Dynamic Android Analysis

As the use of Android applications increases, so does the number of applications that contain malicious code. To counter such malicious Android applications, many companies, as well as research institutes and universities, are taking alternative measures.

The first goal of this research is to find, through static analysis, input values that execute malicious code embedded in an Android-based mobile app. The second goal is to verify those input values by executing the actual malicious code through dynamic analysis. As our reference, we studied "IntelliDroid: A Targeted Input Generator for Dynamic Analysis of Android Malware".

This research is divided into four major parts.

The first is the preliminary work needed to analyze the APK file that contains the actual malicious code. In this preliminary work, we split the Android APK file into AndroidManifest.xml and classes.jar files using the programs Dare and Apktool.

The second is to find, from the generated files (AndroidManifest.xml, classes.jar), the flow of functions (called the CallPath) that actually runs the malicious code. I used the WALA tool to analyze the classes.jar file. The flow was traced using the start point of the function flow as the starting point and the API where the malicious code is executed as the end point.

The third is research on finding the constraint values that govern the actual movement between functions, by analyzing the CallPath (functions).

Fourth, we simulated the suspected malicious part by inputting the generated constraint values.

The research was commissioned by the National Security Research Institute (ETRI), an affiliate research institute of ETRI, and was conducted over 6 months, from June 10, 2016 to November 30, 2016.
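
The second and third parts above (tracing a CallPath from a start point to a targeted API, then collecting the constraints along it) can be illustrated with a small added example; it is not code from this research or from IntelliDroid. The call graph, class names, and guard conditions are constructed sample data standing in for what WALA would extract from classes.jar.

```python
from collections import deque

# Constructed call graph: caller -> [(callee, guard on that call edge or None)].
# Assumption: in the real pipeline these edges come from analyzing classes.jar.
CALL_GRAPH = {
    "SmsReceiver.onReceive": [
        ("SmsReceiver.parse", None),
        ("Logger.log", None),
    ],
    "SmsReceiver.parse": [
        ("Bot.dispatch", 'sender == "+10000000000"'),
        ("Logger.log", None),
    ],
    "Bot.dispatch": [
        ("Bot.forward", 'body.startsWith("#cmd")'),
        ("SmsReceiver.parse", None),  # cycle back; must not loop forever
    ],
    "Bot.forward": [("android.telephony.SmsManager.sendTextMessage", None)],
    "Logger.log": [],
}

ENTRY = "SmsReceiver.onReceive"  # start point (constructed event handler)
TARGET = "android.telephony.SmsManager.sendTextMessage"  # targeted API


def find_call_paths(graph, entry, target):
    """Return every acyclic call path entry -> target with the guards it crosses."""
    results = []
    queue = deque([([entry], [])])
    while queue:
        path, guards = queue.popleft()
        node = path[-1]
        if node == target:
            results.append((path, guards))
            continue
        for callee, guard in graph.get(node, []):
            if callee in path:  # skip recursion and cycles
                continue
            queue.append((path + [callee], guards + ([guard] if guard else [])))
    return results


if __name__ == "__main__":
    for path, guards in find_call_paths(CALL_GRAPH, ENTRY, TARGET):
        print(" -> ".join(path))
        print("constraints:", " AND ".join(guards) or "none")
```

The conjunction of guards on a path is what an input must satisfy for dynamic analysis to reach the targeted API along that path.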