Andrubis – Analyze Unknown Android Applications

Posted: July 20, 2012 in Analysis
Tags: , ,

Andrubis is designed to analyze unknown apps for the Android platform (APKs). It has been brought to us by the guys at Iseclabs, who already have an awesome Windows executable scanner Anubis. Infact, it can be considered as an extension for Anubis.
Andrubis gives us an insight into various behavioral aspects and properties of a submitted app by employing both static and dynamic analysis approaches. During the dynamic analysis part an app is installed and run in an emulator – the Dalvik VM. In addition to the normal tracking of open, read and write events, network traffic operations and detection of dynamically registered broadcast receivers , taint analysis is also carried out to report on leakage of important data such as the IMEI. Not only that, cellphone specific events, such as phone calls and short messages sent are also captured by the Andrubis service.
Information is also obtained statically, without actually executing the Android application. Information related to the intent-filters declared by these components is also included.
In short, like the core-Anubis does for Windows PE executable’s, Andrubis executes Android apps in a sandbox and provides a detailed report on their behavior, including file access, network access, cryptographic operations, dynamic code loading and information leaks. An Andrubis static analysis yields information on e.g. the app’s activities, services, required external libraries and actually required permissions.
In order not to reinvent the wheel, Andrubis leverages several existing open source projects in addition to the Android SDK, such as:
  1. DroidBox
  2. TaintDroid
  3. apktool
  4. Androguard
To see how effective it is, an example report of the DroidKongFu.A Android malware, scanned via the Andrubis can be found here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s