There are a great many tools available to help
quickly analyze the behavior of mobile malware samples, making the task easier
for analysts, testers, and pen testers. In the case of Android, one such app
is AppMon, which, through its
binary instrumentation, provides access to the log showing which functions are
being used and their respective parameters.
In this article, we will take a look at how it
works.
How does AppMon work?
This app makes use of a powerful multi-platform
dynamic instrumentation environment which we have already talked about
a few times: Frida. AppMon includes a series of scripts based on this
platform which enable analysts to spy on events triggered on
the system by the app being studied, the results of which can then be viewed
through a web interface with filters for searching and ordering.
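As an added illustration of the hooking that AppMon's Frida scripts perform, the script below (written for this article, not taken from the AppMon project) uses Frida's Java bridge to intercept two Android APIs that a monitoring analyst typically cares about and emit one JSON event per call, with the method's parameters, through send() to the host side. The class names and overload signatures are assumed from the Android SDK; the buildEvent/renderArg helpers are this example's own and are what a host-side viewer would store and filter. When the file is loaded outside Frida (plain Node), no Java object exists, so only the helpers are defined and the hook installation is skipped.

```javascript
// Added example in the style of AppMon's Frida scripts (not AppMon's own code).
// Inside Frida it hooks two Android APIs and reports each call with its
// parameters via send(); outside Frida only the helper functions are defined.

// Maximum length kept for one logged argument: apps may pass large buffers,
// and the host-side log should stay readable.
const MAX_ARG_LEN = 200;

// Render one hooked argument as a short, JSON-safe string.
function renderArg(arg) {
  if (arg === null || arg === undefined) return 'null';
  let s;
  try { s = String(arg); } catch (e) { s = '<unprintable>'; }
  return s.length > MAX_ARG_LEN ? s.slice(0, MAX_ARG_LEN) + '...' : s;
}

// Build the event record the host side stores and displays:
// timestamp, class, method and the rendered argument list.
// `now` is an optional epoch-milliseconds override (used by tests).
function buildEvent(className, method, args, now) {
  return {
    time: new Date(now === undefined ? Date.now() : now).toISOString(),
    class: className,
    method: method,
    args: Array.from(args, renderArg),
  };
}

// Hooks to install. Overload signatures are assumed from the Android SDK;
// only calls matching these exact parameter types are traced.
const HOOKS = [
  { cls: 'android.telephony.SmsManager', method: 'sendTextMessage',
    overload: ['java.lang.String', 'java.lang.String', 'java.lang.String',
               'android.app.PendingIntent', 'android.app.PendingIntent'] },
  { cls: 'android.telephony.TelephonyManager', method: 'getDeviceId',
    overload: [] },
];

// Replace each target method's implementation with a wrapper that reports the
// call and then runs the original, so the app is observed, not altered.
function installHooks() {
  HOOKS.forEach(function (h) {
    const clazz = Java.use(h.cls);
    const target = clazz[h.method].overload.apply(clazz[h.method], h.overload);
    target.implementation = function () {
      send(buildEvent(h.cls, h.method, arguments));
      return target.apply(this, arguments);
    };
  });
}

// `Java` only exists inside Frida's JavaScript runtime.
if (typeof Java !== 'undefined') {
  Java.perform(installHooks);
}
```

On the host, the Python side (as AppMon does with the frida module) receives each send() payload in its on_message callback and appends it to the log that the web interface filters and sorts; the event shape above is what those filters operate on.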
As well as this, AppMon includes scripts which
enable the user to intrude into the app, modifying its normal
course of action, as can be seen in the video below. Of course, the analyst can
also add their own scripts to the tool.
Furthermore, it enables the deployment of apps on
both Android and iOS and, benefiting from Frida’s flexibility, it
can be run on multiple platforms (Linux, Mac OS, and also Windows by making
some changes to the code).
Installing the app
The prerequisites for running AppMon are obviously
to install Frida and also some Python modules, which can be done through the
following command:
sudo -H pip install argparse frida flask termcolor
Then we can clone the project from the GitHub repository or
download the corresponding compressed file. If you are using a Windows machine,
you will also need to change the absolute path defined in the merge_script_path variable of the appmon.py file to point to the
temporary folder in the Windows file system or indeed any other folder as
required. For example, it may end up as follows:
merge_script_path = 'C:/Users/<nombre_usuario>/AppData/Local/Temp/merged.js'
We have to create our own emulator running Android
4.4.x, as Frida has only been demonstrated to be stable on 4.4.x. We can
then copy the Frida server files to the emulator and launch the server, as we did
previously in the tutorial on app deployment.
We’re ready to go! Now we need to install the app
we want to analyze. The best way to do this is via adb, because
some emulators launch the app when it is installed via drag and drop, and
if we are not ready to run the AppMon command we may fail to log some critical
functionality.
Analyzing the sample
Let’s run a sample of Android/Torec.A,
a malware capable of logging messages and calls made and received on the
device, as well as other critical information, and which can communicate via
Tor. The app's AndroidManifest file tells us that the package name is
com.baseapp. We need this information so we can tell AppMon which process to
intercept.