DroidBox is developed to offer dynamic analysis of Android applications.
An analysis run produces the following information:
- Hashes for the analyzed package
- Incoming/outgoing network data
- File read and write operations
- Started services and loaded classes through DexClassLoader
- Information leaks via the network, file and SMS
- Circumvented permissions
- Cryptography operations performed using Android API
- Listing broadcast receivers
- Sent SMS and phone calls
First you need to install a few system packages before you can use DroidBox:
<code class="language-shell">root@kali:~# apt-get install python-virtualenv libatlas-dev liblapack-dev libblas-dev</code>
You'll need those in order to use numpy along with DroidBox. Now create a virtual environment and install the Python dependencies:
<code class="language-shell">root@kali:~/work/apk# mkdir env
root@kali:~/work/apk# virtualenv env
...
root@kali:~/work/apk# source env/bin/activate
(env)root@kali:~/work/apk# pip install numpy scipy matplotlib</code>
Inside the IPython notebook, put the Android SDK tools on the PATH and switch to the DroidBox directory:
<code class="language-python">import os
import sys

# Setup new PATH
old_path = os.environ['PATH']
new_path = old_path + ":" + "/root/work/apk/SDK/android-sdk-linux/tools:/root/work/apk/SDK/android-sdk-linux/platform-tools:/root/work/apk/SDK/android-sdk-linux/build-tools/19.1.0"
os.environ['PATH'] = new_path

# Change working directory
os.chdir("/root/work/apk/DroidBox_4.1.1/")</code>
Set up the IPython settings:
<code class="language-python">%pylab inline
import binascii
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import networkx as nx
import datetime as dt
import time
import ipy_table
from IPython.display import display_pretty, display_html, display_jpeg, display_png, display_json, display_latex, display_svg
from IPython.display import HTML
from IPython.core.magic import register_cell_magic, Magics, magics_class, cell_magic
import jinja2

# IPython settings
pd.set_option('display.height', 1000)
pd.set_option('display.max_rows', 500)
pd.set_option('display.max_columns', 500)
pd.set_option('display.max_colwidth', 100)
pd.set_option('display.width', 1000)
pd.set_option('display.column_space', 1000)</code>
Now create an Android Virtual Device.
You can run the analysis on your own Android device, but you can also use an Android virtual device, which is what is done here.
Here is the command to create the Android Virtual Device:
<code># android create avd --abi default/armeabi-v7a -n android-4.1.2-droidbox -t 1 -c 1000M
Android 4.1.2 is a basic Android platform.
Do you wish to create a custom hardware profile [no]
Created AVD 'android-4.1.2-droidbox' based on Android 4.1.2, ARM (armeabi-v7a) processor,
with the following hardware config:
hw.lcd.density=240
hw.ramSize=512
hw.sdCard=yes
vm.heapSize=48</code>
Running DroidBox against the sample installs the APK in the emulator, starts its main activity and then keeps monitoring:
<code>Waiting for the device...
Installing the application /root/work/apk/DroidBox_4.1.1/APK/FakeBanker.apk...
Running the component com.gmail.xpack/com.gmail.xpack.MainActivity...
Starting the activity com.gmail.xpack.MainActivity...
Application started
Analyzing the application during infinite time seconds...
^C</code>
DroidBox then listens for activities until you stop it with ^C.
Meanwhile I was interacting with the app and saw that DroidBox was collecting the logs during the interactions.
DroidBox then tracks and reports the following:
- File System Activities
- Network Activities
- Sent Data
- Received Data
- Request Sequence
- Crypto activities
- Activities Chart
DroidBox is a very good tool to deal with Android APKs and analyze their behaviour at run-time. It comes with a working mobile sandbox meant to inspect and monitor an application's activities. However, during my analysis I had to rely on previous analyses since the results didn't contain the full details. Not only the network traffic but also the contents read from files weren't complete. In order to fully understand a malware sample I need complete details about its behaviour. For example, I had the following response from the server, which is completely useless:
<code>HTTP/1.1 406 Not Acceptable\r\nDate: Mon, 28 Jul 2014 13:29:38 GMT\r\nServer: Apache\r\nContent-... </code>
Besides that, I was indeed able to see that the application is reading from some file. But the delivered content was once again stripped:
<code><?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n<string name="DOWNLOADDOMAIN">c... </code>
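As an added example (not code from the original post or from DroidBox itself), the following decodes a DroidBox-style JSON report with the standard library only and searches the complete payloads rather than a display preview. The section names, the timestamp-keyed entries and the hex encoding of the `data` fields are assumptions about the 4.x report format, and the sample report is constructed.

```python
import json
import binascii

# Constructed sample in the shape of a DroidBox 4.x JSON report. The section
# names, the timestamp-keyed entries and the hex-encoded "data" fields are an
# assumption about the format; every value below is made up for this example.
HTTP_406 = (b"HTTP/1.1 406 Not Acceptable\r\nDate: Mon, 28 Jul 2014 13:29:38 GMT\r\n"
            b"Server: Apache\r\nContent-Length: 14\r\n\r\nNot Acceptable")
PREFS_XML = (b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
             b"<string name=\"DOWNLOADDOMAIN\">constructed.invalid</string>\n</map>\n")
HTTP_GET = b"GET /placeholder HTTP/1.1\r\nHost: constructed.invalid\r\n\r\n"

SAMPLE_REPORT = json.dumps({
    "apkName": "APK/FakeBanker.apk",
    "fdaccess": {"3.21": {"operation": "read", "path": "/placeholder/prefs.xml",
                          "data": binascii.hexlify(PREFS_XML).decode()}},
    "sendnet": {"3.90": {"host": "203.0.113.10", "port": 80,
                         "data": binascii.hexlify(HTTP_GET).decode()}},
    "recvnet": {"4.02": {"host": "203.0.113.10", "port": 80,
                         "data": binascii.hexlify(HTTP_406).decode()}},
})

SECTIONS = ("fdaccess", "sendnet", "recvnet")

def decode_events(report_json):
    """Flatten the data-carrying sections into one time-ordered list, with the
    hex payload decoded back to the raw bytes the app read, sent or received."""
    report = json.loads(report_json)
    events = []
    for section in SECTIONS:
        for ts, ev in report.get(section, {}).items():
            payload = binascii.unhexlify(ev.get("data", ""))
            where = ev.get("path") or "%s:%s" % (ev.get("host"), ev.get("port"))
            events.append({"ts": float(ts), "section": section, "where": where,
                           "payload": payload, "size": len(payload)})
    return sorted(events, key=lambda e: e["ts"])

def find_in_payloads(report_json, needle):
    """Search the full decoded payloads (not a display preview) for a byte
    string such as a config key or host name; returns (section, where) hits."""
    return [(e["section"], e["where"]) for e in decode_events(report_json)
            if needle in e["payload"]]

if __name__ == "__main__":
    for e in decode_events(SAMPLE_REPORT):
        print("%.2f %-8s %-22s %5d bytes" % (e["ts"], e["section"], e["where"], e["size"]))
    print(find_in_payloads(SAMPLE_REPORT, b"DOWNLOADDOMAIN"))
```

Check the `size` of the decoded payload rather than what a DataFrame cell shows: pandas caps a displayed cell at `display.max_colwidth` (set to 100 above) and marks the cut with `...`, so comparing `len()` tells display truncation apart from data the sandbox never captured.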
Take your time to comment on this article.