Checking your Android device for known malware

It’s 2017 and, like many others I’m sure, I spend more time on my smartphone than my computers. I never would have thought that these little devices would get so popular, so fast; and yet, these ultra-powerful, ultra-compact, always-on computers seem to forever be within an arm’s reach of us. They are our gateways to troves of information. They are indispensable tools for communicating in real time with friends, colleagues, and sometimes complete strangers. They are the instruments of our productivity, procrastination, and lulz. Come to think of it, I know more than one person in my immediate entourage that acts as if they would rather part ways with an arm or a leg than their cherished smart apparatus.

Unfortunately, there is a price to be paid for our limitless, real-time access to the latest news articles and cat pictures: alas, smartphones are just as prone to malware as their PC and Mac counterparts. Spyware, banking trojans, and even ransomware have been making the rounds of the Google Play store; this year alone, we’ve had to contend with adware such as Judy, spyware such as FlexiSPY, or govware such as Pegasus. Despite Google’s active attempts to keep its store clean, many malicious Android applications slip through the cracks.

When you’re analyzing a phone in the context of a breach, the sheer number of applications to investigate can be daunting. People are as inclined to install mobile apps on a whim as they are disinclined to clean them up. After a few decidedly long mobile investigations, I began to search for a way of better operationalizing my process; the following scripts are a stab in what I believe to be the right direction.

I have written a set of scripts that leverage the drozer mobile application pentesting tool to pull out Android applications from a device being investigated and generate their MD5 and SHA256 hashes in an easy-to-search file. There is a hashing script responsible for gathering the hashes of each application installed on the phone, and a verification script used to compare the hashes to a well-known repository of malware hashes.

I’ve tried to make the scripts as easy to use as possible, but it does require some technical know-how to use.

Skill-level: Medium. While you will not need to be intimately familiar with Android development or debugging, you will at least need to know your way around Linux, and know how to run commands from a shell.

Amount of time required for the procedure: 45 minutes total

Pre-requisites

To run the scripts, you’ll need the following conditions to be satisfied:

  • This current implementation relies on tools that run on Linux; with tweaking, it could be made to run on Windows systems as well — but that would require some programming skills.
  • You will need the Android Debug Bridge (adb) installed on your machine. This can be done by running “sudo apt-get install adb”. Installation time: 5 minutes. Complexity: easy.
  • You will need drozer (https://labs.mwrinfosecurity.com/tools/drozer/) running on your computer. Once downloaded, the package can be installed by running “sudo dpkg -i drozer_2.3.4.deb” Installation time: 5 minutes. Complexity: easy.
  • You will need to have python 2.7 and the pwntools python package installed. This can be achieved by running “sudo apt-get install -y python2.7 python-pip; sudo pip install pwntools” Installation time: 10 minutes. Complexity: easy.
  • Your phone has to be configured to accept USB debugging sessions. Installation time: 5 minutes. Complexity: medium. This is done from the phone:
    • Unlock your Android phone and navigate to Settings > About, scroll down to “Build number” and click 7 times on the field to enable Developer Mode
    • Back in Settings, click on the new Developer options item and activate the USB debugging option.
    • Plug your phone into your computer, make sure it is unlocked, and from a command line, run “adb shell”. Your phone should ask you if you want to trust the computer – select “Yes”.
  • Although you can generate your own drozer agent from drozer itself, the version of the agent that it generates is obsolete. Consider downloading the “drozer (Agent .apk only)” file from drozer’s main site. Once you have it downloaded, you can install the agent by running “adb install drozer-agent-2.3.4.apk”. Installation time: 5 minutes. Complexity: easy.

Running the scripts

The hardest part about using the scripts is installing the pre-requisites – running the script is as easy as downloading it from the repository (https://github.com/kudelskisecurity/check_all_apks), then running it with python: “python2.7 check_all_apks.py”. The amount of time the hashing script takes to run will depend on how many packages you have installed: we found that it took 15 minutes to dump a little over 120 applications.

If you’re familiar with Drozer, please note that the hashing script automatically sets up forwarding between the drozer agent and the console at the standard port of 31415.

The hashing script has two modes: by default, it opens a session with the Drozer agent, creates a list of all the packages installed on the device, and computes the MD5 hash of each package using Drozer’s common libraries.

In “thorough” mode, the hashing script will create a “packages” subfolder in the directory in which the script is located — if you have a lot of applications, please be sure to run the script from a disk that has sufficient space. It will also create a “package_hashes.txt” file with the name of the package, its MD5 hash, and its SHA256 hash.

What now?

If the hashing script has run successfully, you will now have a list of hashes. If you have the hash of a specific piece of malware in mind, you can run a “grep” of that hash in your package_hashes.txt file.

However, a more interesting use case would be to search for your hashes in a database of known malware. I’ve written a verification script that uses VirusTotal to do this, available in the same repository.

To run this verification script, you will need to sign up for a free VirusTotal account and get an API key, which you’ll need to provide to the script as an argument. The script will iterate through the list of hashes, submit each hash to VirusTotal, and return the ratio of antiviruses that detected the package as malware over the total number of antiviruses that scanned the package. You should note that the VirusTotal API is rate-limited to support a whopping four requests per minute — consequently, if you’re testing hundreds of packages against VirusTotal be prepared to let the script run for a long time.

IMPORTANT: While Drozer is an extremely useful tool frequently used by white-hat hackers to legitimately analyze mobile applications for security flaws, it can also be used for nefarious purposes. Once your analysis is complete, do remember to remove Drozer from the phone and to de-activate the phone’s Developer Mode, for the sake of good housekeeping.

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s