Dynamic Analysis of Android Malware Through Smali Gadget Injection – Insights from JPCERT/CC

Smali gadget injection enables flexible dynamic analysis of Android malware by injecting a gadget into the APK’s smali code to log inputs and outputs during execution. The article outlines the end-to-end workflow—from decompiling the APK and injecting the gadget to rebuilding, signing, and running the repackaged APK in a controlled emulator.
#SmaliGadget #AndroidMalwareAnalysis #APKTool #Cerberus #JPCERTCC #Frida

Keypoints

  • The dynamic analysis of Android malware is challenging due to limitations in existing tools like Frida.
  • Smali gadget injection is introduced as a more flexible method for dynamic analysis.
  • The process begins with decompiling the APK to identify the target methods for analysis.
  • Tools like Apktool are used to extract and edit the smali files of the APK.
  • Gadgets are injected into the smali files to log arguments and return values for debugging purposes.
  • After injection, the smali files are assembled, signed, and repackaged into a new APK.
  • The repackaged APK is executed in a virtual device environment for dynamic analysis.
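As an added illustration of the injection step in the Keypoints above (not code from the JPCERT article or its tooling), the following Python rewrites one apktool-decoded smali method so that it logs every parameter on entry via android.util.Log; the sample method, the log tag and the two-register `.locals` bump are constructed assumptions, and the register-limit check is the caveat you hit on methods with many parameters.

```python
import re

LOG_TAG = "SMALI_GADGET"   # constructed tag: filter logcat on it once the repackaged APK runs in the emulator
METHOD = re.compile(r"^\.method\s+((?:[\w-]+\s+)*)(\S+?)\(([^)]*)\)\S+\s*$")
PARAM = re.compile(r"\[*(?:L[^;]+;|[ZBSCIJFD])")   # one type descriptor out of a parameter list

def log_gadget(params, is_static, locals_after):
    """Smali that Log.d's every parameter at method entry, using two fresh locals (tag, stringified value)."""
    tag, val = locals_after - 2, locals_after - 1
    lines = [f'    const-string v{tag}, "{LOG_TAG}"']
    p = 0 if is_static else 1                          # p0 is 'this' on instance methods
    for t in params:
        wide = t in ("J", "D")                         # long/double occupy a register pair
        # primitives use the matching String.valueOf overload (byte/short widen to int);
        # objects and arrays go through valueOf(Object), which also turns null into "null"
        sig = {"B": "I", "S": "I"}.get(t, t) if len(t) == 1 else "Ljava/lang/Object;"
        regs = f"p{p}, p{p + 1}" if wide else f"p{p}"
        lines.append(f"    invoke-static {{{regs}}}, Ljava/lang/String;->valueOf({sig})Ljava/lang/String;")
        lines.append(f"    move-result-object v{val}")
        lines.append(f"    invoke-static {{v{tag}, v{val}}}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I")
        p += 2 if wide else 1
    if locals_after + p - 1 > 15:   # plain invoke-static addresses only v0..v15, and pN lives at v{locals+N}
        raise ValueError("registers exceed v15 after the .locals bump; use invoke-static/range instead")
    return lines

def inject_gadget(smali, method_name):
    """Return the class's smali with the gadget inserted after .locals of every method named method_name."""
    out, target = [], None
    for line in smali.splitlines():
        m = METHOD.match(line)
        if m and m.group(2) == method_name:
            target = ("static" in m.group(1).split(), PARAM.findall(m.group(3)))
            out.append(line)
        elif target and line.strip().startswith(".locals"):
            new_locals = int(line.split()[1]) + 2      # bump so the gadget never clobbers the method's own registers
            out.append(f"    .locals {new_locals}")
            out.extend(log_gadget(target[1], target[0], new_locals))
            target = None
        else:
            target = None if line.startswith(".end method") else target   # body-less (abstract/native) methods
            out.append(line)
    return "\n".join(out) + "\n"

SAMPLE = """.method public static a(Ljava/lang/String;I)Ljava/lang/String;
    .locals 1
    const-string v0, "ok"
    return-object v0
.end method
"""  # constructed stand-in for one apktool-decoded method; not the Cerberus sample's code
```

Run `inject_gadget(SAMPLE, "a")` to see the patched method; it assumes apktool's default output (a `.locals` directive and parameters referenced as pN), so a method decoded with `.registers` is left untouched.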

MITRE Techniques

  • [T1203] Execution – Exploiting vulnerabilities in applications to execute malicious code.
  • [T1547] Persistence – Modifying application files to maintain persistence on the device.
  • [T1068] Privilege Escalation – Gaining elevated permissions to access sensitive data or functionality.
  • [T1027] Defense Evasion – Using obfuscation techniques to hide malicious activities from detection.
  • [T1003] Credential Access – Extracting sensitive information such as passwords or tokens from the application.

Indicators of Compromise

  • [Hash] Hash value – 1249c4d3a4b499dc8a9a2b3591614966145daac808d440e5202335d9a4226ff8 (Cerberus) – Appendix: Hash value of Android malware used
  • [File] Repackaged APK – mal.apk – created for dynamic analysis
  • [File] Smali gadget file path – smali/com/fky/lblabjglab/a.smali – location where gadget is injected

Read more: https://blogs.jpcert.or.jp/en/2024/08/smaligadget.html