    242 pages, 83 B/W illustrations; published by Auerbach Publications.

    The rapid growth and development of Android-based devices has resulted in a wealth of sensitive information on mobile devices that offer minimal malware protection. This has created an immediate need for security professionals that understand how to best approach the subject of Android malware threats and analysis.

    In Android Malware and Analysis, Ken Dunham, renowned global malware expert and author, teams up with international experts to document the best tools and tactics available for analyzing Android malware. The book covers both methods of malware analysis: dynamic and static.

    This tactical and practical book shows you how to use dynamic malware analysis to observe the behavior of an application or malware sample as it executes on the system. It also describes how to apply static analysis to break apart the application or malware with reverse engineering tools and techniques, recreating the actual code and algorithms used.

    The book presents the insights of experts in the field, who have already sized up the best tools, tactics, and procedures for recognizing and analyzing Android malware threats quickly and effectively. You also get access to an online library of tools that supplies what you will need to begin your own analysis of Android malware threats. Tools available on the book’s site include updated information, tutorials, code, scripts, and author assistance.

    This is not a book on Android OS, fuzz testing, or social engineering. Instead, it is about the best ways to analyze and tear apart Android malware threats. After reading the book, you will be able to immediately implement the tools and tactics covered to identify and analyze the latest evolution of Android threats.

    Updated information, tutorials, a private forum, code, scripts, tools, and author assistance are available at AndroidRisk.com for first-time owners of the book.

    Introduction to the Android Operating System and Threats
    Android Development Tools
    Risky Apps
    Looking Closer at Android Apps

    Malware Threats, Hoaxes, and Taxonomy
    2010
         FakePlayer 
         DroidSMS 
         FakeInst 
         TapSnake
         SMSReplicator 
         Geinimi
    2011 
         ADRD 
         Pjapps 
         BgServ 
         DroidDream 
         Walkinwat 
         zHash 
         DroidDreamLight
         Zsone 
         BaseBridge 
         DroidKungFu
         GGTracker 
         jSMSHider 
         Plankton 
         GoldDream 
         DroidKungFu2 
         GamblerSMS 
         HippoSMS 
         LoveTrap 
         Nickyspy
         SndApps 
         Zitmo 
         DogWars 
         DroidKungFu3 
         GingerMaster 
         AnserverBot
         DroidCoupon 
         Spitmo 
         JiFake 
         Batterydoctor
    2012 
         AirPush 
         Boxer 
         Gappusin 
         Leadbolt 
         Adwo 
         Counterclank
         SMSZombie
         NotCompatible 
         Bmaster 
         LuckyCat 
         DrSheep
    2013 
         GGSmart
         Defender 
         Qadars
         MisoSMS 
         FakeRun 
         TechnoReaper 
         BadNews
         Obad
    2014 
         DriveGenie 
         Torec 
         OldBoot 
         DroidPack

    Open Source Tools
    Locating and Downloading Android Packages
    Vulnerability Research for Android OS
    Antivirus Scans
    Static Analysis 
         Linux File Command 
         Unzip the APK 
         Strings 
         Keytool Key and Certificate Management Utility
         DexID 
         DARE 
         Dex2Jar 
         JD-GUI 
         JAD 
         APKTool 
         AndroWarn
         Dexter 
         VisualThreat
    Sandbox Analysis 
         AndroTotal 
         APKScan 
         Mobile Malware Sandbox 
         Mobile Sandbox
    Emulation Analysis 
         Eclipse 
         DroidBox 
         AppsPlayground
    Native Analysis 
         Logcat 
         Traceview and Dmtracedump 
         Tcpdump
    Reverse Engineering 
         Androguard 
         AndroidAuditTools 
         Smali/Baksmali 
         AndBug
    Memory Analysis 
         LiME
         Memfetch 
         Volatility for Android 
         Volatilitux

    Static Analysis
    Collections: Where to Find Apps for Analysis 
         Google Play Marketplace
         Marketplace Mirrors and Cache 
         Contagio Mobile
         Advanced Internet Queries 
         Private Groups and Rampart Research Inc. 
         Android Malware Genome Project
    File Data
    Cryptographic Hash Types and Queries
    Other Metadata 
         Antivirus Scans and Aliases 
         Unzipping an APK
         Common Elements of an Unpacked APK File
         Certificate Information 
         Permissions 
         Strings
         Other Content of Interest within an APK
    Creating a JAR File
    VisualThreat Modeling
    Automation
    (Fictional) Case Study

    Android Malware Evolution

    Android Malware Trends and Reversing Tactics

    Behavioral Analysis
    Introduction to AVD and Eclipse
    Downloading and Installing the ADT Bundle
    The Software Development Kit Manager
    Choosing an Android Platform
    Choosing a Processor
    Using HAXM
    Configuring Emulated Devices within AVD
    Location of Emulator Files
    Default Image Files
    Runtime Images: User Data and SD Card
    Temporary Images
    Setting Up an Emulator for Testing
    Controlling Malicious Samples in an Emulated Environment
    Additional Networking in Emulators
    Using the ADB Tool
    Using the Emulator Console
    Applications for Analysis
    Capabilities and Limitations of the Emulators
    Preserving Data and Settings on Emulators
    Setting Up a Physical Device for Testing
    Limitations and Capabilities of Physical Devices
    Network Architecture for Sniffing in a Physical Environment
    Applications for Analysis
    Installing Samples to Devices and Emulators
    Application Storage and Data Locations
    Getting Samples Off Devices
    The Eclipse DDMS Perspective
    Devices View 
         Network Statistics 
         File Explorer 
         Emulator Control 
         System Information
    LogCat View 
         Filtering LogCat Output
    Application Tracing
    Analysis of Results
    Data Wiping Method
    Application Tracing on a Physical Device
    Imaging the Device
    Other Items of Interest
         Using Google Services Accounts
         Sending SMS Messages 
         Getting Apps from Google Play 
         Working with Databases
    Conclusion

    Building Your Own Sandbox
    Static Analysis
    Dynamic Analysis
    Working Terminology for an Android Sandbox 
         Android Internals Overview 
         Android Architecture
         Applications 
         Applications Framework 
         Libraries
         Android Runtime
         The Android Kernel
    Build Your Own Sandbox
    Tools for Static Analysis
         Androguard
         Radare2 
         Dex2Jar and JD-GUI 
         APKInspector 
         Keytool 
    Tools for Dynamic Analysis 
         TaintDroid 
         DroidBox 
         DECAF 
         TraceDroid Analysis Platform 
         Volatility Framework
    Sandbox Lab (Codename AMA) 
         Architecture 
         Host Requirements 
         Operating System 
         Configuration
         Running Sandbox 
         What Happens When You Upload Malware Samples, from a Dynamic Analysis Point of View 
         Conclusions about AMA

    Case Study Examples
    Usbcleaver 
         Checkpoint 
         Static Analysis 
         Checkpoint
         Dynamic Analysis 
         Launch of the APK
         Summary
    Torec

    Bibliography

    Index

    Biography

    Ken Dunham has nearly two decades of experience on the front lines of information security. He currently works as a principal incident intelligence engineer for iSIGHT Partners and as CEO of the nonprofit Rampart Research. Dunham regularly briefs top-level executives and officials in Fortune 500 companies and manages major newsworthy incidents globally. Formerly, he led training efforts as a contractor for the U.S. Air Force for U-2 reconnaissance, Warthog Fighter, and Predator (UAV) programs. Concurrently, he also authored top Web sites and freeware antiviruses and other software, and has taught at multiple levels on a diverse range of topics.

    Dunham is the author of multiple books, is a regular columnist, and has authored thousands of incident and threat reports over the past two decades. He holds a master’s of teacher education and several certifications: CISSP, GCFA Gold (forensics), GCIH Gold (Honors) (incident handling), GSEC (network security), GREM Gold (reverse engineering), and GCIA (intrusion detection). He is also the founder and former president of Idaho InfraGard and Boise ISSA, a member of multiple security organizations globally, and former Wildlist Organization reporter. In 2014, Dunham was awarded the esteemed ISSA International Distinguished Fellow status. Dunham is also the founder of the nonprofit organization Rampart Research, which meets the needs of over 1,000 cybersecurity experts globally.

    Shane Hartman, CISSP, GREM, is a malware engineer at iSIGHT Partners, focusing on the analysis and characteristics of malicious code. He has been in the information technology field for 20 years covering a wide variety of areas including network engineering and security. He is also a frequent speaker at local security events and teaches security courses at the University of South Florida. Hartman holds a master’s degree in digital forensics from the University of Central Florida.

    Jose Morales has been a researcher in cybersecurity since 1998, focusing on behavior-based malware analysis and detection and on suspicion assessment theory and implementation. He graduated with his Ph.D. in computer science in 2008 from Florida International University and completed a postdoctoral fellowship at the Institute for Cyber Security at the University of Texas at San Antonio. He is a senior member of the Association for Computing Machinery (ACM) and IEEE.

    Manu Quintans is a malware researcher who has been involved in the malware scene for many years as a collaborator with groups such as Hacktimes.com and Malware Intelligence, developing expertise in the disciplines of malware research and response. He currently works as an intelligence manager for a Big4 firm, performing campaign tracking of malware and supporting incident response teams in the Middle East. He also chairs a nonprofit organization called mlw.re, dedicated to the study of new online threats, which assists organizations and computer emergency response teams (CERTs) in combating such threats.

    Tim Strazzere is a lead research and response engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include reversing the Android Market protocol, Dalvik decompilers, and memory manipulation on mobile devices. Past speaking engagements have included DEFCON, BlackHat, SyScan, HiTCON, and EICAR.