Details
Since debugging 3rd-party APKs is hard and reverse engineering heavily obfuscated APKs is extremely difficult, our next best option is to let the APK run and observe how it behaves. In this type of dynamic analysis we are primarily looking at what permissions the APK requests and what callouts it makes.
Unfortunately, most APK malware now uses HTTPS for its callback domains. This makes inspecting the network traffic with network monitoring software such as Wireshark or tcpdump impossible without some sort of Man-in-the-Middle technique.
Being able to inspect the malware's network traffic provides vital Indicators of Compromise (IOCs) to triage analysts and gives reverse engineers contextual information that helps them focus on key routines within the APK.
In this video tutorial we go over how to use a tool named MITMProxy on Kali Linux to intercept and decrypt IPv4/IPv6 traffic from an Android emulator running APK malware.
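As an added example (not the tutorial's startup script and not part of the video), the following mitmproxy addon turns the intercepted flows into the kind of IOC list described above: it deduplicates requests and flags bare-IP hosts, plaintext HTTP and non-default ports. The output path, the `mitmproxy --mode transparent -s apk_iocs.py` invocation in the docstring and the sample URLs in the demo are assumptions/constructed values.

```python
"""mitmproxy addon that collects network IOCs from proxied APK traffic.
Assumed invocation on Kali:  mitmproxy --mode transparent -s apk_iocs.py
"""
import ipaddress
import json
from urllib.parse import urlsplit

OUT_PATH = "/tmp/apk_iocs.json"  # assumed output location, change as needed


def classify_url(method, url):
    """Build one IOC record from a request method and full URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:                       # a bare IPv4/IPv6 host instead of a domain
        ipaddress.ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port or default_port
    return {"method": method, "scheme": parts.scheme, "host": host,
            "port": port, "path": parts.path or "/", "bare_ip": bare_ip,
            "plaintext": parts.scheme == "http", "odd_port": port != default_port}


class IocCollector:
    def __init__(self, out_path=OUT_PATH):
        self.out_path = out_path
        self.records = []          # unique IOC records in first-seen order
        self.seen = set()

    def add(self, method, url):
        """Record a request; returns False if this exact request was seen before."""
        rec = classify_url(method, url)
        key = (rec["method"], rec["scheme"], rec["host"], rec["port"], rec["path"])
        if key in self.seen:
            return False
        self.seen.add(key)
        self.records.append(rec)
        return True

    def hosts(self):
        return sorted({r["host"] for r in self.records})

    def request(self, flow):       # mitmproxy hook: called for every client request
        self.add(flow.request.method, flow.request.pretty_url)

    def done(self):                # mitmproxy hook: called on shutdown
        with open(self.out_path, "w") as fh:
            json.dump(self.records, fh, indent=2)


addons = [IocCollector()]
```

Outside mitmproxy the class can be driven directly with constructed URLs (e.g. `IocCollector().add("POST", "https://203.0.113.5:8443/gate.php")`) to check the records it would write.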
What You'll Need
- Virtualization Software (VMware, VirtualBox, QEMU)
- Kali Linux
- Android Studio
- MITM Proxy (preinstalled in Kali Linux)
- MITMProxy Startup Script (optional startup script we wrote)