Reverse Engineering for Static Analysis of Android Malware in Instant Messaging Apps

Abstract

Malware poses a significant threat to Android devices due to their high prevalence and vulnerability to attacks. Analyzing malware on these devices is crucial given the persistent and sophisticated threats targeting Android users. Static analysis of Android malware is a key approach used to detect malicious software without executing the application. This method involves meticulously examining the application's source code or binaries to identify signs of suspicious or harmful activities. The research methodology consists of three stages. The first stage involves collecting malware samples spread through instant messaging applications. The second stage employs reverse engineering, where APK files are decompiled to extract their contents. Following this, a static analysis is conducted, focusing on the AndroidManifest.xml file and the source code to identify the behavior and potential threats posed by the malware. The static analysis results revealed that Android malware often requests sensitive permissions to access personal data, such as receiving, reading, and sending SMS, as well as accessing location and contacts. Further analysis uncovered that after acquiring this data, the malware transmits it to the Telegram API via authenticated HTTP requests using specific tokens and chat_ids. These findings highlight that the permissions requested by the malware are designed to clandestinely collect and export personal data, posing a severe threat to the privacy and security of Android users.