
Android Application Malware Analysis

Mini-Module

This module offers a hands-on introduction to the world of Android malware analysis. It covers common malware types, the ways they abuse system permissions, and the techniques used to avoid detection. Students will also explore advanced threats such as embedded stack-based virtual machines and the theft of two-factor authentication tokens. By the end of the course, students will be able to classify malware threats and identify malicious behaviors within Android applications.

5.00

Created by bertolis

Hard Offensive

Summary

The Android Application Malware Analysis module explores how malware targets vulnerabilities in the Android operating system. Building on the previous three modules, it delves into the specialized study of Android-specific threats.

In this module, we will cover:

  • Detailed classification of the various malware types that target Android devices, emphasizing their characteristics and methods of attack.
  • Malware analysis methodologies and tools.
  • Thorough exploration of permission abuses, where students will learn to recognize vulnerabilities linked to Android's permission model.
  • Advanced analysis techniques for:
    • Uncovering detection evasion strategies.
    • Unraveling embedded custom virtual machines used to hide the malicious code.
    • Uncovering the exploitation mechanisms of two-factor authentication (2FA) tokens.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections, on an emulated or physical Android device as directed, or in your own virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Hard" and assumes a working knowledge of Android static and dynamic analysis techniques.

Having completed the modules listed below is sufficient for successfully completing this module:

Introduction

Android malware refers to malicious software targeting Android devices with the intent to disrupt normal operations, steal sensitive data, or gain unauthorized access. It commonly spreads via apps from unofficial sources, phishing scams, third-party app stores, or even legitimate platforms like the Google Play Store. Often disguised as legitimate applications, malware deceives users into installing it, compromising their security.

A key feature of many Android malware types is their ability to conceal malicious behavior: evading detection, maintaining persistence, and exploiting users financially.


Common Types of Android Malware

An application can be classified as malware if it displays behavior from any of the categories below. Note that it is not uncommon for apps to fall into multiple categories simultaneously.

Ransomware

Ransomware encrypts user data or locks the device, demanding payment for restoration. It operates in two primary modes:

  1. Data Encryption: Personal files (e.g., photos, videos, documents) are encrypted with a key known only to the attacker. Victims must pay a ransom to obtain the decryption key.
  2. Screen Locking: The malware disables access by overlaying the screen with a ransom message, preventing interaction with the device.

Spyware

Spyware secretly monitors a device without the user's consent. It can track location, read messages and emails, and even activate the camera or microphone. To do this, it often asks for powerful permissions during setup, especially Accessibility Service, which gives deep access to the system. Once granted, it can pull sensitive data like contacts, call logs, texts, and emails. That data is usually sent to a command-and-control (C2) server and may be sold or used for further attacks.

Stalkerware

Stalkerware is intrusive software secretly installed to monitor an individual's activities. Unlike traditional spyware, stalkerware is often installed by someone with physical access to the target's device, such as a jealous partner or controlling parent. It runs in the background, quietly tracking location, reading texts, checking call history, and accessing photos or social media. Once active, it sends the data back to the person who installed it, allowing them to keep tabs on the victim's private life.

Adware

Adware is software that injects pop-ups, banners, or other advertisements into a device, mainly to generate revenue. It's often bundled with free apps and usually installs alongside them, typically without the user's knowledge. Once active, it can flood the screen with unwanted ads, sometimes linking to risky websites. This type of malware may make itself difficult to remove, slowing down the device and limiting the user's control over their data and browsing experience.

A common subtype is Click Fraud, where the app secretly triggers ad clicks (often through hidden WebViews or tiny, invisible ad frames) to drive up revenue without the user knowing.

Trojan

Trojans are malicious applications disguised as legitimate software to trick users into installing them. Once executed, they can steal sensitive information, spy on user activity, send premium-rate SMS messages, or recruit the device into a botnet. Trojans typically rely on social engineering to gain an initial foothold, then connect to a command-and-control server to receive instructions or download additional payloads.

Denial of Service (DoS)

A Denial of Service (DoS) attack aims to overload a device or network, making it slow, unstable, or completely unresponsive. On Android, DoS malware floods the device with requests to use up bandwidth, drain the battery, or exhaust system resources. These attacks are often run as part of a larger targeted campaign.

Rooting Malware

Rooting malware exploits vulnerabilities in the Android OS to gain root access, bypassing built-in security mechanisms and installing itself with elevated privileges. Once rooted, it can change system settings, remove security controls, and wreak havoc with super-user privileges. These threats often use unpatched exploits (identified by CVE IDs) to escalate privileges. Because they enable full device control, rooting malware poses a serious risk and opens the door to all other types of malicious activity.

Backdoor

Backdoors implant a hidden remote access channel within a compromised device, allowing attackers to bypass normal authentication and execute commands at will. Unlike Trojans, which focus on deceptive delivery, backdoors provide persistent access and are built into seemingly benign software or dropped after exploiting a vulnerability. They use encrypted C2 communications and code obfuscation to evade detection, maintain long-term stealth, and exfiltrate data.

Billing Fraud

Malware in this category forces unauthorized charges by abusing billing permissions. It operates stealthily and uses background services to avoid detection.

Fraud Type | Description
SMS Fraud | Sends premium-rate SMS messages by abusing the SEND_SMS permission.
Call Fraud | Initiates calls to premium numbers using the CALL_PHONE permission, often without showing the dialer interface.
Toll Fraud | Subscribes users to paid services by disabling Wi-Fi with CHANGE_WIFI_STATE and using mobile data for carrier authentication.

Botnet

Botnets are armies of compromised "zombie" devices secretly enrolled into a single network under attacker control, often via malicious downloads, phishing links, or secondary payloads. Once connected to their command-and-control infrastructure, these infected hosts can be used for Distributed Denial of Service (DDoS) attacks, spam campaigns, and any operation whose impact grows with each additional bot.

Keylogger

Keyloggers operate silently in the background, recording the user's keystrokes by hooking into the OS or keyboard input APIs. Once captured, this trove of sensitive data is stealthily exfiltrated to the attacker's server, all without alerting the user.

Phishing Malware

Phishing malware deploys deceptive overlays and mimics legitimate websites, tricking users into entering their credentials and other sensitive data (such as banking details or crypto wallet keys). It's often delivered via SMS, email, or malicious apps, using fake URLs and UI elements that are difficult to distinguish from the real thing on mobile browsers.

Spam Malware

Spam malware floods devices with unsolicited messages, often using the device's contact list to spread further. Spam is known for degrading device performance and increasing data usage.


Known Malware Families

A Malware Family consists of related variants that share code or behavior.

Malware Family | Description
Judy | Auto-clicking adware found in 41 apps, infecting up to 36.5 million devices.
Ghost Push | Roots devices and installs adware. It slows performance, drains battery, and uses excessive data.
HummingBad | Installs rootkits and fraudulent apps, generating up to $300,000 per month at its peak.
Gooligan | Steals authentication tokens and accesses Google services like Gmail, Drive, and Photos.
Loapi | Multifunctional malware with crypto mining, adware, DDoS, and more. It can even cause physical damage to devices.
BankBot | Targets banking apps with overlays to steal login credentials.
DroidKungFu | Uses root exploits to take control of the device and steal data.
Anubis | Banking Trojan with keylogging, screen capture, and ransomware features.
Joker | Spyware and billing fraud malware found on the Play Store. It can steal SMS, log calls, and sign users up for premium services.

Methodology & Tools

Android Malware Analysis is the systematic process of examining Android applications to identify, characterize and mitigate malicious behavior. It combines several complementary approaches:

  • Static Analysis: Reviews code (e.g., permissions, structure) without running the app.
  • Dynamic Analysis: Observes app behavior during execution.
  • Reverse Engineering: Analyzes compiled native code for hidden or obfuscated functions.

Tool | Purpose
ADB | Installs apps, provides shell access, and supports debugging.
JADX | Decompiles APKs into readable Java-like code.
APKTool | Breaks down APKs into Smali code and extracts resources.
Ghidra | Decompiles native libraries to reveal deeper app behavior.
Frida | Injects custom scripts to monitor app behavior in real time.
Burp Suite | Intercepts and analyzes traffic between the app and its servers.
Wireshark | Passively captures and inspects network packets.
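The static-analysis step above (reviewing permissions without running the app) and the billing-fraud permissions listed earlier can be combined into a first-pass triage script. The following is an added example and not part of the module or any HTB tooling; it assumes a decoded AndroidManifest.xml such as the one APKTool writes out, and the sample manifest embedded below is constructed for illustration. The permission groupings are triage heuristics only: a flashlight app requesting SEND_SMS and an accessibility service is worth a closer look, but permission presence alone is not proof of malicious intent.

```python
"""Static triage of a decoded AndroidManifest.xml for permission patterns
associated with the malware categories discussed above (billing fraud,
spyware, accessibility abuse). Added example, not module code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:<name> attribute, which ElementTree keys by full namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

# Heuristic groupings: permission sets commonly tied to each category.
# The billing-fraud entries mirror the SEND_SMS / CALL_PHONE / CHANGE_WIFI_STATE
# mapping given in the fraud table; the spyware set is this example's assumption.
INDICATORS = {
    "sms_fraud": {"android.permission.SEND_SMS"},
    "call_fraud": {"android.permission.CALL_PHONE"},
    "toll_fraud": {"android.permission.CHANGE_WIFI_STATE"},
    "spyware": {
        "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}

# An accessibility service is declared with this permission and/or intent action.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

def _is_accessibility_service(service):
    if _attr(service, "permission") == ACCESSIBILITY_PERMISSION:
        return True
    return any(_attr(a, "name") == ACCESSIBILITY_ACTION for a in service.iter("action"))

def parse_manifest(xml_text):
    """Return (requested permissions, names of declared accessibility services)."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    services = {_attr(s, "name") for s in root.iter("service") if _is_accessibility_service(s)}
    return perms, services

def triage(xml_text):
    """Map each indicator category to the matching permissions found in the manifest."""
    perms, accessibility_services = parse_manifest(xml_text)
    findings = {}
    for category, needed in INDICATORS.items():
        hit = sorted(perms & needed)
        if hit:
            findings[category] = hit
    if accessibility_services:
        findings["accessibility_service"] = sorted(accessibility_services)
    return findings

# Constructed sample: a "flashlight" app with a suspicious permission profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <application android:label="Flashlight">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(evidence)}")
```

Run against a real decoded manifest by reading the file into `triage()`; the output is a list of categories to prioritise for dynamic analysis with Frida or traffic inspection with Burp Suite, not a verdict on its own.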
