Java & Mobile Malware Analysis
by Coleman Kane
This module covers Java malware and Android malware. They are covered together because the Android runtime, Dalvik, is derived from the Java JVM runtime. The analysis tools used for both have a lot of overlap, and Ghidra’s analyzer even provides a similar analytical view for both.
Though popular, iOS isn’t included here for multiple reasons. First, Android holds a much larger market share than iOS for mobile devices, and this number gets even higher when broadened out to include all operating systems that are not MS Windows. Thus, the target set is much larger, and because of this Android malware is more commonplace than iOS malware for much the same reasons that Windows malware is more common than Mac OS X or Linux malware. The second reason is more practical: Android is based upon a largely open-source set of building blocks, and therefore has many more open-source and free malware analysis tools available for it on any development platform. Conversely, iOS typically requires a Mac running Mac OS X with Apple’s Xcode installed. These access restrictions to the environment also play out on the analysis side: debugging and execution-analysis tools are largely limited to Apple platforms, and even then they often come at a premium above and beyond that, and are often byproducts of platform reverse-engineering efforts, which can frequently be invalidated by new iOS and Mac OS X releases.
That said, much of the same execution model and many of the same environmental constraints are common to both Android and iOS malware. Many of the concepts used for analyzing Android malware translate over to iOS, and vice versa, so Android is also a perfectly good starting point from which to explore mobile malware analysis.
Java:
Android Mobile Apps (apk):
Some resources for iOS and Mac OS X malware analysis (external link):
tags: lecture java jar android apk run-time-analysis