As you know when we talk about malware analysis we need an safe environment to run our tools. It’s not a good choice to working in your host main machine for malware analysis. Therefore in this section we want to create a safe environment as much as possible.

The first thing we need is a Linux based virtual machine. I recommend Debian based Linux. Personally my choice is Ubuntu but you are free to choose other distributions. You also need an Hypervisor to run this VM. You can choose between VirtualBox or VMWare Workstation.

For having an android emulator I highly recommend to use Android X86 Virtual Machine. You can use other emulators like Genymotion or Android Studio Emulator but both them are host-only and NAT network type which is a risk for our host machine.

Also there is also CuckooDroid which is a sandbox for Android malware analysis that we may try in the future.

Let’s start 🙂.

1.1. Linux Analysis & Transparent Proxy Virtual Machine

1.1.1. Machine specifications

In the center of the previous scheme we will have the analysis machine that through a network interface, in bridge mode, will be connected to the internet (eth0) and through the other interface (eth1) will be connected to the internal network of Virtualbox. Since we are going to run a lot of software at the same time on the analysis machine, we have to dedicate more than 2GB of RAM, in our case 4GB. We also have to add one more interface (eth1) where the DHCP server will be configured and where the Android machine will be connected.

1.1.2. Tools

There are hundreds of tools for both dynamic and static analysis of Android applications. Here is the installation of the tools that we have found most relevant.

• Android Studio

• Proxy/Sistema:

  • adb

  • docker

  • android-sdk

  • Java 8

  • Iptables

  • isc-dhcp-server

  • Wireshark

    sudo apt install adb docker docker.io docker-compose android-sdk openjdk-8-jre wireshark -y
    

• Static Analysis:

  • Jadx

  wget <https://github.com/skylot/jadx/releases/download/v1.2.0/jadx-1.2.0.zip>
  sudo mv jadx-1.2.0.zip /usr/local/bin/jadx-1.2.0.zip
  sudo unzip /usr/local/bin/jadx-1.2.0.zip -d /usr/local/bin/jadx-1.2.0
  sudo rm /usr/local/bin/jadx-1.2.0.zip
  sudo ln -s /usr/local/bin/jadx-1.2.0/bin/jadx /usr/local/bin/jadx
  sudo ln -s /usr/local/bin/jadx-1.2.0/bin/jadx-gui /usr/local/bin/jadx-gui
  

  • Apktool

    wget <https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool>
    wget <https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.5.0.jar>
    mv apktool_2.5.0.jar apktool.jar
    sudo mv apktool.jar /usr/local/bin
    sudo mv apktool /usr/local/bin
    sudo chmod +x /usr/local/bin/apktool.jar
    sudo chmod +x /usr/local/bin/apktool
    

• Dynamic Analysis:

  • Frida

    sudo apt install python3-pip
    pip3 install frida-tools
    

  • Pidcat (python2 needed)

    wget <https://raw.githubusercontent.com/JakeWharton/pidcat/master/pidcat.py>
    
    chmod +x pidcat
    
    mv pidcat /bin/
    

  • Burp: download from official site.

    chmod +x burpsuite_community_linux_v2020_12_1.sh
    
    ./burpsuite_community_linux_v2020_12_1.sh
    

• Hybrid

  • Mobsf

    sudo docker pull opensecurity/mobile-security-framework-mobsf
    echo “alias mobsf=’sudo docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest'” >> ~/.bashrc
    

1.1.3. DHCP server installation and configuration

To install:

sudo apt install isc-dhcp-server

Add the interface, in the file /etc/default/isc-dhcp-server, where you want to let the DHCP running. Modify the line INTERFACESv4="" to INTERFACESv4="eth1"