3

I have been reading a lot about how malware writers repackage an existing benigh android .apk and repackage it to add malicious functionality.

Now, according to my understanding of the .apk file structure, each .apk file contains a single .dex file which is essentially java byte converted to .dex format. Also, the application has a binary XML called manifest.xml and other resource file and assets. If we have to add extra malicious functionality to the application then we have to modify the manifest.xml (which can be easily done by converting the binary xml back to normal xml), resources (which can be just replaced) and the .dex file.

But the .dex file has a particular structure. According to me any modification done to it should break the code. What techniques do the tools use to prevent the code from breaking because if are adding some malicious functionality to the original app, we are, in essence, adding an extra module.

What are some tools out there that support .apk file repackaging?

Thanks.

Edit: Some members might find it offending to discuss about reverse engineering. Iam research student working on Android Security. I need to know how .apk file repackaging works because this is my research topic. Also, talking openly about reverse engineering isn't a malicious act - books have been written on reverse engineering - using reverse engineering for malicious purposes is malicious :)

Naruto Uzumaki
  • 958
  • 4
  • 17
  • 37
  • 1
    enable proguard in release mode. this will make it harder for reverse engineering. also check this http://developer.android.com/training/articles/security-tips.html – Raghunandan May 25 '13 at 08:03
  • @Simon I understand your concern but I am a research student working on Android Security. I NEED to understand the concept of .apk file repackaging. It is my research topic. – Naruto Uzumaki May 25 '13 at 08:15
  • @Raghunandan Thanks! But I didn't ask how to prevent my application from repackaging but, how to repackage an existing application. – Naruto Uzumaki May 25 '13 at 09:07
  • repackage into what .apk? You package everything into a .apk file in android. – Raghunandan May 25 '13 at 09:08
  • @Raghunandan Yes. One of the techniques that malware authors use is that they take an existing benign application. Unpackage it, add some malicious functionality to it and then repackage it back to a .apk file and upload it to some other application store. – Naruto Uzumaki May 25 '13 at 09:19
  • @NarutoUzumaki thats the reason you should use proguard. when they unpack it will harder to reverse engineer the code. the codes are obfuscated. So it will very hard for them to add new codes and modify the existing one. Also you would have released your .apk with a key you need key to make any updating in play store – Raghunandan May 25 '13 at 09:54

1 Answers1

11

Security Information

Enable proguard in release mode. This will make it harder for reverse engineering. Also check this developer training documentation on security.

(from comment on this question)

Package signature validation

You can verify if a package has been repackaged by checking the signature. Some articles to help with that:

Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.

(originally posted ad Verify Android apk has not been repackaged?)

Decompile DEX into Java

I answered a question about decompiling DEX code in the past. My original answer might be outdated by now but the question has been kept up to date by others. Here is an overview of some of the tools listed there.

A more complete version of fred's answer:

Manual way

First you need a tool to extract all the (compiled) classes on the DEX to a JAR. There's one called dex2jar, which is made by a chinese student.

Then, you can use jd-gui to decompile the classes on the JAR to source code. The resulting source should be quite readable, as dex2jar applies some optimizations.

1: http://code.google.com/p/dex2jar/
2: http://java.decompiler.free.fr/?q=jdgui

Automatic way

You can use APKTool. It will automatically extract all the classes (.dex), resources (.asrc), then it will convert binary XML to human-readable XML, and it will also dissassemble the classes for you.
Disassembly will always be more robust than decompiling, especially with JARs obfuscated with Pro Guard!

Just tell APKTool to decode the APK into a directory, then modify what you want, and finally encode it back to an APK. That's all.

Important: APKTool dissassembles. It doesn't decompile. The generated code won't be Java source. But you should be able to read it, and even edit it if you're familiar with jasmin. If you want Java source, please go over the Manual way.

(original question: decompiling DEX into Java sourcecode)

Community
  • 1
  • 1
hcpl
  • 17,382
  • 7
  • 72
  • 73
  • OK. So to repackage an application I firstly use dex2jar and then jd-gui. Use the source code generated by jd-gui and write additional modules on top of it and then package it again and sign with my own key? – Naruto Uzumaki May 25 '13 at 09:10
  • @NarutoUzumaki And I think this is the most important point that "you will have to sign it with your own key and you can't let it be signed with the original author's key" – eRaisedToX Feb 27 '17 at 10:07