Mobile devices store a huge amount of sensitive information, including billing information, which makes them attractive to cybercriminals. The development of mobile operating systems, such as iOS and Android, as well as the technical evolution of smartphones and tablets have led to an increase in the popularity of the latter. The result of high demand and a multitude of operating system vulnerabilities and the lack of anti-virus protection is the interest of cybercriminals in developing or purchasing applications that implement malicious functions on mobile platforms. It sets new tasks for specialists in the field of forensic computer (technical) expertise.
For most of the applications running on the Android OS, Java programming language is used. Programs are executed in the system via AndroidRuntime since version 4.4. In order to analyze applications, an expert needs to understand its format. The considered applications are stored in the memory of the mobile device in the APK format, and the application is first compiled, and after that, it is packaged in an APK file along with all its components. The specified file is a ZIP archive, including bytecodes, resources, certificates, and a manifest file.
After installation, the APK file is copied to the location in the file system. For system applications, it is usually /system/app, for user applications — /data/app. From a forensic perspective, the APK file contains the three most important parts: the signature, bytecode, and resources. The signature contains an APK file checksum that can be used by an expert to determine if the application is damaged. In addition, the expert can collect signatures of programs, including allegedly malicious ones, and use them for quick identification in the memory of the studied digital information carrier.
The executable part of the application is stored in the classes.dex file located in the archive (APK-file), and contains all its compiled classes, presented in the form of bytecodes. It is important that the bytecode here is converted into instructions for the AndroidRuntime virtual machine, since the latter, unlike the Java virtual machine, is based on registers. The APK file may also contain a pre-compiled code (lib directory). The resources are parts of the application that do not require execution, for example, user interface components. The most important part of the resource, in terms of forensic investigation, is the AndroidManifest.xml file. The specified file contains information about the permissions requested by the application during installation. Thus, some applications, in order to gain access with the Android OS protected API, request permission to access reading messages, contacts, etc. Analysis of the file in question is an essential step for detecting the malicious functions of an application.
Experts identify four of the most common ways to counter forensic (analysis) investigation of allegedly malicious applications:
The basic static analysis consists of reviewing the executable file without inspecting the actual instructions. This type of analysis can verify whether the data is malicious, present information about its functionality, and sometimes give information allowing to create uncomplicated network signatures. The basic static analysis is elementary and rather fast, but it is mostly useless against complex malware, and it can skip behavior.
The main methods of dynamic analysis include the launching of malicious software and monitoring its behavior in the system to remove the infection, create effective signatures, or both. However, before running malware safely, you must create an environment (lab) that will allow you to learn the malicious programs that are running without risk of damage to your system or network. Like the basic methods of static analysis, the basic techniques of dynamic analysis can be used by most people without in-depth programming knowledge, but they will not be useful with all malicious programs and can skip important functionality.
The advanced static analysis consists of the reverse development of malware components, by downloading the executable file to the disassembler and viewing the instructions of the program to find out what the program is doing. The processor executes instructions, so this analysis describes accurately what the program does. Still, advanced static analysis has an abrupter learning curve than the basic static analysis, and needs specialized experience of disassembly, code constructs, and Windows operating system concepts.
The advanced dynamic analysis uses a debugger to check the internal status of an executing malicious executable. Advanced methods of dynamic analysis provide another way to extract detailed information from the executable. These methods are most useful when you are trying to obtain information that is difficult to compile with other methods. In the OWASP Mobile manual, you can learn how to use the advanced dynamic analysis together with advanced static analysis for a complete analysis of suspicious malicious programs.
A phone that is infected with malware can display information in different ways, and it may even stop working correctly. You may have a damaged phone with malware hiding in the shadows, and you probably won’t even understand. The absence of a fan or taskbar or pop-up windows or other symptoms by which infection can be determined often goes unnoticed.
The number of malicious packages to install malware in 2017 more than tripled, and in 2018 nearly 40 million attacks occurred.
Cybercriminals seeking greater returns focus their efforts on organizations and use different tactics to infect the maximum number of corporate devices with their own or most well-known malware. Here are some of the most used programs:
Backdoor — malicious code that is installed on the computer to give access for the attacker. Backdoors usually allow an attacker to connect to a laptop without authentication and execute commands on the local system.
A botnet is similar to a backdoor, in that it enables an attacker to get access to the system, but all the networks infected by the same botnet get the same directions from one control center.
Downloader — malicious code that is created only with the aim to download another malicious code. Bootloaders are usually installed by hackers when they first get access to the system. The loader program will download and install an extra malicious code.
Information-stealing malware is malicious software that collects information from a victim's computer and sends it to an attacker. Examples include analyzers, hash password thieves and key registrars. This malicious program is usually used to gain access to online accounts, such as e-mail or Internet banking.
The launcher is a malicious program used to run other malicious programs. Generally, non-traditional methods are used to run other malicious programs to provide stealth or greater access to the system.
The rootkit is a malicious code designed to hide the presence of another code. Rootkits are usually paired with other malicious programs, such as the back door, what allows remote access to the attacker and makes the code hard to detect for the victim.
Scareware is malicious software created to frighten a user and make them purchase something. It regularly has an interface that looks like antivirus or other security software. Scareware informs users that there is malicious code in their OS and that the only way to dismiss it is to buy the antivirus "software" when in fact the latter does anything except removing the scareware.
Spam-sending malware is a malicious program that infects a user's computer and then uses this computer to send spam. This malicious program brings income to attackers allowing them to sell spam mailing services.
Worm or virus is a malicious code that can copy itself and infect other computers.
Malicious programs often consist of several components. For example, an application can have a keylogger which collects passwords, and a worm component that can send spam. Do not get too carried away with the classification of malware following their functionality. Malicious programs can also be classified based on whether the intent of the attacker is mass or targeted. Massive malicious software, such as scareware, uses the "shotgun" approach and is designed to affect as many computers as possible. Of the two purposes, these are the most common, and usually less complicated and easily detectable and protected because the security software is its goal.
Target malware, like a one-of-a-kind backdoor, is adapted to a specific organization. Target malware poses a more significant threat to computer systems than massive malware because it is not common, and your security products probably will not protect you from it. Without a detailed analysis of targeted malicious programs, it is almost impossible to protect the network from these malicious programs and to remove the infections. Target malicious programs are usually very complex, and your analysis often requires the advanced analysis skills described in this article.
One of the general and fastest ways is to analyze the malware on the resources virustotal.com and payloadsecurity.com. For more detailed analysis you need to address specialists. In principle, malware analysis requires extensive testing for vulnerabilities which has been described above.
At Hacken, we take security extremely seriously, and all the checks are performed according to the highest standards. If you have any questions about the topic or need a consultation, feel free to contact our Team!