MobileHunter analysis using glorifiedgrep

This is a quick and short writeup about how the Python module glorifiedgrep can be used for fast analysis of Android applications. This is not a complete analysis of the application. The analysis was done using glorifiedgrep version 0.9.3, and the session was recorded as an asciinema cast. Please understand that this is not a full analysis, but a very brief introduction to glorifiedgrep. Read the full analysis here and here.

The GlorifiedAndroid class in glorifiedgrep offers over 200 different methods for Android analysis, but only a very few are shown here. Refer to the full documentation for the complete list.

Also keep in mind that glorifiedgrep is not a vulnerability detection module. What it does is quickly pinpoint areas of interest that should be looked into further.

Analysis

To use glorifiedgrep, first we need to import and instantiate the GlorifiedAndroid class, pointing it at the APK to analyze.

from glorifiedgrep import GlorifiedAndroid
g = GlorifiedAndroid('/tmp/base.apk')

Application hash

We can obtain the MD5, SHA-1 and SHA-256 hashes of the APK using:

>>> g.file_hash_of_apk()
{'md5': '155945a28c2b0158f47eb6a6351d795d',
 'sha1': 'ac9516e7cb14dced53504a93ef36b7a1edc6e017',
 'sha256': 'dc12d5c78117af8167d8e702dd131f838fe86930187542cf904b2122ba32afd1'}

Dangerous permissions

We can obtain a list of the dangerous permissions that are being used by the app using:

>>> g.manifest_dangerous_permission()
['android.permission.READ_CALENDAR',
 'android.permission.READ_SMS',
 'android.permission.READ_CONTACTS',
 'android.permission.READ_PHONE_STATE',
 'android.permission.WRITE_EXTERNAL_STORAGE',
 'android.permission.RECEIVE_SMS',
 'android.permission.CAMERA',
 'android.permission.RECORD_AUDIO',
 'android.permission.ACCESS_COARSE_LOCATION']

File types

Researchers have indicated that this APK is bundled with a few executables. Let's use glorifiedgrep to list all the different file types that are bundled with this app, excluding the usual XML and PNG resources.

>>> g.file_get_file_types(exclude=['xml', 'png'])
{'application/octet-stream': ['/tmp/GlorifiedAndroid/unzipped/resources.arsc',
  '/tmp/GlorifiedAndroid/unzipped/classes.dex',
  '/tmp/GlorifiedAndroid/unzipped/META-INF/CERT.RSA',
  '/tmp/GlorifiedAndroid/unzipped/assets/xbin/bk_samples.bin'],
 'image/png': [],
 'audio/x-wav': ['/tmp/GlorifiedAndroid/unzipped/res/raw/beep.wav'],
 'text/plain': ['/tmp/GlorifiedAndroid/unzipped/META-INF/MANIFEST.MF',
  '/tmp/GlorifiedAndroid/unzipped/META-INF/CERT.SF',
  '/tmp/GlorifiedAndroid/unzipped/assets/xbin/id.conf',
  '/tmp/GlorifiedAndroid/unzipped/assets/xbin/terrorism_apps.csv'],
 'application/x-sharedlib': ['/tmp/GlorifiedAndroid/unzipped/assets/xbin/getVirAccount',
  '/tmp/GlorifiedAndroid/unzipped/assets/xbin/gen_wifi_cj_flag_pie',
  '/tmp/GlorifiedAndroid/unzipped/assets/xbin/wifiscan_pie'],
 'application/x-executable': ['/tmp/GlorifiedAndroid/unzipped/assets/xbin/wifiscan',
  '/tmp/GlorifiedAndroid/unzipped/assets/xbin/gen_wifi_cj_flag']}

Using one simple method, we can see the various native binaries that are included in the app, along with the blacklisted-apps file (terrorism_apps.csv).
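To show what a file-type inventory like the one above does under the hood, here is an added example; it is not part of the original post and not glorifiedgrep's own code. It builds a small constructed APK in memory, classifies each entry by its magic bytes, reads the ELF e_type field to tell a fixed-address executable (ET_EXEC) from a position-independent one (ET_DYN, which libmagic reports as a shared object, consistent with the `_pie` builds above landing under application/x-sharedlib), and records a SHA-256 per entry so that bundled binaries can be looked up against threat intelligence. All entry names and bytes are constructed, not taken from the real sample, and the "application/x-elf" fallback label is an assumption of this example.

```python
import hashlib
import io
import os
import struct
import zipfile

# Constructed sample APK: an in-memory zip whose entries and bytes are made up
# for this example (they are NOT taken from the real application).
def build_sample_apk() -> bytes:
    def elf_header(e_type: int) -> bytes:
        # Minimal 64-byte ELF64 header: magic, EI_CLASS=2 (64-bit), EI_DATA=1
        # (little-endian), EI_VERSION=1, padding, then e_type and e_machine.
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        return ident + struct.pack("<HH", e_type, 0xB7) + b"\x00" * 44  # 0xB7 = EM_AARCH64

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("assets/xbin/wifiscan", elf_header(2))       # ET_EXEC: fixed-address executable
        z.writestr("assets/xbin/wifiscan_pie", elf_header(3))   # ET_DYN: PIE, looks like a shared object
        z.writestr("assets/xbin/id.conf", b"id=1\n")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


ELF_TYPES = {2: "application/x-executable", 3: "application/x-sharedlib"}


def classify(data: bytes) -> str:
    """Classify a blob by magic bytes; labels follow the libmagic MIME names used above."""
    if data.startswith(b"\x7fELF") and len(data) >= 18:
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        return ELF_TYPES.get(e_type, "application/x-elf")  # fallback label is assumed, not libmagic's
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text/plain"
    return "application/octet-stream"


def inventory(apk_bytes: bytes, exclude=("xml", "png")) -> dict:
    """Map MIME type -> [(entry name, sha256)], skipping file extensions listed in `exclude`."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            ext = os.path.splitext(info.filename)[1].lstrip(".").lower()
            if info.is_dir() or ext in exclude:
                continue
            data = z.read(info)
            result.setdefault(classify(data), []).append(
                (info.filename, hashlib.sha256(data).hexdigest()))
    return result


def embedded_executables(apk_bytes: bytes) -> list:
    """Names of all native ELF binaries shipped inside the APK, whatever their extension."""
    inv = inventory(apk_bytes, exclude=())
    return sorted(name for mime in ELF_TYPES.values() for name, _ in inv.get(mime, []))


if __name__ == "__main__":
    apk = build_sample_apk()
    for mime, entries in inventory(apk).items():
        for name, digest in entries:
            print(f"{mime:28} {name:32} sha256={digest[:16]}...")
    print("native binaries:", embedded_executables(apk))
```

Checking e_type rather than trusting the MIME label matters for triage: a PIE binary dropped under assets/ is still an executable the app can chmod and run, even though a plain file-type listing files it next to ordinary shared libraries.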

Executing shell commands

Instead of using JNI, the application directly executes some of the prepackaged binaries through the shell. We can see instances of shell execution using:

>>> g.code_command_exec().out
[{'file': 'sources/com/fenghuo/utils/ShellCommands.java',
  'line': '43',
  'match': '.exec(str)'},
 {'file': 'sources/com/fenghuo/utils/ShellCommands.java',
  'line': '76',
  'match': '.exec(str)'},
 {'file': 'sources/com/fenghuo/utils/ShellCommands.java',
  'line': '89',
  'match': '.exec("chmod 777 " + str).waitFor()'}]

Reading sensitive information

Researchers have also indicated that the application reads various kinds of sensitive user information, including SMS, calendar entries and call logs. Usually this information is obtained through content resolvers. glorifiedgrep offers a handy method to obtain the URIs of the various content providers that are queried. Using a little list comprehension, let's gather all the content URIs this application touches. We also restrict the search to the app's own code, i.e. files whose path contains 'feng':

>>> [x['match'] for x in g.other_content_urlhandler().in_file('feng').out]
['content://com.android.calendar/events',
 'content://calendar/events',
 'content://sms',
 'content://sms/icc',
 'content://sms/sim',
 'content://com.android.contacts/contacts',
 'content://com.android.contacts/contacts/',
 'content://icc/adn',
 'content://sim/adn',
 'content://sim/adn',
 'content://icc/adn']

Application queries for installed packages

The PackageManager class and its getInstalledPackages method from the Android SDK can be used by an app to enumerate the installed applications on a device. We can find those calls using:

>>> g.code_package_installed()
[{'file': 'sources/com/fenghuo/qzj/WelcomeActivity.java', 'line': '715', 'match': '.getInstalledPackages(8192)'}]

Application makes POST requests

Researchers have indicated that this application will POST all the enumerated data. We can see the POST requests using:

>>> g.code_apache_http_post_request()
[{'file': 'sources/com/fenghuo/http/HttpManager.java', 'line': '65', 'match': 'new HttpPost(reqEvent.getReqUrl())'}]

Hardcoded IP address

We know that the application will try to send the data to a private 192.168.x.x IP address. We can find hardcoded IP addresses using:

>>> g.other_ip_address().out
[{'file': 'sources/com/fenghuo/utils/Global.java',
  'line': '554',
  'match': '192.168.43.1'},
 {'file': 'sources/com/fenghuo/utils/Util.java',
  'line': '1045',
  'match': '0.0.0.0'}]

Environment variables

We can also see that the application tries to access external storage to save its data. We can confirm this by checking which environment variables it reads:

>>> g.code_get_environment_var().out
[{'file': 'sources/com/fenghuo/qzj/WelcomeActivity.java',
  'line': '322',
  'match': 'getenv("EXTERNAL_STORAGE")'},
 {'file': 'sources/com/fenghuo/qzj/WelcomeActivity.java',
  'line': '325',
  'match': 'getenv("SECONDARY_STORAGE")'}]
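The sections above (shell execution, content resolvers, hardcoded IP addresses and environment variables) all come down to pattern matching over decompiled source. As an added example, not from the original post and not glorifiedgrep's code, the following script implements that pattern-grep over constructed Java excerpts, emitting the same {'file', 'line', 'match'} record shape, and then cross-checks the content URIs it finds against a constructed manifest permission list, in the spirit of the dangerous-permissions section earlier. The source excerpts, file paths, permission list and the authority-to-permission table are all assumptions of this example (the table covers a few well-known Android providers and is not exhaustive).

```python
import re
from collections import defaultdict

# Constructed decompiled-source excerpts (path -> Java text). They are made up
# to resemble the kinds of matches shown above and are not the real app's code.
SOURCES = {
    "sources/com/example/utils/ShellCommands.java": """\
package com.example.utils;
public class ShellCommands {
    public static Process run(String str) throws Exception {
        return Runtime.getRuntime().exec(str);
    }
    public static void makeExecutable(String str) throws Exception {
        Runtime.getRuntime().exec("chmod 777 " + str).waitFor();
    }
}
""",
    "sources/com/example/Collector.java": """\
package com.example;
public class Collector {
    static final String SMS = "content://sms";
    static final String CAL = "content://com.android.calendar/events";
    static final String LOGS = "content://call_log/calls";
    static final String HOST = "192.168.43.1";
    static String root() { return System.getenv("EXTERNAL_STORAGE"); }
}
""",
}

# Constructed manifest permission list used by the cross-check below.
DECLARED_PERMISSIONS = [
    "android.permission.READ_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
]

# (category, regex): one rule per kind of finding the sections above looked for.
RULES = [
    ("command_exec", re.compile(r"\.exec\((?:[^()]|\([^()]*\))*\)(?:\.waitFor\(\))?")),
    ("content_uri", re.compile(r"content://[A-Za-z0-9_./-]+")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("env_var", re.compile(r'getenv\("[A-Z_]+"\)')),
]

# Content provider authority -> runtime permission that guards it
# (well-known Android pairs; illustrative rather than exhaustive).
URI_PERMISSION = {
    "sms": "android.permission.READ_SMS",
    "com.android.calendar": "android.permission.READ_CALENDAR",
    "calendar": "android.permission.READ_CALENDAR",
    "com.android.contacts": "android.permission.READ_CONTACTS",
    "call_log": "android.permission.READ_CALL_LOG",
}


def scan(sources: dict) -> dict:
    """Grep every source line against RULES; each hit is a {'file','line','match'} record."""
    hits = defaultdict(list)
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, rx in RULES:
                for m in rx.finditer(line):
                    hits[category].append({"file": path, "line": str(lineno), "match": m.group(0)})
    return hits


def authority(uri: str) -> str:
    """The provider authority of a content:// URI (the part before the first '/')."""
    return uri[len("content://"):].split("/", 1)[0]


def permission_gaps(hits: dict, declared: list) -> dict:
    """Compare the content URIs found in code with the permissions the manifest declares."""
    needed = {URI_PERMISSION[authority(h["match"])]
              for h in hits["content_uri"] if authority(h["match"]) in URI_PERMISSION}
    guarded_declared = {p for p in declared if p in URI_PERMISSION.values()}
    return {
        # code queries a provider without requesting its permission: the query
        # throws at runtime, so the path is dead code or the manifest is stale
        "uri_without_permission": sorted(needed - guarded_declared),
        # provider permission requested but no matching URI in the code: the
        # access may be built dynamically or reflectively, so it deserves a closer look
        "permission_without_uri": sorted(guarded_declared - needed),
    }


if __name__ == "__main__":
    found = scan(SOURCES)
    for category, records in found.items():
        print(category)
        for r in records:
            print(f"  {r['file']}:{r['line']}  {r['match']}")
    print("permission cross-check:", permission_gaps(found, DECLARED_PERMISSIONS))
```

Keeping the rules as a table means a new indicator (for example, another provider authority) is one added line rather than a new function, and the record shape stays compatible with the list-comprehension filtering shown above.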

Conclusion

As we can see, a wide variety of Android application analysis can be done very quickly using glorifiedgrep.