Notes - MCS
Reverse Engineering
Android – Static Analysis

Exercise 4

Last updated 1 year ago

Thai Camera is sending SMS?

Approach

  • Extract all code and resources: jadx-gui

  • Inspect the Manifest for suspicious permissions (Send SMS): AndroidManifest.xml

  • Determine if the app is sending SMS: Check the Java classes, and look for SMS send methods.

  • Determine if the SMS is sent without interaction from the user.

    • How are these functions called?

    • What is the call flow?
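The first three steps of this approach (pull the decompiled output, check the manifest against what a camera app should need, search the Java classes for SMS sink APIs) can be scripted. The following is an added example written for these notes, not code from the course or from jadx; the manifest fragment and the Java snippet are constructed to mirror the exercise, not copied from ThaiCamera_v1.2.apk, and the CAMERA_BASELINE permission set is an assumption about what a plain camera app needs.

```python
"""Static triage of an APK's decompiled output: flag permissions that are
unusual for the app's stated purpose, then locate SMS sink calls in the
decompiled Java.  Added example for these notes; the manifest and the Java
source below are constructed, not taken from the real APK."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment: a camera app that also asks for SMS rights.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.p004cp.camera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Assumption: permissions a plain camera app can reasonably be expected to hold.
CAMERA_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# Android SmsManager methods through which a text message leaves the device.
SMS_SINKS = ("sendTextMessage", "sendMultipartTextMessage", "sendDataMessage")


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def suspicious_permissions(manifest_xml: str, baseline=CAMERA_BASELINE) -> list[str]:
    """Declared permissions that fall outside the expected baseline."""
    return [p for p in declared_permissions(manifest_xml) if p not in baseline]


# Constructed decompiled Java, modelled on the SendMessage method described in the notes.
JAVA_SOURCE = """package com.p004cp.camera.loading;
public class Loading extends Activity {
    public void SendMessage(String number, String text) {
        SmsManager sms = SmsManager.getDefault();
        ArrayList<String> parts = sms.divideMessage(text);   // split into chunks
        sms.sendMultipartTextMessage(number, null, parts, null, null);
    }
}"""

_SINK_RE = re.compile(r"\b(" + "|".join(SMS_SINKS) + r")\s*\(")


def find_sms_sinks(java_source: str) -> list[tuple[int, str]]:
    """(line number, API name) for each SMS sink call found in decompiled Java."""
    hits = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for m in _SINK_RE.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    print("suspicious permissions:", suspicious_permissions(MANIFEST))
    print("SMS sinks:", find_sms_sinks(JAVA_SOURCE))
```

On a real jadx export you would feed `resources/AndroidManifest.xml` to `suspicious_permissions` and walk the `sources/` tree calling `find_sms_sinks` on each `.java` file; a hit on a sink only tells you that the capability exists, and the remaining steps (who calls the method, and whether a user action sits on that path) still have to be answered.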

For a camera application, some permissions are suspicious.

  • Including android.permission.SEND_SMS

  • Therefore, we have indications of possible taints

In com.p004cp.camera.loading an SMS is sent.

  • As an action of clicking a button. With static analysis alone, this seems to be OK.

There is a SendMessage method with two arguments (number and text).

  • Logs the event to Firebase.

  • Splits the message in chunks and submits multiple SMS.

  • How is the function called?

In several places, but one is strange.

Going back to the previous location.

  • The permission is requested.

  • And if authorized and this.service is set, an SMS is sent automatically (without user interaction).

How to improve this process?

Flow Analysis

The execution flow can be analyzed and reconstructed, allowing us to understand entry and sink points.

  • Identify all methods and their callers: Sources/Entry Points.

    • Events, Intent Receivers.

  • Identify which arguments are used… eventually do a symbolic analysis.

  • Identify which Android APIs are called: Sink Points.

    • Information is sent/registered using the Android API.

Taint Analysis

Identify patterns which may indicate suspicious behaviour.

  • E.g. access contacts, and upload contacts.
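The flow and taint analysis described above (entry points as sources, Android APIs as sinks, and the question of whether a path from source to sink needs user interaction) can be demonstrated over a call graph recovered from the decompiled code. The following is an added example written for these notes, not code from the course, jadx or Quark; the call graph is constructed from the exercise narrative (onCreate requests the permission, the permission result triggers SendMessage, a button click also reaches SendMessage), and the callback name onRequestPermissionsResult and the class names ShareActivity and Loading.loadService are assumptions, not names taken from the APK.

```python
"""Toy flow/taint analysis over a call graph: which entry points reach an SMS
sink, and does any such path avoid user interaction?  Added example for these
notes; the graph below is constructed to mirror the exercise, not recovered
from the real APK."""

# Entry points (sources), grouped by whether reaching them needs a user action.
USER_TRIGGERED = {"onClick", "onLongClick", "onTouch"}
AUTOMATIC = {"onCreate", "onReceive", "onStartCommand", "onRequestPermissionsResult"}

# Sink points: Android APIs through which data leaves the device.
SINKS = {"SmsManager.sendMultipartTextMessage", "SmsManager.sendTextMessage"}

# Constructed call graph: caller -> callees.  The permission callback is an
# entry point of its own because the framework, not the app, invokes it.
CALL_GRAPH = {
    "Loading.onCreate": ["ActivityCompat.requestPermissions", "Loading.loadService"],
    "Loading.onRequestPermissionsResult": ["Loading.SendMessage"],
    "Loading.loadService": ["FirebaseAnalytics.logEvent"],
    "ShareActivity.onClick": ["Loading.SendMessage"],
    "Loading.SendMessage": [
        "FirebaseAnalytics.logEvent",          # logs the event to Firebase
        "SmsManager.divideMessage",            # splits the message in chunks
        "SmsManager.sendMultipartTextMessage", # submits multiple SMS
    ],
}


def entry_kind(method: str):
    """'user-triggered', 'automatic', or None if the method is not an entry point."""
    name = method.rsplit(".", 1)[-1]
    if name in USER_TRIGGERED:
        return "user-triggered"
    if name in AUTOMATIC:
        return "automatic"
    return None


def _walk(graph, node, path, sinks, out, kind):
    """Depth-first enumeration of simple paths from `path[0]` to any sink."""
    for callee in graph.get(node, []):
        if callee in path:          # skip cycles such as recursion
            continue
        new_path = path + [callee]
        if callee in sinks:
            out.append((kind, new_path))
        else:
            _walk(graph, callee, new_path, sinks, out, kind)


def paths_to_sinks(graph, sinks):
    """Every (entry kind, path) from an entry point to a sink, in graph order."""
    results = []
    for entry in graph:
        kind = entry_kind(entry)
        if kind is not None:
            _walk(graph, entry, [entry], sinks, results, kind)
    return results


def automatic_sink_paths(graph, sinks):
    """Paths that reach a sink without any user-triggered entry point: the taints."""
    return [path for kind, path in paths_to_sinks(graph, sinks) if kind == "automatic"]


if __name__ == "__main__":
    for kind, path in paths_to_sinks(CALL_GRAPH, SINKS):
        print(f"[{kind}] " + " -> ".join(path))
```

The button-click path is the one the static analysis at first judged to be fine; the path starting at the permission callback is the one that matters, because nothing on it requires a user action beyond granting the permission. In a real analysis the graph comes from the decompiler (jadx's usage search, or Android Studio's Data Flow view) and the entry-point sets should also include Intent receivers and service entry points declared in the manifest.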

Dynamic Analysis

Actually observe what the application does, at run time.

Tools

Android Studio

  • If Java code can be obtained, Android Studio creates call flows.

    • Analyze Tab -> Data Flow From Here.

Quark

  • One of many tools providing Flow Analysis and Taint Analysis.

  • Targeted towards malware.

    • Identifies malicious or suspicious behavior, and ranks each taint.

    • Provides limited call graph information through static analysis.

  • Based on smali directly from the apk.

  • Installing quark:

    • pip3 install --user quark-engine

    • freshquark

  • For testing the apk: quark -a "ThaiCamera_v1.2.apk" -s

  • Some indicators (remember, it’s a Camera App!)

    • Get calendar information.

    • Read sensitive data (SMS, CALLLOG) and put it into JSON object.

    • Get the network operator name.

    • Get data from HTTP and send SMS.

    • Send IMSI over Internet.

    • Get the network operator name and IMSI.

    • Write SIM card serial number into a file.

    • Write the phone number into a file.

    • Check if successfully sending out SMS.

Figure: decompiled Loading::onCreate (the screenshot is not reproduced in this text).