Setting Up a Malware Analysis Environment
Summary
This is not meant to be a step-by-step tutorial; rather, I wanted to make a good listing of the most useful tools I use daily for malware analysis. To do malware analysis on Android we only need 3+1 things: a computer, the right tools, a malware sample (and brains). In this post I will help you set up a malware analysis virtual machine with all the essential tools to get you started. This post by no means covers all available tools.
Please note: I am demonstrating the following tools on a Linux environment. This doesn't mean you can't use the same tools on other operating systems like Windows or macOS; most of the tools described in this post are cross-platform.
Linux installation
I will not go as far as to make a tutorial on how to set up a virtual machine and install a Linux distribution, since it has been done by many others. I will try to cover as much as possible of the tools I use and their installation process, but if you find yourself stuck at any point of this post a simple Google search will most certainly answer your questions. Google is your best buddy if you are doing anything related to computers, so google every question you have; you will be amazed how many other people had the same question.
For the sake of this post let's just use Ubuntu, since it is one of the most common distributions. What I usually like to do is to keep the installation as clean as possible and de-bloat the standard installation. For this reason we are going to use a very useful script [01], which we invoke through curl with the following command. This is a personalization step, so you can choose what you want or don't want. Since the command pipes a remote script straight into sh, download it first and read it before running it, as you should with anything you pull off the internet into your analysis VM.
curl -sSL https://raw.githubusercontent.com/terminalforlife/Extra/master/source/simplify-ubuntu/simplify-ubuntu | sh
Essential Tools
This section covers almost mandatory tools you need to have in order to work with Android malware. We can separate malware analysis into two parts, static analysis and dynamic analysis. I am going to follow this separation and add one more layer of separation, the essential tools. Essential tools are tools not directly connected with malware or reverse engineering (RE).
List of tools: [android studio, android platform-tools, aapt, apktool, VScode, Recaf]
Android Studio[02] is the official IDE for creating android applications.
First we have to install the dependencies and then download and install Android Studio. The preferred location for tools in this post will be /opt/.
# 32-bit libraries required by the Android Studio / SDK tooling
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386 lib32z1 libbz2-1.0:i386
# download android studio from https://developer.android.com/studio
# extract
tar -xvzf /path/to/tarball/android-studio-XXXX-linux.tar.gz
# move to /opt (owned by root, hence sudo)
sudo mv android-studio/ /opt/
# run (absolute path; ./opt/... would look for an opt directory in the current folder)
/opt/android-studio/bin/studio.sh
The Android SDK platform tools [03] contain the Android Debug Bridge (ADB) and fastboot [04]. Those tools are essential in order to connect to Android devices or emulators. Furthermore we will need the Android Asset Packaging Tool (AAPT) [05] and apktool. AAPT and apktool will aid us later on to decompile and recompile Android packages (APKs).
sudo apt-get install -y android-sdk-platform-tools aapt apktool
# the apktool package in the Ubuntu repositories can lag behind; the current release jar is at https://github.com/iBotPeaches/Apktool/releases
Some other useful tools are a good IDE of your choice (I prefer VSCode) and a good bytecode editor; we are going to use Recaf [06].
# download vscode from https://code.visualstudio.com/Download
sudo dpkg --install /path/to/code_XXXX.deb
# we are going to install a JDK and JRE since we are going to need those in the future too
sudo apt-get install -y default-jre default-jdk
# download recaf from https://github.com/Col-E/Recaf/releases/latest
# pick the recaf-XXX-jar-with-dependencies.jar asset
sudo mkdir /opt/recaf
sudo mv /path/to/downloaded/recaf-XXX-jar-with-dependencies.jar /opt/recaf
# to run recaf
java -jar /opt/recaf/recaf-XXX-jar-with-dependencies.jar
Static Analysis Tools
For static analysis we need a decompiler for the native code and a decompiler for the Dalvik bytecode of an application.
Ghidra or IDA for the native parts of an application (shared libraries). I prefer Ghidra since this is my hobby and I don't have access to a licensed IDA.
# download https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.2_build/ghidra_10.2.2_PUBLIC_20221115.zip
# Ghidra 10.2.x requires JDK 17; if the launcher complains, check `java -version`
unzip /path/to/ghidra_10.2.2_PUBLIC_20221115.zip
sudo mv ghidra_10.2.2_PUBLIC /opt/
# run
/opt/ghidra_10.2.2_PUBLIC/ghidraRun
# install the Ghidra Frida hook generator from https://github.com/CENSUS/ghidra-frida-hook-gen/tree/main/dist [07]
# install JNIAnalyzer from https://github.com/Ayrx/JNIAnalyzer [08]
# dark theme for Ghidra [09]
git clone https://github.com/zackelia/ghidra-dark
cd ghidra-dark
python3 install.py
jadx-gui [10] is one of the best free DEX-to-Java decompilers. If you have a license for JEB, go with JEB.
git clone https://github.com/skylot/jadx
cd jadx
./gradlew dist
# dist produces build/jadx/ containing both bin/ and lib/; move the whole directory, not just bin/, or the launcher will not find its jars
sudo mv build/jadx /opt/jadx
# run
/opt/jadx/bin/jadx-gui
Dynamic Analysis Tools
Frida for dynamic binary instrumentation.
# download the frida-server release from https://github.com/frida/frida/releases matching the architecture of the emulator/device you are going to run it on
# the frida-server version must match the frida-tools version installed on the host
python3 -m pip install frida-tools
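Picking the right frida-server build and getting it running on the target is the part that usually goes wrong, so here is an added example (not from the original post) that maps the device's reported ABI to the architecture tag Frida uses in its release file names, pushes the binary and checks that the host can see it. It assumes adb and frida-tools are on PATH, that the matching frida-server-<version>-android-<arch>.xz was downloaded into $FRIDA_DIR, and the fallback version 16.0.10 and the $FRIDA_DIR default are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not the post's own code: deploy a frida-server matching the device ABI.
set -e

# Assumed: version taken from the host's frida-tools so client and server match;
# 16.0.10 is only a placeholder fallback when frida-tools is not installed.
FRIDA_VERSION="${FRIDA_VERSION:-$(frida --version 2>/dev/null || echo 16.0.10)}"
# Assumed download location of the frida-server .xz release asset.
FRIDA_DIR="${FRIDA_DIR:-$HOME/Downloads}"

# Map an Android ABI string (as reported by ro.product.cpu.abi) to the
# architecture tag used in frida-server release file names.
abi_to_frida_arch() {
  case "$1" in
    arm64-v8a)            echo arm64 ;;
    armeabi-v7a|armeabi)  echo arm ;;
    x86_64)               echo x86_64 ;;
    x86)                  echo x86 ;;
    *)                    return 1 ;;
  esac
}

# Release asset name for a given Frida version and device ABI.
frida_server_asset() {
  arch=$(abi_to_frida_arch "$2") || return 1
  echo "frida-server-$1-android-$arch.xz"
}

# Push frida-server to the connected device, start it as root and verify.
deploy_frida_server() {
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  asset=$(frida_server_asset "$FRIDA_VERSION" "$abi") || {
    echo "unsupported ABI: $abi" >&2; return 1; }
  [ -f "$FRIDA_DIR/$asset" ] || {
    echo "missing $FRIDA_DIR/$asset, download it from the Frida releases page" >&2; return 1; }

  xz -dkf "$FRIDA_DIR/$asset"          # keep the .xz, produce the raw binary next to it
  bin="${asset%.xz}"
  adb push "$FRIDA_DIR/$bin" /data/local/tmp/frida-server
  adb shell chmod 755 /data/local/tmp/frida-server

  # frida-server needs root: adb-rooted emulators already give uid 0,
  # a Magisk-rooted phone needs su.
  if adb shell id | grep -q 'uid=0'; then
    adb shell '/data/local/tmp/frida-server -D'
  else
    adb shell "su -c '/data/local/tmp/frida-server -D'"
  fi
  sleep 1
  frida-ps -U >/dev/null && echo "frida-server $FRIDA_VERSION reachable over USB"
}

# Only act when explicitly asked, so sourcing this file just defines the functions.
[ "${1:-}" = "deploy" ] && deploy_frida_server
```

Run it as `sh deploy-frida.sh deploy` with the device attached; `frida-ps -U` listing processes is the confirmation that the server version matches the host tools.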
Burp Suite: download and install Burp, it ships as an installer. We are going to use Burp to intercept the application's traffic during dynamic analysis. Keep in mind that since Android 7 apps only trust the system CA store by default, so Burp's CA has to go into the system store of a rooted device or emulator, and samples that pin their certificate will need the pinning bypassed (a typical Frida job).
Some worth mentioning tools are the following:
Emulation / Device options
We need a device or an emulator to run the sample on for dynamic analysis. Here we have a few options: a (Magisk) rooted device (not your daily device, IT'S MALWARE, REMEMBER?), an emulator, or an emulator running in Docker [11].
I always prefer a rooted device over an emulator. But if you go with the emulator, make sure you create an AVD without the Play Store (a google_apis system image rather than google_apis_playstore), or else you won't have root instantly (adb root only works on images without Google Play, since those are production builds) and you will have to root it with Magisk. You can always try Magisk on the emulator.
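To tie the emulator choice above to the Burp setup from the dynamic analysis section, here is an added example (not from the original post) that creates a rootable AVD from the command line, boots it with a writable /system and installs Burp's CA into the system trust store. It assumes ANDROID_SDK_ROOT points at the SDK that Android Studio installed, that Burp's CA was exported in DER format to $BURP_CA, and the AVD name, image and paths are placeholders I chose, not values from the post.

```shell
#!/bin/sh
# Added example, not the post's own code: rootable AVD + Burp CA in the system store.
set -e

# Assumed locations and names (override via the environment).
ANDROID_SDK_ROOT="${ANDROID_SDK_ROOT:-$HOME/Android/Sdk}"
BURP_CA="${BURP_CA:-$HOME/burp-cacert.der}"
AVD_NAME="${AVD_NAME:-malware-lab}"
IMAGE="${IMAGE:-system-images;android-30;google_apis;x86_64}"

# Play Store images are production builds where adbd refuses to run as root.
# Accept only google_apis or default images, which `adb root` can elevate.
is_rootable_image() {
  case "$1" in
    *";google_apis_playstore;"*)        return 1 ;;
    *";google_apis;"*|*";default;"*)    return 0 ;;
    *)                                  return 1 ;;
  esac
}

# File name Android expects for a system CA: OpenSSL old-style subject hash + ".0".
ca_store_name() {
  hash=$(openssl x509 -inform DER -in "$1" -subject_hash_old -noout)
  echo "$hash.0"
}

create_avd() {
  is_rootable_image "$IMAGE" || { echo "refusing non-rootable image $IMAGE" >&2; return 1; }
  tools="$ANDROID_SDK_ROOT/cmdline-tools/latest/bin"
  "$tools/sdkmanager" "$IMAGE"
  "$tools/avdmanager" create avd -n "$AVD_NAME" -k "$IMAGE" -d pixel --force
}

boot_avd() {
  # -writable-system is what later lets `adb remount` make /system writable
  "$ANDROID_SDK_ROOT/emulator/emulator" -avd "$AVD_NAME" -writable-system -no-snapshot &
  adb wait-for-device
  until [ "$(adb shell getprop sys.boot_completed | tr -d '\r')" = "1" ]; do sleep 2; done
}

install_burp_ca() {
  name=$(ca_store_name "$BURP_CA")
  openssl x509 -inform DER -in "$BURP_CA" -out "/tmp/$name"   # store wants PEM
  adb root
  adb remount   # on newer images the first remount asks for a reboot; rerun boot_avd and repeat
  adb push "/tmp/$name" /system/etc/security/cacerts/
  adb shell chmod 644 "/system/etc/security/cacerts/$name"
  # Android 14 moved the system store into the conscrypt APEX; this path does not apply there.
}

case "${1:-}" in
  create) create_avd ;;
  boot)   boot_avd ;;
  burp)   install_burp_ca ;;
esac
```

Usage is `sh lab-avd.sh create`, then `sh lab-avd.sh boot`, then `sh lab-avd.sh burp` with Burp listening on a host port the emulator can reach (10.0.2.2 from inside the AVD maps to the host); the image check is what keeps you from building an AVD that adb cannot root.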
References
- 01 - Debloat Script (Source)
- 02 - Android Studio IDE (Official Site)
- 03 - Android SDK Platform Tools
- 04 - ADB and Fastboot Documentation (Android Docs)
- 05 - AAPT2 (Android Docs)
- 06 - Recaf A Great Bytecode Editor (Github)
- 07 - Ghidra Frida Hook Generator (Github)
- 08 - JNIAnalyzer (Github)
- 09 - Ghidra Dark Theme (Github)
- 10 - JADX (Github)
- 11 - Easy Android Emulator in Docker (Video)