In my endless pursuit of growth and development, I have decided to take on another challenge: malicious Android application research. There have been many stories of researchers finding malicious mobile applications either trying to steal your private information or presenting a barrage of annoying ads to generate revenue, and new stories seem to come out semi-regularly. That said, my interest in this matter was piqued and I wanted to see what this was all about!
My experience started much like anything else I do: with a simple online search for “how to reverse engineer apks” and other similar queries. I will say that there are many open source Android APK reverse engineering tools and resources available. Each component does its own thing and may or may not eventually get included in a framework that makes analysis that much easier. However, before getting into the frameworks, I wanted to start with a few known components to see what value they add to the reverse engineering process.
Lastly, during my research and when testing tools out myself, I also came across information that sparked a few questions: what constitutes a malicious app, how do their developers obfuscate code, how does the code bypass Google’s security in the first place, and so on. With time, the dots will eventually connect, and I will get my answers and write about them. In the meantime, however, this post will cover what malicious behavior within apps looks like and what security measures are already in place.
Malicious Behaviors in Applications
For starters, many apps on the Google Play Store require permissions to work appropriately. It should be common knowledge not to grant a permission that exposes a potentially private phone feature to an application whose purpose doesn’t fit the request. That is, don’t blindly approve permission requests just because an application asks. For example, a game that wants to read your contacts or your text messages is a red flag. Likewise, self-contained learning applications shouldn’t need access to your camera or storage without a good explanation as to why the permissions are needed.
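As an added illustration of the “does the permission fit the app?” check (this is example code, not from the original post or any tool it mentions), the script below reads the permissions an app declares in its decoded AndroidManifest.xml and reports sensitive ones that a reviewer would not expect for that kind of app. The permission names are real Android permissions; the sensitive-permission subset, the per-category expectations and the sample manifest for a fictional “com.example.torch” flashlight app are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of Android's runtime ("dangerous") permissions that guard
# private data or sensors. Android defines more; this is not the full list.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.SEND_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
}

# Hypothetical expectations: which sensitive permissions are plausible for a
# given app category. Anything sensitive outside the set is reported for review.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},
    "game": set(),
    "messaging": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
        "android.permission.READ_CONTACTS",
    },
    "camera": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
}

# Constructed manifest for a fictional flashlight app that also asks for SMS and
# contacts access, which is the mismatch the post describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Torch"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> and
    <uses-permission-sdk-23> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = node.get("{%s}name" % ANDROID_NS)
            if name:
                names.append(name)
    return names


def triage_permissions(manifest_xml, app_category):
    """Return (permission, what it exposes) pairs for sensitive permissions
    that are not expected for the given app category. Normal-level
    permissions such as INTERNET are ignored on purpose."""
    expected = EXPECTED_BY_CATEGORY.get(app_category, set())
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE_PERMISSIONS and perm not in expected:
            findings.append((perm, SENSITIVE_PERMISSIONS[perm]))
    return findings


if __name__ == "__main__":
    for perm, exposes in triage_permissions(SAMPLE_MANIFEST, "flashlight"):
        print("review: flashlight app requests %s (%s)" % (perm, exposes))
```

Run against a real app by decoding the APK first (for example with apktool) and passing the resulting AndroidManifest.xml contents to triage_permissions. A hit is not proof of malice, only a prompt to look at why the app wants that data.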
Aside from arbitrary permission requests, other malicious behaviors include siphoning your personal information, possibly encrypting it, and then sending it over the network to an attacker-controlled server. The difficult part, the encryption component, requires reverse engineering the application to understand how its encryption routine works, then instrumenting the app so that what is being transmitted can be seen before it is encrypted. I came across some nifty resources during my research that aid in this, and I will do a separate post taking a closer look at those tools and what they do.
Other malicious behaviors include simulated ad clicks, which are a revenue avenue for developers. This activity entails coding logic that essentially mimics an actual user physically clicking on an ad. I will say that crafting such logic takes some skill, given that some free apps earn their money from these ads, but imitating user clicks pushes moral boundaries for me. It’s nice for the developer, who gets to increase profits, but it comes at the expense of the ad provider, who pays for clicks that are not legitimate, and of users, who endure a poor experience with so many ads presented.
Use this link for more details about what Google looks out for regarding malicious behavior. Be sure to flip between the tabs in the darker green section in the banner as they align with this section.
How Google Play Protect Helps
The Google Play Store is the only recommended source for Android applications. The platform is not foolproof, as apps can bypass its security measures, and this is where security researchers come into play. Automating a process to weed out malicious or unwanted apps is no simple task, even for Google. However, having some security measures in place is better than nothing at all.
Google Play Protect is a feature that scans apps before they are downloaded to your device. Even after apps are installed, you can use this feature to scan your device’s installed applications. It can warn users of findings and remove harmful apps that are installed. Refer to this link for more information about this feature.
In summary, this post covers what malicious activities look like in Android applications. One example is stealing your private information, encrypting it, then sending it over a network connection; it takes some work to learn to reverse engineer this and figure out what information is being sent before the encryption takes place. Another example is outlandish permission requests that don’t match an application’s use case, such as a flashlight app asking for permission to read your text messages.
This post also covers Google Play Protect, a security service that scans apps before they are downloaded and periodically scans your device’s installed apps. We should all know by now that even tech giants like Google don’t have a foolproof method to prevent all unwanted applications. With cooperation and effort from security researchers, along with time, malicious apps will be identified and subsequently taken off the Play Store once findings are reported to Google.
Lastly, look for other posts as I progress in my reverse engineering journey. I have already messed around with a few tools in an isolated environment, compared and contrasted tools that seem to offer similar functionality, and am continuing to better understand the static and dynamic analysis process.