Monday, May 7, 2012

How to Reverse Engineer Android Malware

Reverse Engineer Android Malware

Tools you may need for decompiling Android malware:

apktool – a tool used for manipulating .apk files
   Download: http://code.google.com/p/android-apktool/
jad – a Java decompiler (Windows only)
   Download: http://www.varaneckas.com/jad
JD-Core + JD-GUI – another Java decompiler, supporting newer Java versions and features
   Download: http://java.decompiler.free.fr
dex2jar – a tool for converting .dex files to .class files
   Download: http://code.google.com/p/dex2jar/downloads/list (dex2jar)
apkinspector - all in one tool
   Download: http://code.google.com/p/apkinspector/

However, this tutorial is fairly easy and simple and I will only be using dex2jar and jd-gui. This tutorial is a standard for all apps. You can use the same tools and methods to help decompile your applications and other applications, especially malware, in order to see and understand what the code is actually doing.

So, say we have our malicious malware such as "file.apk".

A lot of these tools can be used in Windows as well as Linux, however I happen to be using Windows for this tutorial.
For Linux: sh dex2jar.sh file.apk
For Windows: dex2jar.bat file.apk



This will create the file called file_dex2jar.jar. Now we can easily view our app's code with jd-gui.
Simply just click on the jd-gui and open the file_dex2jar.jar.


 Now we can easily read and see the code.

Further Research/Advanced Topics:

  • Code Obfuscation 
  • Decompiling Manifest Files
  • Obtaining the Resources - images, etc.

For Related Articles:

http://blog.burrowsapps.com/2012/02/hacking-facebook-for-android.html