
Working on Android malware, I have faced many Android malware samples that typically contain URLs of bank phishing pages. This type of malware is growing in number, so an automated detection system is really needed. The very first step to detect such malware is URL/link extraction.

One simple static approach is to decompile the app and search for strings beginning with "http" in the source code. There are many tools and libraries such as stringoid, Diggy, NinjaDroid, Androguard and many others, but as far as I have tested these tools, they cannot detect obfuscated URLs. For example, consider this code:

this.c = "/something";                                   // URL path kept in clear text
this.d = new String(Base64.decode(Application.a, 0));   // URL prefix decoded from a Base64 literal at runtime
this.a.loadUrl(this.d + this.c);                         // the full URL only exists after concatenation at runtime

It's clear that static analysis alone is insufficient, so I'm looking for some other solutions. So far, I have seen some approaches in articles that try to extract such obfuscated strings from Android APK files. One example is ForceDROID, which presents a hybrid (both static and dynamic) technique for extracting hidden information. This technique works by changing control-flow conditions to execute a certain path. Another example is based on deobfuscation.

These techniques are all great, but the problem is that there isn't any implementation of them available.

Unfortunately, I'm not skilled enough to implement such techniques. One approach I can think of is to first use a deobfuscator such as simplify and then extract URLs through static analysis (using the tools mentioned above).

What are other ways to automatically extract obfuscated URLs? Are there any tools or libraries out there?

Mehran Torki
  • If the malware has URLs hardcoded, one can reverse engineer these, going back from the calls to http-client functions. These can be obfuscated, too. But quite often, the fresh phishing URLs are downloaded from the C&C server when the malware gets activated. – Alex Cohn May 01 '18 at 07:14
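The static step the question describes (scan decompiled source for "http" strings) can be pushed one notch further without a full deobfuscator: also try every string literal as Base64, and resolve the `literal / Base64.decode / a + b` assignment pattern from the snippet above by simple constant propagation. The following is an added example written for this page, not code from stringoid, Diggy, NinjaDroid, Androguard or any other project; the decompiler-style input is constructed, the regexes are heuristics for jadx-like output, and the field-name lookup deliberately keys on the bare name (`this.d` and `d` are treated as the same field):

```python
import base64
import re

# Plain URL, Java string literal, and "looks like Base64" patterns (heuristics, not a Java parser).
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")
# Decompiler-style assignments seen in the question's snippet:
#   name = "literal";                               clear-text string
#   name = new String(Base64.decode(other, 0));     Base64-wrapped string
#   left + right                                    concatenation
ASSIGN_LIT_RE = re.compile(r'(\w+(?:\.\w+)*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
ASSIGN_B64_RE = re.compile(
    r'(\w+(?:\.\w+)*)\s*=\s*new String\(Base64\.decode\((\w+(?:\.\w+)*),\s*\d+\)\)\s*;')
CONCAT_RE = re.compile(r"(\w+(?:\.\w+)*)\s*\+\s*(\w+(?:\.\w+)*)")


def try_base64(s):
    """Decode s as standard or URL-safe Base64; return printable ASCII text, else None."""
    if not B64_RE.match(s):
        return None
    padded = s + "=" * (-len(s) % 4)  # tolerate literals stored without padding
    decoders = (lambda b: base64.b64decode(b, validate=True), base64.urlsafe_b64decode)
    for decoder in decoders:
        try:
            text = decoder(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            return text
    return None


def _key(name):
    # Heuristic: decompiled code refers to one field as this.x, Foo.x or x; key on the bare name.
    return name.rsplit(".", 1)[-1]


def extract_urls(source):
    """Return [(url, how)] found in decompiled Java source: plain, Base64-hidden and concatenated."""
    findings = []
    # 1. Clear-text URLs, which the existing string scanners already catch.
    for m in URL_RE.finditer(source):
        findings.append((m.group(0), "plain"))
    # 2. Any string literal that decodes from Base64 to text containing a URL.
    for m in LITERAL_RE.finditer(source):
        decoded = try_base64(m.group(1))
        if decoded:
            for url in URL_RE.findall(decoded):
                findings.append((url, "base64"))
    # 3. Constant propagation for the question's pattern: literals, then Base64
    #    wrappers of known literals, then "left + right" of two known values.
    values = {_key(name): lit for name, lit in ASSIGN_LIT_RE.findall(source)}
    for name, src in ASSIGN_B64_RE.findall(source):
        decoded = try_base64(values.get(_key(src), ""))
        if decoded:
            values[_key(name)] = decoded
    for left, right in CONCAT_RE.findall(source):
        if _key(left) in values and _key(right) in values:
            for url in URL_RE.findall(values[_key(left)] + values[_key(right)]):
                findings.append((url, "concat"))
    # De-duplicate while keeping discovery order.
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


# Constructed sample resembling decompiler output; the Base64 literal is "https://login-bank.example".
SAMPLE_SOURCE = """
public class Application {
    static String a = "aHR0cHM6Ly9sb2dpbi1iYW5rLmV4YW1wbGU=";
}

public void load() {
    this.c = "/something";
    this.d = new String(Base64.decode(Application.a, 0));
    this.a.loadUrl(this.d + this.c);
    this.e = "http://update.example/config.json";
}
"""

if __name__ == "__main__":
    for url, how in extract_urls(SAMPLE_SOURCE):
        print(f"{how:7s} {url}")
```

On the sample this reports the clear-text update URL as `plain`, the decoded host as `base64`, and `https://login-bank.example/something` as `concat`. The third pass is the part worth generalising: it only knows one wrapper (`new String(Base64.decode(x, 0))`), so any other encoding, or a host fetched from a C&C server as the comment above describes, still needs the dynamic approach.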

1 Answer


I am afraid there are more ways to obfuscate a URL than one can count. It's very easy to come up with another method when your last one got flagged, so static analysis is not recommended.

If possible, run the app inside an emulator, log all external communication and compare it with a whitelist of allowed sites. Static analysis will generate too many false positives and false negatives to be useful.

ThoriumBR
  • Agreed. Watching the traffic will reveal the URLs. This is a great use case for sandboxes. – schroeder Apr 30 '18 at 20:49
  • Won't a debugger also show the stored URL in memory? – schroeder Apr 30 '18 at 20:51
  • It will, but the app will probably only deobfuscate the URL when it needs to download or upload something. Sandboxing is easier. – ThoriumBR Apr 30 '18 at 23:55
  • Logging network traffic helps, but not in my case. As I said, I'm working on malware that contains a phishing page, and it needs user interaction to navigate to the phishing page. So without any user interaction, this malware doesn't have any network traffic when run inside emulators. As I want to automate the task, I think I should rather simulate user behavior in some way, but I think that's a hard task too. Any thoughts? – Mehran Torki May 01 '18 at 04:38
  • @MehranTorki sandboxes allow you to simulate user behavior – schroeder May 01 '18 at 07:06
  • It should be remembered that sophisticated malware will recognize the special environment and choose different behavior in a sandbox. – Alex Cohn May 01 '18 at 07:10
  • @schroeder It seems that I need to study sandboxes, heading to Cuckoo, thanks. – Mehran Torki May 01 '18 at 07:24
  • @AlexCohn yes, there is an arms race in this space – schroeder May 01 '18 at 14:30
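The second half of the answer, comparing logged external communication against a whitelist, is the part that can be scripted once a capture exists. This is an added example written for this page, not part of the answer or of any sandbox product: the capture lines are constructed in a simple `<timestamp> <method> <url>` format (a real tool's export would need its own parser), and the allowlist is a made-up set of domains that a bare entry also covers as a parent of subdomains. It also labels raw IP-literal hosts separately, since those have no domain to check a reputation for, and counts lines it cannot parse rather than silently dropping them:

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed emulator capture, one request per line; not output from any real tool.
SAMPLE_CAPTURE = """\
2018-05-01T07:14:02Z GET https://www.googleapis.com/androidcheck/v1
2018-05-01T07:14:03Z POST https://login-bank.example/auth/submit
2018-05-01T07:14:05Z GET http://203.0.113.10:8080/cfg
2018-05-01T07:14:06Z GET https://cdn.example.org/assets/logo.png
garbage line with no request
"""

# Sites the app is expected to talk to (constructed); a bare domain also covers its subdomains.
ALLOWLIST = {"googleapis.com", "example.org"}

LINE_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+(https?://\S+)$")


def host_allowed(host, allowlist):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (urlsplit already strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def review_capture(capture, allowlist):
    """Return (suspicious, skipped): suspicious is [(host, url, reason)] with one
    entry per host, skipped is the number of lines the parser could not read."""
    suspicious, skipped, seen = [], 0, set()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # keep count: a broken capture must not look "clean"
            continue
        url = m.group(3)
        host = urlsplit(url).hostname or ""
        if host_allowed(host, allowlist):
            continue
        reason = "ip-literal" if is_ip_literal(host) else "not-allowlisted"
        if (host, reason) not in seen:
            seen.add((host, reason))
            suspicious.append((host, url, reason))
    return suspicious, skipped


if __name__ == "__main__":
    hits, skipped = review_capture(SAMPLE_CAPTURE, ALLOWLIST)
    for host, url, reason in hits:
        print(f"{reason:16s} {host:20s} {url}")
    print(f"unparsed lines: {skipped}")
```

On the constructed capture the two Google and CDN requests pass, `login-bank.example` is reported as not allowlisted, the `203.0.113.10` request as an IP literal, and one line as unparsed. As the comment thread notes, this only sees traffic the app actually produces: a phishing page that waits for a tap, or an app that detects the sandbox, leaves an empty capture, which is why the skipped count and the total number of parsed requests are worth surfacing alongside the hits.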