Thursday, September 1, 2011

Android "rip-off indicator" of applications

Hi!

In a previous post, I explained how similarity distance can be used to tell whether your application, or a part of it, has been stolen. Lately, I created an open source database of Android malware (it will be the next post) with androsign and androcsign (you must read 1 and 2 for the technical details). I can extend this concept to detect more quickly, and on larger datasets, whether your application has been stolen.

For example, we will take the following DEX file, which is your application (the source code of this DEX file is located here).

The first thing to do is to isolate your important methods and add them to your database, so that they can be found in suspicious samples; your software as a whole also contains parts that are not worth tracking. So this is an important step: you must know which methods or classes matter most.

In our example, the method T1 of the class TCMod1 is our most important method, so we create a signature file like this:
[ { "SAMPLE" : "examples/obfu/classes_tc.dex" },
  { "BASE" : "AndroidOS",
    "NAME" : "CLASSES TC",
    "SIGNATURE" : [ { "TYPE" : "METHSIM",
                      "CN" : "Lorg/t0t0/androguard/TC/TCMod1;",
                      "MN" : "T1",
                      "D" : "()V" } ],
    "BF" : "0" } ]
And we can add the signature to our empty database:
desnos@destiny:~/androguard$ ./androcsign.py -i examples/obfu/classes_tc.sign -o examples/obfu/dbsample

[{u'CLASSES TC': [[[0, 'QltdQltGMEldQltGMEYxRjBHXUJbRjBQMFAxU1AxRjBTUDJQMVAxUD
FGMFAwUDFTUDFTUDJQMVAxUDFdQltJXUJbRjBHXUJbRjBQMFAxU1AxU1AyUDFQMVAxRjBGMUYwUDB
QMVNQMUYwU1AyUDFQMVAxXUJbSV1CW11CW0YwSV1CW0YwRjFHXUJbR1AwXUJbUDBQMlAyRjBQMFAx
U1AxRjBTUDJQMVAxUDFGMFAwUDFTUDFTUDJQMVAxUDFGMFAwUDFTUDFTUDJQMVAxUDFQMFAyUDJGM
F1CW0YwRjFGMEldQltGMFAwUDFTUDFGMFNQMlAxUDFQMVAwUDJQMlAwUDJQMlJdQltd',
3.1086018085479736, 1.6915500164031982, 4.4729580879211426, 4.8005590438842773, 0.0]], u'0']}]
After that, it is possible to search many samples for your signature:
desnos@destiny:~/androguard$ ./androsign.py -d apks/mixe/ -b examples/obfu/dbsample -c signatures/dbconfig

594ebcc14a163b86222bd09adfe95498da81ceaeb772b706339d0a24858b1267 : ----> None
d615dd181124ca0fde3d4785786586c3593a61d2c25c567ff93b230eb6d3a97a : ----> None
c8518d4d64a84099abfadc25eb1516957898326546b8e4bfb88066912a06dd56 : ----> None
c6eb43f2b7071bbfe893fc78419286c3cb7c83ce56517bd281db5e7478caf995 : ----> None
35bda16e09b2e789602f07c08e0ba2c45393a62c6e52aa081b5b45e2e766edcb : ----> None
1dd0ccbb47e46144a5e68afc619098730f561741618d89200ac9c06c460bf6e4 : ----> None
com.rovio.angrybirdsseasons-1.apk : ----> None
c1a94e9fd0a6bda7e5ead89d8ef9ee064aeccdaf65238bf604f33e987a8656b9 : ----> None
e5b775383f7a16d96f55701d72a8c87ca27e991d600cb4254bb47dfef556fd18 : ----> None
add10b0368753ec38de0dca15550d824ac141f0c86f2f123f30551bd82e82415 : ----> None
137274dccff625eb1f9d647b09ed50cdfa8f86fe1a893d951f1f04e0d91f85bc : ----> None
7f0aaf040b475085713b09221c914a971792e1810b0666003bf38ac9a9b013e6 : ----> None
03fbe528af4e8d17aef4b8db67f96f2905a7f52e0342826aeb3ec21b16dfc283 : ----> None
76e91e1f9cc3422c333e51b65bb98dd50d00f1f45a15d2008807b06c125e651a : ----> None
7a21caba58a033a696265d2f1a9c421a84293cbba19ed890be3cc26ac584b021 : ----> None
c687e2f0b4992bd368df0c24b76943c99ac3eb9e4e8c13422ebf1a872a06070a : ----> None
zimperlich.apk : ----> None
cf9ebba0501079d61cff24d00e2de662c591039d8ff7f0c982e2e2778d6cf49b : ----> None
7513c6a11b88b87f528b88624d1b198b5bcc325864b328e32cc0d790b0bfc1c4 : ----> None
05ded485fca28f742e94d21172d92ebd77b796a16ed052ced1cf2d0ec184cfd6 : ----> CLASSES TC
Even if your function is obfuscated with Android/Java obfuscators, it is still possible to find your signature:
desnos@destiny:~/androguard$ ./androsign.py -d examples/obfu/ -b examples/obfu/dbsample -c signatures/dbconfig

classes_tc.dex : ----> CLASSES TC
classes_tc_mark1.dex : ----> CLASSES TC
classes_tc_diff_dasho.dex : ----> CLASSES TC
classes_tc_dasho.dex : ----> CLASSES TC
classes_tc_diff.dex : ----> CLASSES TC
classes_tc_proguard.dex : ----> CLASSES TC
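As an added example (my own helper, not code from this post or from androguard), here is a small Python script that builds the androcsign signature file shown above from a list of important methods, validating the Dalvik class and method descriptors before they reach the database (a typo in "D" would otherwise produce a signature that never matches), and that parses androsign's "name : ----> result" lines into a dict of matches. The entry layout and the BF value "0" are taken from the post; I assume BF refers to the index of the single signature in the list.

```python
import re
# Dalvik type descriptor: optional array prefix, then a primitive or a class reference.
_TYPE = r"\[*(?:[BCDFIJSZ]|L[^;]+;)"
_PARAM = re.compile(_TYPE)
_RET = re.compile(r"(?:%s|V)$" % _TYPE)  # "V" (void) is only legal as a return type
_RESULT = re.compile(r"^(?P<sample>\S+) : ----> (?P<match>.+)$")

def parse_descriptor(desc):
    """Split a method descriptor such as "(ILjava/lang/String;)Z" into (params, ret)."""
    if not desc.startswith("(") or ")" not in desc:
        raise ValueError("malformed descriptor: %r" % desc)
    close = desc.index(")")
    params, pos = [], 1
    while pos < close:
        m = _PARAM.match(desc, pos)
        if not m or m.end() > close:
            raise ValueError("bad parameter type in %r" % desc)
        params.append(m.group(0))
        pos = m.end()
    ret = desc[close + 1:]
    if not _RET.match(ret):
        raise ValueError("bad return type in %r" % desc)
    return params, ret

def is_valid_descriptor(desc):
    try:
        parse_descriptor(desc)
        return True
    except ValueError:
        return False

def build_csign(sample, name, methods, base="AndroidOS", bf="0"):
    """Build the androcsign entry layout from the post, one METHSIM signature per
    (class_name, method_name, descriptor) tuple; descriptors are validated first."""
    sigs = []
    for cn, mn, d in methods:
        if not (cn.startswith("L") and cn.endswith(";")):
            raise ValueError("class name must look like Lpkg/Name;: %r" % cn)
        parse_descriptor(d)  # a typo here would yield a signature that never matches
        sigs.append({"TYPE": "METHSIM", "CN": cn, "MN": mn, "D": d})
    return [{"SAMPLE": sample}, {"BASE": base, "NAME": name, "SIGNATURE": sigs, "BF": bf}]

def parse_androsign_output(text):
    """Map every sample that androsign reported as matching to the signature name."""
    hits = {}
    for line in text.splitlines():
        m = _RESULT.match(line.strip())
        if m and m.group("match") != "None":
            hits[m.group("sample")] = m.group("match")
    return hits
```

Dump the result of build_csign with json.dumps to get a .sign file in the layout above, and feed androsign's stdout to parse_androsign_output to list only the samples that hit.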
See ya!
