Introducing ApkScan

Two weeks ago, we presented our Android malware research at the SANS Community Night. One of the presentations discussed the development of ApkScan, a service we are developing to facilitate the distributed malware analysis of Android samples. Although already quite a few (online) malware analysis services already offer Android malware analysis reports, we feel like they have a few shortcomings:

• The user (and the quality of the reports) fully depends on the techniques used by the malware analysis services to which samples are submitted. Although most services mention the tools they use to perform the analysis, it is still somehow a “black box” for users of the service to know what exactly happens during the analysis. What happens if a user would like to gather analysis information that is not provided by the online service? The user is often left out in the cold, and this brings us to our next point.

• Existing online malware research services that we reviewed do not allow clients to interface with submitted samples in order to perform their own analysis. Samples are in most cases hashed after which the original binaries are removed (except for some meta-data such as the file name and size). This makes it not only difficult for users to collaborate, it makes the service often useless to malware researchers that are trying to gain access to sample data. Some websites such as Contagio Mobile do a great job at offering samples for research purposes, but it’s often cumbersome finding the sample you need. More importantly, research already performed by others is not linked to the samples — each researcher could have a “different piece of the puzzle” if collaboration is non-intuitive. We understand the concerns linked to storing and offering potentially harmful binaries, but we are convinced that allowing access to such samples in a controlled and more streamlined way would benefit the research community greatly.

Our goal with ApkScan is to solve the above-mentioned shortcomings and provide a way to analyse Android samples using a more distributed, “white box” approach. The architecture of ApkScan was also presented during the talk, and from a high level it looks as following (click for full size):

• An application server hosting the ApkScan web front-end where users can submit new samples through a browser.

• A sample daemon that can fetch samples from sources other than uploads through the browser. The idea is to link the sample daemon to app markets (official and malicious), so that samples of interest can be fetched and analysed automatically, without requiring intervention from a user uploading the sample in the web front-end. Due to the large influx of new apps released in these markets, the daemon will be powered by a robust search engine (e.g. “fetch all applications that have been released this month in the Finance category, that have “Online Banking” in their name or description).

• A RESTful API. Through this API, remote clients can interact with our back-end systems without using the web front-end, making it much more convenient to pull and push data. The API in its current shape is already exposing quite some functionality including fetching samples and reporting data from other clients, as well as pushing new reports to the server.  In order to interact with the API, a token is required. We will hand out tokens in a controlled way upon launching but the API will be accessible to everyone interested in using it. 

• The ApkScan API clients do the actual work — they fetch new samples that are pending analysis from our back-end, perform the analysis (static, dynamic, whatever the client supports!) and (optionally) resubmit the results to our back-end. As we want to encourage users to submit their analysis results (as a huge point of ApkScan is to facilitate collaboration), we will be working out a way to reward those that do so. Anyone who is into malware research (no matter how complex) can develop a client and benefit. If for example you are interested in Android malware that targets your financial clients, you could implement an API client that analyses samples for the presence of certain strings or URL’s. You get access to samples and existing raw reporting data, and in return you submit the outcome of your research. Win-win.

Our research team at NVISO has currently already developed a first ApkScan API client that performs basic static and dynamic malware analysis on any samples submitted through the web front-end. We use a wide range of (existing and custom) tools for this, including:

• apktool for reverse-engineering binaries (using smali and baksmali to assemble/disassemble DEX files)

• droidbox for behavioural analysis. We are updating certain parts of the code (including reporting and interaction with the sandbox) to facilitate a more streamlined process for automated analysis. 

• Our own scripts and tools to perform static analysis (manifest parsing, string hunting, interaction with other online services). The code will be open-sourced upon release.

Our API client is built on Ruby and deployed in a Backtrack machine — however you could use any programming language that can interact with the RESTful API. Over the next coming weeks we will be working on ApkScan with the goal of releasing to the public. When we launch, we will:

• Launch the ApkScan web application where users can submit samples and view analysis reports.

• Launch an ApkScan API along with documentation on how to interact with it.

• Open-source part of the project — including an example ApkScan API client to get you started working on your own client.

We are very curious to hear your input, concerns, suggestions and other comments. Please feel free to leave a comment or get in touch with us through any of the other channels. We are looking forward to releasing ApkScan, keep an eye out on this blog and our twitter for updates!