Full Report
Here’s my first blog where I’ll try to write up how I’ve managed to set up the Introspy framework for the Android emulator. First things first, if you haven’t downloaded the Android SDK, do it now from here. I am on an Ubuntu 14.04 x64 machine, but hopefully you will be able to follow this guide as long as you are on a modern Linux system. Side note: since you are gonna run many commands on the emulator, I highly recommend that you open a new shell during this process (adb shell) and run the logcat command. That way you can see all the debug messages and, if something fails, play around and see how you can solve it.
Analysis Summary
# Tool/Technique: Introspy Framework
## Overview
Introspy is a framework designed for dynamic instrumentation and security analysis of Android applications, specifically focusing on "hooking" methods within apps running on an Android emulator environment. The setup described involves configuring an Android SDK, rooting the emulator, installing Cydia Substrate, and then deploying the Introspy components to monitor application behavior.
## Technical Details
- Type: Tool
- Platform: Android (the guide targets an Android 4.2.2 / API 19 emulator)
- Capabilities: Dynamic method hooking, configuration of analysis targets, real-time logging (`logcat`), data collection during execution, and report generation.
- First Seen: Information provided is based on a blog post from March 10, 2016.
## MITRE ATT&CK Mapping
Since Introspy is primarily an analysis tool used for understanding application behavior (often by security researchers or red teams), its direct mapping relates to the *Defense Evasion* and *Collection* tactics if used offensively, or *Testing* if used defensively.
- **TA0005 - Defense Evasion**
  - **T1070 - Indicator Removal on Host** (Relevant in the context of an attacker potentially using hooking to bypass application security controls, though Introspy itself is for analysis.)
- **TA0009 - Collection**
  - **T1005 - Data from Local System** (Gathering data from the compromised/emulated device environment.)
- **TA0004 - Privilege Escalation**
  - **T1548.002 - Bypass User Account Control** (Requires rooting the emulator environment to function fully.)
## Functionality
### Core Capabilities
- **Instrumentation Setup:** Requires Cydia Substrate installation on a rooted Android emulator environment.
- **Application Monitoring:** Uses configuration files (`introspy.config`) to specify which application components (e.g., CRYPTO, HASH, FS, IPC, SSL, WEBVIEW) should be hooked within the target application (e.g., WhatsApp).
- **Data Collection:** Logs detailed execution traces, including function calls (e.g., `java.security.MessageDigest->update()`, `java.io.FileOutputStream->FileOutputStream()`, `android.content.ContextWrapper->startService()`), file I/O, and cryptographic operations (AES/OFB/NoPadding mentioned).
- **Data Persistence:** Collected data is stored in an SQLite database file named `introspy.db` within the target application's data directory (`/data/data/app_name/databases/`).
### Advanced Features
- **Dynamic Hooking:** Allows dynamic injection and monitoring of methods within running Android processes.
- **Report Generation:** Utilizes the `Introspy-Analyzer` component (via a Python script) to parse the collected `introspy.db` file and output findings into an HTML report (`report.html`).
- **Configuration Flexibility:** Supports specifying hooks for various categories, including file system (FS), cryptography (CRYPTO), Inter-Process Communication (IPC), and network security (SSL).
## Indicators of Compromise
*Note: These indicators relate to the setup and execution environment necessary for the tool, not necessarily malicious output.*
- File Hashes: Not provided in the text.
- File Names:
  - `Introspy-Android Core.apk`
  - `Introspy-Android Config.apk`
  - `introspy.db` (Output database file)
  - `whatsapp_findings/report.html` (Generated report)
- Registry Keys: Not applicable (Android environment).
- Network Indicators: None explicitly observed in the output logs, which focus on local execution monitoring. The logs do show base64-encoded data in the hook output (transmission failures/outputs), e.g. `base64: [cQf6myPv5Zy/pn1OfVnW4If9vRU=]`.
- Behavioral Indicators:
  - Use of `adb shell` commands to modify system permissions (`chmod 06755 /system/bin/su`).
  - Application interaction with `Cydia Substrate`.
  - Calls monitored: `java.io.FileOutputStream->FileOutputStream()` leading to SD card access (`/mnt/sdcard/WhatsApp/Profile Pictures/.nomedia`).
## Associated Threat Actors
- None specified. This tool appears to be a security research/testing framework derived from the work published by SensePost.
## Detection Methods
- **Signature-based detection:** High potential for detection based on the presence of the Introspy APKs or hook libraries.
- **Behavioral detection:** Monitoring for unusual manipulation of system binaries (like `su`), forced remounting of partitions (`mount -o rw,remount`), or application behavior modification indicating dynamic instrumentation (like Cydia Substrate or Frida activity).
- **YARA rules if available:** Not provided in the text.
## Mitigation Strategies
- **Prevention Measures:** Do not run enterprise/sensitive applications on rooted devices or emulators that lack integrity controls.
- **Hardening Recommendations:** Ensure Android devices/emulators prohibit the installation of unauthorized system binaries (`su`) or instrumentation frameworks like Cydia Substrate. Regular monitoring of `/system/bin` permissions.
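As an added example (not code from the blog post or the Introspy project), the two checks the detection and hardening bullets above call for, run over constructed `adb shell` output: decoding the `ls -l` mode column of `/system/bin/su` to catch the `06755` setuid/setgid mode the setup applies, and spotting Cydia Substrate in `pm list packages`. The Substrate package id `com.saurik.substrate` is the framework's real one; the sample output is constructed, and the Introspy APKs' own package ids are not on the page, so they are deliberately not guessed.

```python
import re

# Constructed sample output (not from the blog post): what
# `adb shell ls -l /system/bin/su` and `adb shell pm list packages`
# return on an emulator that was rooted and had Substrate installed.
SAMPLE_LS_SU = "-rwsr-sr-x root     root        22364 2016-03-10 10:12 su"
SAMPLE_PM_LIST = """package:com.android.settings
package:com.saurik.substrate
package:com.whatsapp
"""

# Known instrumentation package ids; com.saurik.substrate is Cydia Substrate's
# real package name. Introspy's own ids are not given in the report.
INSTRUMENTATION_PACKAGES = {"com.saurik.substrate": "Cydia Substrate"}

def parse_mode(ls_line):
    """Turn the 10-character mode column of `ls -l` into an octal int.
    Lowercase s/t mean special bit plus exec bit; uppercase S/T mean the
    special bit with the exec bit clear."""
    mode_str = ls_line.split()[0]
    if not re.fullmatch(r"[-dlcbps][-rwxsStT]{9}", mode_str):
        raise ValueError("unexpected mode column: %r" % mode_str)
    perms = mode_str[1:]
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":          # basic bit set (S/T leave it clear)
            mode |= 1 << (8 - i)
    if perms[2] in "sS":
        mode |= 0o4000             # setuid
    if perms[5] in "sS":
        mode |= 0o2000             # setgid
    if perms[8] in "tT":
        mode |= 0o1000             # sticky
    return mode

def su_findings(ls_line):
    """Flag a setuid/setgid, world-executable su (the 06755 mode from the setup)."""
    mode = parse_mode(ls_line)
    findings = []
    if mode & 0o4000:
        findings.append("setuid bit set on su")
    if mode & 0o2000:
        findings.append("setgid bit set on su")
    if mode & 0o001:
        findings.append("su executable by any uid")
    return mode, findings

def instrumentation_findings(pm_output):
    """Return (package, name) pairs for known frameworks in `pm list packages` output."""
    found = []
    for line in pm_output.splitlines():
        pkg = line.strip()
        if pkg.startswith("package:"):
            pkg = pkg[len("package:"):]
            if pkg in INSTRUMENTATION_PACKAGES:
                found.append((pkg, INSTRUMENTATION_PACKAGES[pkg]))
    return found
```

On a live emulator, feed the functions the output of `adb shell ls -l /system/bin/su` and `adb shell pm list packages`; an empty findings list and `0o755` or lower for `su` (or no `su` at all) is the expected clean state.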
## Related Tools/Techniques
- Cydia Substrate (Required dependency for dynamic instrumentation).
- Android Debug Bridge (`adb`) (Essential for interacting with the emulator).
- Mobile Application Dynamic Analysis Tools (e.g., Frida, Xposed, objection).