During this lab we tie together techniques used in Lab 1 and Lab 2 to identify a malicious app sitting on our device along with the information it could have obtained access to. Following this, we move onto stage 3 of incident response, the containment phase to remove this malicious app from our device.
This lab exercise is designed as a walkthrough, which can also be followed along by uninstalling any benign app on your own lab device.
In this lab we learn the
dumpsys command to help identify when an APK was installed.
adb shell "dumpsys package wocwvy.czyxoxmbauu.slsa"
We then use the below commands to stop a malicious app from running and uninstall it.
adb shell pm clear wocwvy.czyxoxmbauu.slsa adb uninstall wocwvy.czyxoxmbauu.slsa
Using techniques discussed in Lab 1 we discover an app installed on our lab device named
wocwvy.czyxoxmbauu.slsa. Below is a snippet of the
ps command used to identify the app from network connections on the device.
a20e:/ $ ps -ef | grep u0_a213 u0_a213 10194 3792 3 11:15:38 ? 01:15:13 wocwvy.czyxoxmbauu.slsa
The format of the
ps command output is expanded upon in the below code block. Looking at these headings we can see that the
STIME (start time) of this process was 11:15:38 and based on
TIME we can also see that the process has been running for 1 hour 15 minutes and 13 seconds.
UID PID PPID C STIME TTY TIME CMD u0_a213 10194 3792 3 11:15:38 ? 01:15:13 wocwvy.czyxoxmbauu.slsa
Now we want to find out when this app was installed on the device, to do this we’ll issue a command which is new to these labs. The output of this command includes lots of information about the requested permissions as well as an epoch timestamp identifying exact install time/date of the app. We’ll be using this on our suspicious app
wocwvy.czyxoxmbauu.slsa, when issuing this command yourself, simply change the package name to the package of interest.
adb shell "dumpsys package wocwvy.czyxoxmbauu.slsa" Active install Logging info:  1588846477680: "Ver":"", "Session":"0",
For brevity, the command output displayed above has been cut back to the information important to this exercise.
Taking the epoch time, we now use an online epoch converter to convert this epoch time to a human readable time. This returns
Thursday, 7 May 2020 11:14:37.680 GMT+01:00 DST.
Using techniques discussed in lab 2 we retrieve the requested permissions of this app:
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> <uses-permission android:name="android.permission.GET_TASKS"/> <uses-permission android:name="android.permission.RECEIVE_SMS"/> <uses-permission android:name="android.permission.READ_SMS"/> <uses-permission android:name="android.permission.WRITE_SMS"/> <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/> <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/> <uses-permission android:name="android.permission.CALL_PHONE"/> <uses-permission android:name="android.permission.INTERNET"/> <uses-permission android:name="android.permission.SEND_SMS"/> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> <uses-permission android:name="android.permission.RECORD_AUDIO"/> <uses-permission android:name="android.permission.READ_CONTACTS"/> <uses-permission android:name="android.permission.READ_PHONE_STATE"/> <uses-permission android:name="android.permission.WAKE_LOCK"/> <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/> <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
Identification – Some Conclusions
From the above techniques we can determine that the app has the potential to access: contacts, the external storage, record audio, send SMS messages and more, since it was installed at 11:14:37. We also know that the process has been running since 11.15.38 issuing the
adb shell "date" command returns that the current time on the device is
12:38:43 and the day is the same as that of the installation.
Now that we’ve collected enough information about this app, the sensible course of action is to wipe the device with a full factory reset. Some malicious Android apps (Cerberus and Anubis as an example) make it challenging to uninstall via the Android UI using their access to accessibility services to throw you back to the home page whenever an attempt to uninstall the app or factory reset is made. To combat this, we remove the app first via adb.
To begin the process of containment on our device we first must stop the package from running. The below command
adb shell pm clear <package name> stops the app from running and clears out it’s stored data, but it won’t uninstall the app.
adb shell pm clear wocwvy.czyxoxmbauu.slsa
If you’d like to verify that your app has definitely stopped running, re-issue the
ps -ef | grep <your package user id> command.
We’re now ready to uninstall the suspicious app via the below command.
adb uninstall wocwvy.czyxoxmbauu.slsa
Without fully reverse engineering the app, it’s not easy to tell if a suspicious app is a dropper which will install further malicious items on a device. It’s very difficult for malicious apps to persist through a factory reset, which is why a sensible next step is to factory reset the device.
You now have some of the key tools and techniques necessary for identifying and containing a malicious Android app. If after doing some incident response on your Android device, and you’re left wanting to know more about reverse engineering Android APKs, Maddie Stone has released a very informative free course.
If you’d like to continuously monitor malicious activity on your Android device, you can download the Traced Android app for free from the Google Play Store.