Android Incident Response Lab 2


In this lab we remain focused on the identification phase of responding to an Android incident. This time we uncover a little more by extracting a suspicious APK from our device and identifying some of its capabilities.

The 6 steps of incident response


Using ADB, run the following commands to retrieve an APK from our test device:

adb shell pm list packages
adb shell pm path "com.sun.latest"
adb pull /data/app/com.sun.latest-mxva-XrzhBiCTjQxp7JkQw==/base.apk

Then, with jadx installed on our computer, analyse the AndroidManifest.xml.


For this lab you will need to set up and install jadx, which is available on GitHub with accompanying setup instructions. If you get stuck during the setup, please reach out in the comments section. Jadx is a useful tool for extracting and analysing APKs.

If you’re using Windows you can simply download and run the exe currently available here.

You will also need to have ADB on your device; if you haven’t done so already, please head back to lab 1 as a minimum.

Listing All Installed APKs

In the previous exercise we revealed the full app names “com.sun.latest” and “com.asjudiiqmm.ubtknjpzyx”. If you don’t yet know your suspicious app’s package name, you can search through the list of installed packages on your device using the command below.

adb shell pm list packages
✓ Note: An Android Package (APK) file is a Google variant of a JAR file built on the ZIP file format. In other words, the APK is a ZIP containing all code used to create the package, which for the purposes of analysis is great!

Discovering APK Location on the Device

Now that you have your package name, we will use the adb shell pm command once again to get the file path of our suspicious app. The command below shows how you might find the APK path of the suspicious app discovered on our test device, “com.sun.latest”.

adb shell pm path "com.asjudiiqmm.ubtknjpzyx"

Extracting the APK

Now that the file location is known, we can pull the APK from the device using adb pull.

adb pull /data/app/com.asjudiiqmm.ubtknjpzyx-Gij8OedG6WHNoEAddnIPmA==/base.apk
✓ Note: On each device, Android appends base64-encoded random bytes to the app file path. This is security functionality that’s been present in Android since Android 8 (Oreo) and makes it difficult to programmatically analyse or alter files which reside in these directories.
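The three adb steps above can be scripted so that every pulled file is hashed and checked as a ZIP before analysis. This is an added example, not part of the original lab; the function names and the sample `pm path` output (including the split APK line) are constructed for illustration, and `pull_package` assumes `adb` is on the PATH with one device attached.

```python
import hashlib
import re
import subprocess
import zipfile
from pathlib import Path, PurePosixPath

PACKAGE_RE = re.compile(r"[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+")

def parse_pm_path(output):
    """Return the APK paths in `pm path` output (one 'package:<path>' per line)."""
    lines = (line.strip() for line in output.splitlines())
    return [l[len("package:"):] for l in lines if l.startswith("package:")]

def describe_apk(local_path):
    """Record what was collected: SHA-256, size and the ZIP entry names."""
    if not zipfile.is_zipfile(local_path):
        raise ValueError(f"{local_path} is not a ZIP archive, so not a valid APK")
    data = Path(local_path).read_bytes()
    with zipfile.ZipFile(local_path) as apk:
        entries = apk.namelist()
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "has_manifest": "AndroidManifest.xml" in entries, "entries": entries}

def pull_package(package, dest_dir="."):
    """Run `pm path` for one package and `adb pull` every APK it reports."""
    if not PACKAGE_RE.fullmatch(package):   # value is passed to the device shell
        raise ValueError(f"unexpected package name: {package!r}")
    listing = subprocess.run(["adb", "shell", "pm", "path", package],
                             check=True, capture_output=True, text=True).stdout
    results = []
    for remote in parse_pm_path(listing):
        local = Path(dest_dir) / f"{package}__{PurePosixPath(remote).name}"
        subprocess.run(["adb", "pull", remote, str(local)], check=True)
        results.append({"remote": remote, "local": str(local), **describe_apk(local)})
    return results

# Constructed `pm path` output; the second line shows a split APK.
SAMPLE_PM_PATH = (
    "package:/data/app/com.sun.latest-mxva-XrzhBiCTjQxp7JkQw==/base.apk\r\n"
    "package:/data/app/com.sun.latest-mxva-XrzhBiCTjQxp7JkQw==/split_config.en.apk\r\n"
)

if __name__ == "__main__":
    print(parse_pm_path(SAMPLE_PM_PATH))
```

Recording the SHA-256 at collection time lets you show later that the file you analysed is the one taken from the device.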

Analysing the Permissions

Now that the suspicious APK is sitting in our local directory, we can use jadx to analyse its code. The focus of this tutorial is the AndroidManifest.xml, which will provide enough information for us to understand the app’s capabilities at a high level.

When you open jadx for the first time, it will ask you which file you’re looking to analyse. Point it towards the base.apk file previously extracted from your device.

We can now analyse the contents of the manifest. Below I’ve included a snippet of the primary permissions requested by the com.sun.latest application. We can see that some quite outlandish permissions have been requested. Most of these permissions are easily discernible; for example, android.permission.SEND_SMS permits the app to send SMS messages.

    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-feature android:name=""/>
    <uses-feature android:name=""/>
    <uses-feature android:name="android.hardware.microphone"/>

Writing up every permission requested in this list would turn this tutorial into quite a long one, and would largely replicate the Android documentation.
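A first pass over a manifest like the one above can be automated. This is an added example, not part of the original lab or of jadx: it assumes the decoded AndroidManifest.xml has been saved as text from jadx, the `DANGEROUS` set covers only the permissions in this listing that Android documents with protection level "dangerous", and the `COMBOS` triage rules and the cut-down sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions from this lab's manifest that Android documents with
# protection level "dangerous" (runtime permissions guarding user data).
DANGEROUS = {P + n for n in (
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE",
    "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECORD_AUDIO", "CALL_PHONE",
    "READ_CONTACTS", "WRITE_CONTACTS", "CAMERA", "WRITE_EXTERNAL_STORAGE",
    "READ_CALL_LOG", "WRITE_CALL_LOG")}

# Constructed triage rules (not an official list): permission combinations
# worth a closer look during the identification phase.
COMBOS = {
    "reads SMS and has network access": {P + "READ_SMS", P + "INTERNET"},
    "starts at boot with network access": {P + "RECEIVE_BOOT_COMPLETED", P + "INTERNET"},
    "microphone and network access": {P + "RECORD_AUDIO", P + "INTERNET"},
}

def triage_manifest(xml_text):
    """Summarise the <uses-permission> entries of a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    names = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    counts = Counter(n for n in names if n)   # skip empty android:name values
    requested = set(counts)
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "other": sorted(requested - DANGEROUS),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "flags": sorted(label for label, need in COMBOS.items() if need <= requested),
    }

# Constructed sample: a cut-down manifest using permissions from the listing above.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.sun.latest">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

Permissions in the "other" bucket still deserve a look in the documentation; WRITE_SETTINGS, for instance, is a special permission the user grants through a settings screen rather than a runtime prompt.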


Look through the Android documentation and the permissions above, and start to understand which of these are considered dangerous and why.


In this lab you’ve learned how to extract a malicious APK from a device and start to analyse its capabilities. In the next lab we’ll start to analyse the code of the yet to be released (23/04/2020) traced CTF challenge; you’ll use these skills to reverse engineer the CTF. During Incident Response, these skills could come in useful in further identifying the capabilities of a malicious application.

Want to practise your new skills? I’m hosting the AndroidManifest.xml of a malicious file created with EvilDroid on GitHub. Feel free to analyse this to your heart’s content.

If you’re looking to analyse the permissions of all apps installed on your device, you can easily do this with the traced app; download it from the Google Play Store today.
