@muhzii
Last active April 14, 2020 20:31
[GSoC] Android malware analysis in cuckoo

[GSoC] Android malware analysis support for cuckoo

Description

This project is about adding support for automated analysis of Android applications in cuckoo sandbox.

The basic idea is that you can throw an APK file at cuckoo and it should be able to monitor interactions with the system resources as well as the Android framework to detect malicious activities.

How it works

The monitoring system is built on top of the excellent instrumentation framework Frida.

We utilize Frida through its Python bindings - installed on Android - to inject an instrumentation agent which has access to a rich set of APIs. Using this functionality, we are able to monitor calls made to Android and Java framework APIs to identify the interesting workflow of the sample.

The obtained information can either be viewed separately or used for further processing to acquire more information about the sample.

There is a wiki page with instructions on how to use it: https://github.com/muhzii/cuckoo/wiki/Cuckoo-Android-analysis
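The agent described above is generated from a configuration of Java APIs to hook. As an added example (not the project's own hook generator or configuration format, which are assumptions here), this Python script renders a Frida agent from a small list of class/method entries. Every overload of each method is instrumented, and the arguments and return value are reported back to the host with Frida's send(). Class and method names are validated as identifiers before they are embedded, so a malformed configuration entry cannot inject arbitrary JavaScript into the agent.

```python
"""Render a Frida Java-API hook agent from a hook configuration.

Added example, not code from the cuckoo project: the configuration format
(a list of {"class": ..., "method": ...} entries) is an assumption.
"""
import json
import re

# Java identifiers may contain '$' (inner classes); dots separate packages.
IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
CLASS = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Constructed sample configuration: framework APIs worth observing.
HOOK_CONFIG = [
    {"class": "android.telephony.TelephonyManager", "method": "getDeviceId"},
    {"class": "android.telephony.SmsManager", "method": "sendTextMessage"},
    {"class": "java.io.File", "method": "delete"},
]


def render_hook(cls, method):
    """Return the JavaScript that hooks every overload of cls.method."""
    if not CLASS.match(cls) or not IDENT.match(method):
        raise ValueError("refusing to embed non-identifier in agent: %r.%r" % (cls, method))
    # json.dumps yields a JS-safe string literal for the event fields.
    cls_js, method_js = json.dumps(cls), json.dumps(method)
    return f"""\
  (function () {{
    var klass = Java.use({cls_js});
    // hook every overload so a call through any signature is observed
    klass.{method}.overloads.forEach(function (ov) {{
      ov.implementation = function () {{
        var args = Array.prototype.slice.call(arguments).map(String);
        var ret = ov.apply(this, arguments);
        send({{"type": "java_api", "class": {cls_js}, "method": {method_js},
              "args": args, "ret": ret == null ? null : String(ret)}});
        return ret;
      }};
    }});
  }})();"""


def generate_agent(config):
    """Wrap all rendered hooks in Java.perform so they run on the Java VM thread."""
    body = "\n".join(render_hook(h["class"], h["method"]) for h in config)
    return "Java.perform(function () {\n" + body + "\n});\n"


if __name__ == "__main__":
    print(generate_agent(HOOK_CONFIG))
```

The generated script is what the host-side Python (via the Frida bindings) would load into the target process; each hooked call arrives on the host as one JSON message of type `java_api`, which is the shape a log parser on the analysis side can consume.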

What I have done

  • Integrated Frida with the Android analyzer through its Python bindings.
  • Upgraded both the cuckoo agent and the Android analyzer to Python 3.
  • Added support for analyzing Android SDK versions >= 5.0.
  • Added instrumentation for Android Java API calls inside the application.
  • Added monitoring for file system accesses through native calls monitoring.
  • Automated the building of Frida's Python bindings on Android.
  • Upgraded the support for the Android emulator as a machinery engine.
  • Added user interface interaction for automated code coverage.
  • Upgraded the androguard static analysis component.
  • Added support for dumping process memory to extract executable dex files as well as interesting strings.
  • Automated the process of creating and preparing a virtual device for analysis.
  • Implemented common techniques for hindering the detection of the virtual environment.

Unfinished work

Most of the essential tasks have been implemented; however, some things have been left out:

  • The NAT networking setup in the emulator is limited for sandbox usage. By default, the emulator uses QEMU user-mode networking, which performs address translation on all network traffic. This has two implications for cuckoo: first, we cannot run multiple VMs connected to a single resultserver, because all traffic would appear to come from localhost; second, in QEMU SLIRP mode the guest can find a way to reach the host machine, which is not safe to allow for an untrusted environment. To work around this, the networking mode should be set up to use a TAP interface instead. This limitation was discovered late in the work phase, and the code was therefore planned to be reworked accordingly.
  • Adding test cases for the Android analyzer.
  • Enriching the codebase with more signatures.
  • Adding support for physical devices.
  • Extending anti-emulation techniques through sensor API emulation.

Related code sections

A main pull request for the cuckoo repository containing all of the commits.
A separate repository for a memory dumping utility; the binaries built from it are utilized in the Android Analyzer.
Summary of commits / changes / new code sections:
  • Shell script to build the Python interpreter used for Android analysis
  • Shell script to automate the creation of virtual devices.
  • Python script to automate the generation of Android API hooks.
  • The configuration file for the Java API hooks.
  • The avd machinery module (completely reworked)
  • The behavioral analysis module for parsing logs obtained from the instrumentation.
  • Implementation of static analysis features of APKs
  • New Auxiliary module in the Android analyzer for UI testing automation support.
  • The APK analysis package module (completely reworked).
  • Added process api module for doing some process-specific operations including dumping the process memory.
  • The Javascript instrumentation agent which does multiple things including monitoring the Java API and native calls for filesystem operations.
  • A modular interface for Frida's components.
  • A new auxiliary module to disguise the virtual environment, typically via binding to mock files instead of original.
  • The abstracts module (reworking for the abstract Package to support Frida).
  • Extracting dex executables from process memory.
  • Web interface support for static analysis.
  • Web interface support for behavioral analysis.
  • Upgrade of the cuckoo agent to Python 3.
  • Upgrades for the Android Analyzer (including porting to Python 3).
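The behavioral analysis module and the instrumentation agent listed above meet at the log the agent emits. As an added example (not the project's own behavioral module; the event format of one JSON object per line and the two signature rules are assumptions), this Python code parses such a log, tolerating junk lines that can interleave with instrumentation output, and summarizes Java API calls, native filesystem accesses and which simple signatures matched.

```python
"""Parse instrumentation events into a behavior summary.

Added example, not the project's behavioral analysis module. The event
format (one JSON object per line, as an agent's send() might emit) and the
signature rules are assumptions chosen for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log: three Java API events, two native filesystem
# events, and one non-JSON line that a robust parser must skip.
SAMPLE_LOG = """\
{"type": "java_api", "class": "android.telephony.TelephonyManager", "method": "getDeviceId", "args": [], "ret": "000000000000000"}
{"type": "native_fs", "call": "open", "path": "/data/data/com.example.app/files/config.bin", "mode": "r"}
{"type": "native_fs", "call": "open", "path": "/data/data/com.example.app/files/out.dat", "mode": "w"}
{"type": "java_api", "class": "android.telephony.SmsManager", "method": "sendTextMessage", "args": ["+100000000", "null", "hello", "null", "null"], "ret": null}
{"type": "java_api", "class": "android.telephony.SmsManager", "method": "sendTextMessage", "args": ["+100000001", "null", "hello", "null", "null"], "ret": null}
not json at all
"""

# Signature name -> set of (class, method) pairs whose presence triggers it.
SIGNATURES = {
    "reads_device_identifier": {("android.telephony.TelephonyManager", "getDeviceId")},
    "sends_sms": {("android.telephony.SmsManager", "sendTextMessage")},
}


def parse_events(text):
    """Return the well-formed event dicts in text, skipping unparsable lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # Interleaved non-JSON output must not abort the whole analysis.
            continue
        if isinstance(ev, dict) and "type" in ev:
            events.append(ev)
    return events


def summarize(events):
    """Aggregate events into API call counts, file accesses and matched signatures."""
    api_calls = Counter()
    fs_by_mode = defaultdict(set)
    for ev in events:
        if ev["type"] == "java_api":
            api_calls[(ev["class"], ev["method"])] += 1
        elif ev["type"] == "native_fs":
            fs_by_mode[ev.get("mode", "?")].add(ev["path"])
    matched = sorted(
        name for name, apis in SIGNATURES.items()
        if any(api in api_calls for api in apis)
    )
    return {
        "api_calls": api_calls,
        "fs": {mode: sorted(paths) for mode, paths in fs_by_mode.items()},
        "signatures": matched,
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    print(json.dumps({k: (dict(v) if k == "api_calls" else v) for k, v in report.items()},
                     default=str, indent=2))
```

Counting calls per (class, method) pair rather than keeping every argument is deliberate: a sample that sends the same SMS in a loop produces one summary line with a count, which is what a signature or an analyst wants to see first, while the raw events remain available for drill-down.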

Attribution

I would like to thank Ricardo van Zutphen for his assistance and cooperation during this project, as well as Jurriaan Bremer for this opportunity to work with an awesome community.
