Android Analysis Quickstart
This guide will get you up and running quickly for any Android Analysis case. Use it as a starting point and once you’ve completed this setup, you can add more techniques for a deeper analysis.
Starting point for most Android Analysis is enabling USB Debugging. Follow these steps to complete this part.
Enable USB Debugging
This is the first step.
Go to [Settings] > [About phone] > [Version] and tap [Build number] 7 times until you see the “You are now in Developer mode” prompt > enter your lock screen password.
On the [Settings] page, tap the Return button > [Additional Settings] > [Developer Options] and toggle [Developer Options] to enable it, then toggle [USB Debugging] to enable.
- For ColorOS 12 and above: Go to [Settings] > [System settings] > [Developer options] and enable [USB debugging].
- For ColorOS 11: Go to [Settings] > [Additional settings] > [Developer options] and enable [USB debugging].
Tools you need to get started: the basics
- Android File Transfer
- ADB
- Fastboot
- MVT + Dependencies
Android File Transfer
This is the tool you can use to look at the files on the devices, transfer them between your computer and the device.
Get it from here: https://www.android.com/filetransfer/
The one for mac should look like this -
This tool should be very straightforward. You plug the device in using a USB cable, and this tool should pop up, showing you the files on the device.
ADB
Android Debug Bridge can be used to run commands on the Android device you are analysing and is very powerful when it comes to forensics.
Get it here:
https://developer.android.com/studio/releases/platform-tools
ADB commands to get started:
./adb devices
./adb devices -l
./adb shell getprop ro.build.version.release./adb pull /system/app/. phone1-apps
These are some more commands you can use to gather information from the analysis device:
adb root (restarts adbd with root permissions)
adb start-server (starts the adb server)
adb kill-server (kills the adb server)
adb reboot (reboots the device)
adb devices -l (list of devices by product/model)
adb shell (starts the backround terminal)
exit (exits the background terminal)
adb help (list all commands)
adb -s <deviceName> <command> (redirect command to specific device)
adb –d <command> (directs command to only attached USB device)
adb –e <command> (directs command to only attached emulator)
In order to pull data (mostly APKs from the device) you can use this command:
adb pull <remote> <local> (copy file/dir from device)
Here you can find a list of commands that you can use with ADB when analysing:
https://developer.android.com/studio/command-line/adb
Fastboot
Fastboot is a command-line tool for Android. You can use this tool to gather information from and run commands on the device you are analysing. The device needs to be booted into fastboot before you can start running its commands.
Use the devices command to list out the mounted devices:
% fastboot devices
Use getvar version command to get the version of the build:
% fastboot getvar version
version: 0.5
Finished. Total time: 0.001s
Use the getvar version-bootloader command to get the bootloader version
% fastboot getvar version-bootloader
Use the getvar version-baseband command to get the baseband version:
% fastboot getvar version-baseband
Use the getvar serialno command to get the serial number of the device:
% fastboot getvar serialno
Use the getvar product command to get the product name:
% fastboot getvar product
MVT + Dependencies
Mobile Verification Toolkit (MVT) is a tool to facilitate the consensual forensic analysis of Android and iOS devices, for the purpose of identifying traces of compromise.
You can use this tool specifically to check against known spyware such as the Pegasus APKs and there is also an option of checking files on the device you are analysing against a database of known malicious files. Details below.
You can get the latest version of MVT from here: https://github.com/mvt-project/mvt
You can use this command to download all apps to your computer:
mvt-android download-apks — output /path/to/folder
You can also decide to enable lookups of the SHA256 hash of all the extracted APKs on VirusTotal. While these lookups do not provide any conclusive assessment on all of the extracted APKs, they might highlight any known malicious ones:
MVT_VT_API_KEY=<key> mvt-android download-apks — output /path/to/folder — virustotal
You will need to provide your VT API Key for the above command.
In case you have a previous extraction of APKs you want to later check against VirusTotal, you can do so with the following arguments:
MVT_VT_API_KEY=<key> mvt-android download-apks — from-file /path/to/folder/apks.json — virustotal
Indicators of Compromise (IOCs)
MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.
These indicators of compromise are contained in a file with a particular structure of JSON with the .stix2 or .json extensions.
With data from an Android backup:
mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/
It is also possible to load STIX2 files automatically from the environment variable MVT_STIX2:
export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
Known repositories of STIX2 IOCs
Pegasus (STIX2): https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2
Cytrox (STIX2): https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2
You can automatically download the latest public indicator files with the command mvt-ios download-iocs or mvt-android download-iocs. These commands download the list of indicators listed here and store them in the appdir folder. They are then loaded automatically by MVT.