Analyse Android Malware Using Smali Gadget Injection Technique


Researchers from JPCERT uncovered a new technique known as “Smali Gadget Injection,” which is set to revolutionize the dynamic analysis of Android malware.

This method offers a more flexible approach compared to existing tools like Frida, which, while useful, provide limited insights due to their general-purpose nature.


Traditionally, analyzing Android malware dynamically has posed significant challenges. Unlike Windows malware, which can be effectively tracked using debuggers, Android malware has resisted such straightforward analysis.

The Smali Gadget Injection technique addresses this gap by allowing analysts to inject custom gadgets directly into the smali files of an APK, enabling detailed tracking and logging of specific methods within the app.

How Smali Gadget Injection Works

The process begins with identifying the target code within the Android malware. Tools like JADX or JEB Pro are used to decompile the APK files, presenting the code in a readable Java format.

Figure 1: Decompile results of a method to decrypt RC4 strings using JADX

Analysts must pinpoint the methods they wish to analyze dynamically. For instance, in a given malware sample, a method might decrypt strings using the RC4 algorithm, as shown in Figure 1 of the decompiled results.

Smali File Extraction and Gadget Injection

According to Yuma Masubuchi, the JPCERT researcher behind the report, once the target method is identified, the APK is unpacked using Apktool. This reveals the directory structure and smali files, which can be edited to inject the analysis gadget.

For example, in the file smali/com/fky/lblabjglab/a.smali, a gadget can be inserted to log the method’s arguments and return values.

Figure: Example of injecting a gadget for analysis

After injecting the gadget, the smali files are reassembled into an APK. The APK must then be signed with a certificate, ensuring it can be installed on an Android device.

This is achieved using a series of commands involving apktool, keytool, and apksigner.

The final step involves installing the repackaged APK on an Android virtual device, such as those available through Android Studio.

Analysts can then monitor the app’s behavior using Logcat, filtering the logs to observe decrypted strings and other dynamic data, as shown in Figure 5.
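As an added illustration of the procedure above (not code from the JPCERT report or the sample), here is what a logging gadget can look like in smali: a small helper method appended to the class in a.smali, plus the two call sites injected at the entry and exit of the string-decryption method. The method name a(Ljava/lang/String;)Ljava/lang/String;, the original register count, and the register holding the result are assumptions; the malware’s own instructions are not reproduced and stay exactly as Apktool emitted them.

```smali
# Helper gadget added to smali/com/fky/lblabjglab/a.smali (class Lcom/fky/lblabjglab/a;).
# Logs "<label><value>" under a fixed tag so Logcat can be filtered on it.
.method public static gadgetLog(Ljava/lang/String;Ljava/lang/Object;)V
    .locals 2

    const-string v0, "SMALI_GADGET"
    new-instance v1, Ljava/lang/StringBuilder;
    invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
    invoke-virtual {v1, p0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    invoke-virtual {v1, p1}, Ljava/lang/StringBuilder;->append(Ljava/lang/Object;)Ljava/lang/StringBuilder;
    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v1
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method

# Instrumented RC4 string-decryption method (name and signature are assumptions).
.method public static a(Ljava/lang/String;)Ljava/lang/String;
    # Assumed original was .locals 3 (v0-v2); raised by one so v3 is a scratch register
    # the original code never touches. Parameters keep their pN aliases, so they still
    # resolve correctly after the change.
    .locals 4

    # --- gadget at entry: log the ciphertext argument ---
    const-string v3, "a() in: "
    invoke-static {v3, p0}, Lcom/fky/lblabjglab/a;->gadgetLog(Ljava/lang/String;Ljava/lang/Object;)V
    # --- end gadget ---

    # ... the malware's original instructions, unchanged; assumed to leave the plaintext in v2 ...

    # --- gadget before return: log the decrypted string ---
    const-string v3, "a() out: "
    invoke-static {v3, v2}, Lcom/fky/lblabjglab/a;->gadgetLog(Ljava/lang/String;Ljava/lang/Object;)V
    # --- end gadget ---
    return-object v2
.end method
```

After rebuilding, signing and installing the APK, `adb logcat -s SMALI_GADGET` shows only the gadget’s lines; a method with several return instructions needs the exit gadget inserted before each one.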

This innovative technique helps threat researchers and allows for various analyses, including monitoring variable contents and intercepting method calls.

It provides cybersecurity professionals a powerful tool for understanding and mitigating Android malware threats.

The Smali Gadget Injection technique represents a significant advancement in Android malware analysis.

While it requires careful preparation and a deep understanding of the target code, its flexibility and depth of analysis are unparalleled.

As cybersecurity threats continue to evolve, such techniques will be invaluable in safeguarding digital environments.
