can perform automated debugging in a more convenient way (in this case you can expect a run time of about 20 seconds, with one touch sent every second).
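As an added example (not code from the original post), here is a small Python helper that builds the two adb commands used above, the “am start” launch and a seeded, throttled Monkey run, so an automated harness can replay exactly the same invocation against the emulator. The device serial and the package names in the comments are placeholders, and the command lists are built without a shell so that a package name can never be interpreted as shell syntax.

```python
import subprocess


def adb_prefix(serial=None):
    """adb with an optional '-s <serial>' to pin the target emulator."""
    return ["adb"] if serial is None else ["adb", "-s", serial]


def component_name(package, activity):
    """Return the 'package/activity' form that 'am start -n' accepts.

    The activity may be given fully qualified ('com.android.app.ui.Main'),
    relative to the package ('.ui.Main') or as a bare class name ('Main').
    Anything else is assumed to be a class living in a different package
    and is passed through unchanged."""
    if activity.startswith(package + "."):
        activity = activity[len(package):]          # -> ".ui.Main"
    elif not activity.startswith(".") and "." not in activity:
        activity = "." + activity                    # bare name -> ".Main"
    return package + "/" + activity


def am_start_argv(package, activity, serial=None):
    """Equivalent of: adb shell am start -n package/.activity"""
    return adb_prefix(serial) + ["shell", "am", "start", "-n",
                                 component_name(package, activity)]


def monkey_argv(package, count, seed=10, throttle_ms=1000,
                pct_touch=100, pct_motion=0, serial=None):
    """Reproducible Monkey run: fixed seed, fixed delay between events and
    an explicit event mix. Monkey refuses a mix whose percentages exceed
    100, so reject that here instead of discovering it on the device."""
    if pct_touch < 0 or pct_motion < 0 or pct_touch + pct_motion > 100:
        raise ValueError("event percentages must be >= 0 and sum to <= 100")
    argv = adb_prefix(serial) + ["shell", "monkey", "-s", str(seed),
                                 "--throttle", str(throttle_ms)]
    if pct_touch:
        argv += ["--pct-touch", str(pct_touch)]
    if pct_motion:
        argv += ["--pct-motion", str(pct_motion)]
    return argv + ["-p", package, str(count)]


def expected_runtime_s(count, throttle_ms):
    """Lower bound on wall-clock time: one throttle delay per event
    (20 events at 1000 ms -> about 20 s, as in the post)."""
    return count * throttle_ms / 1000.0


def run(argv, timeout_s=120):
    """Execute one of the argv lists above; argv is a list, so no shell is
    involved and the package/activity strings are passed as arguments."""
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout_s)


if __name__ == "__main__":
    # Placeholder package/activity and serial; not a real sample.
    print(" ".join(am_start_argv("com.android.app", "MainActivity",
                                 serial="emulator-5554")))
    print(" ".join(monkey_argv("com.android.app", 20, serial="emulator-5554")))
```

The timeout on run() matters for malware: a sample that hangs the Monkey loop should not hang the harness, and the emulator snapshot can be reverted between runs so each seeded run starts from the same state.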

Monkey Reference: http://developer.android.com/tools/help/monkey.html

Finding APK package/activity name

During my research I had the problem of finding the package and activity name of an Android APK file. Googling only results in tons of messed-up solutions which usually didn’t work.

In this post I am sharing a piece of code I wrote in Python to parse the output of the Android aapt tool (*well, I am a Python freak, so you are going to feel Python in this blog!):

import subprocess

def get_package_activity_name(apk_address):
    # Pass the APK path as a separate argument (no shell=True), so an odd
    # file name cannot be interpreted as shell syntax.
    aapt_result = subprocess.check_output(
        ["aapt", "dump", "badging", apk_address]).decode("utf-8", "replace")
    myDic = {}
    for line in aapt_result.splitlines():
        # split on the first colon only; values may themselves contain colons
        splitedline = line.split(":", 1)
        if len(splitedline) == 2:
            myKey, myValue = splitedline
            myDic[myKey.strip()] = myValue
    package = myDic['package'].split("'")[1]
    # fully qualified launcher class, e.g. com.example.app.ui.MainActivity
    activity = myDic['launchable-activity'].split("'")[1]
    # keep the part relative to the package (ui.MainActivity) so it can be
    # used as package/.activity; an activity declared in another package is
    # returned fully qualified and must then be used as package/activity.
    if activity.startswith(package + "."):
        activity = activity[len(package) + 1:]
    return package, activity

I hope you can use this code or the idea of how to use aapt for obtaining package and main activity names.

Android Reverse Engineering Platforms

The primary requirement for malware analysis is preparing a safe and reliable platform for running the malware, in order to observe its behavior or apply reverse engineering techniques. Android malware, as much as malware on other platforms, demands such environments, which are a bit hard to find, maybe because of the weak processors and limited physical memory of Android devices, while malware analysis demands high processor performance and a large amount of physical memory.

Here is a list of some platforms for Android malware reverse engineering, debugging, monitoring and generally emulating the Android structure and behavior:

  • Android-x86 provides a ready-to-use virtual machine disk which can simply be mounted and used to run the original Android on VirtualBox. The advantage of this method is that the experience is 99% like an actual Android device, but with higher processor performance, physical memory and storage.

More info: http://www.android-x86.org/

  • ARE (Android Reverse Engineering) is a comprehensive ready-to-use virtual machine for working with Android. Unlike Android-x86, this is a tool set for Android reverse engineering which contains some of the necessary tools.

More info: https://redmine.honeynet.org/projects/are

  • Androguard provides a Python-based tool to analyze Dex/Odex, APK, Android binary XML and Android resources (arsc) on Python-powered Linux, OS X and Windows platforms.

More info: http://code.google.com/p/androguard/

  • APKinspector is another Python-based tool which provides a GUI to aid analysis and reverse engineering of compiled Android packages and their DEX code.

More info: http://code.google.com/p/apkinspector/

  • Android-apktool brings the capability of reverse engineering Android APK code using the Java runtime environment. Thanks to Java portability, this tool is usable on Windows, Linux and OS X.

More Info: http://code.google.com/p/android-apktool/

  • Dare (Dalvik Retargeting) retargets DEX and APK Android applications to raw .class files. You will need additional tools for further reverse engineering. This tool is an improved version of DED by the same developers.

More Info: http://siis.cse.psu.edu/dare/index.html

  • Droidbox is a sandbox which offers dynamic analysis of Android applications. This type of analysis is mainly used to get to know the malware in the first place, just to get some clues about its behavior. This tool reports network traffic, accessed files, accessed services, data leakage, circumvented permissions, cryptographic operations and SMS/phone calls made by the malware.

More Info: http://code.google.com/p/droidbox/

  • Smali is a simple assembler/disassembler for Android DEX code. It supports debug info, annotations, line info, etc.

More Info: http://code.google.com/p/smali/