Zscaler Blog


Security Research

Hey AndroGuard, I Will Crash You Or Your Python Buddy!

THREATLABZ
March 13, 2013 - 2 min read

AndroGuard is a popular tool used by security professionals to analyze Android APK files.
Quite a few APK analysis tools have been built on top of it. They usually call Python's library (zipfile) to unzip APK files before reverse engineering them. No wonder some Android malware has tried to apply anti-debugging tricks to crash AndroGuard or Python, just as PC malware has done against OllyDbg and IDA Pro.

I came across a few Android samples which were able to crash (not crush) AndroGuard. I would like to share some information here. However, I'm not quite sure whether the code inside these samples is deliberate anti-debugging or just triggers bugs in AndroGuard.

1. Uncommon padding values for the "link_size" and "link_off" fields

2. Unpack function failure in Python's zipfile.py

Here is one example. The sample with MD5 value 22ff8b141bc187095ded6a431073028c protected itself from being unzipped by AndroGuard. VirusTotal showed it as belonging to the Android/Wooboo malware family.


Only 5 AV engines detected it as malicious.


This sample caused an error by leveraging Python's alignment on 4-byte boundaries: "unpack('
This application reads the unique device ID, i.e. the IMEI for GSM phones and the MEID or ESN for CDMA phones. It also calls 'Landroid/content/Context;->getPackageName()Ljava/lang/String;' under the tag 'Wooboo SDK'.

Kudos to the new patch of zipfile.py, which resolved this problem. You can download the latest version to get this patch.

    def _decodeExtra(self):
        # Try to decode the extra field.
        extra = self.extra
        unpack = struct.unpack
        while len(extra) >= 4:
            tp, ln = unpack('
            .....
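To make the failure mode concrete, here is an added example (not from the post and not zipfile.py's own code) that walks a ZIP extra field both the pre-patch way and with the len(extra) >= 4 guard shown above. The sample extra fields are constructed, and the "naive" loop is my reconstruction of the behaviour the post describes (unpacking a 4-byte record header when fewer than 4 bytes remain), not the library's verbatim code.

```python
import struct

# Constructed ZIP "extra" fields (not taken from the Wooboo sample). Each
# record is a 4-byte little-endian header (id, length) followed by data.
GOOD_EXTRA = struct.pack('<HH', 0x7875, 11) + bytes(range(11))
# Same record plus three padding bytes: too short for another header,
# which is what tripped the pre-patch zipfile loop.
PADDED_EXTRA = GOOD_EXTRA + b'\x00\x00\x00'
# A record whose declared length overruns the buffer.
OVERRUN_EXTRA = struct.pack('<HH', 0x1234, 40) + b'\xaa' * 4


def decode_extra_naive(extra):
    """Pre-patch style walk: loop while any bytes remain, so a 1-3 byte
    tail makes struct.unpack raise struct.error ('<HH' needs 4 bytes).
    An overrunning length is silently truncated rather than reported."""
    records = []
    while extra:
        tp, ln = struct.unpack('<HH', extra[:4])
        records.append((tp, extra[4:4 + ln]))
        extra = extra[4 + ln:]
    return records


def decode_extra_robust(extra):
    """Patched style walk: stop once fewer than 4 bytes remain (trailing
    padding is ignored) and report a record claiming more data than is
    left. Returns (records, problem); problem is None when all is well."""
    records = []
    while len(extra) >= 4:
        tp, ln = struct.unpack('<HH', extra[:4])
        if 4 + ln > len(extra):
            problem = 'record 0x%04x declares %d bytes but only %d remain'
            return records, problem % (tp, ln, len(extra) - 4)
        records.append((tp, extra[4:4 + ln]))
        extra = extra[4 + ln:]
    return records, None


def naive_crashes(extra):
    """True when the pre-patch walk raises struct.error on this field."""
    try:
        decode_extra_naive(extra)
    except struct.error:
        return True
    return False
```

Pointing decode_extra_robust at the ZipInfo.extra of each entry in zipfile.ZipFile(apk).infolist() gives a quick audit of odd extra fields before an APK is handed to other tooling.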


3. Manipulating the values returned by search_methods()

For example, a malicious sample can make search_methods("Landroid/media/MediaRecorder", "setAudioSource", ".") return unexpected values, so that int(get_register_value(1, registers)) cannot retrieve the correct information and crashes.
Some malware took advantage of this to hide its "voice/audio recording" risk behavior.
This is a matter of how the analysis code is written, though, and not directly related to AndroGuard.


Anyway, if you are doing projects based on AndroGuard, make sure to download the latest version, which was updated in Dec 2012. The authors have added some fancy features.

Good job, AndroGuard guys!
