Introduction
In this lab we remain focused on the identification phase of responding to an Android incident. This time we uncover a little bit more by extracting a suspicious APK from our device and identify some of its capabilities.
TL;DR
Using ADB run the following commands to retrieve an APK from our test device:
adb shell pm list packages
adb shell pm path "com.sun.latest"
adb pull /data/app/com.sun.latest-mxva-XrzhBiCTjQxp7JkQw==/base.apk
Then, with jadx installed on our computer analyse the AndroidManifest.xml.
Setup
For this lab you will need to set up and install jadx, which is available on GitHub with accompanying setup instructions. If you get stuck during the setup, please reach out in the comments section. Jadx is a useful tool for extracting and analysing APKs.
If you’re using Windows you can simply download and run the exe currently available here.
You will also need ADB installed and working with your device; if you haven't set that up yet, please head back to lab 1 as a minimum.
Listing All Installed APKs
In the previous exercise we revealed the full app names "com.sun.latest" and "com.asjudiiqmm.ubtknjpzyx". If you do not yet know your suspicious app's package name, you can search through the list of packages installed on your device using the command below.
adb shell pm list packages
Discovering APK Location on the Device
Now that you have your package name we will use the adb shell pm command once again to get the file path of our suspicious app. The command below shows how to find the APK path of one of the suspicious apps discovered on our test device (here "com.asjudiiqmm.ubtknjpzyx"; the TL;DR shows the same step for "com.sun.latest").
adb shell pm path "com.asjudiiqmm.ubtknjpzyx"
Extracting the APK
Now that the file location is known, we can pull the APK from the device using adb pull.
adb pull /data/app/com.asjudiiqmm.ubtknjpzyx-Gij8OedG6WHNoEAddnIPmA==/base.apk
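The three steps above (list packages, resolve the APK path, pull the file) can be scripted so that the whole set of APKs for a package is collected and hashed in one go. The following is an added example written for this lab, not the lab author's code. It assumes adb is on PATH and a device is attached; the parse_pm_path() helper handles the "package:" prefix that both pm list packages and pm path print, and keeps every line, because apps installed from an App Bundle report a base.apk plus one or more split_*.apk files that jadx will also need.

```python
"""Pull every APK that belongs to an installed package over ADB.

Added example for this lab, not the lab author's code. Assumes `adb` is on PATH
and a device is attached; parse_pm_path() works offline on captured output.
"""
import hashlib
import subprocess
from pathlib import Path

PM_PREFIX = "package:"


def parse_pm_path(output: str) -> list[str]:
    """Strip the "package:" prefix that `pm path` and `pm list packages` put on every line.

    An app installed from an App Bundle reports several APKs (base.apk plus one
    or more split_*.apk); all of them are needed to reconstruct the app, so every
    prefixed line is kept in order and blank or unrelated lines are ignored.
    """
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(PM_PREFIX):
            paths.append(line[len(PM_PREFIX):])
    return paths


def sha256_of(path: Path) -> str:
    """Hash a pulled file so the evidence can be tied to later analysis results."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def adb(*args: str) -> str:
    """Run one adb command and return its stdout; raises if adb exits non-zero."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout


def find_packages(needle: str) -> list[str]:
    """Installed package names containing `needle` (pm list packages uses the same prefix)."""
    names = parse_pm_path(adb("shell", "pm", "list", "packages"))
    return [name for name in names if needle.lower() in name.lower()]


def pull_apks(package: str, dest: Path) -> dict[str, str]:
    """Pull base.apk and any split APKs for `package` into dest/<package>/.

    Returns {local path: sha256} so the hashes can go straight into case notes.
    """
    target = dest / package
    target.mkdir(parents=True, exist_ok=True)
    pulled = {}
    for device_path in parse_pm_path(adb("shell", "pm", "path", package)):
        local = target / Path(device_path).name
        adb("pull", device_path, str(local))
        pulled[str(local)] = sha256_of(local)
    return pulled


if __name__ == "__main__":
    import sys

    # Package name from the lab; pass another one as the first argument.
    pkg = sys.argv[1] if len(sys.argv) > 1 else "com.sun.latest"
    for local, digest in pull_apks(pkg, Path("evidence")).items():
        print(f"{digest}  {local}")
```

Run it as `python pull_apks.py com.sun.latest` and the APKs land under evidence/com.sun.latest/ with their SHA-256 hashes printed, which is the value you record before handing the file to jadx or a sandbox.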
Analysing the Permissions
Now that the suspicious APK is sitting in our local directory we can use jadx to analyse its code. The focus of this tutorial is the AndroidManifest.xml, which provides enough information for us to understand the app's capabilities at a high level.
When you open jadx for the first time, it will ask you which file you’re looking to analyse, point it towards the base.apk file previously extracted from your device.
We can now analyse the contents of the manifest. Below I've included a snippet of the primary permissions requested by the com.sun.latest application. We can see that some quite outlandish permissions have been requested. Most of these permissions are easily discernible; for example android.permission.SEND_SMS permits the app to send SMS messages.
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.WRITE_CONTACTS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.WRITE_SETTINGS"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-feature android:name="android.hardware.camera"/>
<uses-feature android:name="android.hardware.camera.autofocus"/>
<uses-feature android:name="android.hardware.microphone"/>
A write-up on every permission in this list would turn this tutorial into quite a long one, and would largely replicate the Android documentation.
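Once jadx has decoded the manifest to plain XML, the permission review above can be repeated mechanically on every APK you pull. The script below is an added example written for this lab, not the lab author's code or part of jadx. It parses a decoded AndroidManifest.xml, separates the permissions whose protection level the Android documentation marks as dangerous (the DANGEROUS set here is an assumed subset of that list and should be checked against the docs for the API level in question), flags duplicate declarations such as the repeated RECORD_AUDIO above, and maps the permissions to the high-level capabilities an incident responder cares about. The embedded SAMPLE_MANIFEST is constructed from the com.sun.latest permission list shown above.

```python
"""Triage the permissions declared in a decoded AndroidManifest.xml.

Added example for this lab, not the lab author's code. DANGEROUS is an assumed
subset of the runtime ("dangerous") permissions from the Android documentation;
verify it against the docs for the API level you are analysing.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

DANGEROUS = {P + n for n in (
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS",
    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "RECORD_AUDIO",
    "READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "ADD_VOICEMAIL",
    "USE_SIP", "PROCESS_OUTGOING_CALLS", "BODY_SENSORS", "SEND_SMS", "RECEIVE_SMS",
    "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS", "READ_EXTERNAL_STORAGE",
    "WRITE_EXTERNAL_STORAGE",
)}

# Permission groups that together give an app one high-level capability.
CAPABILITIES = {
    "read/send SMS": {P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS"},
    "place calls / read call log": {P + "CALL_PHONE", P + "READ_CALL_LOG", P + "WRITE_CALL_LOG"},
    "read/modify contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
    "track location": {P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION"},
    "record audio": {P + "RECORD_AUDIO"},
    "take pictures": {P + "CAMERA"},
    "read/write shared storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "start at boot": {P + "RECEIVE_BOOT_COMPLETED"},
    "network access": {P + "INTERNET"},
}

# Constructed manifest wrapping the permission list shown in the lab for com.sun.latest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sun.latest">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-feature android:name="android.hardware.camera"/>
  <uses-feature android:name="android.hardware.camera.autofocus"/>
  <uses-feature android:name="android.hardware.microphone"/>
</manifest>
"""


def declared(root: ET.Element, tag: str) -> list[str]:
    """Return the android:name of every <tag> element, in document order."""
    return [el.get(ANDROID_NS + "name") for el in root.iter(tag)]


def triage(manifest_xml: str) -> dict:
    """Split permissions into dangerous/other, note duplicates and map them to capabilities."""
    root = ET.fromstring(manifest_xml)
    unique, duplicates = [], []
    for perm in declared(root, "uses-permission"):
        (duplicates if perm in unique else unique).append(perm)
    held = set(unique)
    return {
        "package": root.get("package"),
        "dangerous": [p for p in unique if p in DANGEROUS],
        "other": [p for p in unique if p not in DANGEROUS],
        "duplicates": duplicates,
        "features": declared(root, "uses-feature"),
        "capabilities": sorted(name for name, group in CAPABILITIES.items() if held & group),
    }


if __name__ == "__main__":
    import json
    import sys

    # Pass the path of a jadx-decoded AndroidManifest.xml, or run with no argument for the sample.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage(xml_text), indent=2))
```

On the sample, 14 of the 21 distinct permissions fall in the dangerous set, RECORD_AUDIO is reported as declared twice, and every capability group is hit, which is the quick summary you would want in an incident ticket before going deeper into the decompiled code.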
Challenge
Look through the Android documentation and the permissions above, start to understand which of these are considered dangerous and why.
Conclusion
In this lab you've learned how to extract a malicious APK from a device and start to analyse its capabilities. In the next lab we'll start to analyse the code of the yet to be released (23/04/2020) traced CTF challenge, and you'll use these skills to reverse engineer the CTF. During incident response, these skills can be useful in further identifying the capabilities of a malicious application.
Want to practise your new skills? I'm hosting the AndroidManifest.xml of a malicious file created with EvilDroid on GitHub. Feel free to analyse this to your heart's content.
If you’re looking to easily analyse the permissions of all apps installed on your device you can easily do this with the traced app, download it from the Google Play Store today.