Tuesday 8 May 2018

APKiD tool — Detecting Malware And Tampered Android Apps

INTRODUCTION:

APKiD reports which packer, obfuscator and compiler were used to produce an APK. That is enough to tell an original build from a repackaged one, whether a pirated copy or one with malware injected, so it is a useful tool for a malware analyst or security researcher working on Android. Before getting into the installation, let us look at how APKiD detects compilers, packers and obfuscators by looking into the APK or DEX file.
Most of us install Android apps from the Google Play Store, where we get the original build. Third-party app stores offer the same applications, but they cannot be trusted, because the copy may carry injected malware. Apart from the tampered code itself, what sets a modified APK apart from the original is the compilation process. A modified app is typically produced by disassembling the original with apktool and recompiling it. apktool uses smali/baksmali, which are built on the dexlib library, so an app that has had malicious code injected, or that is a pirated copy, has most probably been disassembled and recompiled with dexlib rather than with the standard SDK toolchain. dexlib is one of several DEX compilers, listed below:
  • dx – standard Android SDK compiler
  • dexmerge – used for incremental builds by some IDEs (after using dx)
  • dexlib 1.x – used by older versions of smali/apktool
  • dexlib 2.x beta
  • dexlib 2.x – used by current versions of smali/apktool
APKiD looks into the APK or DEX file for the fingerprints these compilers leave behind, and reports which one produced it.
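The structures APKiD inspects are the fixed 0x70-byte DEX header and the map_list it points to; the per-compiler fingerprints themselves live in APKiD's YARA rules and are not reproduced here. The following added example (not APKiD's or Briskinfosec's code) parses those two structures so you can diff the section layout of a dx-built DEX against an apktool-rebuilt one, and adds a tamper check that needs no compiler fingerprint at all: the DEX format defines an Adler-32 checksum over everything after the checksum field and a SHA-1 signature over everything after the signature field, both of which a hand-patched DEX usually fails. The sample DEX is constructed inline (header plus a two-entry map_list) so the script runs offline; `patch_byte` simulates a raw edit that forgets to update the header.

```python
"""Minimal DEX header / map_list parser with an integrity check.

Added example, not APKiD's own code. Layout and checksum/signature
definitions follow the Android DEX format specification.
"""
import hashlib
import struct
import zlib

# header_item: magic[8], checksum u4, signature[20], then 20 u4 fields
HEADER_FMT = "<8sI20s20I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x70
assert HEADER_SIZE == 0x70

HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)

# map_item type codes from the DEX specification (subset)
MAP_TYPES = {
    0x0000: "header_item", 0x0001: "string_id_item", 0x0002: "type_id_item",
    0x0003: "proto_id_item", 0x0004: "field_id_item", 0x0005: "method_id_item",
    0x0006: "class_def_item", 0x1000: "map_list", 0x1001: "type_list",
    0x2000: "class_data_item", 0x2001: "code_item", 0x2002: "string_data_item",
    0x2003: "debug_info_item",
}


def parse_header(data):
    """Return the header_item fields as a dict."""
    if len(data) < HEADER_SIZE or not data.startswith(b"dex\n"):
        raise ValueError("not a DEX file")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    hdr = {"magic": fields[0], "checksum": fields[1], "signature": fields[2]}
    hdr.update(zip(HEADER_FIELDS, fields[3:]))
    return hdr


def parse_map_list(data, map_off):
    """Return [(type_name, item_count, offset), ...] in file order."""
    (count,) = struct.unpack_from("<I", data, map_off)
    items = []
    for i in range(count):
        typ, _unused, size, off = struct.unpack_from("<HHII", data, map_off + 4 + 12 * i)
        items.append((MAP_TYPES.get(typ, "0x%04x" % typ), size, off))
    return items


def map_layout(data):
    """Ordered section names; compilers differ in how they order these."""
    return [name for name, _size, _off in parse_map_list(data, parse_header(data)["map_off"])]


def verify_integrity(data):
    """Check the three header fields every recompile must refresh."""
    hdr = parse_header(data)
    return {
        "checksum": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == hdr["checksum"],
        "signature": hashlib.sha1(data[32:]).digest() == hdr["signature"],
        "file_size": hdr["file_size"] == len(data),
    }


def build_sample_dex():
    """Constructed sample: a header and a two-entry map_list, nothing else."""
    map_off = HEADER_SIZE
    map_list = struct.pack("<I", 2)
    map_list += struct.pack("<HHII", 0x0000, 0, 1, 0)         # header_item
    map_list += struct.pack("<HHII", 0x1000, 0, 1, map_off)   # map_list itself
    vals = [HEADER_SIZE + len(map_list), HEADER_SIZE, 0x12345678, 0, 0, map_off] + [0] * 14
    vals[18], vals[19] = len(map_list), map_off               # data_size, data_off
    header = struct.pack(HEADER_FMT, b"dex\n035\x00", 0, b"\x00" * 20, *vals)
    data = bytearray(header + map_list)
    # signature first, since the checksum covers the signature field
    data[12:32] = hashlib.sha1(bytes(data[32:])).digest()
    struct.pack_into("<I", data, 8, zlib.adler32(bytes(data[12:])) & 0xFFFFFFFF)
    return bytes(data)


def patch_byte(data, offset, value):
    """Simulate a raw patch that does not recompute the header fields."""
    out = bytearray(data)
    out[offset] = value
    return bytes(out)


if __name__ == "__main__":
    dex = build_sample_dex()
    print("layout:", map_layout(dex), "integrity:", verify_integrity(dex))
    tampered = patch_byte(dex, HEADER_SIZE + 4, 0x06)
    print("after raw patch:", verify_integrity(tampered))
```

A DEX rebuilt by apktool, dx or d8 passes the integrity check, because each tool rewrites the checksum and signature; only a file edited in place with a hex editor fails it. So a failing check is a strong tamper signal, while a passing check says nothing on its own, which is exactly why APKiD goes further and fingerprints the compiler from the layout.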

APKID INSTALLATION:

There are two ways to install APKiD: install yara-python and then APKiD itself, or use Docker. The Docker route is the simpler one and works fine for me, so that is the one described here:

INSTALLATION REQUIREMENT:

  • Docker
  • git

INSTALLATION STEPS:

After installing Docker and git, start the Docker daemon and type the following commands in a terminal:
git clone https://github.com/rednaga/APKiD

cd APKiD/

docker-compose build

cd docker/

./apkid.sh ~/example/example.apk
APKiD can scan APK, DEX and ELF files to detect the compiler used.

USAGE:

STEPS TO SCAN THE APK:

  • cd APKiD/
  • cd docker/
  • ./apkid.sh ~/example/example.apk
Here, I have scanned a deliberately vulnerable APK, the InsecureBankv2 application. The result (screenshot not reproduced here) lists the compiler that produced the DEX, the manipulator (the tool used to repackage it) and the anti-analysis checks the app performs.

CONCLUSION:

In this blog we have discussed how to detect the compiler, packer and obfuscator of an Android app with APKiD. The APKiD project is also developing a Slack bot version of the tool that lets users upload an APK file for analysis.
Briskinfosec provides mobile security solutions. For further questions or security solution advice, reach us at Contact@briskinfosec.com

REFERENCE LINK:

https://github.com/rednaga/APKiD

AUTHOR

Dinesh C
Security Engineer
Briskinfosec Technology And Consulting Pvt Ltd.,
Follow me at https://www.linkedin.com/in/dineshdinz/