To give you an overview of what features Dexter has and how to use them, we prepared a small showcase for you.
We go through all major features of Dexter, from registration, through inviting other people and the different analysis views, to the search function with and without DXQL.
If you are new to Dexter, you will need to create an account. Don’t worry, we are not asking for any sensitive information about you. A username and an e-mail address are enough for us.
After you have registered, you will get an e-mail with an activation link. Click it and log in to reach the first-start wizard, which lets you upload the first application you want to analyze.
Now we need an APK to analyze. All analyses are grouped into projects, so the first step of the wizard is creating a project.
The next step is to upload the APK itself and thereby create an analysis.
Now, please give our system a bit of time to perform all analysis tasks.
When everything is done, please click the button to get to your dashboard with your first analysis. If your analysis fails or the status never changes, feel free to contact us. We will then have a look at it and get back to you as soon as possible.
This is your dashboard. In the bar on the left side you can see all the projects you created. You can use the buttons on the top right to modify the selected project, invite people, delete it, or create a new one. If you don’t see the buttons, you don’t have the appropriate rights in the project; please contact the owner.
In the middle of the tab you see the members of the selected project and all analyses inside it.
If you click on an analysis, you see some more details about it, and you can open it in the analysis view or edit its title and description.
This is the basic analysis view. On the top you have some information about the application itself and diagrams with some internal statistics of the APK, for example how big the packages inside the APK are compared to each other.
Further down there are lists of all used and application-defined permissions with a short description, and of all activities, services, broadcast receivers and content providers in the application. If you click on an entry, the class diagram opens automatically.
The buttons on the right open the package diagram, a list of classes and strings, and an APK file browser for downloading files from the APK.
Now that you know what the general interface of Dexter looks like and how to create new analyses, let’s analyze some real malware. We chose FinFisher here because it isn’t obfuscated in any way and is apparently full of debugging information and strings. Let’s try to gather some more information about the inner workings of this malware.
To get an overview of the program, let’s have a look at the packages. Look at the package name in the general analysis information: it’s com.android.services. Strange for a normal Android application, right? Now use the button on the upper right of the screen to open the package graph.
Indeed, com.android.services seems to be the main package. Let’s open the class list of the com.android.services package by clicking on its name and have a look.
The green bubbles you see there are tags. You can tag things inside your analysis to quickly find them later by searching for them. The ones here were created by our autotagger during analysis. It marks the use of several base classes of the Android framework, the usage of several APIs, and so on.
Notice how public Lcom/android/services/Services has quite a few tags assigned. Let’s use the leftmost button in this column to get some more details about it.
Oh, there is a private method called startAllTasksAndStartReceivers. Let’s open this method in the basic block graph to read the bytecode using the button to the left of the name.
If we interpret the bytecode correctly, it seems to create a new thread from an inner class called Lcom/android/services/Services$RecordAndReceiversRunnable. Let’s use the search to find that class.
If you press Enter or the Go button, the search is executed. Notice that we use stars as wildcards. You can only use them at the beginning or the end of a word; it works like a LIKE statement in SQL.
There we found the inner class we were looking for. Let’s open the class diagram by clicking on the button in the row of the found class.
The class diagram is designed to look like a UML diagram you may already be familiar with. As we can see, this class really implements the Runnable interface, so it’s really a thread.
Let’s look at the run method, where all the magic seems to happen, but this time we don’t want to read the bytecode for that. If you click the last button in the toolbar of a class diagram (a circled arrow), we will try to decompile this class and show you the Java code. Be careful when reading this code: even if the decompilation is successful, it may not be correct.
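The two mechanisms just described, the autotagger that marks framework base classes and API usage, and the search whose leading/trailing stars behave like SQL LIKE wildcards, can be illustrated with a small self-contained model. The following Python is an added example written for this walkthrough; it is not Dexter’s own code, and the tag vocabulary, the sample class records (named in the Lpkg/Class form the walkthrough uses, without the trailing semicolon of a real Dalvik descriptor) and the choice of SQLite as the index are all assumptions made for the example.

```python
import sqlite3

# Constructed sample of class records, roughly what a class list of an APK
# analysis might contain. Names, superclasses and API calls are assumptions.
SAMPLE_CLASSES = [
    {"name": "Lcom/android/services/Services",
     "superclass": "Landroid/app/Service",
     "interfaces": [],
     "called_apis": ["Landroid/telephony/TelephonyManager->getDeviceId"]},
    {"name": "Lcom/android/services/Services$RecordAndReceiversRunnable",
     "superclass": "Ljava/lang/Object",
     "interfaces": ["Ljava/lang/Runnable"],
     "called_apis": ["Landroid/media/MediaRecorder->start"]},
    {"name": "Lcom/android/services/SmsReceiver",
     "superclass": "Landroid/content/BroadcastReceiver",
     "interfaces": [],
     "called_apis": []},
    {"name": "Lcom/example/util/Helper",
     "superclass": "Ljava/lang/Object",
     "interfaces": [],
     "called_apis": []},
]

# Assumed tag vocabulary: framework base classes, interfaces and API prefixes
# that an autotagger would look for.
BASE_CLASS_TAGS = {
    "Landroid/app/Service": "android:service",
    "Landroid/content/BroadcastReceiver": "android:broadcast-receiver",
    "Landroid/app/Activity": "android:activity",
}
INTERFACE_TAGS = {"Ljava/lang/Runnable": "java:runnable"}
API_PREFIX_TAGS = {
    "Landroid/telephony/": "api:telephony",
    "Landroid/media/": "api:media",
}


def autotag(cls):
    """Return the sorted list of tags the autotagger assigns to one class record."""
    tags = set()
    if cls["superclass"] in BASE_CLASS_TAGS:
        tags.add(BASE_CLASS_TAGS[cls["superclass"]])
    for iface in cls["interfaces"]:
        if iface in INTERFACE_TAGS:
            tags.add(INTERFACE_TAGS[iface])
    for api in cls["called_apis"]:
        for prefix, tag in API_PREFIX_TAGS.items():
            if api.startswith(prefix):
                tags.add(tag)
    return sorted(tags)


def build_index(classes):
    """Store classes and their auto-generated tags in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE classes (name TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE tags (class_name TEXT, tag TEXT)")
    for cls in classes:
        conn.execute("INSERT INTO classes VALUES (?)", (cls["name"],))
        conn.executemany("INSERT INTO tags VALUES (?, ?)",
                         [(cls["name"], t) for t in autotag(cls)])
    conn.commit()
    return conn


def to_like_pattern(term):
    """Translate a search term into a SQL LIKE pattern.

    Stars are accepted only at the beginning or end of the term (as in the
    walkthrough); a star in the middle is rejected. LIKE metacharacters inside
    the literal part are escaped so that '_' and '%' are matched literally.
    """
    core = term.strip("*")
    if "*" in core:
        raise ValueError("wildcards are only allowed at the beginning or end of a term")
    escaped = core.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    prefix = "%" if term.startswith("*") else ""
    suffix = "%" if term.endswith("*") else ""
    return prefix + escaped + suffix


def search(conn, term, tag=None):
    """Find class names matching the wildcard term, optionally restricted to a tag."""
    sql = "SELECT DISTINCT c.name FROM classes c"
    params = [to_like_pattern(term)]
    if tag is not None:
        sql += " JOIN tags t ON t.class_name = c.name"
    sql += " WHERE c.name LIKE ? ESCAPE '\\'"
    if tag is not None:
        sql += " AND t.tag = ?"
        params.append(tag)
    sql += " ORDER BY c.name"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    index = build_index(SAMPLE_CLASSES)
    # The search from the walkthrough: find the inner class by its name suffix.
    print(search(index, "*RecordAndReceiversRunnable"))
    # Everything in the main package that the autotagger marked as a Runnable.
    print(search(index, "Lcom/android/services/*", tag="java:runnable"))
```

One caveat of the model: SQLite’s LIKE is case-insensitive for ASCII letters, so `*runnable` matches the same rows as `*Runnable` here; whether Dexter’s search is case-sensitive is not stated in the walkthrough. The ESCAPE clause matters in practice because class and method names can legitimately contain `_`, which LIKE would otherwise treat as a single-character wildcard.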
The decompilation shows that the thread seems to initialize some receivers by calling setReceivers and then calls a recordData function every 2 seconds if some kind of licensing flag is set.
From here on you would dig deeper into the code and reverse it gradually until you have found what you were looking for. We are going to stop here and let you explore Dexter on your own.
If you have questions, bug reports or other things you want to share with us, please feel free to contact us!
Here are some other ways you could go to start reversing an application: