Saturday, March 5, 2011

DroidDream (part 2)

Hi!

Reverse engineering was not the main goal of Androguard, but I use it to reverse malware, so I decided to add new features. Yesterday I added a feature (in the repository) which exports the classes, methods and fields of a virtual machine object as attributes in the Python namespace.

So, when you launch Androlyze with ipython, you get (tab) completion to play with classes, methods and fields:
$ ./androlyze.py -s
Androlyze version BETA 0

[~/androguard]
|2>a = APK( "./apks/Magic Hypnotic Spiral.apk" )

[~/androguard]
|3>vm = DalvikVMFormat( a.get_dex() )

[~/androguard]
|4>vmx = VM_BCA( vm )

[~/androguard]
|5>ExportVMToPython( vm )

[~/androguard]
|6>vm.CL
vm.CLASS_Lcom_android_root_AlarmReceiver
vm.CLASS_Lcom_android_root_udevRoot
vm.CLASS_Lcom_mikeperrow_spiral_R_string
vm.CLASS_Lcom_android_root_AlarmReceiver_1
vm.CLASS_Lcom_mikeperrow_android_opengl2d_DrawThread
vm.CLASS_Lcom_mikeperrow_spiral_Spiral
vm.CLASS_Lcom_android_root_Setting
vm.CLASS_Lcom_mikeperrow_android_opengl2d_GLDrawable
vm.CLASS_Lcom_mikeperrow_spiral_SpiralActivity
vm.CLASS_Lcom_android_root_Setting_1
vm.CLASS_Lcom_mikeperrow_android_opengl2d_GLHelper
vm.CLASS_Lcom_mikeperrow_spiral_SpiralOpenGLView
vm.CLASS_Lcom_android_root_Setting_2
vm.CLASS_Lcom_mikeperrow_spiral_R
vm.CLASS_Lcom_mikeperrow_spiral_SpiralOpenGLView_ScrollDetector
vm.CLASS_Lcom_android_root_adbRoot
vm.CLASS_Lcom_mikeperrow_spiral_R_attr
vm.CLASS_Lcom_mikeperrow_spiral_deprecated_SimpleSpiralView
vm.CLASS_Lcom_android_root_adbRoot_1
vm.CLASS_Lcom_mikeperrow_spiral_R_drawable
vm.CLASS_Lcom_mikeperrow_spiral_deprecated_SimpleSpiralView_AnimationLoop
vm.CLASS_Lcom_android_root_main
vm.CLASS_Lcom_mikeperrow_spiral_R_layout
vm.CLASS_Ljackpal_androidterm_Exec

You must call ExportVMToPython with the virtual machine as parameter to export the names into the Python namespace (they begin with CLASS_, METHOD_ or FIELD_). In a class, more than one method (or field) can have the same name; in that case the descriptor is appended to the name.
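To make the naming rule concrete, here is an added example (my own code, not Androguard's ExportVMToPython) that builds the same kind of CLASS_/METHOD_ namespace from a constructed list of classes; the exact separator used when a descriptor is appended to a colliding name is an assumption.

```python
import re
from types import SimpleNamespace

# Constructed sample input, not read from a real DEX:
# (class descriptor, [(method name, method descriptor), ...])
SAMPLE_CLASSES = [
    ("Lcom/android/root/Setting$2;",
     [("run", "()V"), ("<init>", "(Lcom/android/root/Setting; [B)V")]),
    ("Lcom/android/root/Setting;",
     [("destroy", "(Z)V"),
      ("cpFile", "(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)Z"),
      ("cpFile", "(Ljava/lang/String;)Z")]),   # same name twice: needs the descriptor
]


def mangle(descriptor: str) -> str:
    """Turn a DEX name or descriptor into a valid Python identifier.
    'Lcom/android/root/Setting$2;' -> 'Lcom_android_root_Setting_2' (trailing ';' dropped,
    every character that is not a letter, digit or underscore becomes '_')."""
    name = descriptor[:-1] if descriptor.endswith(";") else descriptor
    return re.sub(r"[^0-9A-Za-z_]", "_", name)


def export_names(classes) -> SimpleNamespace:
    """Build vm-like object: vm.CLASS_<class>.METHOD_<method> holds the method descriptor.
    When several methods of one class share a name, the mangled descriptor is appended
    (assumed separator: a single '_') so that every attribute name stays unique."""
    vm = SimpleNamespace()
    for class_desc, methods in classes:
        # count names first so we know which ones collide
        counts = {}
        for mname, _ in methods:
            counts[mname] = counts.get(mname, 0) + 1
        members = {}
        for mname, mdesc in methods:
            attr = "METHOD_" + mangle(mname)
            if counts[mname] > 1:
                attr += "_" + mangle(mdesc)
            members[attr] = mdesc
        setattr(vm, "CLASS_" + mangle(class_desc), SimpleNamespace(**members))
    return vm


if __name__ == "__main__":
    ns = export_names(SAMPLE_CLASSES)
    print(sorted(vars(ns)))                                   # CLASS_... attributes
    print(sorted(vars(ns.CLASS_Lcom_android_root_Setting)))   # METHOD_... attributes
```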



And of course you can also use it together with the analysis:
[~/androguard]
|9>vmx0.tainted_variables.get_field_by_ref( vm0.CLASS_Lcom_android_root_Setting.FIELD_u ).show_paths()
W Lcom/android/root/Setting; ()V -BB@0x0 1d8
R Lcom/android/root/Setting; onCreate ()V onCreate-BB@0x0 1e
OK, after the crypt method, the malware sends information to the previous URL by running a thread in class Setting$2:
13 0x34 new-instance v6 , [type@ 49 Lcom/android/root/Setting$2;]
14 0x38 invoke-direct v6 , v12 , v1 , [meth@ 74 Lcom/android/root/Setting$2; (Lcom/android/root/Setting; [B) V ]
15 0x3e invoke-virtual v6 , [meth@ 75 Lcom/android/root/Setting$2; () V run]

|45>vm0.CLASS_Lcom_android_root_Setting_2.METHOD_run.show()
[...]
18 0x46 invoke-static v2 , v3 , [meth@ 88 Lcom/android/root/Setting; (Ljava/lang/String; Landroid/content/Context;) V postUrl]
[...]
Next, the malware tries to root the phone by using "exploid" and "rageagainstthecage":
42 0xb0 new-instance v5 , [type@ 54 Lcom/android/root/udevRoot;]
43 0xb4 iget-object v6 , v12 , [field@ 14 Lcom/android/root/Setting; Landroid/content/Context; ctx]
44 0xb8 invoke-direct v5 , v6 , [meth@ 111 Lcom/android/root/udevRoot; (Landroid/content/Context;) V ]
45 0xbe invoke-virtual v5 , [meth@ 117 Lcom/android/root/udevRoot; () Z go4root]

50 0xd2 new-instance v0 , [type@ 52 Lcom/android/root/adbRoot;]
51 0xd6 iget-object v6 , v12 , [field@ 14 Lcom/android/root/Setting; Landroid/content/Context; ctx]
52 0xda iget-object v7 , v12 , [field@ 15 Lcom/android/root/Setting; Landroid/os/Handler; handler]
53 0xde invoke-direct v0 , v6 , v7 , [meth@ 96 Lcom/android/root/adbRoot; (Landroid/content/Context; Landroid/os/Handler;) V ]
54 0xe4 invoke-virtual v0 , [meth@ 103 Lcom/android/root/adbRoot; () Z go4root]
And at the end it calls the destroy function (depending on whether the exploit succeeded):
57 0xf0 invoke-direct v12 , v8 , [meth@ 81 Lcom/android/root/Setting; (Z) V destroy]
|49>vm0.CLASS_Lcom_android_root_Setting.METHOD_destroy.pretty_show( vmx0 )
ENCODED_METHOD method_idx_diff=1 access_flags=2 code_off=0x388c (Lcom/android/root/Setting; (Z)V,destroy)
********************************************************************************
DALVIK_CODE :
REGISTERS_SIZE 0x5
INS_SIZE 0x2
OUTS_SIZE 0x3
TRIES_SIZE 0x0
DEBUG_INFO_OFF 0x8dcc
INSNS_SIZE 0x19

o o 0 0x0 if-eqz v4 , [+ 21] [ 4 2a ]
> | 1 0x4 iget-object v0 , v3 , [field@ 14 Lcom/android/root/Setting; Landroid/content/Context; ctx]
| 2 0x8 const-string v1 , [string@ 350 com.android.providers.downloadsmanager]
| 3 0xc invoke-static v0 , v1 , [meth@ 84 Lcom/android/root/Setting; (Landroid/content/Context; Ljava/lang/String;) Z isPackageInstalled]
| 4 0x12 move-result v0
| o o 5 0x14 if-nez v0 , [+ 11] [ 18 2a ]
| > | 6 0x18 iget-object v0 , v3 , [field@ 14 Lcom/android/root/Setting; Landroid/content/Context; ctx]
| | 7 0x1c const-string v1 , [string@ 654 sqlite.db]
| | 8 0x20 const-string v2 , [string@ 48 DownloadProvidersManager.apk]
| | o 9 0x24 invoke-static v0 , v1 , v2 , [meth@ 80 Lcom/android/root/Setting; (Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;) Z cpFile] [ 2a ]
> > > 10 0x2a invoke-virtual v3 , [meth@ 90 Lcom/android/root/Setting; () V stopSelf]
11 0x30 return-void
********************************************************************************

This function checks if the "com.android.providers.downloadsmanager" package is installed; if not, it copies the sqlite.db file to DownloadProvidersManager.apk (in the directory /system/app):
[~/androguard]
|6>vmx0.tainted_variables.get_string("sqlite.db").show_paths()
R Lcom/android/root/Setting; destroy (Z)V destroy-BB@0x18 1c
|51>a0.zip.namelist()
Out[51]:
['META-INF/MANIFEST.MF',
'META-INF/ANDROID.SF',
'META-INF/ANDROID.RSA',
'assets/exploid',
'assets/profile',
'assets/rageagainstthecage',
'assets/sqlite.db',
'lib/armeabi/libandroidterm.so',
'res/drawable/icon.png',
'res/drawable/minispiral.png',
'res/layout/main.xml',
'AndroidManifest.xml',
'classes.dex',
'resources.arsc']

So the file sqlite.db is an APK application. We can open it directly in androlyze by setting the raw parameter of the APK class.
23 0x5e const-string v11 , [string@ 19 /system/app/]
The file sqlite.db was inside the first application:
[~/androguard]
|52>a1 = APK( a0.zip.read("assets/sqlite.db"), raw=True )

[~/androguard]
|53>vm1 = DalvikVMFormat( a1.get_dex() )

[~/androguard]
|54>vmx1 = VM_BCA( vm1 )
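The asset listing and the disguised sqlite.db above are exactly what a triage script should flag. Here is an added example (my own code, not part of Androguard) that rebuilds a constructed stand-in for such an APK in memory and checks its assets for known root-exploit names, ELF binaries and files that are really APKs regardless of their name.

```python
import io
import zipfile

# asset names seen in the sample's zip listing above
ROOT_EXPLOIT_NAMES = {"exploid", "rageagainstthecage"}


def build_sample_apk() -> bytes:
    """Constructed stand-in for the sample: an outer zip whose assets/sqlite.db is itself
    a zip carrying classes.dex and AndroidManifest.xml. Contents are placeholders."""
    dex_stub = b"dex\n035\0" + b"\0" * 16          # DEX magic only, not real bytecode
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex_stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex_stub)
        z.writestr("assets/exploid", b"\x7fELF" + b"\0" * 12)
        z.writestr("assets/rageagainstthecage", b"\x7fELF" + b"\0" * 12)
        z.writestr("assets/sqlite.db", inner.getvalue())   # an APK hiding as a database
        z.writestr("assets/profile", b"export PATH=/system/bin\n")
    return outer.getvalue()


def is_apk(data: bytes) -> bool:
    """An APK is a zip carrying classes.dex and AndroidManifest.xml, whatever its name says."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return {"classes.dex", "AndroidManifest.xml"} <= set(z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(apk_bytes: bytes) -> dict:
    """Return the suspicious assets: known root-exploit names, ELF binaries, embedded APKs."""
    findings = {"root_exploits": [], "elf_assets": [], "embedded_apks": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/"):
                continue
            data = z.read(name)
            if name.rsplit("/", 1)[-1] in ROOT_EXPLOIT_NAMES:
                findings["root_exploits"].append(name)
            if data.startswith(b"\x7fELF"):
                findings["elf_assets"].append(name)
            if is_apk(data):
                findings["embedded_apks"].append(name)
    return findings
```

Run it on a real APK by passing the file's bytes to triage(); an embedded APK found this way can then be loaded with APK(data, raw=True) as shown above.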
You can see a report of the next APK stage on VirusTotal. People ask me where to find malware; it's not very easy, but you can check this website ;)

See ya!
