1
00:00:00,330 --> 00:00:05,250
Every Android application runs in a limited access sandbox.

2
00:00:05,760 --> 00:00:13,290
If an application requires access to resources outside the sandbox, then the application needs to request

3
00:00:13,290 --> 00:00:13,980
permission.

4
00:00:14,220 --> 00:00:20,090
The application declares all the permissions it requires in the AndroidManifest

5
00:00:20,340 --> 00:00:21,110
.xml file.

6
00:00:21,480 --> 00:00:28,290
Let's open the trojan-signed application that we have decoded and decompiled.

7
00:00:28,610 --> 00:00:30,630
And let's open the AndroidManifest

8
00:00:30,790 --> 00:00:31,560
.xml file.

9
00:00:34,810 --> 00:00:41,530
Expand that. As you can see here, on all versions of Android, to declare the application's permissions,

10
00:00:41,950 --> 00:00:48,610
we need to use this permission within the tags called uses-permission.

11
00:00:48,940 --> 00:00:51,190
These ones here, written in blue.

12
00:00:51,640 --> 00:00:59,560
The Android manifest file will start with the manifest tag and will close or end with a manifest tag,

13
00:00:59,920 --> 00:01:03,340
and all the permissions will be listed within the uses-

14
00:01:03,540 --> 00:01:05,920
permission tags.

15
00:01:06,540 --> 00:01:08,830
Some permissions are considered normal,

16
00:01:09,250 --> 00:01:11,710
so the system immediately grants them upon

17
00:01:11,710 --> 00:01:14,320
installation. Other permissions are considered dangerous,

18
00:01:14,410 --> 00:01:16,600
as we've seen earlier in the slide,

19
00:01:16,720 --> 00:01:22,540
so the user must explicitly grant the permission to the application.

20
00:01:22,780 --> 00:01:30,010
Beginning with Android 6.0, or API level 23, a user can revoke permissions from any app

21
00:01:30,700 --> 00:01:35,770
at any time, even if the application targeted lower API levels.

22
00:01:36,490 --> 00:01:43,060
So if the application was using your contacts yesterday, the application shouldn't assume that it will

23
00:01:43,060 --> 00:01:45,130
still have access to your contacts today.

24
00:01:45,550 --> 00:01:47,950
So you can deny that permission at any time.

25
00:01:48,520 --> 00:01:49,360
Let's see here,

26
00:01:49,650 --> 00:01:50,870
the decoded application.

27
00:01:51,160 --> 00:01:53,410
What are the permissions required?

28
00:01:53,950 --> 00:02:01,630
Actually, we have a couple of dangerous permissions required, such as READ_PHONE_STATE, SEND_SMS,

29
00:02:02,020 --> 00:02:10,000
RECEIVE_SMS, RECORD_AUDIO, CALL_PHONE, READ_CONTACTS, WRITE_CONTACTS, RECORD_AUDIO, WRITE_SETTINGS,

30
00:02:10,030 --> 00:02:11,320
CAMERA, READ_SMS.

31
00:02:11,350 --> 00:02:16,720
Actually, all of these are considered dangerous permissions.

32
00:02:17,140 --> 00:02:19,450
So this is the first thing to do.

33
00:02:19,750 --> 00:02:24,220
This is how we perform initial static malware analysis.

34
00:02:24,610 --> 00:02:30,040
We start with the AndroidManifest.xml file and check the permissions.

35
00:02:30,400 --> 00:02:37,630
The next thing that you need to know while working with this .xml file is the activity tag.

36
00:02:38,110 --> 00:02:44,290
Spotting these dangerous permissions is a great indicator for malicious activities.

37
00:02:44,740 --> 00:02:49,840
If you want to have a comprehensive overview of dangerous permissions, you can refer to the Android

38
00:02:49,870 --> 00:02:52,450
documentation. In this video,

39
00:02:52,480 --> 00:02:57,910
we will continue our analysis of the trojan-signed APK file that we have created earlier.

40
00:02:58,180 --> 00:03:00,580
So I have gathered everything in this folder here.

41
00:03:01,180 --> 00:03:06,970
As you can see, the APK file, the jar file and all the sources.

42
00:03:07,390 --> 00:03:11,760
So let's go and check again the AndroidManifest.xml file.

43
00:03:12,430 --> 00:03:15,910
I'll open it now with the browser and

44
00:03:17,900 --> 00:03:18,620
Notepad.

45
00:03:19,080 --> 00:03:25,430
So we've seen earlier these permissions. If you scroll down, usually you'll be able to see some declared

46
00:03:25,430 --> 00:03:31,190
services that might indicate the existence of a malicious activity.

47
00:03:31,640 --> 00:03:38,180
But for the sake of going further and analyzing the jar file, notice here the activity tag.

48
00:03:39,440 --> 00:03:41,840
It starts with a label, then an android:name.

49
00:03:42,140 --> 00:03:46,250
This is the name of the main class that will initiate the application.

50
00:03:46,700 --> 00:03:49,100
So remember that it's called MainActivity.

51
00:03:49,100 --> 00:03:54,560
We'll close that and go to the jar file and open it

52
00:03:54,680 --> 00:03:57,010
in JD-GUI.

53
00:03:57,200 --> 00:03:59,090
So let's move that here.

54
00:04:03,660 --> 00:04:05,850
We'll open JD-GUI and expand it a bit.

55
00:04:09,880 --> 00:04:10,570
So here you go.

56
00:04:10,600 --> 00:04:13,990
This is JD-GUI, this is the interface. On the left side

57
00:04:14,500 --> 00:04:18,550
you will see the list of classes declared by the application.

58
00:04:19,060 --> 00:04:23,710
And as we've seen earlier, the initiating class is MainActivity.

59
00:04:24,160 --> 00:04:27,070
So under that, you'll be able to see the constructor.

60
00:04:27,670 --> 00:04:29,690
Actually, there's nothing spooky about that.

61
00:04:29,710 --> 00:04:32,110
It's just initiating the application.

62
00:04:32,590 --> 00:04:38,020
What we're going to do now is perform some keyword searches.

63
00:04:38,080 --> 00:04:46,480
As we've seen earlier, we have some recommended words that we need to search for to inspect any possible

64
00:04:46,480 --> 00:04:47,470
malicious activity.

65
00:04:47,890 --> 00:04:51,340
Let's go here and press on that button, which is the search button.

66
00:04:51,670 --> 00:04:57,250
And as you can see, you can search by type, field, string constant, module, et cetera.

67
00:04:57,580 --> 00:05:02,090
Remember that the search functionality in JD-GUI is case sensitive.

68
00:05:02,200 --> 00:05:05,560
So I've done some analysis earlier on this file,

69
00:05:05,920 --> 00:05:11,640
and one of the string constants that we can search for is socket.

70
00:05:12,070 --> 00:05:15,880
Let's enable this string constant here and let us search for socket.

71
00:05:16,420 --> 00:05:22,090
So as you can see, if we use this with a lowercase s it will find nothing, but with an uppercase S

72
00:05:22,560 --> 00:05:27,910
it will indicate that in the Payload class there is something, or some declaration, of a socket.

73
00:05:28,510 --> 00:05:32,940
So let's close that and let's search again for socket here.

74
00:05:33,160 --> 00:05:34,210
If you scroll down.

75
00:05:41,430 --> 00:05:48,810
So as you can see, this is a declaration for socket. Socket means you are establishing connectivity

76
00:05:48,810 --> 00:05:52,740
with an external server, coming and going.

77
00:05:52,770 --> 00:05:58,380
This might indicate that there are some input and output streams established by the application.

78
00:05:59,970 --> 00:06:01,140
Let's go up again,

79
00:06:01,200 --> 00:06:03,720
because I've noticed something not usual.

80
00:06:04,140 --> 00:06:05,820
This is a small application, by the way,

81
00:06:05,850 --> 00:06:12,180
and you can search it manually without going through the keyword search or the search list.

82
00:06:12,450 --> 00:06:18,290
As you can see here, there is some declaration of a data structure of arrays,

83
00:06:18,390 --> 00:06:21,300
and these numbers are seriously not clear.

84
00:06:21,720 --> 00:06:29,130
This might indicate a combination of the IP and the port that this application is establishing connectivity

85
00:06:29,130 --> 00:06:29,430
to.

86
00:06:29,850 --> 00:06:31,350
So you can scan it manually.

87
00:06:31,470 --> 00:06:35,520
Obviously, this is the most malicious class within the application.

88
00:06:43,680 --> 00:06:52,830
So we were able to spot some sockets, which indicate connectivity to an external server, and the declaration

89
00:06:52,830 --> 00:06:58,350
of a malicious or unusual kind of data structure.

90
00:06:58,770 --> 00:07:03,690
Another keyword that we can use in our search is HTTP.

91
00:07:04,080 --> 00:07:05,820
So let's open this search again.

92
00:07:07:370 --> 00:07:15,270
Android, HTTP, which might indicate as well certain connectivity to external servers.

93
00:07:16,320 --> 00:07:17,820
Obviously. Let's close that.

94
00:07:18,920 --> 00:07:21,240
Here is a declaration for HTTP.

95
00:07:28,530 --> 00:07:32,700
Let's do another search in the body of the class as well.

96
00:07:32,730 --> 00:07:40,830
There is another declaration for HTTP, which as well might indicate certain traffic or certain connectivity

97
00:07:40,830 --> 00:07:43,200
established with an external entity.
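
The following is an added worked example and is not part of the video or its course material. It automates the first static pass the lecture performs by hand: parse the decoded AndroidManifest.xml, bucket the uses-permission entries into runtime ("dangerous") permissions versus special-access ones, locate the launcher activity from its intent-filter instead of assuming the name, and run a keyword scan over decompiled source for the socket and http indicators the lecture searches for in JD-GUI, including the case-sensitivity pitfall it points out. The DANGEROUS and SPECIAL sets are a subset of the Android documentation's permission classification (WRITE_SETTINGS is a special-access permission enabled under Settings rather than a runtime prompt); the manifest, package name, Payload class and source snippet are constructed for the example.

```python
"""First static pass over a decoded APK: manifest permissions, launcher
activity, and a keyword scan over decompiled sources (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified for ElementTree

# Runtime ("dangerous") permissions; a subset of the Android docs' classification.
DANGEROUS = {
    "READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
    "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECORD_AUDIO", "CAMERA",
    "READ_CONTACTS", "WRITE_CONTACTS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}
# "Special app access" permissions: no install or runtime prompt, the user
# enables them under Settings. Flagged separately during triage.
SPECIAL = {"WRITE_SETTINGS", "SYSTEM_ALERT_WINDOW"}


def parse_manifest(xml_text):
    """Return (permission short names, launcher activity android:name or None)."""
    root = ET.fromstring(xml_text)
    perms = [el.get(NAME, "").rsplit(".", 1)[-1]
             for el in root.iter("uses-permission")]
    launcher = None
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            cats = {c.get(NAME) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                launcher = act.get(NAME)
    return perms, launcher


def classify(perms):
    """Bucket permissions so dangerous and special-access ones stand out."""
    return {
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "special": sorted(p for p in perms if p in SPECIAL),
        "other": sorted(p for p in perms if p not in DANGEROUS | SPECIAL),
    }


def keyword_hits(source, keywords, ignore_case=True):
    """Map each keyword to the 1-based line numbers where it occurs.
    JD-GUI's search is case sensitive, so 'socket' misses 'java.net.Socket';
    the default here is case-insensitive to avoid that."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for kw in keywords:
            if re.search(re.escape(kw), line, flags):
                hits.setdefault(kw, []).append(lineno)
    return hits


# Constructed manifest mirroring the permission list read out in the lecture.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.trojan">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="@string/app_name">
    <activity android:label="@string/app_name" android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed decompiled snippet: a socket, an opaque IP/port array, an HTTP URL.
SAMPLE_SOURCE = """package com.example.trojan;
public class Payload {
  byte[] serverIp = { (byte)192, (byte)168, 1, 10 };  // unexplained constants
  int port = 4444;
  void connect() throws Exception {
    java.net.Socket s = new java.net.Socket("192.168.1.10", port);
    String url = "http://update.example/cmd";
  }
}
"""

if __name__ == "__main__":
    perms, launcher = parse_manifest(SAMPLE_MANIFEST)
    print("launcher activity:", launcher)
    for bucket, names in classify(perms).items():
        print("%s: %s" % (bucket, ", ".join(names) or "-"))
    print("case-sensitive 'socket':", keyword_hits(SAMPLE_SOURCE, ["socket"], False))
    print("case-insensitive:", keyword_hits(SAMPLE_SOURCE, ["socket", "http"]))
```

Point the same functions at the apktool output (AndroidManifest.xml and the decompiled .java files) instead of the constructed samples; the permission buckets and the launcher class give the starting point the lecture describes, and the keyword hits tell you which classes to open first in JD-GUI.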