
AMD: Android Malware Detector

It is used to check whether an Android App is malicious.
We first use a similarity function to compare the App with previously analyzed Apps.
If it is not sufficiently similar to any of them, we perform taint analysis on it to check
whether there is a privacy data leak.

Obtaining the software:
=======================

Just use git to clone the whole project:

git clone https://github.com/erase2004/Malware-Analysis.git

Prerequisites:
==============

To run the program correctly, make sure that you have installed the following software and libraries.

After installing the prerequisites, you have to create the following directories:

<Project_dir>/log
<Project_dir>/files
<Project_dir>/files/BB
<Project_dir>/files/FH
<Project_dir>/files/REPORT

Also create a dedicated MySQL user and corresponding password for the program.
Store the MySQL username and password in secret.txt in Project_dir in the following format:

username:<your_username>
password:<your_password>

Then import permission.sql into MySQL using that account.
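The setup steps above, as an added example (this is not part of the Malware-Analysis project): it creates the required directory layout, writes secret.txt in the "username:<...>" / "password:<...>" format, and reads it back while refusing a file that other local users can read, since the file holds live database credentials. The function names and the sample credential values are constructed for this illustration.

```python
"""Added example (not project code): create the README's directory layout
and handle secret.txt safely."""
import os
import stat
import tempfile
from pathlib import Path

# Directories the README says must exist under Project_dir.
REQUIRED_DIRS = ("log", "files", "files/BB", "files/FH", "files/REPORT")


def ensure_layout(project_dir):
    """Create every required directory (idempotent); return the paths."""
    base = Path(project_dir)
    created = []
    for rel in REQUIRED_DIRS:
        path = base / rel
        path.mkdir(parents=True, exist_ok=True)
        created.append(path)
    return created


def write_secret(project_dir, username, password):
    """Write secret.txt in the README's format with owner-only permissions."""
    path = Path(project_dir) / "secret.txt"
    # Open with mode 0600 from the start so the credentials are never
    # momentarily readable by other users, whatever the umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username:{username}\npassword:{password}\n")
    return path


def parse_secret(text):
    """Parse 'key:value' lines; a password may itself contain ':'."""
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"secret.txt line {lineno}: expected key:value")
        key, value = line.split(":", 1)
        creds[key.strip()] = value.strip()
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise ValueError(f"secret.txt is missing {sorted(missing)}")
    return creds


def load_secret(project_dir):
    """Read secret.txt, rejecting it if group or other can access it."""
    path = Path(project_dir) / "secret.txt"
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is accessible to others (mode {mode:o}); run chmod 600 on it")
    return parse_secret(path.read_text())


def demo(project_dir=None):
    """Run the whole setup on a scratch Project_dir; return the parsed creds."""
    if project_dir is None:
        project_dir = tempfile.mkdtemp(prefix="amd-demo-")
    ensure_layout(project_dir)
    # Constructed sample credentials, not real ones.
    write_secret(project_dir, "amd_user", "example:pass")
    return load_secret(project_dir)


if __name__ == "__main__":
    print(demo())
```

The permission check matters because pdaemon runs as a long-lived daemon on a shared analysis host: a readable secret.txt would hand the permission database account to any local user.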

Running the program:
====================

At Project_dir, just type ./pdaemon; the program then runs as a daemon.
Now you can upload your Android Apps to Project_dir/files to be analyzed.
You can get the result from Project_dir/files/result.txt and/or the
corresponding report files in Project_dir/files/REPORT.

To stop the program, you just need to type ./stop.sh at Project_dir.
You can check whether the program is running or stopped by reading pdaemon.log in Project_dir/log.

Program functions and files introduction:
=========================================

  • Project_dir
    - pdaemon.c
      pdaemon.c is the source file of the main program pdaemon.

    - pdaemon.lock
      pdaemon.lock records the PID of pdaemon while pdaemon is running.

    - pdaemon
      pdaemon is the main program. It sequentially calls the other programs in Project_dir/bin
      so that the daemon can perform Android App analysis automatically.
      It writes its log to pdaemon.log in Project_dir/log.

    - stop.sh
      It reads the PID stored in pdaemon.lock and stops the main program when the user runs it.

    - condCode.txt
      It records the mapping between numbers and conditions.
      Users can interpret the second value of each line in result.txt in Project_dir/files using condCode.txt.

  • Project_dir/bin
    - unzip.pl
      It unzips apk files into corresponding directories.

    - toSmali.pl
      It converts class.dex in each apk directory into *.smali using baksmali.jar.

    - baksmali.jar
      It is a disassembler for Android's dex format built by others.
      Project Home: http://code.google.com/p/smali/

    - toBasicBlock.pl
      It reads the *.smali files of each apk, then stores the useful information in a corresponding .bb file in Project_dir/files/BB.

    - featureHash.pl
      It generates the feature hash value of each apk by reading the corresponding .bb file.
      Then it stores the values in FHTemp.txt in Project_dir/files/FH.

    - distance.pl
      It calculates the similarity between the feature hash values using Jaccard similarity.
      If no existing feature hash value has high similarity with an App, the App is left for taint analysis.

    - mainDetect.pl
      It converts class.dex of each apk that passed the similarity test but was left for taint analysis into
      a corresponding .jar using dex2jar. Then it calls CallGraphAnalysis.pl and passes the values to it for further analysis.

    - dex2jar
      It is a tool that works with Android .dex and Java .class files, built by others.
      Project Home: http://code.google.com/p/dex2jar/

    - CallGraphAnalysis.pl
      It uses the function call graph of the Android App generated by javacg-static.jar and
      the Android API information stored in the permission database to perform taint analysis.
      It checks whether the Android App has a privacy data leak, then stores the result in a corresponding report file
      in Project_dir/files/REPORT.

    - javacg-static.jar
      It is a subprogram of java-callgraph. It is used to produce a static call graph for Java programs.
      It is built by others.
      Project Home: https://github.com/gousiosg/java-callgraph
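The two analysis stages described for featureHash.pl/distance.pl and for CallGraphAnalysis.pl, as one added example in Python (the project's own tools are Perl scripts; this is not their code). It builds a feature set from constructed basic-block text, compares it to known apps with Jaccard similarity, and, for apps with no close match, walks a call graph from every method that calls a privacy source to see whether a network sink is reachable. The .bb layout, the "caller -> callee" edge format, the source/sink lists standing in for the permission database, and the 0.8 threshold are all assumptions made for this illustration.

```python
"""Added example (not the project's Perl code): similarity pre-filter plus a
call-graph approximation of the taint check. Input formats are assumed."""
import hashlib
from collections import deque

SIMILARITY_THRESHOLD = 0.8  # assumed cut-off; the README does not state one


def feature_hash(bb_text, n=2):
    """One feature per opcode n-gram inside a basic block. Blocks are
    separated by blank lines; each line starts with an opcode (assumed)."""
    features = set()
    for block in bb_text.strip().split("\n\n"):
        ops = [ln.split()[0] for ln in block.splitlines() if ln.strip()]
        if not ops:
            continue
        for i in range(max(len(ops) - n + 1, 1)):
            gram = "|".join(ops[i:i + n])
            features.add(hashlib.sha1(gram.encode()).hexdigest()[:16])
    return features


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def closest_known(fh, known):
    """Best (name, score) over previously analyzed apps."""
    best_name, best_score = None, 0.0
    for name, other in known.items():
        score = jaccard(fh, other)
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def needs_taint_analysis(fh, known, threshold=SIMILARITY_THRESHOLD):
    """distance.pl's decision: no close match means hand the app on."""
    return closest_known(fh, known)[1] < threshold


def parse_call_graph(lines):
    """Parse 'caller -> callee' edges (constructed format) into adjacency."""
    graph = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caller, callee = (s.strip() for s in line.split("->", 1))
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set())
    return graph


def find_leaks(graph, sources, sinks):
    """From each app method that directly calls a privacy source, BFS forward
    and report any sink it can reach. This over-approximates (no data-flow
    tracking), so each hit is a candidate for review, not proof of a leak."""
    callers = {}
    for caller, callees in graph.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)
    leaks = []
    for src in sorted(sources):
        for start in sorted(callers.get(src, ())):
            parent, queue = {start: None}, deque([start])
            while queue:
                node = queue.popleft()
                if node in sinks:
                    path, cur = [], node
                    while cur is not None:
                        path.append(cur)
                        cur = parent[cur]
                    leaks.append({"source": src, "sink": node, "path": path[::-1]})
                    break
                for nxt in sorted(graph.get(node, ())):
                    if nxt not in parent:
                        parent[nxt] = node
                        queue.append(nxt)
    return leaks


def analyze(bb_text, known, graph_lines, sources, sinks):
    """Whole pipeline for one app: skip taint analysis on a close match."""
    fh = feature_hash(bb_text)
    name, score = closest_known(fh, known)
    if score >= SIMILARITY_THRESHOLD:
        return {"similar_to": name, "score": score, "leaks": None}
    leaks = find_leaks(parse_call_graph(graph_lines), sources, sinks)
    return {"similar_to": name, "score": score, "leaks": leaks}


# Constructed sample inputs (not real apps or real javacg output).
SAMPLE_BB = {
    "known_app": "invoke-virtual\nmove-result\nif-eqz\n\ninvoke-static\nreturn-void\n",
    "repack":    "invoke-virtual\nmove-result\nif-eqz\n\ninvoke-static\nreturn-void\n",
    "unknown":   "const-string\ninvoke-virtual\nmove-result-object\nreturn-object\n",
}
SAMPLE_GRAPH = """
com.ex.Main:onCreate -> com.ex.Collector:grab
com.ex.Collector:grab -> android.telephony.TelephonyManager:getDeviceId
com.ex.Collector:grab -> com.ex.Net:send
com.ex.Net:send -> java.net.HttpURLConnection:getOutputStream
com.ex.Ui:draw -> android.widget.TextView:setText
"""
SOURCES = {"android.telephony.TelephonyManager:getDeviceId"}  # stand-in for permission DB
SINKS = {"java.net.HttpURLConnection:getOutputStream"}

if __name__ == "__main__":
    known = {"known_app": feature_hash(SAMPLE_BB["known_app"])}
    for app in ("repack", "unknown"):
        print(app, analyze(SAMPLE_BB[app], known, SAMPLE_GRAPH.splitlines(), SOURCES, SINKS))
```

The repackaged sample scores 1.0 against the known app and never reaches the call-graph stage; the unknown sample scores 0.0 and yields one candidate path from the method that reads the device ID to the HTTP output stream, which is what the report file would record.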

Author
======

Po-Wei Chen [email protected]
Chi-Hong Ke [email protected]
Wei-Chen Lin [email protected]
