Android Reversing and Malware Analysis

1. Apk in a Nutshell: hello and welcome to averages. How to hack and relapse and advance penetration testing. Cause in this video, we shall be understanding What are a picket files on board us on a picket find Consist off on board are the components often 100 application? So what is an AP defied an epic? A file is the file format that is used for installing software, usually games, perhaps on the Android operating system. Just like in Windows PC, we have a dot txt file for installing software. Similarly, in Android, we have the daughter picky, not a prettified. To install the mobile applications. A Pdf Files are a type of like archive files, specifically in zip former packages, which are based on the jar file. Former. These files have not a PK ah as the filename extension. Now what doesn't he pick? A fine consist off an a p. K file consist of the following files and folders medal in If it's a folder, then we have got the resources dot air sea file than the rest folder classes, door decks and android manifest dot XML. Now, as I said before in the previous light, that epic files are a type off archive file specifically unzipped former packages. So that means we can extract the contents of the epic a file when we extract the contents will get all this files and folders. Now let's see a demo off extracting Ah, the contents from any BK file. As you can see, I have, ah dot epic a file over here. Now, as this isn't zip format and we want to extract the data from this so I can rename this extension to dot zip from Dr P. K. And after that, Ivan unzip it, do a test run. So if you see the contents, as we have seen in these slides that we have got Madonna folder the rest folder under manifest dot xml file the classes dot exe file and the resources dot heresy. Now let's see, what does this folders and file mean now the meta una fold oh has information about cryptographic hash off files on this are difficult of the application. Now I'm inside the extractor daughter, pick a file folder. If I go to my tie and if folder then you can see there's there are two certificates with the application was signed and uploaded into the under market. So for a developer, it's very important that before uploading it to the 100 market, he has to sign it with the certificate. Now the manifesto MF file As you can see it as God the Shaolin Digest hashes This is the show and I just as for this file that is infotech dot jp What? This file, it has got this shower and digest. So it has got all the cryptographic hash functions also for every file. Next, we have got the resources dot air sea file. It contains pre compiled resources, which I am finally examine. Then the less folder. The Rest folder contains those for resources which are not compiled into the resources dot area C file. Then we have classes, door decks. This is the actual court of the application, which is compile index former now Ah, as we have seen in the earlier video as well. The classes compile in the text file. Former are understandable by the dull Vic virtual machine, but we cannot read the file as it isn't binary former. So let's see the classes door, Dex file of the closet or Dex file. If I try to read it with the North pad. As you can see, this is in binary format. So this is not readable. Tony, could I? So I mean, we have toe ah, reversing unit this in order for it to be converted into a readable ah court. So for that, there's a video on reverse engineering where we will be discussing in detail about how to convert this decks. Fights into readable format mixes the android manifest dot xml. This file describes the name version access rights on the reference library files for the application. So an android manifest file is also ah in a binary format, so we cannot ah, read it. So we will look in, um in detail how to reverse engineer this file as well in the next videos. Now let's see what does 100 application consist off on Under an implication consist of various components which together cleared the working application. These components are activities, services, broadcast receivers, content providers and indents before proceeding. Let's have a quick walk through off what this different, um, components are all about activities. These are the visual screens which a user could interact with. These may include buttons, images, text view or any other visual company. So for them a purpose. I have this emulator on. Now I'll go to the AP one Now this is an activity. This is a logging activity. Basically. So if I enter the correct password that is Aborigine. If a press Logan, it gives me correct password. Now, if I enter the wrong credentials, then it gives me a wrong password. So this is an activity, Basically. Ah, if if I If I provide the correct password, then it gives me the correct password. Correct. Password page. Uh, otherwise it gives were wrong. Ah, passport page. So basically what have what is happening? Like, these are two activities. 1st 1 is the logging activity Aborigine on. Then this is the second activity. That is the after logging pace that it is giving me. So there are two activities are involved over here. So I've seen in the demo there were two visual screens which were interacting with each other That is the log in page and the after logging pitch. So similarly a user can carry out operations like sending an SMS or making calls using activities next to these services. These are 100 components which run in the background and carry out specific tasks specified by the developer. These tasks may include anything from downloading a file or a street hippy orto playing music in the background. But this one important point that there is no user interface provided over here like in case off activities broadcast receivers ah, in 100 application are those receivers that listen to the incoming broadcast messages by the android system or by other applications which are present in the device once they receive a broadcast message. Ah, particle action could be triggered depending on the pre defined conditions. The conditions could range from receiving an SMS on incoming phone call, a changing the power supply and so on. Now intense are the components which are used to buying two or more different android companies together. Indents could we use to perform a variety of tasks such as starting in action, switching activities and starting services, So asking in the demo before the application, When I entered the correct password, it redirects me to the correct passport page. But when I enter the ah ah, wrong password, then it gave me around passport page. So basically, when the password was correct, it opened up another activity, so they were to activities involved. Now the two activities were communicating with each other, whether the authorize or whether the authentication passed or failed. So this was the communication between two activities. So this was possible because off interns, so that's activities use intense to communicate with each other, a condom paradas are used to provide access to a structure. Set off data to be used by the application on application can access and equity, its own data or the data stored in the phone using content. Breuder's. It's like an interface with which APS can communicate with other APS. In order to insert update data, an APP can be developed which can read the SMS, which is presenting the default SMS application off the full. But but what if an APP wants to read the SMS from the different application SMS app? Then it has to get the permissions first. So they put. The developer of the application has to mention the permissions for reading the SMS from the default application. The default SMS application, which is presenting before so content providers are basically they help in quitting or accessing the the own data, the applications own data or the data from the fall that is stored in the fall. Now, this is all Ah, about this epic a file. And what does the ah android application consist off? Now the main question is like, How do we get this daughter pick a file? Our developers used this ideas like eclipse to develop the android application. Now, if you see I have this app One application over here and this is the court that they have written. So the all decide the cord that the developers everything. Now when they compile the score, we get a daughter Pick a file in the dot in the bin folder. If you see in been good job in this is there, is it This is the daughter. Pick a file now This daughter picking filed, they have to import it. So they're sorry they have to export it to the local machine, Then sign it and then upload it to the ah under market on bus to users can download those daughter picking fights to install it on their mobile devices. So now that we are, we know Ah, the 100 application and the internals off Amber. Under application, we can move on to reversing an android application, which is the next video. Ah, in that video, what we will do is like we will get the readable So score and other data sources when we just have the door typically filed with us like we have seen over here the classes dot decks on android manifest dot xml file was not readable. So in the next video, that is reverse engineering, we will convert them into a readable format. So that's it for this video. Thanks for watching. 2. Introduction to Reverse Enginnering of Android App: hello and welcome to averages. How to hack Android Apps and Advance penetration testing cause In the previous lesson, we had seen the concept off a PK Files, wherein we had seen what an epic if I looks like and what are the different components in building an epic a file. Also, we had seen the process off how to extract an epic a file find named Classes Door. Dex was unreadable when we tried reading it. So in this lesson, we are going to learn the concept off reverse engineering, which will help you to understand How can we come with the DOT decks files on other unreadable bite coats into a readable format? On in the next video, we'll practically do that as well. So let's get started with reverse engineering. But before going had, let's understand, what does engineering means? Engineering is nothing but designing or building something Here we are trying to build on Epic, a file that is building an android application. So the first step in order to build on under application is writing the code files that is George in that is dot Java files, then using a Java C compiler that Java compiler. We will get the dog class files. After that, we will use the D X tune to convert the dog class files into dot Exe files. Now, once we have, we got the dot decks files. Then the resources present in the dark decks files will be given to the A P K builder, which will finally give us the daughter pick a file as an output which we intended to get to build an 100 application. So this is how we get the dot epic a file from the court files that is door java fights. And, yes, this process, we're not going to do it manually. We are not going to use the Java compiler than the DX tools in the epic a builder. But ah, eclipse I d helps us in automating this process. So eclipse I d takes Get off all this. So we have to just write the according the appliques I d on de cliffside evil automatically give us the daughter pick a file. So this is all or automated by eclipse I d now reverse engineering Is the process off breaking something down in order to understand it and then rebuild it in our case, we're trying to get back the dog Java file from the daughter picket file. Now that we have seen the engineering process off building an android application when we got the dot epic a file from the door Java files. But in reverse engineering we are doing The divers were trying to get back the door Java file from the door. Typical file. So that is nothing. But basically, we're converting the unreadable bite court into a readable source score. So this is a mean moto to convert the unreadable by code into a readable source score. So now let's see the process off. Reverse engineering on APP Here we are trying to take the existing binary file that is three dot epic a file on DE compile it to do some modifications to it and then against rebuild it. Now, getting this Dex file is easy because now this next file emptying this once we get because we can under the a. P k file and we will get all this. That is the resource Ah, the dot Dex file and the manifest file, as we have seen in the earlier video as well. Maybe unzip the door. Typical file and inside it regard the Resources folder, the Manifest File and the Doctor decks wise. Now, from this dot bex file, we need to get the tort class file and then the door job a file. So this is how the process goes from the daughter. Becky files. We get the door Dex file by extracting the epic a file. After that, we get the dog class file and finally, the door Jabba fights not getting dark class and dot Java file is something different on for this. We are going to use tools like Deck Studio J D. Do I an AP Keitel. So remember that we will be using these tools for reverse engineering. Often 100 application. That is Dextre Job J. D. Do I an epic? It'll on this. Tools are also important. Um, not only in reverse engineering, but also during pen testing and Android Marvin analysis. So keep in mind that we will be using these tools That is all the street tools during of a pen testing process as well as during malware analysis, Android manner analysis. So, as I said, Dexter Roja will help us in converting the dot Becks files into the dark class fights. So let's look in tow. Some brief about those tools. So Dextre job, as I said, helps to convert decks, fights to jar files. Then we have the JD do I, which is nothing but a Java graphical user interface, but which we can open the door jar files. So this is a graphical interface, wherein we can open the door jar files and read all the files that are present in the jar file. On the 3rd 1 is a PK tools. It contains Andre reversing tools into one. So the epic it will has board next to John as well. A small E. We'll understand what a small in the next video for time being. Just keep in mind that a picket tool is built up off tools like Next to John and Smalley. The main advantage off a pick a tool over J. D. Do I is that it is by direction. This means a few decomp island application and modified. You can re compile it back using the applicator, but this is not possible with djtgv in jail. Did you are you can just d compile the for application the jar files, basically. But you cannot make, um, again re compile it using Jerry Joy. But in case of a picket Oh, yes, we can re compile it back. So however, ah, extra and Jerry do I won't be do won't be able to do similar functions like a picket tool as we said that off Re compiling. So in the next video, we will see how to use Dexter Roja and Jadidi right tools for reverse engineering. So that's it for this video. Thanks a lot for watching. 3. Reversing the source code: Hi there. Welcome to APP itches. How to hack and relapse. An advance penetration testing course In the previous listen, we had seen what reverse engineering on android application mean and also got introduced to the reverse engineering tools And this. Listen, we're practically going to learn how to get back. This source scored in a readable format from the bite court. That is the glasses door, Dex file. And also, we will learn how to use Dextre Jar. Andrew, Jerry, do I for this. So the tools required are Dexter Jar. This is the down or link. You can goto this link on download the Dextre Joseph file. Now, as you can see on the screen we had there on the website to download Dextre Jar. This is the battle over here. You can click to download it and it will get downloaded. I have already downloaded if copy off extra job. The second tool that we need is the Jerry do. I told the downloading for the same is on the screen. Now when you go to this link, this is developed site to download JLugo tools to scroll down here in the download section , you will find all the files over here. This is for windows that I've downloaded. Andi, I have already downloaded this file as well. So now, as you can see, I will go to the tools fold over, have downloaded both defiles and unzipped them now going to the decks to jar file. If he have a look inside it, then we can find many files over there. But our main concern would be this file The dog bad file, which is, I mean, used for Windows. And in case off Lenox, it would be the daughter such find that we would run. Similarly, the JD do I for Windows is here. If I go into this, you can find the executable file over here. We have to just executed. We will have a look at these tools in some vile. Now, going back to the presentation. Now that we have downloaded the required tools, we will see how to convert the door. Dex, file present in the application to job for might file. For that, we will use the decks to jar tool for this. The first step would be to open up the command, prompt and then navigate to the folder where Dextre Jar File is there. So now, as you can see, I have opened up the command prompt, and I will navigate to the folder. There, over next to God is present. So this is the folder. Here we go inside this and now we will type in the command. This command be after type. That s Dextre Jar next dot next to D to J. Sorry, Dextre jar dot Bat and the epic A but file, but name. So, as the command goes, did too. G Dexter Jaradat, bad space. And I'll have the file, but by my a pick a fight list. There, it's on B deck. Stop, as you can see over here. So I have just imported this. Come on, now, let's press enter. Now, as you can see, that the operation is going on where the decks to jar file is operating and now it has been completed. So now let's go into this. Fold off the decks to job folder, and as you can see, we have a jar file over here with our dot AP case file name that is apt. Fun on. This is the job. Find that we have obtained using the Dextre jar. So Dextre Jar has successfully converted the door. Dex file of the application to a door jar file, which is named at one next to John Torture now moving head. Let's look at the J de jure I Tool. Now the stool. Using the stool, we will open the door jar file that we have just obtained currently using the Dextre job tool. So we can just simply open the Dodger file in our Jerry GeoEye tool now. So the steps for it would be just click on the jetty july dot txt file. Ah. Then the vendor will open the JD July interface, then on it click file and then open and then select the jar file that was obtained earlier . So now let's see. Practically So let's go into Jerry, do I? And you have this e x e file over here. Let's run it. Great. So now, as you can see, the Java decomp pilot has opened. This is the J. D. G. I told simply goto file, Then open file on, then navigate to the place where the jar file is present. In our case, it's present in the next to a jar. There it is. This is the Dodger file. That the opening. Now, as you can see, we have caught some files over here. This is the package. Name off our daughter. Pick a file. So inside this you can see the many files that their bill convict art class main activity dot class art art class and Malcolm got class. So there are nothing but of ah ah resources off the android application that are there. So now if I go inside any one of them, you can see it going toe. Welcome to class. As you can see, you can see the core clearly over here. So, no, we can see all the resources Java resources basically on all the methods off the android application. So, using JD, do I We can read the door char file. So we have successfully converted the 100 able Ah, class files or the bite court files with that for them to a readable source scored, as you can see on our screen. So using Dextre Jar and Jerry, do I This has been made possible. So this is it. So this is how we used the Jerry. Do I on this we have d compiled the application. So now we have successfully converted the unreadable bite court into a readable source score using the tools Dexter Jar and Jay did you? In the next lesson, we will learn how to practically carry out reverse engineering off the under application using the epic Kato. Till then, thanks for watching the video. 4. Reverse engg using apktool: Hi. Welcome to add vigils. How to hack Android APS and advance penetration testing. Cause in the previous lesson, we had practically seen how to get back the source code in a readable format from the bite court using Dextre Jar and J. D. Do I In this lesson, we shall be learning how to use the epic a tune to reverse engineer the application court. And also, how can we d compile, modify and rebuild the under application here we shall see another way off reversing an android application that is converting the decks dot dex file to Smalley files. Now, a small e file is a file format whose Syntex similar to language known as just mean Smalley files are intermediate between door java on dot epic A files. We won't be going much intraday upped about this modified former does off now, But for more information, you can refer this link present on the screen. Now, I have gone to this link for Smalley files so you can read all this file so that a present over here to know more about the small if Smalley file format coming back to the presentation? No, the epic a tool can be down order from this link. So we will. She shall goto this link. Now I will show you the page for downloading this epic. It'll so this is the page off. A pick A tool where you can download the latest version. That is he epic a tool to dot Exe. So now follow all the steps. If you're using windows, followed the given steps over here. If you're using Lennox, there's also steps they have mentioned and also for Marcus. So what I've done is like I have already installed the epic a tool following these instructions. So now we can go back to a presentation. So we have already downloaded the epic A to so now, as discussed earlier in the earlier video as well, the main advantage off a pick a tool over J. D. Do I is that it is bi directional, which means that you can de compile an application, modified the cord and then re compile it again using the epic It'll so it will re compile perfectly and will generate a dot epic a file which is a new daughter. Pick a file. But however, in case off next to a jar and JD do. I won't be able to do such similar functionality. So now let's first d compile the application using the epic It'll So the steps for that would be open up the come on prompt on Randy Command epic A total space D space defined them off. Epic A. The D here stands for D come bite. So as now I have the epic a file on the deck stop. So I have said the part off the CMD Dexter up as well. So now let's run become on. That is a tool space de, which means D compile and space defy limb off the A Beautiful. That is one dot epic, so I'll just enter. So I guess there's some error. One second. Why misspelled the spelling off our app? That's a BP, and now it should run properly. So, as you can see has run and we have caught from folder output Full Doyle. So let the process complete and it's now completed. So now let's check the output director that we have found a here. So let's go into this directory on now. As you can see, we have the android manifest start XML file over here. One original folder, The resource for low on dot, Viable Filed. But we're interested in the Smalley folder and the manifest file. So if I opened this manifest file in a northward editor so as you can see, the android manifest dot xml file is converted into a readable format. If you remember in the earlier video we were not able toe view the or, I mean like, it was the 100 manifested XML file was unreadable when we had just extracted the dot fbk file using unzip. So what a picket will has done is that it has given the android manifest start XML file in early in a readable format for us. Now, if we go to this small e directory, we'll going to com best an app one. Now, if you see the sequence over here, calm test. And often this is nothing but the package name that is calmed or test dot app fun. So now you can see there are many fights over here dot Smalley files. So, as you can see, better corn fake, we have to mean activity. We have the art art Smalley and welcomed or small Yes, Well, very as you can see, there are some files which has the dollar symbol in the file name. So there are nothing but they are the inner classifies. You can say that. Any file having a dollar? Ah, it means that it's an inner class. Basically. So now let's go to one of the small. If I say I'll go inside. Welcome, dots. Molly. Andi. As I said, we have become bile. This application. Now we can modify all these contents over here. Whatever court is present in this morally files, we can mortified that as well. So basically, we can perform any more malicious attack on the application by modifying the contents off the cord over here so you can just edit or add some more court to it on Ben again. Rebuild it. Eso This is possible using a pick a tool. So now suppose you have done any modifications over here. Now let's see how we can rebuild this application using the epic It'll So the steps for rebuilding the application using epic it'll is very simple again. Open of the command, prompt and run the command epic. It'll space be space. The director name which we got after d compiling. I mean, like, I'll show you that on Also be here stands for build because we are trying to rebuild the application now after d compiling it and modifying it. So before we go to the command problem toe, build the application. Let's go to the output directory that were God from the earlier step off. The compiling. As you can see here, there are three folders and two files. His original rest Smalley Manifesto maximal and the dark, Viable File. So now let's give the command that is a PK dune space. Be space d tree tree, part name. So as you can see, the building process has started, it will take some time. No, it's completed. So now, once after completion, let's go back to the open directory. Here you will find two extra folders that is the Bill folder and the Dust folder. The nasty. Now going to the Bill folder, you will find the A P. K and the classes dot decks resources, Daugherty, R C and R dot under Manifest Arctic Similar and the rest folder. So this has bean built again. Read this husband rebuild re compiled. Now, if we go again to the under manifest file because this husband rebuilt again. You can see that this is enough un readable format. So the epic if I'd also you will find in the DST fall file. So Ford Asari So this is the epic a file that has been rebuilt again And now you can resign it and upload it to the under market. So basically what we have done this we have, ah, de combined the application Jane's the values on then rebuild the application again using the epic it'll thus the epic It'll is really intelligent and useful when it comes to, like penetration testing off under wraps. So this stool, we will be going to use in the further videos as well. So that's all for this video. Thanks for watching. 5. Introduction to android malwares: hello and welcome toe averages. How to hack under adapts and advance penetration testing cause in the previous videos we had seen about Android application reverse engineering. In this video, we will look in brief about android malware s and also see how it has affected the android and its users. Now malware stands for malicious software. It is any type off course or programme. Cyber Attackers used to perform malicious actions and right so close to three million malware samples last year. Attackers have device techniques to permit the Google Play store and have now started publishing fake caps and games in order to trick the victims. Now the year 2014 has seen an exponential growth in the figures off android malware that have been detected and reported 304 times it was the growth in android. Malware on this figure is directly attributed to the highlights in android smartphone sales and usage across the world. This uprising print also indicates that the dominance off mobile malware attacks will continue in future as well. Now let's see how android fares when compared to the other mobile. Lewis, the end right is playing a major role in causes off mulberry incidents. The highest nearly 97 person malware incidents are recorded through Android Mobile devices . Symbian Wisp of Platform is responsible for around 3.5% off malware incidents, whereas IOS, BlackBerry, Palm OS and Win see our next negligently affected by malware, hence more attentive for threat is an android device. Now, when an android user views a feature application on Google play, he immediately places a degree of trust and faith in that application on assumes that it has been effectively screened for malware and other security risks by Google. Several techniques and processes I am old before an APP is allowed to feature on the play store. Hence, it is preferable to download and install ABS directly for Google play. However, Molera Toes have identified this as a weakness on are increasingly targeting Google play and attempting to sell fake applications within the store. They have started pushing fake muller developers with familiar application names in order to trick users into installing such applications to cause havoc due to the cascading effect . Now users find it difficult to identify fake caps from the real ones. Sometimes Google scandal is unable to remove fake applications from the marketplace before they are installed by the victims. Moloto authors have become increasingly adept at deriving the benefits from this and obtaining private data from the user's devices. So as you can see, Google plays also not safe, although they are ensuring many layers of security off through Google Bouncer as well. But somehow the malware daughters are trying to break into this Google place security and uploading the fake applications now that have been under I'm always in news in the past, we will discuss some off them, As you can see on the screen, will discuss these four where malware s so starting off with on right wider shield. A. So in the second quarter of 2014 the website and write police came across a fake sample off Android Wieters Shell on Google Plea. This application featured as a top aide application in the store and was tough installed by a large number of users. The Application Auto claimed that it was an anti virus program that protected personal information from dangerous viruses. The operator. The application also promised to be ah, real time malware protection by scanning the files and other installed applications, but instead the application stored the critical device information, personal user data and it also hampered the battery life on degraded the device once the application was in store. So this was a classic example of the malware itself was a fake paid application. So people also downloaded this application on a large number. So many of the users were affected due to this malware on right virus. Really? No. Next one is Android Babich A. So this malware attacked directly the social networking and the chatting APs. So in 2014 it was present in on glibly with the name as camera vision. Auction off of this application was responsible for video recording and other related functionalities. But unknown to the user, the application was stealing user data and uploading it to a remote server in the background. The data included washed amounts off contact informations from applications such as WhatsApp, chat on and other social networking chatting APS. The malicious application also sent text messages to premium great numbers in the process. So this was all about Android Verbeke, But the 3rd 1 was on right wing way dot so this was a remote access toolkit on this type of malware can remotely controlled the access and status off device when it is installing the on it while this APP was active on Google play for a while but it has been removed now. So ah, the application performed radius malicious activities and those were very critical malicious activities like clicking photos from the camera of the device. Sending SMS is from the device it also captured, or you and video clips from the device down under protest from Device Gallery also recorded active call. So all your calls were getting recorded by this malware Onda. It also download the details off other counts like email your social media on we. Maybe you'll be using VPN through your mobile device. So all those details were downloaded by this month that was stored on the device. So the user's privacy was very much affected in this because all the SMS is and recorder, it would record the active calls as well. So this was a very dangerous malware in and right next up was the android agent dot etc. So this mother was discovered in second quarter off 2014. It posed as a fake application on Google play on the smaller went by the name off Google Place Toy. So this is driving with Google Play store. So People Menus is believed that the application was a version or an update off the authentic Google Place toe application. Now, after installation, the application stayed velden from the screen, so User did not see anything from that application. But in the background it ran eso so as to collect the private data on Trans transmitted all those data to the remote servers. It also intercepted incoming text messages and data entered by the users to access online banking services. So these were some of the 100 monuments that were in news in recently. So the question comes, is like, Can we expect more malware attacks in the future? And the answer is yes. And here are some of the reasons we suppose this fund off that more malware attacks will be there in future. WiFi networks will become a serious attack vector for mobile devices, and a packers would be able to perform man in the middle attacks against compromise networks and devices. There would be targeted attacks on banking credentials and date off the users as well. This can be largely attributed to the auto log in feature of the mobile labs and the banking websites. New payment systems would be under threat, like the Google wallet, which had the will or ability known as Android Fake I D, which allowed Attackers to steal Google wallet credentials off victims for a short duration and also due to the continued dominance off the hardware. Advair is nothing but an application with supports, advertisements and advert has Bean leading source off android malware devices for last few years on. This pattern will continue in future toe. So the next question comes out there is that Isn't there any fixed? Oh ah, control the smaller attacks. The answer is it's Ah, Katyn. Most game between the developers and the Attackers. The developers will fix the vulnerabilities, and the attacker will again try to break the fixes or come up with more attacks. But it's the end user who asked him, or ever the end user has to be aware. Like what applications is it downloading from the place toe? Are those malicious software or are those fake applications he has to decided before installing it on his device. So it's always better that we don't download application from untrusted third party sources off the android market. So that's it. Father's video. In the next video, we will see the static and dynamic analysts off mall Vess. Till then, thanks for watching. 6. Dynamic vs static: Hello and welcome to averages. How to hack and or adapts and advance penetration testing course. On the previous video, we had seen some popular mulberries that affected the Android users and also the future off Galvez. From this video, we are starting analysis off on dried mulberries, so to analyze model as there are two techniques, basically one is the dynamic and the other one is static. So study over static analysis, static analysis is testing and evaluation often application by examining the court without executing the application. So this is very important that in static analysis, we just go through the we just analyzed the court offline on. We do not run the application to analyze it. So the main at one page of static analysis is it examines all possible execution parts and variable values and not just those involved during the execution. The static analysis can reveal errors that may not manifest themselves until weeks, months or years after release. This aspect off static analysis is especially valuable in security assurance because security attacks awful exercise and application in unforeseen and untested ways. So just remember that in static analysis, the only analyzed the cord off line, and we do not run the application at all now, in case of dynamic analysis. Ah, it's it is testing and evaluation often application during runtime. Unlike the static analysis, very on lies the court offline. So the main advantage of dynamic analysis is it reveals Saptari defects, or when celebrities, which caused whose cause is too complex to be discovered by static analysis. So development is which are very hard to find with static analysis. We can find those by doing a dynamic analysis so the enemy analysis can play a role in security assurance as well. But it's primary goal is finding and debugging errors. So this were, Ah, the two approaches, like static and dynamic analysis in gentle. Now we'll see how this approaches. Now let's see how ah, the static and dynamic analysis for Mile West is done. So in case off static analysis, we will try toe disassemble the a p K file using the techniques that we have seen under reverse engineering section. So before moving ahead, I would suggest that you watch the reverse engineering off under applications with you before we carry out the static analysis. So, after doing the reverse engineering off android application. We analyzed the malware for its malicious behavior. So this requires knowledge off reverse engineering and android programming on the tools that we are going to use this Dextre job, J d do I An epic It'll which we have already. Ah ah, seen the demo for these tools in the box indicating videos in case off dynamic analysts off malware. We will run the malware infected application and inspect its behavior when it is running on the device. So this requires understanding off tools like droid box. Why a shock Bob suit to understand them always behavior. Now, Dr Box, we will be understanding the stool in the later video. We have, ah, really dedicated just to understand about Dr Box. Why shark is a network sniffing tool which we have already seen while doing Ah, the man in the middle attack on Bob suit Proxy as you know, Ah, it is used to capture the network traffic. So we have also seen the usage off bulbs in the previous videos. So this was all about the dynamic analysis and static analysis off mall us. Now we will see in the next video how to perform static analysis off android applications which are affected by Muller s. So that's it for this video. Thanks for watching. 7. Static analysis of android malware: hello and welcome toe app vigils how to hack and or adapts and advance penetration testing cause In the previous video, we saw that there are two methods of malware analysis. One is dynamic and the other one static. So in this video we shall see how to conduct a static analysis off an android malware. Now we know that in static analysis, one has to break apart the application or the malware, using reverse engineering tools and techniques in order to recreate the actual court on algorithm that the program was created with so so that we can go ahead with the up with our analysis. So they normally the tools that are used for starting analysts are Dextre job that is a tool for converting Androids decks dot decks, formato jowls dot class format. So we had seen all the stools in the previous video when we had learned about reverse engineering off Andrew adapts. So if you want to come before that with us, well, on the next video, the next coolest JD do I. It's a graphical utility that displays the job also scored off, not class files. On Finally, the AP Kato. It's a messaging tool, which convert the dogged X Files, two dots, my Smalley files and a picket. You'll also gives us all the files in a readable format. Those wade Ah, the bite court that for that between unreadable former a pivotal renders that person in a readable format. So that's what this would be the tools that would be playing with ah in the static analysis . The malware explication that we shall be analyzing was one of the most notorious malware that appeared in the and arduous that is dry dream, so the smaller was called as dried team. So this villian, currently ah, has very low rate off detection from the anti viruses engines. So if you want to download such models for testing purpose so you can go to this website that is contact you mean a damn dot blocks born dot com. You will find many such models with which you can test them for or analyze them statically or dynamically. So there's a good website, which you can go through. So now I have already downloaded the A P K file for that mullah. So now let's start over static analysis. So, as you can see on my deck! Stop! I have a peek A file. Now let's start away. Pick a tool and can what? Those files to reverse engineer them for that. Come on, Prompt! It's on my deck! Stop! So let's change. Mr. Jacque, stop on the Commander's AP care Tool. These for D Compiling Andi Package name. So enter. So this has started to be compiled. So we'll get defiled snow. The Ford has been formed over there, so yes, So this is done. So now let's check the fordo. So as you can see, we have caught the android manifest are taxable finds and the other folders as well. The Smalley for the very via the small if ice Ok, so now let's start. So first up, we will check the android manifest Start xml file. I'll open it in our text editor. Okay, so this has opened. So now as you ah learned that the android manifest dot xml files has got all the permissions and the services that are running on the that would be running by the application. So we have the permissions with the application needs. So the application has asked for Internet permission change by five state Okay. Access WiFi, state access network state. Bluetooth is there. Then it can read the phone state as well s. Okay, So indented activities there. It can read us in this also. Okay, so just go through all the permissions that are there And also, let's check downwards. Okay, So there's something called activity. Ah, it's name is dot switcher. Okay, so this is an ah point to be noted over here, that it uses something called a switcher. Okay, then let's go down. So there's one more activity or here settings. That's fine. It's I guess it's settings, but this one is something. Do we have to look out for its future? And there's one service over here. Strategy dot Service celebrate service. Okay, so celebrates services. Something off. I interest. So let's see. So and there are, though. Actions boot completed phone, state category, default. Okay, So after studying the android manifest or maximal file, we can see that Ah, we can identify. Ah, it's a suspicious activities of I mean, like the oldest permissions that are there that the application is asking for. So if you can see that it has asked for as a missed messages than in all areas off networking it as as permissions. Then there are several states are phone and a contradictory as well. And there is a service running in the background. What I see from here, that's thesis elaborate service. So this is the information that I've gathered from the android manifest start XML file. So what we see in the android manifest or maximal finest common on Mulberry infected files the main body of define shows the that that is an application. Okay. Ah, so that there's an application that strings up name on did then. But there's also extra service bundle together, which is invisible to the user. That is the Celebrate service. So now Ah, let's do one thing after we have seen the end or dot manifest file. Now let's go to the Smalley folder on inside. Let's goto com on button full. OK, As you can see, there's something as future dots. Morally right. So that was the same of activity. That was then. Android manifest start xml file. So let's try to open this switcher dot small leaf island. The north bad. Okay, so? So as you can see Ah, okay. There's it has given us the instance. Fields of toggle button, text view, toggle button. Then we have connected the manager over here. Okay, this is fine. Bluetooth adapter. We have have the telephone manager, so you have to look in the court because the static analysts So we have to analyze all the courts, but we have two main identify, which all, Ah, files we have to look into. Ah, for instance, from the android manifest dot XML file. I got to know that switch. There is some activity, as you can see in and rush manifest file. The switcher was an activity. So I'm here in this. Which about Smalley file. So if he look at it, everything seems normal as off? No, because what I what I get to know from this is that the toggle button is there. Then you have the brutal manager than text view, then collectivity manager. You have to toggle button. So this program is supposed to look for the connections and manage the state off them. I guess that this application is basically looks for the humanity connections. For example, you can switch the toggle button owner off for your GPS, Bluetooth, WiFi and audio. So this application is basically for that function. So So exploring more into this Richard or Smalley file. If you go down, we can see that we have this celebrate service. Also, we hear So the service is running in the background after the installation of the program. So that means, ah, the service run secretly in the background without the user knowing and also have seen from the android manifest file The application after getting installing the system is installing a service that is running after the boot process of the device. And it's all also able to read the configuration of the device, including SMS and address book. On at the same time, it's, ah, doing some compression and encryption. So let's find that how it's encrypting the information. Let's see that if you go toe and Smalley directly for goto com button Phone strategy nuclear T We'll find this this plus Morley, Let's open this. Okay. Andi Ah, Diego. So past couple quickly. So this is the key that they're using toe encrypt. Ah, the data. So I mean, like the keys Ah ah, the all the configuration of the device that there that this service is capturing this element service, including the SMS and the address book. It's uploading them in a compressed and encrypted former. So this is the key that is used for that encryption book was Ah, And now let's goto celebrates service off. No, let's check this service. This elaborate service you are small e file. It would be under service on day. We have the celebrity service plus plus Okay, a knife against he Down Lord, I look, if I and now the seems something as utf eight and according so I had decoded this So this was something written in Chinese. So this was a Chinese world, which was Ah, and this is the utf encoded version of the Chinese word. And the Chinese word meant download failure. So from the language of this, it is clear that this application was then the Chinese market. And this has been developed by our Chinese develop so and also as the Mallory's dry dream malware. So it was there in the Chinese market. So this proves that this is malware infected application. Okay, now let's goto tool small If I Let's check. What's this? Okay, Now, if you see this file Okay, We from by seeing this file What? We get us content. Texas. Let's see if it has got some inbox SMS as such. Okay, so it is creating an inbox SMS. That's great. So So this is this is ah, function to right. I mean, like to create new estimates. This is this is used to create new estimates, So it's it's creating us. Oppose this application is creating new estimates in the background at sending somewhere. So this is typically behavior off a mulberry application. Also, if you see if you have this get I am here inside this. So this is ah reading the I am me off the telephone as well. So this application is reading. I'm here of the telephone. Let's see some for some more. If you have this, get s embassy. Ah, this is for, like, contact Osama side. So this is Ah, it it is getting the contact of SMS contact list. Basically. So this is also something malicious. Can also that is run route command. So this is used to execute commands on the system. Okay, then get root. File name also is there because you can see we have to skate conflict file as well. So this gets the private configuration file the sense store TCD. So there's also dangerous and we have this get upload proxies also if you see or hear. So this is like it gets the information of the servers that I usedto upload the contents on off the devices. So all this and there are many more has us in this tools of dots Molly file. So as we can see the with functions that exist in the system, the application can have full control on the system. Basically, what we see from here. So actually what? From what we have seen in the other malware, the only option that is missing from here is the voice recording function it is missing at the mall. Wes, all sort of record your voice why you're calling s O. That function is missing over here. And also, if you go to the constant not Smalley file, then you will see all this. Ah, the final names that I used by malware can be found here. So for this we call lock filing. This is basically the same called longer duration. So this fine saves the saved God look, it saves that and we have the contact. Seven. The Contact seven is same names for the contacto. It saves the names for the context than there are many other things. Okay, let's go down The uproar Proxies are also there. So Oprah Proxy. It's like the excellence of war for control content upload. Then we have something joy joy before it's the Google account information. So then we have It's in the stars. Dusk $9 dark contents that I gather from a summer scattering tasks so there are many such malicious. The service that is running on the background is doing some malicious carrying out some malicious activity from the background it's sending. SMS is on ditz accessing the device information. Also, the conflagration filed by private confirmation fight is also it's accessing. So like this have you Ah, just analyze the files inside the ah dot a PK so you will find many such more hidden liabilities. And, uh, that's hidden stuff. So this is how we carry out the static analysis. You basically analyzed the core, understand the cord so and also apply some logic. See exactly what the application is trying to do. Onda uh, try to come to a conclusion. Like what about the is the malware? Is the application Mulvey infected or north? Or is it Ah, the all the permissions that is asking in the android not manifest file are Are they required? Ah, for the application. So if they're not, then you have toe Just do some investigation in the court itself. So that's what ah, that was a small demo of How do we do? The static analyst is basically so the static analysts off malware 100 Mulva can be carried out by sore scored inspection, as we said, because often during application, white listing and analysis, the original source code is not available for an analyst to inspect. So as such, this analysts matter, does not or fun form part off model analysis, but rather Selves are good practice principles for internally developed applications. Next one is we d combined the binary files. So the company is the process off reconstructing source files, former by American violation, as we have already seen in reverse reverse engineering as well. Then we need to win, you know, inspect the configuration, file the android manifest start XML file because it can be a valuable asset when performing static analysis. Because the manifest file declares which permissions the application requires from the user for which android version the application was developed. The external libraries also that are there in the application. So all this stuff is ah, they in the android manifest dot xml file. So we have to inspect that as well. And then there are common string extraction. Let it's so strings nothing but blocks off text contained within the application. The strings maybe like information such as you are ALS or externally linked libraries or cell phone numbers or even maybe the user credentials. Like we found our the encryption key that was used for encryption. We found out that as well on then signature matching. Basically, this is done for ah, popular method off Do finding virus detection where the mass, this ignition off dividers and that one on the those phone in the application. So So this is all about static analysts off 100 mile vez. So in the next video, we will have a look at the introduction to under tamer Android box on. After that, we will look into dynamic analysts off android malware s sort in that time. Thanks a lot for watching the video. See you in the next video 8. Introduction to android tamer: hello and welcome toe averages. How to hack Android APS, An advance penetration distinct course. This lesson will give you an introduction toe a framework called on right tamer. Now you might have heard or being family with backtrack and Callie knocks some off. You might even have used it for pen testing Web applications. Andre Tamer is also similar to them and is dedicated to Android pen testing. It's a Lennox based distribution, and it has got all the necessary tools for a security ordered off 100 application. The various tasks that it can do is under development. Malware analysis. Reverse engineering penetration testing on Android Foreign six. So let's know more about this interesting framework. In order to install Onder Tamer, you can download the ZIP file from www dot and or tamer dot com. This is the website from where you can download and rock tamer. You have the torrent link as well, or you can download the latest version off the ZIP file. So this is the file that you can download. So once you download as you can see, you have the zip file, you unzip it, and inside the Unzipped folder you will fight all this fight. Now we are interested in this dot bi mdk file. Now, as I said, the android tamer is a VM decay file which can be opened up using a VM player or a oracle virtual box. But it is always suggested that you open the under tamer. You know, Oracle Virtual Box as it is optimized for it. No more. No more about the implicate files. You can refer the Wikipedia page for the same, wherein you will get more details about this V. M. D. K. File system. Now I have the Oracle VM virtual box manager open. You can download it from Internet not to create a new VM for under tamer. You have to click on new, then you have to give a name. I will give on droid Dema to and then select the type as Lennox on version as open to 64 bit click on next than for memory size. I would suggest that you great 10 to 4 and b click on next. Then the hard drive. You use an existing virtual hard drive that we have just downloaded navigate to the download folder, Select Under Tamer to Darby MBK Click open and then you click on Create. Once it is created, the VM would be listed over here, as you can see under Tamer, which I'd already be created one initially. Now you just click on start. No one's done oneself or started the virtual machine. It will give your log in screen. You can input the default log in credentials that is user name is stammer and password as android. So once when it is started, you will get the android famous like this. This is the deck stop off and or tamer. Now there are various tools Every label in Android Tamer We'll see them now. So here 1st 1 is reverse engineering. So using river simulating tools, we can, uh, do reverse engineering off android applications. So we have Dextre job, Jerry, do I and Epic It'll which I used for reverse engineering. We will see more in detail about these tools in the reverse engineering video. Next up is Moloch analysis. Now there are some great tools over here. Droid box is one off them. We will see more in detail about dried box in the next video and also andro guard eyes one of the greatest set off fighting tools for malware analysis we have. We also have been testing This is the right place for you. If you're looking for a strong set off tools for security ordered off your mobile applications. This contains stools for both were based as well as native mobile applications. If you go to development, you can see DDM s an eclipse. So using development tools, you can write boc applications for your pen testing or, I mean, we have the eclipse ideas well and the DEA Miss DDM, Mrs Dolich Debug Monitor service which can be used for interacting with file systems, controlling the emulator, pulling and pushing files from onto emulator devices and also for debugging applications on X lips ideas also, as you know, with which you can develop 100 applications. Next. US foreign six. The first rulers and right foreign six. Logical. That is a F logical tool. It is used as a popular data extraction tool for android. It pulls SMS contacts and call logs from android device and presence It's for and presents it for examination. Next is it all morning. So there are few tools for all morning as Well, so raw morning will help you for analyzing or taking back up off your existing room and finally rooting so rooted routing tools. You can root your android device as we have seen in the routing video. So the stools would help you to root your on our device. You have the Zegra Zog Rush Onda routing abscess, bed. So this is all about Ah, the tamer, the android tamer frame book. So if you're looking for a framework for all your android security needs Ah, andro temer is one of the best tools that can be looked into. So that's it for the video. Thanks a lot for watching. 9. Dynamic analysis with droidbox: hello and welcome toe Aboriginals. How to hack Android apps and advance penetration testing cause in the previous listen, we had seen about Android tame a framework and all the tools related to android security it provides droid box was one off them. In this video, we shall see how to do dynamic analysis. Red Dried box, not right. Box is an automated tool for dynamic analysis off android applications. So what does the analyst's report off drug box have it has incoming and outgoing network data filed, read and write operations data leakage yr network file an SMS information about sent SMS and phone calls, but he invented permissions. Hashes for analyzed packages. List off broadcast receivers, cryptography operations using Android FBI's on all the started services and loaded classes through decks class LoDo. Now the steps to follow while doing a dynamic analysis with dried boxes, you first launch the android tamer where you will find the droid box tool. After that launch an emulator with the target application. This is the application that we will be besting. So after that, after you have launched the emulator now start the droid box and begin to analyze the target application. Once the analysis is finished, you will get an output in the form of a report and we have to analyze that. So let's get started with the demo. So let's start up the android tamer now. So at the dame, a up and running. So this is the end of time off. Now you have to go to terminal. We have to launch the emulator now, so let's go to seedy slash arsenal slash dried box. Let's see what all contents does it have now? We will be using this start e m u dot s h to start the emulator. So they come on for this s dot, slash start, I miss you and then the ah, name off the emulator. Now, as you can see in this android virtual device manager which have started from this option or hear a really manager, if you click this, you'll get this window now. They have already given us too. Every day he's ready. Made a video is wearing the target application is present. So what we will do now is basically use this test every D and start over droid box analysis because the target application is already present in distressed already. It is already. It said it's ready. Made a really now. So let's use this. Several given the command one second given to come on US groups. Yes. So give the commanders we give the command as best AIVD So test a V d and then press enter . Okay, so now, once we pressed enter, you will get this emulator up and running. So we have started this similar to know. So now the next step is now. The next step is to start the droid box or launch another terminal on we will goto CD again the same folder arsenal slash dried box. No, inside this. Unless have you see, we will execute this droid box dot Shh. Because this would launch the droid books on the target application is this droid box test dot epic. So this application is already installed in this test every the emulator. So we have to just long the common now. So they come on from that is coming for that is destroyed. Box dot Shh. Space on, then. The name of the target application that is droid box epic. I'll press enter as soon as you press enter droid box would be launched and the analyst is would start. So if you see now the droid box has launched on It has started to ah analyze this application so But I stopped it. The droid box would basically ah and lies the application. And ah, test all the features of the application. So whatever function the APP had performs, the dried box was and would analyze all off it on give us in Ah, report based on the same. So whatever do we know is like now, as you can see, the emulator screen has turned black. This is the calling function off the droid box application. So it is testing the calling feature. Also, as you can see, the ICANN over here. So this is testing. So now let's stop this analysis on view the report. So for stopping this analyst, you can just press control. See, So now on pressing controls you. As you can see, we have got ah, the output over here. The analysts output. I will just exam eyes the screen. OK, on if you can see you're here, what we have got As as we discussed audio. See, now we have got the file read and write operations. Okay, so basically, we have got that. So I read and write operations, then crypto ap activities. You can check out all of this. Andi. Then we have got the network activity as well. That's great. So all the destination host port? It has been all the details about the same. Then we have got the incoming traffic. This is the traffic, the network traffic. You can go through all these. Analyze this output. So this is all the network traffic that Yes, it has captured aan den. We have. Ah. Now if it had ah, if he had given it more time to analyze, it would have surely given us the sent SMS and phone calls details as well. So no, I ve observed here it has saved a PK behavior graph. So it gives us a graphical output as well. Inform off. Text, image file. This is behavior graph PNG on it has also a tree map graph. So treat or PNG so you can find it under the arsenal bright box. So let's go into that in the Arsenal folder. So if I go here So if I goto Arsenal folder than inside Arsenal folder. We have to go to droid box than inside dried books. You will find the behavioral graph PNG. If you go inside this, you will get some graph sort off thing this time stamp and the activity network. Right. It will create network open all these graphs you can analyze. So this is ah, basically a good tool to work with. You're doing Mullah Analyst is also it would help you a lot. So if you want to do similar dynamic analysis formal Wes, you can put it in the droid books and start analyzing them. That's it for this video. Thanks for watching. 10. Dynamic analysis of android malware: hello and welcome to add vigils. How to hack under adapts and advance penetration Testing course. Now, in the previous videos we have seen about Andre Tamer on Dried Box. So now we can start with the dynamic analysts off Android malware is so in this video, we will show you how to dynamically and lies Android Mulva using the dried box tool well as discussed in static versus dynamic analysis off Android malware videos. During dynamic model analysis, one is expected to check the behavior of the application Almallah as it's been executed on the system. So rather than checking it, checking the court offline we ah unless the application when it is getting executed on the system most of the times the use off virtual machine or sandbox is used for this method. Ah, as we have seen in the earlier videos, that Android Tamer has got many tools of some of them are like reverse injuring tools and also for malware analysis. We saw the ah, this dried box as well in that so dried boxes used for dynamic analysis off android applications as well esteem. Always so, the analyst will simply run the application on Look on the system on that rug locks. Ah, analyzing the behavior of the malware as it gets executed. So one of the aptly he will just execute the application, run some tools on, then analyze the output off those network logs or the tools of the tools report. Amazingly so for this activity, we shall use dried box which will automate the dynamic analysis off the malware and give us the output. So basically, Ah, in the case of dynamic analysis, this is very fast process. I mean, like we it can be done quickly as compact, toe static analysts, because static analysts, we have to analyze the court off line. So we have to go through each and every line of the cord, understand it. But in case of dynamic analysis, you just executed on the system the application. You used some tools and it will give you the output instantly. So this is pretty fast. Ah, type of analysis. Now, the droid box output after analysts constant contents. Ah, four fights, basically. So when is the text Mr presenting textbooks log off break points, So I'll show you that on the one is the lock at. We have understood What is water logged catch. So locket logs are there for the execution Trump. Then we have a temporal graph off permission access points. So it gives us a graphical representation as well. Ondas a tree map off permissions that I accessed by the application so that this Ah, with all these reports we analyze, um, the application for malware infection. Basically, it also gives us a nice do I report as well after it has analyzed. So I'll show you that as well. We shall be for the demo. We shall be using the same default application. The droid box to start a PK that were seen Android box. So it is malware infected. So we'll use the same application again for this analysis as well, August. As you can see, I have started the emulator. Ah, and now let's go to the folder Arsenal slash tried box. Let's do a less Okay. Now we have this ah, dried box to start a PK. This is our test application for on which we were doing the malware analysis Talbert dynamic model of analysis to become one for this destroyed box dot shh Space droid box that started it became so know this command will start the dynamic analysis off the door topic. If I So in running the droid box ah, it will automatically pushed the malicious a PK onto the virtualized device and then install the it became it. So by default, the application is launched after installation when the tried boxes going on so not right box will do dynamic analysts off these application. And if you try to run each and every feature of this application, if if it has got ah phone calling option, then it will also, um, call up. It will also call some numbers or if the application is sending SMS is it will also send SMS is so it will simulate all the features off the application basically, and it will give us the output. Based on that output, we will see if the application has got mulberry infection or not. So now, as you can see ah, it ah, it as it is. I guess it's calling some number. Okay, So as you can see, it has automatically dial some number and, um, number. So this is nothing but dried boxes performing this analysis. So it has also called up some number. So this is a part of the drive box analysis because this application has that feature of phone calling. This application can make calls myself. So that's what it is doing. So now let's I will skip this. Ah, love, pause this video. Let the analysis complete and we'll see the report. Okay, so we have got the report from dried books. So as you can see, it is given us thean for the application defy limits droid box test or KPK The empty fash on all of that duration for which it does run on. Do we have the file activities? The read operations? It hasn't heard from the might file named or text on. Also, it has I heard from her put dot txt. So if you scroll down so as you can see, this is this has given this. Ah, nice graphical. Uh, do I with the report so right operations Also that it has also written on the files mile filed or text on output dark text. So the information is there, Then there's a network activity. This is important. This is important to us. So it has open connection to three locations cord or google dot com at Port 80 than they're some PJ Lantieri said dot com At Port 80 and local host, it has opened 1 23 and as an outgoing traffic as well as agency. So there you, Aronson had us, which are going on paid port 80. So this is something delicious. And then there's incoming traffic as well on this, So it's sending some date outside, as you can see on now, let's see the SMS receiver. So Okay, so as a merciless evil is also there. So that means it can send rest Mrs as well. So information leakage, if you can see as a miss, has been sent on this number. So if you see this number, this belongs to Russia. 07 chord. Right. So you can see that it has sent a summons us to Ah, this number okay. And it has also made calls to this number. So this might be some premium number. It might be calling some premium number also. So this is the typically ah, basic how a malware application behaves. This this is giving us that signal that this is a multi infected application. So this is the phone calls and the sm is this is this information of key importance Ah, when trying to detect pay centres or bought masters so they might be connecting to their bought monsters also which are moderate infected eso. So as you see in this example, both the SMS and phone are linked to some premium services. So hence we can see Ah, see that this application is a malicious application. So see, we just ran right box and it gave us the output on We were like You have to just interpret the output on ah reduce that whether this application is malicious or not. So by judging ah, by looking at the report, I guess this is doing some malicious activity, this application So we can say that this is ah Mullah convicted application life. You see, I had said that it gives us graphical or protest Well, so this is the graphical output. So if you see a little just Thanks um, is it so this has given us like the sections are service sms leak. So as a mislead is also saw a section over here. So it's a cause of concern. Onda, we have filed right functions. It has performed this much on then. Key. Okay. And that Rick Reed operation, it has also performed. Okay, so basically, this gives us a good idea off. What? All functions has the application done in the background. And also, there's a big photograph that you can analyze what all functions it has done. It has red files on. Then it has the crypto thing as well. So this is how the droid boat works for us. And this is how you do. Ah, dynamic analysts off mullah application. So I hope you have enjoyed this video in the next morning, Russi on dried application, penetration, testing and the exploitation of the same. So thanks a lot for this. Uh, thanks a lot for watching See in the next morning.