Exercise 4

Thai Camera is sending SMS?

Approach

• Extract all code and resources: jadx-gui

• Inspect Manifest for suspicious permission (Send SMS): AndroidManifest.XML

• Determine if the app is sending SMS: Check the Java classes, and look for SMS send methods.

• Determine if the SMS is sent without interaction from the user.

  • How are these functions called?

  • What is the call flow?

For a camera application, some permissions are suspicious.

• Including android.permission.SEND_SMS

• Therefore, we have indications of possible taints

In com.p004cp.camera.loading and SMS is sent.

• As an action of clicking a button. With static analysis, it seems to be ok.

There is a SendMessage method with two arguments (number and text).

• Logs the event to Firebase.

• Splits the message in chunks and submits multiple SMS.

• How is the function called?

In several places, but one is strange.

Loading::onCreate

Going back to the previous location.

• The permission is requested.

• And if authorized and this.service is set, an SMS is sent automatically (without user interaction).

How to improve this process?

Flow Analysis

The execution flow can be analyzed and reconstructed, allowing us to understand entry and sink points.

• Identify all methods and their callers: Sources/Entry Points.

  • Events, Intent Receivers.

• Identify which arguments are used… eventually do a symbolic analysis.

• Identify which Android APIs are called: Sink Points.

  • Information is sent/registered using the Android API.

Taint Analysis

Identify patterns which may indicate suspicious behaviour.

• E.g. access contacts, and upload contacts.

Dynamic Analysis

Actually analyze what the application done, in real-time.

Tools

Android Studio

• If Java code can be obtained, Android Studio creates call flows.

  • Analyze Tab -> Data Flow From Here.

Quark

• One of many tools providing Flow Analysis and Taint Analysis.

• Targeted towards malware.

  • Identifies malicious or suspicious behavior, and ranks each taint.

  • Provides limited call graph information through static analysis.

• Based on smali directly from the apk.

• Installing quark:

  • pip3 install --user quark-engine

  • freshquark

• For testing the apk: quark -s –a “ThaiCamera_v1.2.apk”

• Some indicators (remember, it’s a Camera App!)

  • Get calendar information.

  • Read sensitive data(SMS, CALLLOG) and put it into JSON object.

  • Get the network operator name.

  • Get data from HTTP and send SMS.

  • Send IMSI over Internet.

  • Get the network operator name and IMSI.

  • Write SIM card serial number into a file.

  • Write the phone number into a file.

  • Check if successfully sending out SMS.