
Android Incident Response Lab 3

Introduction

During this lab we tie together the techniques used in Lab 1 and Lab 2 to identify a malicious app sitting on our device, along with the information it could have gained access to. We then move on to stage 3 of incident response, containment, and remove the malicious app from the device.

This lab exercise is designed as a walkthrough, which you can also follow along with on your own lab device by picking any benign app and removing it in the same way.

Important: When analysing suspicious APK files, ensure that appropriate precautions are taken to reduce the risk to your device and the network it connects to. Such precautions are beyond the scope of these labs. Traced takes no responsibility for the actions of malicious files and applications.
Incident Response Containment

TL;DR

In this lab we use the dumpsys command to identify when a package was installed.

adb shell "dumpsys package wocwvy.czyxoxmbauu.slsa"

We then use the commands below to stop the malicious app from running and uninstall it.

adb shell pm clear wocwvy.czyxoxmbauu.slsa
adb uninstall wocwvy.czyxoxmbauu.slsa

Identification

Using the techniques discussed in Lab 1 we discover an app installed on our lab device named wocwvy.czyxoxmbauu.slsa. Below is a snippet of the ps output used to map the user ID seen in the device's network connections (u0_a213) to the process that owns it.

a20e:/ $ ps -ef | grep u0_a213
u0_a213      10194  3792 3 11:15:38 ?     01:15:13 wocwvy.czyxoxmbauu.slsa

The column headings of the ps output are shown in the code block below. From these we can see that the STIME (start time) of the process was 11:15:38. Note that TIME is the cumulative CPU time the process has consumed (1 hour 15 minutes and 13 seconds), not how long it has been running; the running time is worked out from STIME and the device's current clock, which we check later in this lab.

UID            PID  PPID C STIME TTY          TIME CMD
u0_a213      10194  3792 3 11:15:38 ?     01:15:13 wocwvy.czyxoxmbauu.slsa

Next we want to find out when this app was installed on the device. To do this we issue a command which is new to these labs, dumpsys package. Its output is long and includes, among other things, the permissions the app requested and was granted, and an epoch timestamp (in milliseconds) identifying the exact date and time the app was installed. We use it on our suspicious app wocwvy.czyxoxmbauu.slsa; when issuing this command yourself, simply change the package name to the package of interest.

adb shell "dumpsys package wocwvy.czyxoxmbauu.slsa"
Active install Logging info:
  []
    1588846477680: "Ver":"", "Session":"0",

For brevity, the command output displayed above has been cut back to the information important to this exercise.

The value is a Unix epoch timestamp in milliseconds, so we convert it with an online epoch converter (drop the last three digits if your converter expects seconds). This returns Thursday, 7 May 2020 11:14:37.680 GMT+01:00 DST, i.e. 10:14:37 UTC.

Using the techniques discussed in Lab 2 we retrieve the permissions this app requests in its manifest:

    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
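A requested permission is not the same as a granted one: on Android 6 and later, dangerous permissions such as SMS and contacts access are only granted when the user accepts a runtime prompt, and the dumpsys package output used above records the granted state of each. The example below is added here and is not part of the original lab. It parses the manifest lines listed above together with a constructed dumpsys permission block (assumed, not captured from the lab device) and summarises which capabilities the app actually holds, flagging combinations an analyst would call out.

```python
"""Cross-check the permissions a suspicious package requests against what it holds.

Added example, not part of the original Traced lab. The manifest lines are the
ones the lab recovered; the dumpsys permission block is constructed to show the
cross-check, since a manifest only records what an app *asked for*, while
`dumpsys package <pkg>` records which of those have actually been granted.
"""
import re

MANIFEST_SNIPPET = """
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
"""

# Constructed: the permission sections of `dumpsys package wocwvy.czyxoxmbauu.slsa`
# as they would look on an assumed Android 10 device after the user tapped
# "Allow" on the SMS/contacts prompts but "Deny" on microphone and location.
DUMPSYS_PERMS = """
    install permissions:
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
      android.permission.WAKE_LOCK: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

# Analyst's shorthand groupings for the summary (not Android's own permission groups).
CAPABILITIES = {
    "SMS read/send": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS", "WRITE_SMS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "microphone": {"RECORD_AUDIO"},
    "contacts/identity/calls": {"READ_CONTACTS", "READ_PHONE_STATE", "CALL_PHONE"},
    "draw over other apps": {"SYSTEM_ALERT_WINDOW"},
    "foreground-app tracking": {"GET_TASKS", "PACKAGE_USAGE_STATS"},
    "shared storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "persistence": {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "network": {"INTERNET", "ACCESS_NETWORK_STATE"},
}


def requested_permissions(manifest_text):
    """Permission names from <uses-permission android:name="..."/> elements."""
    return re.findall(r'<uses-permission\s+android:name="([\w.]+)"', manifest_text)


def granted_permissions(dumpsys_text):
    """Map permission name -> granted flag from the dumpsys permission sections."""
    pairs = re.findall(r"^\s+([\w.]+):\s+granted=(true|false)", dumpsys_text, re.M)
    return {name: flag == "true" for name, flag in pairs}


def triage(manifest_text, dumpsys_text):
    requested = requested_permissions(manifest_text)
    granted = granted_permissions(dumpsys_text)
    # "not recorded" covers permissions dumpsys does not track (e.g. the
    # deprecated GET_TASKS) or that are gated elsewhere; check those by hand.
    status = {p: ("granted" if granted[p] else "denied") if p in granted else "not recorded"
              for p in requested}
    held = {p.rsplit(".", 1)[-1] for p, s in status.items() if s == "granted"}
    capabilities = {cap: sorted(held & perms) for cap, perms in CAPABILITIES.items() if held & perms}
    # Heuristic findings: combinations of held permissions, not single ones.
    findings = {}
    if held & {"RECEIVE_SMS", "READ_SMS"} and "INTERNET" in held:
        findings["sms_exfiltration"] = "can read incoming SMS (incl. 2FA codes) and send them off-device"
    if "SYSTEM_ALERT_WINDOW" in held:
        findings["overlay_phishing"] = "can draw over other apps (also gated by the 'display over other apps' app op)"
    if "RECEIVE_BOOT_COMPLETED" in held:
        findings["boot_persistence"] = "can restart itself after a reboot"
    return {"status": status, "capabilities": capabilities, "findings": findings}


if __name__ == "__main__":
    result = triage(MANIFEST_SNIPPET, DUMPSYS_PERMS)
    for section, content in result.items():
        print(f"== {section}")
        for key, value in content.items():
            print(f"  {key}: {value}")
```

Permissions that come back as "not recorded" are the ones to verify manually, since a manifest entry on its own proves nothing about what the app can currently do.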

Identification – Some Conclusions

From the above we know that the app requests permissions that would let it access contacts and external storage, record audio, read and send SMS messages, and more, and that it was installed at 11:14:37. We also know that its process has been running since 11:15:38, about a minute after installation. Issuing adb shell "date" returns a current device time of 12:38:43 on the same day as the installation, so the process has been running for roughly 1 hour 23 minutes.
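To tie the three observations above together, here is an added example (not part of the original lab) that parses the ps line, the dumpsys install timestamp and the adb shell "date" output and reconstructs the timeline. The ps and dumpsys values are copied from this lab; the date string and the BST (UTC+1) device timezone are assumed from the converted install time.

```python
"""Reconstruct the install/start/uptime timeline of a suspicious package.

Added example, not part of the original Traced lab. It parses constructed
copies of the ps, dumpsys and date output shown in the walkthrough, so it
runs offline; feed it real `adb shell` output to use it on a device.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed samples, copied from the lab. The device is assumed to be on
# BST (UTC+1), which is what the lab's epoch conversion shows.
DEVICE_TZ = timezone(timedelta(hours=1))
PS_LINE = "u0_a213      10194  3792 3 11:15:38 ?     01:15:13 wocwvy.czyxoxmbauu.slsa"
DUMPSYS_SNIPPET = """Active install Logging info:
  []
    1588846477680: "Ver":"", "Session":"0",
"""
DEVICE_DATE = "Thu May  7 12:38:43 BST 2020"  # assumed `adb shell date` output


def parse_ps_line(line):
    """Split one `ps -ef` row into its columns.

    TIME is cumulative CPU time consumed by the process, not how long it has
    been running; uptime must be derived from STIME and the device clock.
    """
    uid, pid, ppid, _c, stime, _tty, cpu, cmd = line.split(None, 7)
    parts = [int(x) for x in cpu.split(":")]  # H:MM:SS or MM:SS
    secs = sum(p * 60 ** i for i, p in enumerate(reversed(parts)))
    return {"uid": uid, "pid": int(pid), "ppid": int(ppid), "stime": stime,
            "cpu_time": timedelta(seconds=secs), "cmd": cmd}


def install_time_from_dumpsys(text, tz):
    """Install time from the 'Active install Logging info' block as an aware datetime.

    The key is a millisecond Unix timestamp; it is split into seconds and
    microseconds so no float rounding creeps in.
    """
    m = re.search(r"^\s*(\d{13}):", text, re.M)
    if not m:
        raise ValueError("no millisecond install timestamp found in dumpsys output")
    ms = int(m.group(1))
    return datetime.fromtimestamp(ms // 1000, tz).replace(microsecond=(ms % 1000) * 1000)


def parse_device_date(text, tz):
    """Parse toybox `date` output such as 'Thu May  7 12:38:43 BST 2020'."""
    m = re.match(r"\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\d{4})", text.strip())
    if not m:
        raise ValueError(f"unrecognised date output: {text!r}")
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S").replace(tzinfo=tz)


def build_timeline(ps_line, dumpsys_text, device_date, tz=DEVICE_TZ):
    """Tie the three observations together into one timeline."""
    proc = parse_ps_line(ps_line)
    now = parse_device_date(device_date, tz)
    installed = install_time_from_dumpsys(dumpsys_text, tz)
    # ps prints STIME as HH:MM:SS only for processes started today; anything
    # else (typically a date) means the process predates the current day.
    if not re.fullmatch(r"\d\d:\d\d:\d\d", proc["stime"]):
        raise ValueError(f"STIME {proc['stime']!r} is not today; take the date from ps")
    h, mi, s = (int(x) for x in proc["stime"].split(":"))
    started = now.replace(hour=h, minute=mi, second=s, microsecond=0)
    if started > now:
        raise ValueError("STIME is later than the device clock; check the device time")
    uptime = now - started
    return {
        "package": proc["cmd"],
        "pid": proc["pid"],
        "installed": installed,
        "started": started,
        "install_to_start": started - installed,
        "uptime": uptime,
        "cpu_time": proc["cpu_time"],
        # Share of one core consumed since start (can exceed 1 if multi-threaded).
        "cpu_share": proc["cpu_time"] / uptime,
    }


if __name__ == "__main__":
    for key, value in build_timeline(PS_LINE, DUMPSYS_SNIPPET, DEVICE_DATE).items():
        print(f"{key:>17}: {value}")
```

The install-to-start gap and the CPU share are the two numbers worth writing into the incident timeline; the raw TIME column on its own is easy to misread as uptime.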

Now that we've collected enough information about this app, the sensible course of action is to wipe the device with a full factory reset. Some malicious Android apps (Cerberus and Anubis, for example) make it challenging to uninstall them via the Android UI: they abuse their access to accessibility services to throw you back to the home screen whenever an attempt is made to uninstall the app or factory reset the device. To get around this, we remove the app first via adb.

Containment

To begin containment we first stop the package from running. The command adb shell pm clear <package name> force-stops the app and clears out its stored data, but it won't uninstall the app. Bear in mind that clearing data destroys evidence: if you may want to analyse the app later, take a copy of its APK first (adb shell pm path <package name> prints where it is installed, and adb pull retrieves it).

adb shell pm clear wocwvy.czyxoxmbauu.slsa

If you'd like to verify that the app has definitely stopped running, re-issue the ps -ef | grep <your package's user id> command from the identification step; it should return nothing.

We’re now ready to uninstall the suspicious app via the below command.

adb uninstall wocwvy.czyxoxmbauu.slsa

Without fully reverse engineering the app, it's not easy to tell whether it is a dropper that has already installed further malicious components on the device. It is very difficult for a malicious app to persist through a factory reset, which is why the sensible next step, once the evidence you need has been collected, is to factory reset the device.
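The containment steps above, as an added example that is not part of the original lab: it preserves a copy of the APK before pm clear, then checks that the process is really gone before uninstalling and that the package is really gone afterwards, rather than assuming each command worked. The adb_runner function talks to a real device over adb; simulated_device is an assumed stand-in that answers the same commands from a dictionary so the procedure can be rehearsed with no device attached. The DELETE_FAILED_DEVICE_POLICY_MANAGER branch reflects adb's failure code for active device administrator apps; the advice attached to it is an interpretation added here, not adb output.

```python
"""Contain a suspicious package over adb, verifying each step instead of assuming it.

Added example, not part of the original Traced lab. adb_runner drives a real
device; simulated_device is an assumed stand-in that answers the same commands
from a dictionary, so the procedure can be rehearsed with nothing attached.
"""
import subprocess
import sys

PACKAGE = "wocwvy.czyxoxmbauu.slsa"


def adb_runner(serial=None):
    """Return run(*args) that executes `adb [-s serial] args...` and returns its output."""
    prefix = ["adb"] + (["-s", serial] if serial else [])

    def run(*args):
        proc = subprocess.run(prefix + list(args), capture_output=True, text=True)
        return proc.stdout + proc.stderr
    return run


def simulated_device(installed, running, uninstall_reply="Success"):
    """Fake adb for rehearsal: one package whose state lives in a dict (constructed replies)."""
    state = {"installed": installed, "running": running}

    def run(*args):
        cmd = " ".join(args)
        if cmd == f"shell pm list packages {PACKAGE}":
            return f"package:{PACKAGE}\n" if state["installed"] else ""
        if cmd == f"shell pm path {PACKAGE}":
            return f"package:/data/app/{PACKAGE}-1/base.apk\n" if state["installed"] else ""
        if cmd == "shell ps -ef":
            rows = "UID            PID  PPID C STIME TTY          TIME CMD\n"
            if state["running"]:
                rows += f"u0_a213      10194  3792 3 11:15:38 ?     01:15:13 {PACKAGE}\n"
            return rows
        if cmd == f"shell pm clear {PACKAGE}":
            state["running"] = False  # pm clear force-stops the app
            return "Success\n"
        if cmd == f"uninstall {PACKAGE}":
            if uninstall_reply == "Success":
                state["installed"] = False
            return uninstall_reply + "\n"
        if args[0] == "pull":
            return f"{args[1]}: 1 file pulled.\n"
        raise ValueError(f"simulated device does not handle: {cmd}")
    return run


def is_installed(run, pkg):
    # `pm list packages X` is a substring match, so compare the whole token.
    return f"package:{pkg}" in run("shell", "pm", "list", "packages", pkg).split()


def is_running(run, pkg):
    """True if any `ps -ef` row's CMD column is exactly the package name."""
    rows = run("shell", "ps", "-ef").splitlines()[1:]  # skip the header
    return any(row.split()[-1] == pkg for row in rows if row.strip())


def collect_apk(run, pkg, dest_dir="."):
    """Pull the installed APK before anything is cleared, so later analysis stays possible."""
    paths = [line[len("package:"):] for line in run("shell", "pm", "path", pkg).splitlines()
             if line.startswith("package:")]
    if not paths:
        return None
    run("pull", paths[0], f"{dest_dir}/{pkg}.apk")  # paths[0] is base.apk; split APKs follow
    return paths[0]


def contain(run, pkg, dest_dir="."):
    """Evidence -> pm clear -> verify stopped -> uninstall -> verify gone."""
    report = {"package": pkg, "installed_before": is_installed(run, pkg)}
    if not report["installed_before"]:
        report["result"] = "not installed"
        return report
    report["running_before"] = is_running(run, pkg)
    report["apk_path"] = collect_apk(run, pkg, dest_dir)
    report["pm_clear"] = run("shell", "pm", "clear", pkg).strip()
    report["running_after_clear"] = is_running(run, pkg)
    if report["running_after_clear"]:
        report["result"] = "still running after pm clear; investigate before uninstalling"
        return report
    reply = run("uninstall", pkg).strip()
    report["uninstall"] = reply
    report["installed_after"] = is_installed(run, pkg)
    if reply.startswith("Success") and not report["installed_after"]:
        report["result"] = "removed"
    elif "DELETE_FAILED_DEVICE_POLICY_MANAGER" in reply:
        # Interpretation added here: this adb failure code means the app is an
        # active device administrator, which has to be deactivated before removal.
        report["result"] = "blocked: active device admin; deactivate it, then retry"
    else:
        report["result"] = f"failed: {reply}"
    return report


if __name__ == "__main__":
    run = adb_runner() if "--device" in sys.argv else simulated_device(True, True)
    for key, value in contain(run, PACKAGE).items():
        print(f"{key}: {value}")
```

Run it with --device to drive a real handset; without that flag it walks the same steps against the simulated package so you can see what a clean removal, a device-admin block and a "not installed" case each look like before touching evidence.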

Conclusion

You now have some of the key tools and techniques necessary for identifying and containing a malicious Android app. If, after doing some incident response on your Android device, you're left wanting to know more about reverse engineering Android APKs, Maddie Stone has released a very informative free course.

If you’d like to continuously monitor malicious activity on your Android device, you can download the Traced Android app for free from the Google Play Store.
