Android Static Analysis, Static APK Triage (PUP Malware)


Today I will quickly describe the static techniques available to ascertain the maliciousness of an Android APK file.

How long will it take for a user to get infected with some sort of malware in their phones? make a guess…

The android mobile ecosystem is plagued with all sort of malware infecting and exposing the user privacy. As to date and different reports being released by different vendors the top 3 attack vectors are, Trojans, Spyware and of course Adware.

Attacking users through their mobile devices is becoming increasily easy as the number of users grow. For cyber criminals is getting easier and easier as they need to consolidate 3 aspects before commiting the crime. Today they have the means, opportunity and motivation.

  • Means, they inject adware code into existing or new android applications
  • Opportunity, users are going out of the mobile ecosystem and downloading web apk´s which are compromised
  • Motivation, mostly financial as these methods create economies of scale.

Doing a quick search on Google for apk´s to download we end up in a website called,

Now let´s pick up a very well know title such as angry birds. And we see the results, please notice how I do not know if intentionally or not the page states that as of July 2015 all the files they are serving are being scanned through Antivirus first.


As you can imagine, I proceded to download the apk file for Angry Birds and here is where you can see how fast you can put your security at risk.

What I did after is static analysis to determine how malicious is the apk I downloaded from this site. In general these are the minimun number of steps to take to ascertain the behaviour of an android application from an incident response perspective.

1.Check for existing signatures in Virustotal


Surprise! our dear Angry Brids come with additional content!!!

2.Permissions analysis, I normally use the apktool in Santoku Linux


This will create a directory in which you can access the manifest file to analyse the android apk permissions as well as intents and activities which in some cases may reveal malicious activity.


Any apk file is in essence a compressed file. Taking an apk and renaming to zip will allow us to explore the apk manually.

3.Explore the apk file manully, one of  the first folders to look is the resource folder where we can find images that can reveal illegal activity.

4.String search in classes.dex, this file is the Dalvik Executable containing the source code. Looking for strings may reveal or provide evidences of evil. The strings comman in Linux will dump all strings present in the dex file.

strings xyz.dex > stringfile.txt

Opening the stringfile.txt will give us access to the strings in the dex file.

5.Extracting the certificate which signed the apk file.


In the image above we can appreciate how the potential threat actor may be in Russia by the details left in the certificate. Also notice the generic email address used to signed the certificate, I pressume that Rovio the software developer of Angry Birds would not signed the application with these details. A quick search on google´, will reveal more results and applications where the certificate used contained that email address. Is is it possible that we found our threat actor? is he still actively injecting ads in some of the most popular applications? I also found a social network profile but it is up to you to reasearch further.


6.Decompiling the dex file. Last step will be to create a Jar file from Dex which is known as decompilation. This will allow us to get an idea of the structure and functionality implemented by the code once you open the resulting file with JD-GUI.


All these steps will be desiderable in order to extract context from the apk we are analysing.

There are other tools which are less manual and faster in provinding information to ascertain the behaviour of the apk but not wanting to rely in third party tools I decided to start with this post which introduce the basic steps and tools.

In coming weeks I will continue this post with additional tools and techniques.The most important take away from the post will be that downloading apk´s from websites or stores out of the mobile application ecosystem such as Google Play or Apple is a risky process. These stores are being continually monitored and pentested to mitigage as much as possible the effects of malware however still vulnerable. Needless to say that other stores out there such as the one in this example did not wait to long to server us a nice piece of malware/pup.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s