DroidBox is developed to offer dynamic analysis of Android applications. The analysis produces the following results:
- Hashes for the analyzed package
- Incoming/outgoing network data
- File read and write operations
- Started services and loaded classes through DexClassLoader
- Information leaks via the network, file and SMS
- Circumvented permissions
- Cryptography operations performed using Android API
- Listing broadcast receivers
- Sent SMS and phone calls
Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.
Here is the source code for DroidBox: LINK.
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.
Requirements for DroidBox
- First you need to install some packages to use DroidBox, and make sure the relevant packages are installed:
```shell
root@kali:~# apt-get install python-virtualenv libatlas-dev liblapack-dev libblas-dev
```
You'll need those in order to use scipy, matplotlib and numpy along with DroidBox. Now create a virtual environment and install the Python dependencies:

```shell
root@kali:~/work/apk# mkdir env
root@kali:~/work/apk# virtualenv env
...
root@kali:~/work/apk# source env/bin/activate
(env)root@kali:~/work/apk# pip install numpy scipy matplotlib
```
Install DroidBox

```python
import os
import sys

# Setup new PATH: add the Android SDK tools, platform-tools and build-tools
old_path = os.environ['PATH']
new_path = old_path + ":" + "/root/work/apk/SDK/android-sdk-linux/tools:/root/work/apk/SDK/android-sdk-linux/platform-tools:/root/work/apk/SDK/android-sdk-linux/build-tools/19.1.0"
os.environ['PATH'] = new_path

# Change working directory to the DroidBox checkout
os.chdir("/root/work/apk/DroidBox_4.1.1/")
```
Set up IPython settings

```python
%pylab inline
import binascii
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import networkx as nx
import datetime as dt
import time
import ipy_table
from IPython.display import display_pretty, display_html, display_jpeg, display_png, display_json, display_latex, display_svg
from IPython.display import HTML
from IPython.core.magic import register_cell_magic, Magics, magics_class, cell_magic
import jinja2

# IPython settings
pd.set_option('display.height', 1000)
pd.set_option('display.max_rows', 500)
pd.set_option('display.max_columns', 500)
pd.set_option('display.max_colwidth', 100)
pd.set_option('display.width', 1000)
pd.set_option('display.column_space', 1000)
```
Now create an Android Virtual Device
You can run DroidBox against your own Android device, but you can also use an Android virtual device (emulator) instead.
Here is the command to create the Android Virtual Device:
```
# android create avd --abi default/armeabi-v7a -n android-4.1.2-droidbox -t 1 -c 1000M
Android 4.1.2 is a basic Android platform.
Do you wish to create a custom hardware profile [no]
Created AVD 'android-4.1.2-droidbox' based on Android 4.1.2, ARM (armeabi-v7a) processor,
with the following hardware config:
hw.lcd.density=240
hw.ramSize=512
hw.sdCard=yes
vm.heapSize=48
```
Run DroidBox
DroidBox will then listen for activities until you kill it with ^C.
Meanwhile I was interacting with the app and saw that DroidBox was collecting the logs during the interactions.
Now DroidBox will track:
- File System Activities
- Network Activities
- Sent Data
- Received Data
- Request Sequence
- Crypto activities
- Activities Chart
I think DroidBox is a very good tool to deal with Android APKs and analyze their behaviour during run-time. It comes with a working mobile sandbox meant to inspect and monitor an application's activities. However, during my analysis I had to rely on previous analysis since the results didn't contain the full details. Not only the network traffic but also the contents read from files weren't complete. In order to fully understand one malware I need complete details about its behaviour. For example I had the following response from the server, which is completely useless:

```
HTTP/1.1 406 Not Acceptable\r\nDate: Mon, 28 Jul 2014 13:29:38 GMT\r\nServer: Apache\r\nContent-...
```
Besides that I was indeed able to see that the application is reading from some file. But the delivered content was once again stripped:

```
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n<string name="DOWNLOADDOMAIN">c...
```
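As an added example (not part of the original post or of DroidBox itself) that ties together the temporal-order view mentioned at the top and the truncated payloads noted just above: a Python 3 script that flattens a DroidBox result into one timeline, groups data leaks by sink, and flags every entry whose captured payload ends in "...". The result file is constructed, and its layout (per-section dicts keyed by elapsed seconds, hex-encoded fdaccess data, the 203.0.113.10 host and placeholder hashes) is my assumption about DroidBox 4.1.1's JSON output, not something taken from the page.

```python
import binascii
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of a DroidBox 4.1.1 result file (assumed layout:
# one dict per section keyed by elapsed seconds; fdaccess "data" is hex-encoded).
SAMPLE_RESULT = json.dumps({
    "apkName": "sample.apk", "hashes": ["MD5-PLACEHOLDER", "SHA1-PLACEHOLDER", "SHA256-PLACEHOLDER"],
    "fdaccess": {"0.80": {"operation": "read", "path": "/data/data/sample/shared_prefs/s.xml",
                          "data": binascii.hexlify(b'<map>\n<string name="DOWNLOADDOMAIN">c...').decode()}},
    "opennet": {"1.20": {"desthost": "203.0.113.10", "destport": "80", "fd": "33"}},
    "dataleaks": {"1.30": {"sink": "Network", "tag": "TAINT_IMEI", "data": "IMEI-PLACEHOLDER"}},
    "sendnet": {"1.35": {"type": "net write", "desthost": "203.0.113.10", "destport": "80",
                         "data": "POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\nimei=IMEI-PLACEHOLDER"}},
    "recvnet": {"1.50": {"type": "net read", "host": "203.0.113.10", "port": "80",
                         "data": "HTTP/1.1 406 Not Acceptable\r\nServer: Apache\r\nContent-..."}},
    "cryptousage": {}, "sendsms": {}, "phonecalls": {}, "servicestart": {}, "dexclass": {},
})
SECTIONS = ("fdaccess", "opennet", "sendnet", "recvnet", "dataleaks",
            "cryptousage", "sendsms", "phonecalls", "servicestart", "dexclass")

def load_timeline(raw: str) -> List[Tuple[float, str, dict]]:
    """Flatten every section into one (elapsed_s, section, entry) list, oldest first."""
    result = json.loads(raw)
    events = []
    for section in SECTIONS:
        for stamp, entry in result.get(section, {}).items():
            entry = dict(entry)
            if section == "fdaccess" and entry.get("data"):
                # file payloads are hex in the log; decode them for inspection
                entry["data"] = binascii.unhexlify(entry["data"]).decode("utf-8", "replace")
            events.append((float(stamp), section, entry))
    return sorted(events, key=lambda ev: ev[0])

def truncated_entries(events) -> List[Tuple[float, str]]:
    """Entries whose payload the sandbox cut short (the trailing '...' seen in the write-up)."""
    return [(ts, sec) for ts, sec, e in events if str(e.get("data", "")).endswith("...")]

def leak_summary(events) -> Dict[str, List[str]]:
    """Taint tags that reached each sink (Network / File / SMS), in order of occurrence."""
    sinks: Dict[str, List[str]] = {}
    for _, section, entry in events:
        if section == "dataleaks":
            sinks.setdefault(entry["sink"], []).append(entry["tag"])
    return sinks

if __name__ == "__main__":
    timeline = load_timeline(SAMPLE_RESULT)
    print([s for _, s, _ in timeline], leak_summary(timeline), truncated_entries(timeline))
```

Running it against a real result file (pass the JSON text instead of SAMPLE_RESULT) lists which captures are unusable for a full verdict, so you know up front which files or connections need a second look with a packet capture or a file pull from the emulator.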